alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 7 Actions 3 Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
Alex Lebens
2024-05-22 12:49:28 -05:00
commit 35b77bb0df
219 changed files with 9997 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/renovate-update-notification/Dockerfile vendored Normal file
View File

@@ -0,0 +1,2 @@
# This file is processed by Renovate bot so that it creates a PR on new major Renovate versions
FROM renovate/renovate:37

175
.github/renovate.json vendored Normal file
View File

@@ -0,0 +1,175 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended",
"mergeConfidence:all-badges",
":rebaseStalePrs"
],
"timezone": "US/Central",
"schedule": [
"every weekday"
],
"labels": [],
"packageRules": [
{
"description": "Disables for non major Renovate version",
"matchPaths": [
".github/renovate-update-notification/Dockerfile"
],
"matchUpdateTypes": [
"minor",
"patch",
"pin",
"digest",
"rollback"
],
"enabled": false
},
{
"description": "Generate for major Renovate version",
"matchPaths": [
".github/renovate-update-notification/Dockerfile"
],
"matchUpdateTypes": [
"major"
],
"addLabels": [
"upgrade"
],
"automerge": false
},
{
"description": "Label service images",
"matchDepNames": [
"dpage/pgadmin4",
"ghcr.io/cloudnative-pg/postgresql",
"hashicorp/vault",
"portainer/portainer-ce",
"redis/redis-stack-server",
"unpoller/unpoller"
],
"matchDatasources": [
"docker"
],
"addLabels": [
"service",
"image"
],
"automerge": false,
"minimumReleaseAge": "3 days"
},
{
"description": "Label service charts",
"matchDepNames": [
"argo-cd",
"authentik",
"cert-manager",
"cilium",
"cloudnative-pg",
"democratic-csi",
"external-secrets",
"gitea",
"grafana",
"intel-device-plugins-gpu",
"intel-device-plugins-operator",
"kube-prometheus-stack",
"kubelet-serving-cert-approver",
"kubernetes-cloudflare-ddns",
"loki",
"metallb",
"metrics-server",
"nfs-subdir-external-provisioner",
"node-feature-discovery",
"pgadmin4",
"portainer",
"postgres-cluster",
"prometheus-operator-crds",
"promtail",
"redis",
"rook-ceph-cluster",
"rook-ceph",
"speedtest-exporter",
"traefik",
"unpoller",
"vault"
],
"matchDatasources": [
"helm"
],
"addLabels": [
"service",
"chart"
],
"automerge": false,
"minimumReleaseAge": "3 days"
},
{
"description": "Label application images",
"matchDepNames": [
"deluan/navidrome",
"ghcr.io/advplyr/audiobookshelf",
"ghcr.io/linuxserver/calibre-web",
"jellyfin/jellyfin",
"linuxserver/code-server",
"vikunja/api",
"vikunja/frontend"
],
"matchDatasources": [
"docker"
],
"addLabels": [
"application",
"image"
],
"automerge": false,
"minimumReleaseAge": "3 days"
},
{
"description": "Label application charts",
"matchDepNames": [
"audiobookshelf",
"calibre-server",
"calibre-web",
"code-server",
"cops",
"freshrss",
"home-assistant",
"homepage",
"jellyfin",
"libation",
"navidrome",
"outline",
"plex",
"tubearchivist",
"tubearchivist-to-jellyfin",
"vikunja"
],
"matchDatasources": [
"helm"
],
"addLabels": [
"application",
"chart"
],
"automerge": false,
"minimumReleaseAge": "3 days"
},
{
"description": "Automerge the plex image",
"matchDepNames": [
"ghcr.io/onedr0p/plex"
],
"matchDatasources": [
"docker"
],
"addLabels": [
"application",
"image"
],
"versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)-(?<revision>.+)?$",
"automerge": true,
"automergeType": "branch",
"minimumReleaseAge": "3 days"
}
]
}

37
.github/workflows/lint-test.yaml vendored Normal file
View File

@@ -0,0 +1,37 @@
name: lint-and-test-charts
on: pull_request
jobs:
lint-test:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Helm
uses: azure/setup-helm@v4
with:
version: v3.13.3
- uses: actions/setup-python@v5
with:
python-version: "3.10"
check-latest: true
- name: Set up chart-testing
uses: helm/chart-testing-action@v2.6.1
- name: Run chart-testing (list-changed)
id: list-changed
run: |
changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
if [[ -n "$changed" ]]; then
echo "changed=true" >> "$GITHUB_OUTPUT"
fi
- name: Run chart-testing (lint)
if: steps.list-changed.outputs.changed == 'true'
run: ct lint --target-branch ${{ github.event.repository.default_branch }}

201
LICENSE Normal file
View File

@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

7
README.md Normal file
View File

@@ -0,0 +1,7 @@
# alexlebens.net
GitOps definied infrastrucutre for the alexlebens.net domain.
## License
This project is licensed under the terms of the Apache 2.0 License license.

11
clusters/cl01tl/applications/audiobookshelf/Chart.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v2
name: audiobookshelf
version: 0.0.1
sources:
- https://github.com/advplyr/audiobookshelf
- https://github.com/k8s-home-lab/helm-charts/tree/master/charts/stable/audiobookshelf
dependencies:
- name: audiobookshelf
version: 2.0.0
repository: https://k8s-home-lab.github.io/helm-charts/
appVersion: "2.8.0"

40
clusters/cl01tl/applications/audiobookshelf/templates/persistent-volume-claim.yaml Normal file
View File

@@ -0,0 +1,40 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-nfs-storage-backup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: audiobookshelf-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

25
clusters/cl01tl/applications/audiobookshelf/templates/persistent-volume.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: audiobookshelf-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.nfs.path }}
server: {{ .Values.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac

48
clusters/cl01tl/applications/audiobookshelf/values.yaml Normal file
View File

@@ -0,0 +1,48 @@
audiobookshelf:
image:
repository: ghcr.io/advplyr/audiobookshelf
tag: 2.9.0
env:
TZ: US/Central
ingress:
main:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: audiobookshelf.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: audiobookshelf-secret-tls
hosts:
- audiobookshelf.alexlebens.net
persistence:
config:
enabled: true
mountPath: /config
accessMode: ReadWriteOnce
size: 2Gi
metadata:
enabled: true
mountPath: /metadata
accessMode: ReadWriteOnce
size: 10Gi
backup:
enabled: true
mountPath: /metadata/backups
type: pvc
existingClaim: audiobookshelf-nfs-storage-backup
audiobooks:
enabled: true
mountPath: /mnt/store/
type: pvc
existingClaim: audiobookshelf-nfs-storage
storage:
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net

11
clusters/cl01tl/applications/calibre-server/Chart.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v2
name: calibre-server
version: 1.0.0
sources:
- https://github.com/kovidgoyal/calibre
- https://github.com/alexlebens/helm-charts/tree/main/charts/calibre-server
dependencies:
- name: calibre-server
version: 0.0.8
repository: http://alexlebens.github.io/helm-charts
appVersion: 7.5.1

19
clusters/cl01tl/applications/calibre-server/templates/persistent-volume-claim.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: calibre-server-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: calibre-server-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

25
clusters/cl01tl/applications/calibre-server/templates/persistent-volume.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: calibre-server-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ index .Values "calibre-server" "persistence" "books" "nfs" "path" }}
server: {{ index .Values "calibre-server" "persistence" "books" "nfs" "server" }}
mountOptions:
- vers=4
- minorversion=1
- noac

20
clusters/cl01tl/applications/calibre-server/values.yaml Normal file
View File

@@ -0,0 +1,20 @@
calibre-server:
deployment:
env:
TZ: US/Central
ingressRoute:
enabled: true
http:
host: calibre-server.alexlebens.net
authentik:
outpost: authentik-outpost-proxy
namespace: authentik
persistence:
config:
storageClassName: ceph-block
storageSize: 5Gi
books:
claimName: calibre-server-nfs-storage
nfs:
path: /volume2/Storage/Calibre
server: synologybond.alexlebens.net

11
clusters/cl01tl/applications/calibre-web/Chart.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v2
name: calibre-web
version: 0.0.1
sources:
- https://github.com/janeczku/calibre-web
- https://github.com/k8s-home-lab/helm-charts/tree/master/charts/stable/calibre-web
dependencies:
- name: calibre-web
version: 9.0.2
repository: https://k8s-home-lab.github.io/helm-charts/
appVersion: v0.6.21

33
clusters/cl01tl/applications/calibre-web/templates/ingress-route.yaml Normal file
View File

@@ -0,0 +1,33 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: "Host(`{{ .Values.ingressRoute.host }}`)"
middlewares:
- name: "authentik-{{ .Release.Name }}"
namespace: {{ .Release.Namespace }}
priority: 10
services:
- kind: Service
name: {{ .Release.Name }}
port: {{ .Values.ingressRoute.port }}
- kind: Rule
match: "Host(`{{ .Values.ingressRoute.host }}`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15
services:
- kind: Service
name: {{ .Values.ingressRoute.authentik.outpost }}
port: {{ .Values.ingressRoute.authentik.port }}
namespace: {{ .Values.ingressRoute.authentik.namespace }}

27
clusters/cl01tl/applications/calibre-web/templates/middleware.yaml Normal file
View File

@@ -0,0 +1,27 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: "authentik-{{ .Release.Name }}"
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
forwardAuth:
address: "http://{{ .Values.ingressRoute.authentik.outpost }}.authentik:{{ .Values.ingressRoute.authentik.port }}/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

19
clusters/cl01tl/applications/calibre-web/templates/persistent-volume-claim.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: calibre-web-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: calibre-web-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

25
clusters/cl01tl/applications/calibre-web/templates/persistent-volume.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: calibre-web-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.storage.nfs.path }}
server: {{ .Values.storage.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac

33
clusters/cl01tl/applications/calibre-web/values.yaml Normal file
View File

@@ -0,0 +1,33 @@
calibre-web:
image:
repository: ghcr.io/linuxserver/calibre-web
tag: 0.6.21-ls253
env:
TZ: US/Central
DOCKER_MODS: linuxserver/mods:universal-calibre
ingress:
main:
enabled: false
persistence:
config:
enabled: true
mountPath: /config
accessMode: ReadWriteOnce
size: 5Gi
media:
enabled: true
mountPath: /books
type: pvc
existingClaim: calibre-web-nfs-storage
ingressRoute:
host: calibre.alexlebens.net
port: 8083
authentik:
outpost: authentik-outpost-proxy
port: 9000
namespace: authentik
storage:
storage:
nfs:
path: /volume2/Storage/Calibre
server: synologybond.alexlebens.net

12
clusters/cl01tl/applications/code-server/Chart.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v2
name: code-server
version: 0.0.1
sources:
- https://github.com/coder/code-server
- https://github.com/linuxserver/docker-code-server
- https://gitlab.com/alexander-chernov/helm/code-server
dependencies:
- name: code-server
version: 0.1.1
repository: https://charts.alekc.dev
appVersion: "4.22.0"

23
clusters/cl01tl/applications/code-server/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: codeserver-password-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /code-server/auth
metadataPolicy: None
property: password

19
clusters/cl01tl/applications/code-server/templates/persistent-volume-claim.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: code-server-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi

34
clusters/cl01tl/applications/code-server/values.yaml Normal file
View File

@@ -0,0 +1,34 @@
code-server:
image:
repository: linuxserver/code-server
tag: 4.89.1
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: codeserver.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: codeserver-secret-tls
hosts:
- codeserver.alexlebens.net
env:
simple:
TZ: US/Central
DEFAULT_WORKSPACE: /config
full:
- name: SUDO_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: codeserver-password-secret
optional: false
persistence:
existingClaim: code-server-nfs-storage
enabled: true

11
clusters/cl01tl/applications/cops/Chart.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v2
name: cops
version: 0.0.1
sources:
- https://github.com/mikespub-org/seblucas-cops
- http://alexlebens.github.io/helm-charts
dependencies:
- name: cops
version: 0.0.3
repository: http://alexlebens.github.io/helm-charts
appVersion: 1.1.3

19
clusters/cl01tl/applications/cops/templates/persistent-volume-claim.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: cops-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: cops-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

25
clusters/cl01tl/applications/cops/templates/persistent-volume.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: cops-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.books.nfsPath }}
server: {{ .Values.storage.books.nfsServer }}
mountOptions:
- vers=4
- minorversion=1
- noac

22
clusters/cl01tl/applications/cops/values.yaml Normal file
View File

@@ -0,0 +1,22 @@
cops:
deployment:
env:
TZ: US/Central
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
className: traefik
host: calibre-content.alexlebens.net
persistence:
config:
storageClassName: ceph-block
storageSize: 1Gi
books:
claimName: cops-nfs-storage
storage:
books:
nfsPath: /volume2/Storage/Calibre
nfsServer: synologybond.alexlebens.net

15
clusters/cl01tl/applications/freshrss/Chart.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: v2
name: freshrss
version: 1.0.0
sources:
- https://github.com/FreshRSS/FreshRSS
- https://github.com/alexlebens/helm-charts/tree/main/charts/hfreshrss
dependencies:
- name: freshrss
version: 0.0.3
repository: http://alexlebens.github.io/helm-charts
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: "1.23.1"

94
clusters/cl01tl/applications/freshrss/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,94 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: freshrss-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/freshrss
metadataPolicy: None
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/freshrss
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: freshrss-install-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: FRESHRSS_INSTALL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /freshrss/config
metadataPolicy: None
property: FRESHRSS_INSTALL
- secretKey: FRESHRSS_USER
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /freshrss/config
metadataPolicy: None
property: FRESHRSS_USER
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: freshrss-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: freshrss-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-freshrss-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-freshrss-postgresql
metadataPolicy: None
property: secret_key

42
clusters/cl01tl/applications/freshrss/values.yaml Normal file
View File

@@ -0,0 +1,42 @@
freshrss:
deployment:
env:
TZ: US/Central
CRON_MIN: 13,43
OIDC_ENABLED: 1
OIDC_PROVIDER_METADATA_URL: https://authentik.alexlebens.net/application/o/freshrss/.well-known/openid-configuration
OIDC_X_FORWARDED_HEADERS: X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host
OIDC_SCOPES: openid email profile
OIDC_REMOTE_USER_CLAIM: preferred_username
envFrom:
- secretRef:
name: freshrss-oidc-secret
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
host: rss.alexlebens.net
persistence:
config:
storageClassName: ceph-block
storageSize: 5Gi
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/freshrss
endpointCredentials: freshrss-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d

11
clusters/cl01tl/applications/home-assistant/Chart.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v2
name: home-assistant
version: 1.0.0
sources:
- https://github.com/home-assistant
- https://github.com/alexlebens/helm-charts/tree/main/charts/home-assistant
dependencies:
- name: home-assistant
version: 0.1.15
repository: http://alexlebens.github.io/helm-charts
appVersion: v2024.5.3

48
clusters/cl01tl/applications/home-assistant/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,48 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: home-assistant-codeserver-password-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: SUDO_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /home-assistant/auth
metadataPolicy: None
property: SUDO_PASSWORD
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: home-assistant-token-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: bearerToken
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /home-assistant/auth
metadataPolicy: None
property: bearerToken

46
clusters/cl01tl/applications/home-assistant/values.yaml Normal file
View File

@@ -0,0 +1,46 @@
home-assistant:
deployment:
env:
TZ: US/Central
ingressRoute:
enabled: true
host: homeassistant.alexlebens.net
authentik:
outpost: authentik-outpost-proxy
namespace: authentik
metrics:
enabled: true
serviceMonitor:
bearerTokenSecret:
name: home-assistant-token-secret
key: bearerToken
prometheusRule:
enabled: true
rules:
- alert: HomeAssistantAbsent
annotations:
description: Home Assistant has disappeared from Prometheus service discovery.
summary: Home Assistant is down.
expr: |
absent(up{job=~".*home-assistant.*"} == 1)
for: 5m
labels:
severity: critical
persistence:
config:
storageClassName: ceph-block
storageSize: 1Gi
codeserver:
enabled: true
env:
TZ: US/Central
DEFAULT_WORKSPACE: /config
envFrom:
- secretRef:
name: home-assistant-codeserver-password-secret
ingressRoute:
enabled: true
host: homeassistant-codeserver.alexlebens.net
authentik:
outpost: authentik-outpost-proxy
namespace: authentik

18
clusters/cl01tl/applications/homepage-dev/Chart.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: v2
name: homepage-dev
version: 1.0.0
home: https://outline.alexlebens.net/doc/homepage-dev-s2clWoI5EC
sources:
- https://github.com/gethomepage/homepage
- https://github.com/cloudflare/cloudflared
- https://github.com/bjw-s/helm-charts/blob/main/charts/other/app-template/values.yaml
dependencies:
- name: app-template
alias: homepage
repository: https://bjw-s.github.io/helm-charts/
version: 3.1.0
- name: app-template
alias: cloudflared
repository: https://bjw-s.github.io/helm-charts/
version: 3.1.0
appVersion: v0.8.12

23
clusters/cl01tl/applications/homepage-dev/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: homepage-dev-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: homepage-dev-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/homepage-dev
metadataPolicy: None
property: token

225
clusters/cl01tl/applications/homepage-dev/values.yaml Normal file
View File

@@ -0,0 +1,225 @@
homepage:
global:
nameOverride: homepage
controllers:
main:
type: deployment
annotations:
reloader.stakater.com/auto: "true"
strategy: Recreate
containers:
main:
image:
repository: ghcr.io/gethomepage/homepage
tag: v0.8.13
pullPolicy: IfNotPresent
resources:
limits:
cpu: 1000m
memory: 512Mi
requests:
cpu: 10m
memory: 128Mi
serviceAccount:
create: true
configMaps:
config:
enabled: true
data:
docker.yaml: ""
kubernetes.yaml: ""
settings.yaml: |
favicon: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/icon_white.png
headerStyle: clean
hideVersion: true
color: slate
background:
image: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/background.jpg
theme: dark
disableCollapse: true
layout:
- Media:
icon: mdi-multimedia-#ffffff
- Applications:
icon: mdi-application-#ffffff
widgets.yaml: |
- logo:
icon: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/icon_white.png
- datetime:
text_size: xl
format:
dateStyle: long
timeStyle: short
hour12: false
- openmeteo:
label: Denver
latitude: 39.73
longitude: 104.99
units: metric
cache: 5
services.yaml: |
- Media:
- Plex:
icon: plex.png
href: https://plex.alexlebens.net
description: Media server
siteMonitor: http://plex.plex:32400
statusStyle: dot
- Overseerr:
icon: overseerr.png
description: Requests
href: https://overseerr.alexlebens.net
siteMonitor: http://overseerr.overseerr:5055
statusStyle: dot
- Jellyfin:
icon: jellyfin.png
description: Media server
href: https://jellyfin.alexlebens.net/
siteMonitor: http://jellyfin.jellyfin:8096
statusStyle: dot
- TubeAchivist:
icon: tube-archivist.png
description: Youtube downloader
href: https://tubearchivist.alexlebens.net/login/
siteMonitor: http://tubearchivist.tubearchivist:8000
statusStyle: dot
- Navidrome:
icon: navidrome.png
description: Music
href: https://navidrome.alexlebens.net
siteMonitor: http://navidrome.navidrome:4533
statusStyle: dot
- Audiobookshelf:
icon: audiobookshelf.png
description: Audiobooks, Books, and Podcasts
href: https://audiobookshelf.alexlebens.net
siteMonitor: http://audiobookshelf.audiobookshelf:80
statusStyle: dot
- Calibre:
icon: calibre-web.png
description: Books
href: https://calibre.alexlebens.net
siteMonitor: http://calibre-web.calibre-web:8083
statusStyle: dot
- Applications:
- Ghost:
icon: ghost.png
description: Website and blog
href: https://blog.alexlebens.dev
siteMonitor: https://blog.alexlebens.dev
statusStyle: dot
- Chat:
icon: element.svg
description: Web client for Matrix chat
href: https://chat.alexlebens.dev
siteMonitor: https://chat.alexlebens.dev
statusStyle: dot
- Home Assistant:
icon: home-assistant.png
description: Home automation
href: https://homeassistant.alexlebens.net
siteMonitor: http://home-assistant.home-assistant:8123
statusStyle: dot
- Vikunja:
icon: vikunja.png
description: Notes and tasks
href: https://vikunja.alexlebens.net
siteMonitor: http://vikunja-frontend.vikunja:80
statusStyle: dot
- Taiga:
icon: taiga.png
description: Project planning
href: https://taiga.alexlebens.net
siteMonitor: http://taiga-front.taiga:80
statusStyle: dot
- Penpot:
icon: https://raw.githubusercontent.com/penpot/penpot/362d4ea47f06d169dd6e0a34cb9d141200e646e6/frontend/resources/images/icons/penpot-logo-icon.svg
description: Web design
href: https://penpot.alexlebens.net
siteMonitor: http://penpot.penpot:80
statusStyle: dot
- Outline:
icon: outline.png
description: Wiki
href: https://outline.alexlebens.net
siteMonitor: http://outline.outline:3000
statusStyle: dot
- FreshRss:
icon: freshrss.svg
description: Rss reader
href: https://rss.alexlebens.net
siteMonitor: http://freshrss.freshrss:80
statusStyle: dot
bookmarks.yaml: ""
service:
http:
controller: main
ports:
http:
port: 80
targetPort: 3000
protocol: HTTP
persistence:
config:
enabled: true
type: configMap
name: homepage-dev-config
advancedMounts:
main:
main:
- path: /app/config/bookmarks.yaml
readOnly: true
mountPropagation: None
subPath: bookmarks.yaml
- path: /app/config/docker.yaml
readOnly: true
mountPropagation: None
subPath: docker.yaml
- path: /app/config/kubernetes.yaml
readOnly: true
mountPropagation: None
subPath: kubernetes.yaml
- path: /app/config/services.yaml
readOnly: true
mountPropagation: None
subPath: services.yaml
- path: /app/config/settings.yaml
readOnly: true
mountPropagation: None
subPath: settings.yaml
- path: /app/config/widgets.yaml
readOnly: true
mountPropagation: None
subPath: widgets.yaml
cloudflared:
global:
nameOverride: cloudflared
controllers:
main:
type: deployment
strategy: Recreate
containers:
main:
image:
repository: cloudflare/cloudflared
tag: "2024.5.0"
pullPolicy: IfNotPresent
args:
- tunnel
- --no-autoupdate
- run
- --token
- $(CF_MANAGED_TUNNEL_TOKEN)
env:
- name: CF_MANAGED_TUNNEL_TOKEN
valueFrom:
secretKeyRef:
name: homepage-dev-cloudflared-secret
key: cf-tunnel-token
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi

12
clusters/cl01tl/applications/homepage/Chart.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v2
name: homepage-front
version: 1.0.0
home: https://outline.alexlebens.net/doc/homepage-s2clWoI5EC
sources:
- https://github.com/gethomepage/homepage
- https://github.com/alexlebens/helm-charts/tree/main/charts/homepage
dependencies:
- name: homepage
version: 0.0.15
repository: http://alexlebens.github.io/helm-charts
appVersion: v0.8.12

44
clusters/cl01tl/applications/homepage/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,44 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: homepage-back-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: HOMEPAGE_VAR_SYNOLOGY_USER
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /synology/auth
metadataPolicy: None
property: user
- secretKey: HOMEPAGE_VAR_SYNOLOGY_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /synology/auth
metadataPolicy: None
property: password
- secretKey: HOMEPAGE_VAR_UNIFI_USER
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /unifi/auth
metadataPolicy: None
property: user
- secretKey: HOMEPAGE_VAR_UNIFI_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /unifi/auth
metadataPolicy: None
property: password

420
clusters/cl01tl/applications/homepage/values.yaml Normal file
View File

@@ -0,0 +1,420 @@
homepage:
deployment:
annotations:
reloader.stakater.com/auto: "true"
resources:
limits:
memory: 2Gi
cpu: 1000m
envFrom:
- secretRef:
name: homepage-back-key-secret
ingressRoute:
host: home.alexlebens.net
authentik:
outpost: authentik-outpost-proxy
namespace: authentik
config:
widgets:
- logo:
icon: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/icon_white.png
- kubernetes:
cluster:
show: true
cpu: true
memory: true
showLabel: true
label: "Cluster"
nodes:
show: false
- datetime:
text_size: xl
format:
dateStyle: long
timeStyle: short
hour12: false
- openmeteo:
label: Denver
latitude: 39.73
longitude: 104.99
units: metric
cache: 5
services:
- Media:
- Plex:
icon: plex.png
href: https://plex.alexlebens.net
description: Media server
siteMonitor: http://plex.plex:32400
statusStyle: dot
- Overseerr:
icon: overseerr.png
description: Requests
href: https://overseerr.alexlebens.net
siteMonitor: http://overseerr.overseerr:5055
statusStyle: dot
- Jellyfin:
icon: jellyfin.png
description: Media server
href: https://jellyfin.alexlebens.net/
siteMonitor: http://jellyfin.jellyfin:8096
statusStyle: dot
- Kyoo:
icon: https://raw.githubusercontent.com/zoriya/Kyoo/master/icons/icon-256x256.png
description: Media server
href: https://kyoo.alexlebens.net/
siteMonitor: http://kyoo-front.kyoo:8901
statusStyle: dot
- TubeAchivist:
icon: tube-archivist.png
description: Youtube downloader
href: https://tubearchivist.alexlebens.net/login/
siteMonitor: http://tubearchivist.tubearchivist:8000
statusStyle: dot
- Navidrome:
icon: navidrome.png
description: Music
href: https://navidrome.alexlebens.net
siteMonitor: http://navidrome.navidrome:4533
statusStyle: dot
- Audiobookshelf:
icon: audiobookshelf.png
description: Audiobooks, Books, and Podcasts
href: https://audiobookshelf.alexlebens.net
siteMonitor: http://audiobookshelf.audiobookshelf:80
statusStyle: dot
- Calibre:
icon: calibre-web.png
description: Books
href: https://calibre.alexlebens.net
siteMonitor: http://calibre-web.calibre-web:8083
statusStyle: dot
- Applications:
- Ghost (.dev):
icon: ghost.png
description: Website and blog
href: https://blog.alexlebens.dev
siteMonitor: https://blog.alexlebens.dev
statusStyle: dot
- Chat (.dev):
icon: element.svg
description: Web client for Matrix chat
href: https://chat.alexlebens.dev
siteMonitor: https://chat.alexlebens.dev
statusStyle: dot
- Home Assistant:
icon: home-assistant.png
description: Home automation
href: https://homeassistant.alexlebens.net
siteMonitor: http://home-assistant.home-assistant:8123
statusStyle: dot
- Vikunja:
icon: vikunja.png
description: Notes and tasks
href: https://vikunja.alexlebens.net
siteMonitor: http://vikunja-frontend.vikunja:80
statusStyle: dot
- Taiga:
icon: taiga.png
description: Project planning
href: https://taiga.alexlebens.net
siteMonitor: http://taiga-front.taiga:80
statusStyle: dot
- Penpot:
icon: https://raw.githubusercontent.com/penpot/penpot/362d4ea47f06d169dd6e0a34cb9d141200e646e6/frontend/resources/images/icons/penpot-logo-icon.svg
description: Web design
href: https://penpot.alexlebens.net
siteMonitor: http://penpot.penpot:80
statusStyle: dot
- Outline:
icon: outline.png
description: Wiki
href: https://outline.alexlebens.net
siteMonitor: http://outline.outline:3000
statusStyle: dot
- FreshRss:
icon: freshrss.svg
description: Rss reader
href: https://rss.alexlebens.net
siteMonitor: http://freshrss.freshrss:80
statusStyle: dot
- Code:
- Code Server:
icon: code-server.png
description: VS Code in a browser
href: https://codeserver.alexlebens.net
siteMonitor: http://code-server.code-server:8443
statusStyle: dot
- Code Server - Home Assistant:
icon: code-server.png
description: Edit config for Home Assistant
href: https://homeassistant-codeserver.alexlebens.net
siteMonitor: http://home-assistant-codeserver.home-assistant:8443
statusStyle: dot
- Gitea:
icon: gitea.png
description: Code repository
href: https://gitea.alexlebens.net
siteMonitor: http://gitea-http.gitea:3000
statusStyle: dot
- ArgoCD:
icon: argocd.png
description: Continous Deployment
href: https://argocd.alexlebens.net
siteMonitor: http://argocd-server.argocd:80
statusStyle: dot
namespace: argocd
- Argo Rollouts:
icon: argocd.png
description: Deployment mangement and evaluation
href: https://argo-rollouts.alexlebens.net
siteMonitor: http://argo-rollouts-dashboard.argocd:3100
statusStyle: dot
namespace: argocd
- Argo Workflows:
icon: argocd.png
description: Workflows and events for ArgoCD
href: https://argo-workflows.alexlebens.net
siteMonitor: http://argo-workflows-server.argocd:2746
statusStyle: dot
namespace: argocd
- Kargo:
icon: https://raw.githubusercontent.com/akuity/kargo/main/ui/public/kargo-icon.png
description: Continous Integration
href: https://kargo.alexlebens.net
siteMonitor: http://kargo-api.argocd:80
statusStyle: dot
namespace: argocd
- Management:
- Calibre Server:
icon: calibre.png
description: Calibre content server
href: https://calibre-server.alexlebens.net
siteMonitor: http://calibre-server.calibre-server:8080
statusStyle: dot
- COPS:
icon: calibre-web.png
description: Calibre OPDS (and HTML) PHP Server
href: https://calibre-content.alexlebens.net
siteMonitor: http://cops.cops:80
statusStyle: dot
- Monitoring:
- Portainer:
icon: portainer.png
description: Service monitoring
href: https://portainer.alexlebens.net
siteMonitor: http://portainer.portainer:9000
statusStyle: dot
- Headlamp:
icon: kubernetes.png
description: Kubernetes dashboard
href: https://headlamp.alexlebens.net
siteMonitor: http://headlamp.headlamp:80
statusStyle: dot
- Hubble:
icon: cilium.png
description: Network monitoring for Cilium
href: https://hubble.alexlebens.net
siteMonitor: http://hubble-ui.kube-system:80
statusStyle: dot
- Grafana:
icon: grafana.png
description: Dashboard
href: https://grafana.alexlebens.net
siteMonitor: https://grafana.alexlebens.net
statusStyle: dot
- Prometheus:
icon: prometheus.png
description: Metrics database
href: https://prometheus.alexlebens.net
siteMonitor: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090
statusStyle: dot
widget:
type: prometheus
url: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090
- Alertmanager:
icon: alertmanager.png
description: Alerting and notification
href: https://alertmanager.alexlebens.net
siteMonitor: http://kube-prometheus-stack-alertmanager.kube-prometheus-stack:9093
statusStyle: dot
- Services:
- Authentik:
icon: authentik.png
description: Identity management and provider
href: https://authentik.alexlebens.net
siteMonitor: http://authentik-server.authentik:80
statusStyle: dot
- Authentik (.dev):
icon: authentik.png
description: Identity management and provider
href: https://auth.alexlebens.dev
siteMonitor: https://auth.alexlebens.dev
statusStyle: dot
- Traefik - cl01tl:
icon: traefik.png
description: Reverse proxy
href: https://traefik-cl01tl.alexlebens.net/dashboard/#/
siteMonitor: https://traefik-cl01tl.alexlebens.net/dashboard/#/
statusStyle: dot
widget:
type: traefik
url: https://traefik-cl01tl.alexlebens.net
- Traefik - ps08rp:
icon: traefik.png
description: Reverse proxy
href: https://traefik-ps08rp.alexlebens.net/dashboard/#/
siteMonitor: https://traefik-ps08rp.alexlebens.net/dashboard/#/
statusStyle: dot
- Traefik - ps09rp:
icon: traefik.png
description: Reverse proxy
href: https://traefik-ps09rp.alexlebens.net/dashboard/#/
siteMonitor: https://traefik-ps09rp.alexlebens.net/dashboard/#/
statusStyle: dot
- Technitium - ps08rp:
icon: technitium.png
description: DNS
href: https://technitium-ps08rp.alexlebens.net
siteMonitor: https://technitium-ps08rp.alexlebens.net
statusStyle: dot
- Technitium - ps09rp:
icon: technitium.png
description: DNS
href: https://technitium-ps09rp.alexlebens.net
siteMonitor: https://technitium-ps09rp.alexlebens.net
statusStyle: dot
- Hardware:
- Unifi:
icon: unifi.png
description: Manager network hardware
href: https://unifi.alexlebens.net
siteMonitor: https://unifi.alexlebens.net
statusStyle: dot
- Synology:
icon: synology.png
description: Network Attached Storage
href: https://synology.alexlebens.net
siteMonitor: https://synology.alexlebens.net
statusStyle: dot
widget:
type: diskstation
url: https://synology.alexlebens.net
username: '{{HOMEPAGE_VAR_SYNOLOGY_USER}}'
password: '{{HOMEPAGE_VAR_SYNOLOGY_PASSWORD}}'
volume: volume_2
- HD Homerun Flex:
icon: hdhomerun.png
description: TV Tuner
href: http://hdhr.alexlebens.net
siteMonitor: http://hdhr.alexlebens.net
statusStyle: dot
- Pi KVM:
icon: pikvm.png
description: IP KVM
href: https://pikvm.alexlebens.net
siteMonitor: https://pikvm.alexlebens.net
statusStyle: dot
- Storage:
- Ceph:
icon: ceph.png
description: Clustered storage
href: https://ceph.alexlebens.net
siteMonitor: http://rook-ceph-mgr-dashboard.rook-ceph:7000
statusStyle: dot
- PGAdmin:
icon: pgadmin.png
description: Postgresql console
href: https://pgadmin.alexlebens.net
siteMonitor: http://pgadmin-pgadmin4.pgadmin:80
statusStyle: dot
- Vault:
icon: vault.png
description: Secret management
href: https://vault.alexlebens.net
siteMonitor: http://vault.vault:8200
statusStyle: dot
- Minio:
icon: minio.png
description: Operator for Minio S3 storage
href: https://minio.alexlebens.net
siteMonitor: http://console.minio-operator:9090
statusStyle: dot
- Minio - Outline:
icon: minio.png
description: Tenant for Outline S3 storage
href: https://minio-outline.alexlebens.net
siteMonitor: http://minio-outline-console.outline:9090
statusStyle: dot
- Minio - Penpot:
icon: minio.png
description: Tenant for Penpot S3 storage
href: https://minio-penpot.alexlebens.net
siteMonitor: http://minio-penpot-console.penpot:9090
statusStyle: dot
bookmarks:
- External Services:
- Github:
- abbr: GH
href: https://github.com/alexlebens/alexlebens-net
- Renovate:
- abbr: RN
href: https://developer.mend.io/[platform]/alexlebens/alexlebens-net
- AWS:
- abbr: AW
href: https://aws.amazon.com/console/
- Cloudflare:
- abbr: CF
href: https://dash.cloudflare.com/b76e303258b84076ee01fd0f515c0768
- Tailscale:
- abbr: TS
href: https://login.tailscale.com/admin/machines
- ProtonVPN:
- abbr: PV
href: https://account.protonvpn.com/
- Pushover:
- abbr: PO
href: https://pushover.net
- ReCaptcha:
- abbr: RC
href: https://www.google.com/recaptcha/admin/site/698983587
- Dashboard Icons:
- abbr: DI
href: https://github.com/walkxcode/dashboard-icons/tree/main/png
settings:
favicon: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/icon_white.png
headerStyle: clean
hideVersion: true
color: slate
background:
image: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/background.jpg
theme: dark
disableCollapse: true
layout:
- Media:
tab: Apps
icon: mdi-multimedia-#ffffff
- Applications:
tab: Apps
icon: mdi-application-#ffffff
- Code:
tab: Tools
icon: mdi-code-braces-box-#ffffff
- Monitoring:
tab: Tools
icon: mdi-chart-bar-#ffffff
- Management:
tab: Tools
icon: mdi-content-save-cog-#ffffff
- Services:
tab: Services
icon: mdi-server-network-#ffffff
- Hardware:
tab: Services
icon: mdi-lan-connect-#ffffff
- Storage:
tab: Services
icon: mdi-harddisk-#ffffff
- External Services:
tab: Bookmarks
icon: mdi-cloud-#ffffff

11
clusters/cl01tl/applications/jellyfin/Chart.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v2
name: jellyfin
version: 0.0.1
sources:
- https://github.com/jellyfin/jellyfin
- https://github.com/loeken/helm-charts/tree/main/charts/jellyfin
dependencies:
- name: jellyfin
version: 10.9.1
repository: https://loeken.github.io/helm-charts
appVersion: 10.8.13

40
clusters/cl01tl/applications/jellyfin/templates/persistent-volume-claim.yaml Normal file
View File

@@ -0,0 +1,40 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: jellyfin-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-youtube-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: jellyfin-youtube-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadOnlyMany
resources:
requests:
storage: 1Gi

52
clusters/cl01tl/applications/jellyfin/templates/persistent-volume.yaml Normal file
View File

@@ -0,0 +1,52 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: jellyfin-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.storage.nfs.path }}
server: {{ .Values.storage.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: jellyfin-youtube-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadOnlyMany
nfs:
path: {{ .Values.storage.youtube.nfs.path }}
server: {{ .Values.storage.youtube.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac

55
clusters/cl01tl/applications/jellyfin/values.yaml Normal file
View File

@@ -0,0 +1,55 @@
jellyfin:
env:
TZ: US/Central
ingress:
main:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: jellyfin.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: jellyfin-secret-tls
hosts:
- jellyfin.alexlebens.net
persistence:
config:
enabled: true
mountPath: /config
accessMode: ReadWriteOnce
size: 40Gi
cache:
enabled: true
mountPath: /cache
accessMode: ReadWriteOnce
size: 40Gi
media:
enabled: true
mountPath: /mnt/store
type: pvc
existingClaim: jellyfin-nfs-storage
youtube:
enabled: true
mountPath: /youtube
type: pvc
existingClaim: jellyfin-youtube-nfs-storage
resources:
requests:
gpu.intel.com/i915: 1
limits:
gpu.intel.com/i915: 1
storage:
storage:
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net
youtube:
nfs:
path: /volume2/Storage/YouTube
server: synologybond.alexlebens.net

32
clusters/cl01tl/applications/kyoo/Chart.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v2
name: kyoo
version: 1.0.0
description: A Helm chart for deploying Kyoo
keywords:
- kyoo
- media
sources:
- https://github.com/zoriya/Kyoo
- https://github.com/rabbitmq/rabbitmq-server
- https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq
- https://github.com/meilisearch/meilisearch
- https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
maintainers:
- name: alexlebens
dependencies:
- name: app-template
repository: https://bjw-s.github.io/helm-charts/
version: 3.1.0
- name: rabbitmq
version: 14.1.4
repository: https://charts.bitnami.com/bitnami
- name: meilisearch
version: 0.7.0
repository: https://meilisearch.github.io/meilisearch-kubernetes
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
icon: https://raw.githubusercontent.com/zoriya/Kyoo/master/icons/icon-256x256.png
appVersion: v4.5.0

183
clusters/cl01tl/applications/kyoo/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,183 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/authentication
metadataPolicy: None
property: key
- secretKey: kyoo
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/authentication
metadataPolicy: None
property: kyoo
- secretKey: tmdb
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/authentication
metadataPolicy: None
property: tmdb
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-api-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-api-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: kyoo
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/api
metadataPolicy: None
property: kyoo
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/kyoo
metadataPolicy: None
property: client
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/kyoo
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-rabbitmq-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-rabbitmq-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: rabbitmq
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/rabbitmq
metadataPolicy: None
property: password
- secretKey: erlang
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/rabbitmq
metadataPolicy: None
property: erlang
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-meilisearch-master-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-meilisearch-master-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: meilisearch
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: MEILI_MASTER_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/meilisearch
metadataPolicy: None
property: MEILI_MASTER_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-kyoo-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-kyoo-postgresql
metadataPolicy: None
property: secret_key

32
clusters/cl01tl/applications/kyoo/templates/ingress-route.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: kyoo
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`kyoo.alexlebens.net`)
priority: 10
services:
- kind: Service
name: kyoo-front
port: 8901
- kind: Rule
match: Host(`kyoo.alexlebens.net`) && PathPrefix(`/api/`)
middlewares:
- name: kyoo-strip-prefix
namespace: {{ .Release.Namespace }}
priority: 15
services:
- kind: Service
name: kyoo-back
port: 5000

15
clusters/cl01tl/applications/kyoo/templates/middleware.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: kyoo-strip-prefix
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-strip-prefix
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
stripPrefix:
prefixes:
- /api/

229
clusters/cl01tl/applications/kyoo/templates/persistent-volume-claim.yaml Normal file
View File

@@ -0,0 +1,229 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-anime-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-anime-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-anime-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-anime-movies-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-anime-movies-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-anime-movies-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-documentaries-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-documentaries-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-documentaries-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-documentary-shows-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-documentary-shows-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-documentary-shows-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-movies-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-movies-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-movies-4k-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-4k-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-movies-4k-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-movies-classics-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-classics-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-movies-classics-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-movies-foreign-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-foreign-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-movies-foreign-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-stand-up-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-stand-up-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-stand-up-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-tv-shows-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-tv-shows-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-tv-shows-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-tv-shows-4k-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-tv-shows-4k-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-tv-shows-4k-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

295
clusters/cl01tl/applications/kyoo/templates/persistent-volume.yaml Normal file
View File

@@ -0,0 +1,295 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-anime-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-anime-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Anime
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-anime-movies-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-anime-movies-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Anime Movies"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-documentaries-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-documentaries-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Documentaries
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-documentary-shows-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-documentary-shows-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Documentary Shows"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-movies-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Movies
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-movies-4k-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-4k-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Movies 4K"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-movies-classics-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-classics-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Movies Classics"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-movies-foreign-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-foreign-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Movies Foreign"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-stand-up-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-stand-up-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Stand Up"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-tv-shows-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-tv-shows-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/TV Shows"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-tv-shows-4k-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-tv-shows-4k-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/TV Shows 4K"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac

590
clusters/cl01tl/applications/kyoo/values.yaml Normal file
View File

@@ -0,0 +1,590 @@
app-template:
controllers:
autosync:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_autosync
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: RABBITMQ_HOST
value: kyoo-rabbitmq
- name: RABBITMQ_DEFAULT_USER
value: kyoo
- name: RABBITMQ_DEFAULT_PASS
valueFrom:
secretKeyRef:
name: kyoo-rabbitmq-secret
key: password
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 10m
memory: 128Mi
back:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
initContainers:
migrations:
image:
repository: ghcr.io/zoriya/kyoo_migrations
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: password
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: dbname
- name: POSTGRES_SERVER
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: host
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: port
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 10m
memory: 256Mi
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_back
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: REQUIRE_ACCOUNT_VERIFICATION
value: "false"
- name: UNLOGGED_PERMISSIONS
value: overall.read
- name: DEFAULT_PERMISSIONS
value: overall.read,overall.play
- name: AUTHENTICATION_SECRET
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: key
- name: KYOO_APIKEYS
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: kyoo
- name: THEMOVIEDB_APIKEY
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: tmdb
- name: PUBLIC_URL
value: https://kyoo.alexlebens.net
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: password
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: dbname
- name: POSTGRES_SERVER
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: host
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: port
- name: OIDC_SERVICE_NAME
value: Authentik
- name: OIDC_SERVICE_LOGO
value: https://avatars.githubusercontent.com/u/82976448?s=200&v=4
- name: OIDC_SERVICE_AUTHORIZATION
value: https://authentik.alexlebens.net/application/o/authorize/
- name: OIDC_SERVICE_TOKEN
value: https://authentik.alexlebens.net/application/o/token/
- name: OIDC_SERVICE_PROFILE
value: https://authentik.alexlebens.net/application/o/userinfo/
- name: OIDC_SERVICE_SCOPE
value: "openid profile email"
- name: OIDC_SERVICE_CLIENTID
valueFrom:
secretKeyRef:
name: kyoo-oidc-secret
key: client
- name: OIDC_SERVICE_SECRET
valueFrom:
secretKeyRef:
name: kyoo-oidc-secret
key: secret
- name: TRANSCODER_URL
value: http://kyoo-transcoder.kyoo:7666
- name: MEILI_HOST
value: http://kyoo-meilisearch.kyoo:7700
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: kyoo-meilisearch-master-key-secret
key: MEILI_MASTER_KEY
- name: RABBITMQ_HOST
value: kyoo-rabbitmq
- name: RABBITMQ_DEFAULT_USER
value: kyoo
- name: RABBITMQ_DEFAULT_PASS
valueFrom:
secretKeyRef:
name: kyoo-rabbitmq-secret
key: password
resources:
limits:
cpu: 5000m
memory: 5Gi
requests:
cpu: 100m
memory: 256Mi
front:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_front
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: KYOO_URL
value: http://kyoo-back.kyoo:5000
- name: KYOO_APIKEYS
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: kyoo
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
matcher:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_scanner
tag: "4.5.0"
pullPolicy: IfNotPresent
args:
- matcher
env:
- name: KYOO_URL
value: http://kyoo-back.kyoo:5000
- name: KYOO_APIKEYS
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: kyoo
- name: THEMOVIEDB_APIKEY
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: tmdb
- name: LIBRARY_LANGUAGES
value: en
- name: LIBRARY_IGNORE_PATTERN
value: .*/[dD]ownloads?/.*
- name: RABBITMQ_HOST
value: kyoo-rabbitmq
- name: RABBITMQ_DEFAULT_USER
value: kyoo
- name: RABBITMQ_DEFAULT_PASS
valueFrom:
secretKeyRef:
name: kyoo-rabbitmq-secret
key: password
resources:
limits:
cpu: 5000m
memory: 2Gi
requests:
cpu: 100m
memory: 256Mi
scanner:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_scanner
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: KYOO_URL
value: http://kyoo-back.kyoo:5000
- name: KYOO_APIKEYS
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: kyoo
- name: THEMOVIEDB_APIKEY
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: tmdb
- name: LIBRARY_LANGUAGES
value: en
- name: LIBRARY_IGNORE_PATTERN
value: .*/[dD]ownloads?/.*
- name: RABBITMQ_HOST
value: kyoo-rabbitmq
- name: RABBITMQ_DEFAULT_USER
value: kyoo
- name: RABBITMQ_DEFAULT_PASS
valueFrom:
secretKeyRef:
name: kyoo-rabbitmq-secret
key: password
resources:
limits:
cpu: 5000m
memory: 2Gi
requests:
cpu: 100m
memory: 256Mi
transcoder:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_transcoder
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: GOCODER_HWACCEL
value: qsv
- name: GOCODER_QSV_RENDERER
value: /dev/dri/renderD128
- name: GOCODER_PRESET
value: fast
- name: GOCODER_METADATA_ROOT
value: /metadata
- name: GOCODER_CACHE_ROOT
value: /cache
resources:
limits:
cpu: 5000m
memory: 4Gi
gpu.intel.com/i915: 1
requests:
cpu: 100m
memory: 512Mi
gpu.intel.com/i915: 1
serviceAccount:
create: true
service:
back:
controller: back
ports:
http:
port: 5000
targetPort: 5000
protocol: HTTP
front:
controller: front
ports:
http:
port: 8901
targetPort: 8901
protocol: HTTP
transcoder:
controller: transcoder
ports:
http:
port: 7666
targetPort: 7666
protocol: HTTP
persistence:
back:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 50Gi
retain: true
advancedMounts:
back:
main:
- path: /metadata
readOnly: false
metadata:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 10Gi
retain: true
advancedMounts:
transcoder:
main:
- path: /metadata
readOnly: false
cache:
type: emptyDir
advancedMounts:
transcoder:
main:
- path: /cache
readOnly: false
anime:
existingClaim: kyoo-anime-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Anime"
readOnly: true
matcher:
main:
- path: "/video/Anime"
readOnly: true
transcoder:
main:
- path: "/video/Anime"
readOnly: true
anime-movies:
existingClaim: kyoo-anime-movies-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Anime Movies"
readOnly: true
matcher:
main:
- path: "/video/Anime Movies"
readOnly: true
transcoder:
main:
- path: "/video/Anime Movies"
readOnly: true
documentaries:
existingClaim: kyoo-documentaries-nfs-storage
advancedMounts:
scanner:
main:
- path: /video/Documentaries
readOnly: true
matcher:
main:
- path: /video/Documentaries
readOnly: true
transcoder:
main:
- path: /video/Documentaries
readOnly: true
documentary-shows:
existingClaim: kyoo-documentary-shows-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Documentary Shows"
readOnly: true
matcher:
main:
- path: "/video/Documentary Shows"
readOnly: true
transcoder:
main:
- path: "/video/Documentary Shows"
readOnly: true
movies:
existingClaim: kyoo-movies-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Movies"
readOnly: true
matcher:
main:
- path: "/video/Movies"
readOnly: true
transcoder:
main:
- path: "/video/Movies"
readOnly: true
movies-4k:
existingClaim: kyoo-movies-4k-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Movies 4K"
readOnly: true
matcher:
main:
- path: "/video/Movies 4K"
readOnly: true
transcoder:
main:
- path: "/video/Movies 4K"
readOnly: true
movies-classics:
existingClaim: kyoo-movies-classics-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Movies Classics"
readOnly: true
matcher:
main:
- path: "/video/Movies Classics"
readOnly: true
transcoder:
main:
- path: "/video/Movies Classics"
readOnly: true
movies-foreign:
existingClaim: kyoo-movies-foreign-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Movies Foreign"
readOnly: true
matcher:
main:
- path: "/video/Movies Foreign"
readOnly: true
transcoder:
main:
- path: "/video/Movies Foreign"
readOnly: true
stand-up:
existingClaim: kyoo-stand-up-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Stand Up"
readOnly: true
matcher:
main:
- path: "/video/Stand Up"
readOnly: true
transcoder:
main:
- path: "/video/Stand Up"
readOnly: true
tv-shows:
existingClaim: kyoo-tv-shows-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/TV Shows"
readOnly: true
matcher:
main:
- path: "/video/TV Shows"
readOnly: true
transcoder:
main:
- path: "/video/TV Shows"
readOnly: true
tv-shows-4k:
existingClaim: kyoo-tv-shows-4k-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/TV Shows 4K"
readOnly: true
matcher:
main:
- path: "/video/TV Shows 4K"
readOnly: true
transcoder:
main:
- path: "/video/TV Shows 4K"
readOnly: true
rabbitmq:
auth:
username: kyoo
existingPasswordSecret: kyoo-rabbitmq-secret
existingSecretPasswordKey: password
existingErlangSecret: kyoo-rabbitmq-secret
existingSecretErlangKey: erlang
extraConfiguration: |-
default_vhost = /
default_permissions.configure = .*
default_permissions.read = .*
default_permissions.write = .*
meilisearch:
environment:
MEILI_NO_ANALYTICS: true
MEILI_ENV: production
auth:
existingMasterKeySecret: kyoo-meilisearch-master-key-secret
service:
type: ClusterIP
port: 7700
persistence:
enabled: true
storageClass: ceph-block
size: 10Gi
resources:
limits:
cpu: 200m
memory: 2Gi
requests:
cpu: 10m
memory: 128Mi
serviceMonitor:
enabled: true
postgres-16-cluster:
mode: standalone
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/kyoo
endpointCredentials: kyoo-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d

11
clusters/cl01tl/applications/libation/Chart.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v2
name: libation
version: 0.0.5
sources:
- https://github.com/rmcrackan/Libation
- https://github.com/alexlebens/helm-charts/charts/libation
dependencies:
- name: libation
version: 0.0.6
repository: http://alexlebens.github.io/helm-charts
appVersion: "11.1.0"

19
clusters/cl01tl/applications/libation/templates/persistent-volume-claim.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: libation-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: libation-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

25
clusters/cl01tl/applications/libation/templates/persistent-volume.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: libation-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.storage.nfs.path }}
server: {{ .Values.storage.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac

14
clusters/cl01tl/applications/libation/values.yaml Normal file
View File

@@ -0,0 +1,14 @@
libation:
libation:
job:
schedule: "0 * * * *"
persistence:
config:
storageClassName: nfs-client
books:
claimName: libation-nfs-storage
storage:
storage:
nfs:
path: /volume2/Storage/Audiobooks/
server: synologybond.alexlebens.net

11
clusters/cl01tl/applications/navidrome/Chart.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v2
name: navidrome
version: 0.0.2
sources:
- https://github.com/navidrome/navidrome
- https://github.com/0xEmma/helm-charts/tree/main/charts/navidrome
dependencies:
- name: navidrome
version: 0.0.6
repository: https://0xemma.github.io/helm-charts
appVersion: "0.51.1"

19
clusters/cl01tl/applications/navidrome/templates/persistent-volume-claim.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: navidrome-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: navidrome-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

25
clusters/cl01tl/applications/navidrome/templates/persistent-volume.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: navidrome-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.storage.nfs.path }}
server: {{ .Values.storage.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac

43
clusters/cl01tl/applications/navidrome/values.yaml Normal file
View File

@@ -0,0 +1,43 @@
navidrome:
image:
repository: deluan/navidrome
tag: "0.52.5"
ingress:
main:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: navidrome.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: navidrome-secret-tls
hosts:
- navidrome.alexlebens.net
persistence:
config:
enabled: true
mountPath: /data
accessMode: ReadWriteOnce
size: 2Gi
music:
enabled: true
mountPath: /mnt/store
type: pvc
existingClaim: navidrome-nfs-storage
env:
ND_MUSICFOLDER: /mnt/store/Music
ND_SCANSCHEDULE: 1h
ND_LOGLEVEL: info
ND_SESSIONTIMEOUT: 24h
ND_BASEURL: "/"
storage:
storage:
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net

21
clusters/cl01tl/applications/outline/Chart.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: v2
name: outline
version: 1.0.0
sources:
- https://github.com/outline/outline
- https://github.com/minio/operator
- https://github.com/alexlebens/helm-charts/charts/outline
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: outline
version: 0.6.1
repository: http://alexlebens.github.io/helm-charts
- name: tenant
version: 5.0.15
alias: minio
repository: https://operator.min.io/
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: v0.75.2

176
clusters/cl01tl/applications/outline/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,176 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret-key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/key
metadataPolicy: None
property: secret-key
- secretKey: utils-key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/key
metadataPolicy: None
property: utils-key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/outline
metadataPolicy: None
property: client
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/outline
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-bucket-user-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: outline-bucket-user-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/minio/auth
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/minio/auth
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-minio-root-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: outline-bucket-auth-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.env
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/minio/root
metadataPolicy: None
property: config.env
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-minio-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: outline-bucket-auth-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.env
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/minio/config
metadataPolicy: None
property: config.env
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-outline-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-outline-postgresql
metadataPolicy: None
property: secret_key

123
clusters/cl01tl/applications/outline/values.yaml Normal file
View File

@@ -0,0 +1,123 @@
outline:
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
host: outline.alexlebens.net
persistence:
type: s3
s3:
credentialsSecret: outline-bucket-user-secret
region: us-east-1
bucketName: outline
bucketUrl: https://minio-outline-api.alexlebens.net/outline
forcePathStyle: false
outline:
url: https://outline.alexlebens.net
secretKey:
existingSecretName: outline-key-secret
existingSecretKey: secret-key
utilsSecret:
existingSecretName: outline-key-secret
existingSecretKey: utils-key
database:
usernameSecret:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: username
passwordSecret:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: password
databaseName:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: dbname
databaseHost:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: host
databasePort:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: port
auth:
oidc:
enabled: true
clientId:
existingSecretName: outline-oidc-secret
existingSecretKey: client
clientSecret:
existingSecretName: outline-oidc-secret
existingSecretKey: secret
authUri: https://authentik.alexlebens.net/application/o/authorize/
tokenUri: https://authentik.alexlebens.net/application/o/token/
userinfoUri: https://authentik.alexlebens.net/application/o/userinfo/
usernameClaim: email
displayName: Authentik
scopes: openid profile email
minio:
existingSecret:
name: outline-minio-root-secret
tenant:
name: minio-outline
configuration:
name: outline-minio-config-secret
pools:
- servers: 3
name: pool
volumesPerServer: 2
size: 10Gi
storageClassName: ceph-block
mountPath: /export
subPath: /data
metrics:
enabled: true
port: 9000
protocol: http
certificate:
requestAutoCert: false
ingress:
api:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
tls:
- secretName: minio-outline-api-secret-tls
hosts:
- minio-outline-api.alexlebens.net
host: minio-outline-api.alexlebens.net
path: /
pathType: Prefix
console:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
tls:
- secretName: minio-outline-console-secret-tls
hosts:
- minio-outline.alexlebens.net
host: minio-outline.alexlebens.net
path: /
pathType: Prefix
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/outline
endpointCredentials: outline-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d

25
clusters/cl01tl/applications/penpot/Chart.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: v2
name: penpot
version: 1.0.0
sources:
- https://github.com/penpot/penpot
- https://github.com/minio/operator
- https://github.com/bitnami/charts/tree/main/bitnami/redis
- https://github.com/alexlebens/helm-charts/charts/penpot
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: penpot
version: 0.1.0
repository: http://alexlebens.github.io/helm-charts
- name: redis
version: 19.3.2
repository: https://charts.bitnami.com/bitnami
- name: tenant
version: 5.0.15
alias: minio
repository: https://operator.min.io/
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: 2.0.0

169
clusters/cl01tl/applications/penpot/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,169 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/key
metadataPolicy: None
property: key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/penpot
metadataPolicy: None
property: client
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/penpot
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-bucket-user-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-bucket-user-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/minio/auth
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/minio/auth
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-minio-root-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-bucket-auth-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.env
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/minio/root
metadataPolicy: None
property: config.env
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-minio-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-minio-config-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.env
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/minio/config
metadataPolicy: None
property: config.env
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-penpot-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-penpot-postgresql
metadataPolicy: None
property: secret_key

135
clusters/cl01tl/applications/penpot/values.yaml Normal file
View File

@@ -0,0 +1,135 @@
penpot:
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: penpot.alexlebens.net
tls:
- secretName: penpot-secret-tls
hosts:
- penpot.alexlebens.net
persistence:
enabled: true
storageClass: ceph-block
size: 8Gi
accessModes:
- ReadWriteOnce
config:
publicURI: https://penpot.alexlebens.net
flags: enable-registration enable-insecure-register enable-login enable-login-with-oidc disable-demo-users disable-demo-warning
apiSecretKey:
existingSecretName: penpot-key-secret
existingSecretKey: key
postgresql:
host: penpot-postgresql-16-cluster-rw.penpot.svc.cluster.local
port: 5432
database: app
existingSecret: penpot-postgresql-16-cluster-app
secretKeys:
usernameKey: username
passwordKey: password
redis:
host: penpot-redis-headless.penpot.svc.cluster.local
port: 6379
database: 0
assets:
storageBackend: assets-s3
s3:
region: us-east-1
bucket: penpot
endpointURI: https://minio-penpot-api.alexlebens.net/penpot
existingSecret: penpot-bucket-user-secret
secretKeys:
accessKeyIDKey: AWS_ACCESS_KEY_ID
secretAccessKey: AWS_SECRET_ACCESS_KEY
telemetryEnabled: false
providers:
oidc:
enabled: true
baseURI: https://authentik.alexlebens.net/application/o/
authURI: https://authentik.alexlebens.net/application/o/authorize/
tokenURI: https://authentik.alexlebens.net/application/o/token/
userURI: https://authentik.alexlebens.net/application/o/userinfo/
roles: ""
rolesAttribute: ""
scopes: "openid profile email"
nameAttribute: preferred_username
emailAttribute: email
existingSecret: penpot-oidc-secret
secretKeys:
oidcClientIDKey: client
oidcClientSecretKey: secret
redis:
architecture: standalone
auth:
enabled: false
minio:
existingSecret:
name: penpot-minio-root-secret
tenant:
name: minio-penpot
configuration:
name: penpot-minio-config-secret
pools:
- servers: 3
name: pool
volumesPerServer: 2
size: 10Gi
storageClassName: ceph-block
mountPath: /export
subPath: /data
metrics:
enabled: true
port: 9000
protocol: http
certificate:
requestAutoCert: false
ingress:
api:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
tls:
- secretName: minio-penpot-api-secret-tls
hosts:
- minio-penpot-api.alexlebens.net
host: minio-penpot-api.alexlebens.net
path: /
pathType: Prefix
console:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
tls:
- secretName: minio-penpot-console-secret-tls
hosts:
- minio-penpot.alexlebens.net
host: minio-penpot.alexlebens.net
path: /
pathType: Prefix
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/penpot
endpointCredentials: penpot-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d

11
clusters/cl01tl/applications/plex/Chart.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v2
name: plex
version: 0.0.1
sources:
- https://www.plex.tv/
- https://github.com/k8s-home-lab/helm-charts/tree/master/charts/stable/plex
dependencies:
- name: plex
version: 7.1.4
repository: https://k8s-home-lab.github.io/helm-charts/
appVersion: 1.40.0.7998-c29d4c0c8

40
clusters/cl01tl/applications/plex/templates/persistent-volume-claim.yaml Normal file
View File

@@ -0,0 +1,40 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: plex-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: plex-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: plex-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.storage.config.storageSize }}
storageClassName: {{ .Values.storage.config.storageClassName }}
volumeMode: {{ .Values.storage.config.volumeMode }}

25
clusters/cl01tl/applications/plex/templates/persistent-volume.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: plex-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.media.nfs.path }}
server: {{ .Values.storage.media.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac

78
clusters/cl01tl/applications/plex/values.yaml Normal file
View File

@@ -0,0 +1,78 @@
plex:
image:
repository: ghcr.io/onedr0p/plex
tag: 1.40.2.8395-c67dce28e
env:
ADVERTISE_IP: "https://plex.alexlebens.net:443/"
ALLOWED_NETWORKS: "10.0.0.0/8,192.168.1.0/24"
service:
main:
primary: true
type: LoadBalancer
annotations:
metallb.universe.tf/allow-shared-ip: "external"
externalIPs:
- 192.168.1.17
- 192.168.1.16
- 192.168.1.15
ports:
http:
port: 32400
ingress:
main:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: plex.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: plex-secret-tls
hosts:
- plex.alexlebens.net
hostNetwork: false
persistence:
config:
enabled: true
existingClaim: plex-config
transcode:
enabled: true
type: emptyDir
media:
enabled: true
mountPath: /mnt/store
type: pvc
existingClaim: plex-nfs-storage
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: "OnRootMismatch"
supplementalGroups:
- 44
- 100
- 109
- 65539
resources:
requests:
gpu.intel.com/i915: 1
cpu: 100m
memory: 256Mi
limits:
gpu.intel.com/i915: 1
cpu: 4000m
memory: 4096Mi
storage:
config:
storageClassName: ceph-block
storageSize: 80Gi
volumeMode: Filesystem
media:
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net

17
clusters/cl01tl/applications/taiga/Chart.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: v2
name: taiga
version: 1.0.0
sources:
- https://github.com/taigaio
- https://github.com/rabbitmq/rabbitmq-server
- https://github.com/alexlebens/helm-charts/charts/taiga
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: taiga
version: 0.2.2
repository: http://alexlebens.github.io/helm-charts
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: 6.7.7

200
clusters/cl01tl/applications/taiga/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,200 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/key
metadataPolicy: None
property: key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: client
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: secret
- secretKey: scopes
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: scopes
- secretKey: signatureAlgorithm
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: signatureAlgorithm
- secretKey: baseUrl
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: baseUrl
- secretKey: jwksEndpoint
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: jwksEndpoint
- secretKey: authorizationEndpoint
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: authorizationEndpoint
- secretKey: tokenEndpoint
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: tokenEndpoint
- secretKey: userEndpoint
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: userEndpoint
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-async-rabbitmq-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-async-rabbitmq-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/rabbitmq/async
metadataPolicy: None
property: password
- secretKey: erlang
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/rabbitmq/async
metadataPolicy: None
property: erlang
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-events-rabbitmq-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-events-rabbitmq-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/rabbitmq/events
metadataPolicy: None
property: password
- secretKey: erlang
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/rabbitmq/events
metadataPolicy: None
property: erlang
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-taiga-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-taiga-postgresql
metadataPolicy: None
property: secret_key

152
clusters/cl01tl/applications/taiga/values.yaml Normal file
View File

@@ -0,0 +1,152 @@
taiga:
serviceAccount:
create: true
secretKey:
existingSecretName: taiga-key-secret
existingSecretKey: key
createInitialUser: false
enableTelemetry: false
publicRegisterEnabled: false
postgresql:
existingSecretName: taiga-postgresql-16-cluster-app
usernameKey: username
passwordKey: password
databaseNameKey: dbname
hostKey: host
portKey: port
oidc:
enabled: true
existingSecretName: taiga-oidc-secret
scopesKey: scopes
signatureAlgorithmKey: signatureAlgorithm
clientIdKey: client
clientSecretKey: secret
baseUrlKey: baseUrl
jwksEndpointKey: jwksEndpoint
authorizationEndpointKey: authorizationEndpoint
tokenEndpointKey: tokenEndpoint
userEndpointKey: userEndpoint
back:
image:
repository: ghcr.io/alexlebens/taiga-back-docker-oidc
tag: latest
pullPolicy: Always
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: true
readinessProbe:
enabled: true
async:
image:
repository: ghcr.io/alexlebens/taiga-back-docker-oidc
tag: latest
pullPolicy: Always
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: true
readinessProbe:
enabled: true
async-rabbitmq:
auth:
username: taiga
existingPasswordSecret: taiga-async-rabbitmq-secret
existingSecretPasswordKey: password
existingErlangSecret: taiga-async-rabbitmq-secret
existingSecretErlangKey: erlang
events:
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: false
readinessProbe:
enabled: false
events-rabbitmq:
auth:
username: taiga
existingPasswordSecret: taiga-events-rabbitmq-secret
existingSecretPasswordKey: password
existingErlangSecret: taiga-events-rabbitmq-secret
existingSecretErlangKey: erlang
protected:
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: false
readinessProbe:
enabled: false
front:
image:
repository: ghcr.io/alexlebens/taiga-front-docker-oidc
tag: latest
pullPolicy: Always
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: true
readinessProbe:
enabled: true
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
className: traefik
host: taiga.alexlebens.net
persistence:
static:
enabled: true
storageClass: nfs-client
accessMode: ReadWriteMany
size: 1Gi
media:
enabled: true
storageClass: nfs-client
accessMode: ReadWriteMany
size: 1Gi
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: false
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/taiga
endpointCredentials: taiga-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d

13
clusters/cl01tl/applications/tubearchivist/Chart.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v2
name: tubearchivist
version: 0.0.7
sources:
- https://github.com/tubearchivist/tubearchivist
- https://github.com/alexlebens/helm-charts/charts/tubearchivist
- https://github.com/tubearchivist/tubearchivist-jf
- https://github.com/alexlebens/helm-charts/charts/tubearchivist-to-jellyfin
dependencies:
- name: tubearchivist
version: 0.2.7
repository: http://alexlebens.github.io/helm-charts
appVersion: v0.4.6

83
clusters/cl01tl/applications/tubearchivist/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,83 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: tubearchivist-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ELASTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: ELASTIC_PASSWORD
- secretKey: ES_URL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: ES_URL
- secretKey: REDIS_HOST
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: REDIS_HOST
- secretKey: TA_HOST
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: TA_HOST
- secretKey: TA_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: TA_PASSWORD
- secretKey: TA_USERNAME
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: TA_USERNAME
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: tubearchivist-elasticsearch-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ELASTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: ELASTIC_PASSWORD

19
clusters/cl01tl/applications/tubearchivist/templates/persistent-volume-claim.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: tubearchivist-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: tubearchivist-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

25
clusters/cl01tl/applications/tubearchivist/templates/persistent-volume.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: tubearchivist-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.youtube.nfsPath }}
server: {{ .Values.storage.youtube.nfsServer }}
mountOptions:
- vers=4
- minorversion=1
- noac

46
clusters/cl01tl/applications/tubearchivist/values.yaml Normal file
View File

@@ -0,0 +1,46 @@
tubearchivist:
deployment:
env:
TZ: US/Central
envFrom:
- secretRef:
name: tubearchivist-config-secret
resources:
limits:
memory: 2Gi
cpu: 1000m
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
host: tubearchivist.alexlebens.net
persistence:
cache:
enabled: true
storageClassName: ceph-block
storageSize: 80Gi
youtube:
claimName: tubearchivist-nfs-storage
elasticsearch:
global:
storageClass: ceph-block
extraEnvVarsSecret: tubearchivist-elasticsearch-secret
extraConfig:
path:
repo: /usr/share/elasticsearch/data/snapshot
extraVolumes:
- name: snapshot
nfs:
path: /volume2/Storage/TubeArchivist
server: synologybond.alexlebens.net
extraVolumeMounts:
- name: snapshot
mountPath: /usr/share/elasticsearch/data/snapshot
snapshotRepoPath: /usr/share/elasticsearch/data/snapshot
storage:
youtube:
nfsPath: /volume2/Storage/YouTube
nfsServer: synologybond.alexlebens.net

20
clusters/cl01tl/applications/vikunja/Chart.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: v2
name: vikunja
version: 1.0.0
sources:
- https://kolaente.dev/vikunja/vikunja
- https://kolaente.dev/vikunja/helm-chart
- https://github.com/bitnami/charts/tree/main/bitnami/redis
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: vikunja
version: 0.4.3
repository: oci://kolaente.dev/vikunja
- name: redis
version: 19.3.2
repository: https://charts.bitnami.com/bitnami
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: v0.22.1

62
clusters/cl01tl/applications/vikunja/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,62 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vikunja-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.yml
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /vikunja/config
metadataPolicy: None
property: config.yml
- secretKey: redis-password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /vikunja/config
metadataPolicy: None
property: redis-password
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vikunja-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vikunja-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-vikunja-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-vikunja-postgresql
metadataPolicy: None
property: secret_key

117
clusters/cl01tl/applications/vikunja/values.yaml Normal file
View File

@@ -0,0 +1,117 @@
vikunja:
api:
enabled: true
image:
repository: vikunja/api
tag: 0.22.1
persistence:
data:
enabled: true
size: 10Gi
mountPath: /app/vikunja/files
storageClass: ceph-block
config:
type: secret
name: vikunja-config-secret
configMaps:
config:
enabled: false
ingress:
main:
enabled: true
className: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt-issuer
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
hosts:
- host: vikunja.alexlebens.net
paths:
- path: /api/v1/
tls:
- hosts:
- vikunja.alexlebens.net
secretName: vikunja-secret-tls
env:
VIKUNJA_SERVICE_FRONTENDURL: https://vikunja.alexlebens.net
VIKUNJA_SERVICE_ENABLEREGISTRATION: "true"
VIKUNJA_SERVICE_TIMEZONE: US/Central
VIKUNJA_REDIS_ENABLED: "true"
VIKUNJA_REDIS_HOST: vikunja-redis-headless:6379
VIKUNJA_REDIS_PASSWORD:
valueFrom:
secretKeyRef:
name: vikunja-config-secret
key: redis-password
VIKUNJA_DATABASE_USER:
valueFrom:
secretKeyRef:
name: vikunja-postgresql-16-cluster-app
key: user
VIKUNJA_DATABASE_DATABASE:
valueFrom:
secretKeyRef:
name: vikunja-postgresql-16-cluster-app
key: dbname
VIKUNJA_DATABASE_HOST:
valueFrom:
secretKeyRef:
name: vikunja-postgresql-16-cluster-app
key: host
VIKUNJA_DATABASE_PASSWORD:
valueFrom:
secretKeyRef:
name: vikunja-postgresql-16-cluster-app
key: password
frontend:
enabled: true
image:
repository: vikunja/frontend
tag: 0.22.1
env:
VIKUNJA_API_URL: https://vikunja.alexlebens.net/api/v1/
ingress:
main:
enabled: true
className: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt-issuer
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
hosts:
- host: vikunja.alexlebens.net
paths:
- path: /
tls:
- hosts:
- vikunja.alexlebens.net
secretName: vikunja-secret-tls
postgresql:
enabled: false
redis:
enabled: false
typesense:
enabled: false
redis:
architecture: standalone
auth:
enabled: true
existingSecret: vikunja-config-secret
existingSecretPasswordKey: redis-password
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/vikunja
endpointCredentials: vikunja-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d

11
clusters/cl01tl/deployment/argo-rollouts/Chart.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v2
name: argo-rollouts
version: 1.0.0
sources:
- https://github.com/argoproj/argo-rollouts
- https://github.com/argoproj/argo-helm/tree/main/charts
dependencies:
- name: argo-rollouts
version: 2.35.2
repository: https://argoproj.github.io/argo-helm
appVersion: v1.6.6

45
clusters/cl01tl/deployment/argo-rollouts/values.yaml Normal file
View File

@@ -0,0 +1,45 @@
argo-rollouts:
controller:
metrics:
enabled: true
serviceMonitor:
enabled: true
namespace: argocd
dashboard:
enabled: true
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
ingressClassName: traefik
hosts:
- argo-rollouts.alexlebens.net
tls:
- secretName: argo-rollouts-secret-tls
hosts:
- argo-rollouts.alexlebens.net
notifications:
notifiers: {}
# service.slack: |
# token: $slack-token
# -- Notification templates
templates: {}
# template.my-purple-template: |
# message: |
# Rollout {{.rollout.metadata.name}} has purple image
# slack:
# attachments: |
# [{
# "title": "{{ .rollout.metadata.name}}",
# "color": "#800080"
# }]
# -- The trigger defines the condition when the notification should be sent
triggers: {}
# trigger.on-purple: |
# - send: [my-purple-template]
# when: rollout.spec.template.spec.containers[0].image == 'argoproj/rollouts-demo:purple'

20
clusters/cl01tl/deployment/argo-workflows/Chart.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: v2
name: argo-workflows
version: 1.0.0
sources:
- https://github.com/argoproj/argo-workflows
- https://github.com/argoproj/argo-events
- https://github.com/argoproj/argo-helm/tree/main/charts
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: argo-workflows
version: 0.41.4
repository: https://argoproj.github.io/argo-helm
- name: argo-events
version: 2.4.4
repository: https://argoproj.github.io/argo-helm
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: v3.5.6

62
clusters/cl01tl/deployment/argo-workflows/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,62 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argo-workflows-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argo-workflows-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argo-workflows
metadataPolicy: None
property: secret
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argo-workflows
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argo-workflows-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argo-workflows-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-argo-workflows-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-argo-workflows-postgresql
metadataPolicy: None
property: secret_key

121
clusters/cl01tl/deployment/argo-workflows/values.yaml Normal file
View File

@@ -0,0 +1,121 @@
argo-workflows:
controller:
metricsConfig:
enabled: true
persistence:
connectionPool:
maxIdleConns: 100
maxOpenConns: 0
nodeStatusOffLoad: true
archive: true
postgresql:
host: argo-workflows-postgresql-16-cluster-rw
port: 5432
database: app
tableName: app
userNameSecret:
name: argo-workflows-postgresql-16-cluster-app
key: username
passwordSecret:
name: argo-workflows-postgresql-16-cluster-app
key: password
ssl: false
sslMode: disable
workflowWorkers: 2
workflowTTLWorkers: 1
podCleanupWorkers: 1
cronWorkflowWorkers: 1
telemetryConfig:
enabled: true
serviceMonitor:
enabled: true
name: workflow-controller
workflowNamespaces:
- argocd
server:
authModes:
- sso
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
ingressClassName: traefik
hosts:
- argo-workflows.alexlebens.net
tls:
- secretName: argoworkflows-example-tls
hosts:
- argo-workflows.alexlebens.net
sso:
enabled: true
issuer: https://authentik.alexlebens.net/application/o/argo-workflows/
clientId:
name: argo-workflows-oidc-secret
key: client
clientSecret:
name: argo-workflows-oidc-secret
key: secret
redirectUrl: https://argo-workflows.alexlebens.net/oauth2/callback
rbac:
enabled: false
scopes:
- openid
- email
- profile
useStaticCredentials: true
artifactRepository:
archiveLogs: false
s3: {}
# accessKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: accesskey
# secretKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: secretkey
# insecure: true
# bucket:
# endpoint:
# region:
# encryptionOptions:
# enableEncryption: true
argo-events:
global:
image:
repository: quay.io/argoproj/argo-events
tag: v1.9.1
controller:
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
metrics:
enabled: true
serviceMonitor:
enabled: true
namespace: argocd
webhook:
enabled: true
postgres-16-cluster:
mode: standalone
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/argo-workflows
endpointCredentials: argo-workflows-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d

12
clusters/cl01tl/deployment/argocd/Chart.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v2
name: argocd
version: 0.1.0
home: https://outline.alexlebens.net/doc/argo-cd-qLEdrgdwOD
sources:
- https://github.com/argoproj/argo-cd
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
dependencies:
- name: argo-cd
version: 6.9.3
repository: https://argoproj.github.io/argo-helm
appVersion: v2.10.8

110
clusters/cl01tl/deployment/argocd/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,110 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argocd-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "{{ .Release.Name }}-server"
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: server
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd
metadataPolicy: None
property: secret
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argocd-cluster-cl02do-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "{{ .Release.Name }}-server"
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: server
app.kubernetes.io/part-of: {{ .Release.Name }}
argocd.argoproj.io/secret-type: cluster
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: name
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/cluster/cl02do
metadataPolicy: None
property: name
- secretKey: server
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/cluster/cl02do
metadataPolicy: None
property: server
- secretKey: config
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/cluster/cl02do
metadataPolicy: None
property: config
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argocd-repo-alexlebens-dev-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "{{ .Release.Name }}-server"
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: server
app.kubernetes.io/part-of: {{ .Release.Name }}
argocd.argoproj.io/secret-type: repository
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: type
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/repo/alexlebens-dev
metadataPolicy: None
property: type
- secretKey: url
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/repo/alexlebens-dev
metadataPolicy: None
property: url
- secretKey: sshPrivateKey
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/repo/alexlebens-dev
metadataPolicy: None
property: sshPrivateKey

66
clusters/cl01tl/deployment/argocd/values.yaml Normal file
View File

@@ -0,0 +1,66 @@
argo-cd:
crds:
install: true
configs:
cm:
admin.enabled: true
url: https://argocd.alexlebens.net
statusbadge.enabled: true
dex.config: |
connectors:
- config:
issuer: https://authentik.alexlebens.net/application/o/argocd/
clientID: $argocd-oidc-secret:client
clientSecret: $argocd-oidc-secret:secret
insecureEnableGroups: true
scopes:
- openid
- profile
- email
- groups
name: authentik
type: oidc
id: authentik
rbac:
policy.csv: |
g, ArgoCD Admins, role:admin
params:
server.insecure: true
server:
replicas: 2
ingress:
enabled: true
controller: generic
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hostname: argocd.alexlebens.net
tls: true
metrics:
enabled: true
serviceMonitor:
enabled: true
dex:
enabled: true
redis-ha:
enabled: true
controller:
replicas: 1
metrics:
enabled: true
serviceMonitor:
enabled: true
repoServer:
replicas: 2
metrics:
enabled: true
serviceMonitor:
enabled: true
applicationSet:
replicas: 2
metrics:
enabled: true
serviceMonitor:
enabled: true

11
clusters/cl01tl/deployment/kargo/Chart.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v2
name: kargo
version: 1.0.0
sources:
- https://github.com/akuity/kargo
- https://github.com/akuity/kargo/blob/main/charts/kargo/Chart.yaml
dependencies:
- name: kargo
version: 0.6.0
repository: oci://ghcr.io/akuity/kargo-charts
appVersion: v0.5.1

56
clusters/cl01tl/deployment/kargo/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,56 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kargo-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kargo-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: CLIENT_SECRET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/kargo
metadataPolicy: None
property: secret
- secretKey: CLIENT_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/kargo
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kargo-cluster-cl02do-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kargo-cluster-cl02do-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
argocd.argoproj.io/secret-type: cluster
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: kubeconfig
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/cluster/cl02do
metadataPolicy: None
property: kubeconfig

120
clusters/cl01tl/deployment/kargo/values.yaml Normal file
View File

@@ -0,0 +1,120 @@
kargo:
api:
host: kargo.alexlebens.net
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
tls:
enabled: false
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
ingressClassName: traefik
tls:
enabled: true
selfSignedCert: false
adminAccount:
enabled: false
oidc:
enabled: true
admins:
groups: ["ArgoCD Admins"]
dex:
enabled: true
image:
repository: ghcr.io/dexidp/dex
tag: v2.39.1
env:
- name: CLIENT_ID
valueFrom:
secretKeyRef:
name: kargo-oidc-secret
key: CLIENT_ID
- name: CLIENT_SECRET
valueFrom:
secretKeyRef:
name: kargo-oidc-secret
key: CLIENT_SECRET
tls:
selfSignedCert: false
skipApprovalScreen: true
connectors:
- type: oidc
id: authentik
name: Authentik
config:
issuer: https://authentik.alexlebens.net/application/o/kargo/
clientID: "$CLIENT_ID"
clientSecret: "$CLIENT_SECRET"
redirectURI: https://kargo.alexlebens.net/dex/callback
insecureEnableGroups: true
scopes:
- openid
- profile
- email
- groups
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
argocd:
urls:
"": https://argocd.alexlebens.net
rollouts:
integrationEnabled: true
controller:
enabled: true
gitClient:
name: "Kargo cl01tl"
email: "alexanderlebens@gmail.com"
argocd:
integrationEnabled: true
rollouts:
integrationEnabled: true
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
managementController:
enabled: true
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
webhooks:
register: true
webhooksServer:
tls:
selfSignedCert: true
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
garbageCollector:
schedule: "0 * * * *"
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi

6
clusters/cl01tl/deployment/stack/Chart.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: v2
name: stack
version: 1.0.0
sources:
- https://github.com/alexlebens/alexlebens-net.git
appVersion: 1.0.0

55
clusters/cl01tl/deployment/stack/templates/application-set.yaml Normal file
View File

@@ -0,0 +1,55 @@
{{- range $index, $stack := .Values.applicationSet }}
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: {{ $stack.name }}
namespace: {{ $.Release.Namespace }}
labels:
app.kubernetes.io/name: {{ $stack.name }}
app.kubernetes.io/instance: {{ $stack.name }}
app.kubernetes.io/version: {{ $.Chart.AppVersion }}
app.kubernetes.io/component: {{ $stack.name }}
app.kubernetes.io/part-of: {{ $.Release.Name }}
spec:
syncPolicy:
applicationsSync: create-only
preserveResourcesOnDeletion: true
generators:
- git:
repoURL: {{ $.Values.git.repo }}
revision: {{ $.Values.git.revision }}
directories:
- path: "{{ $.Values.git.path }}/{{ $stack.name }}/*"
template:
metadata:
name: '{{ `{{path.basename}}` }}'
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
name: in-cluster
namespace: '{{ $stack.namespace | default `{{path.basename}}` }}'
project: default
revisionHistoryLimit: 3
source:
repoURL: {{ $.Values.git.repo }}
targetRevision: {{ $.Values.git.revision }}
path: '{{ `{{path}}` }}'
ignoreDifferences:
{{- toYaml $stack.ignoreDifferences | nindent 8 }}
syncPolicy:
{{- if $stack.syncPolicy.automated.enabled }}
automated:
prune: {{ $stack.syncPolicy.automated.prune | default false }}
selfHeal: {{ $stack.syncPolicy.automated.selfHeal | default false }}
{{- end }}
retry:
limit: 3
backoff:
duration: 1m
factor: 2
maxDuration: 15m
syncOptions:
{{- toYaml $stack.syncPolicy.syncOptions | nindent 10 }}
{{- end }}

82
clusters/cl01tl/deployment/stack/templates/application.yaml Normal file
View File

@@ -0,0 +1,82 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cilium
namespace: {{ .Release.Namespace }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.application.cilium.source.repo }}
targetRevision: {{ .Values.application.cilium.source.revision }}
path: "{{ .Values.git.path }}/{{ .Values.application.cilium.source.path }}"
destination:
name: in-cluster
namespace: {{ .Values.application.cilium.namespace }}
revisionHistoryLimit: 3
syncPolicy:
{{- toYaml .Values.application.cilium.syncPolicy | nindent 4 }}
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metrics-server
namespace: {{ .Release.Namespace }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.application.metricsServer.source.repo }}
targetRevision: {{ .Values.application.metricsServer.source.revision }}
path: "{{ .Values.git.path }}/{{ .Values.application.metricsServer.source.path }}"
destination:
name: in-cluster
namespace: {{ .Values.application.metricsServer.namespace }}
revisionHistoryLimit: 3
syncPolicy:
{{- toYaml .Values.application.metricsServer.syncPolicy | nindent 4 }}
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kubelet-serving-cert-approver
namespace: {{ .Release.Namespace }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.application.kubeletServingCertApprover.source.repo }}
targetRevision: {{ .Values.application.kubeletServingCertApprover.source.revision }}
path: "{{ .Values.git.path }}/{{ .Values.application.kubeletServingCertApprover.source.path }}"
destination:
name: in-cluster
namespace: {{ .Values.application.kubeletServingCertApprover.namespace }}
revisionHistoryLimit: 3
syncPolicy:
{{- toYaml .Values.application.kubeletServingCertApprover.syncPolicy | nindent 4 }}
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prometheus-operator-crds
namespace: {{ .Release.Namespace }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.application.prometheusOperatorCrds.source.repo }}
targetRevision: {{ .Values.application.prometheusOperatorCrds.source.revision }}
path: "{{ .Values.git.path }}/{{ .Values.application.prometheusOperatorCrds.source.path }}"
destination:
name: in-cluster
namespace: {{ .Values.application.prometheusOperatorCrds.namespace }}
revisionHistoryLimit: 3
syncPolicy:
{{- toYaml .Values.application.prometheusOperatorCrds.syncPolicy | nindent 4 }}

148
clusters/cl01tl/deployment/stack/values.yaml Normal file
View File

@@ -0,0 +1,148 @@
git:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: clusters/cl01tl
applicationSet:
- name: applications
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=false
- PruneLast=true
- name: deployment
namespace: argocd
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=false
- PruneLast=true
- name: platform
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
- name: services
ignoreDifferences:
- group: ""
kind: Service
jqPathExpressions:
- .status.loadBalancer.ingress[].ipMode
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
- name: storage
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=false
- PruneLast=true
application:
cilium:
namespace: kube-system
source:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: standalone/cilium
syncPolicy:
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
metricsServer:
namespace: kube-system
source:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: standalone/metrics-server
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=false
- ServerSideApply=true
- PruneLast=true
kubeletServingCertApprover:
namespace: kubelet-serving-cert-approver
source:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: standalone/kubelet-serving-cert-approver
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=false
- ServerSideApply=true
- PruneLast=true
prometheusOperatorCrds:
namespace: kube-system
source:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: standalone/prometheus-operator-crds
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=false
- ServerSideApply=true
- PruneLast=true

21
clusters/cl01tl/platform/authentik/Chart.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: v2
name: authentik
version: 1.0.0
sources:
- https://github.com/goauthentik/authentik
- https://github.com/goauthentik/helm
- https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: authentik
version: 2024.4.2
repository: https://charts.goauthentik.io/
- name: app-template
alias: cloudflared
repository: https://bjw-s.github.io/helm-charts/
version: 3.1.0
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: "2024.4.2"

60
clusters/cl01tl/platform/authentik/templates/config-map.yaml Normal file
View File

@@ -0,0 +1,60 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: authentik-custom-css
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
data:
custom.css: |
/* Change sign button color */
.pf-c-button.pf-m-primary {
color: black;
background-color: white;
}
/* Remove background */
.pf-c-login__main {
background-color: rgba(3, 3, 3, 0.16);
}
/* Remove specific height */
.pf-c-brand {
height: auto;
}
/* Center text */
.pf-c-title {
text-align: center;
}
/* Match text field to login button */
.pf-c-form-control {
border-radius: 3px;
background-color: white;
color: black;
}
/* Force border color */
.pf-c-form-control {
border-color: white;
}
/* Use default cursor on this div */
.pf-c-form__label {
cursor: default;
}
/* Hide required asterik */
.pf-c-form__label-required {
display: none;
}
/* Change link color to white */
.a {
color: white;
}

80
clusters/cl01tl/platform/authentik/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,80 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authentik-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/key
metadataPolicy: None
property: key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authentik-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/authentik
metadataPolicy: None
property: token
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authentik-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-authentik-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-authentik-postgresql
metadataPolicy: None
property: secret_key

118
clusters/cl01tl/platform/authentik/values.yaml Normal file
View File

@@ -0,0 +1,118 @@
authentik:
global:
env:
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-key-secret
key: key
- name: AUTHENTIK_POSTGRESQL__HOST
valueFrom:
secretKeyRef:
name: authentik-postgresql-16-cluster-app
key: host
- name: AUTHENTIK_POSTGRESQL__NAME
valueFrom:
secretKeyRef:
name: authentik-postgresql-16-cluster-app
key: dbname
- name: AUTHENTIK_POSTGRESQL__USER
valueFrom:
secretKeyRef:
name: authentik-postgresql-16-cluster-app
key: user
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-postgresql-16-cluster-app
key: password
server:
name: server
replicas: 1
volumes:
- name: custom-css
configMap:
name: authentik-custom-css
volumeMounts:
- name: custom-css
mountPath: /web/dist/custom.css
subPath: custom.css
metrics:
enabled: true
serviceMonitor:
enabled: true
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
ingressClassName: traefik
hosts:
- auth.alexlebens.net
- authentik.alexlebens.net
tls:
- secretName: authentik-secret-tls
hosts:
- auth.alexlebens.net
- authentik.alexlebens.net
worker:
name: worker
replicas: 1
prometheus:
rules:
enabled: true
postgresql:
enabled: false
redis:
enabled: true
cloudflared:
global:
nameOverride: cloudflared
controllers:
main:
type: deployment
strategy: Recreate
containers:
main:
image:
repository: cloudflare/cloudflared
tag: "2024.5.0"
pullPolicy: IfNotPresent
args:
- tunnel
- --no-autoupdate
- run
- --token
- $(CF_MANAGED_TUNNEL_TOKEN)
env:
- name: CF_MANAGED_TUNNEL_TOKEN
valueFrom:
secretKeyRef:
name: authentik-cloudflared-secret
key: cf-tunnel-token
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi
postgres-16-cluster:
mode: standalone
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: false
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/authentik
endpointCredentials: authentik-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d

11
clusters/cl01tl/platform/external-secrets/Chart.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v2
name: external-secrets
version: 0.0.1
sources:
- https://github.com/external-secrets/external-secrets
- https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
dependencies:
- name: external-secrets
version: 0.9.18
repository: https://charts.external-secrets.io
appVersion: 0.9.13

21
clusters/cl01tl/platform/external-secrets/templates/cluster-secret-store.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
provider:
vault:
server: http://vault-internal.vault:8200
path: secret
auth:
tokenSecretRef:
namespace: vault
name: vault-token
key: token

Some files were not shown because too many files have changed in this diff Show More