107 Commits

Author SHA1 Message Date
b0a2c644b3 remove lcaim 2025-02-17 21:29:13 -06:00
45e6817411 add claim 2025-02-17 21:28:18 -06:00
c96e9ab425 change networks 2025-02-17 21:26:17 -06:00
a74d62669c remove admin 2025-02-17 21:21:53 -06:00
e811970c43 use lb 2025-02-17 21:19:26 -06:00
871e67b5d7 add nodeport 2025-02-17 21:13:35 -06:00
69e6998f3c add cred 2025-02-17 20:31:31 -06:00
e3bc94b203 add gitea 2025-02-17 20:21:41 -06:00
b7fea99102 change background 2025-02-17 20:00:50 -06:00
d68786dc97 change namespace 2025-02-17 18:31:46 -06:00
4a2af5d9bd fix path 2025-02-17 18:29:58 -06:00
f3175bcff2 add authentik 2025-02-17 18:23:43 -06:00
0315558b6d remove authentik 2025-02-17 18:11:38 -06:00
6e05a50e46 change settings 2025-02-17 18:07:37 -06:00
e8598cd3f4 change key 2025-02-17 17:55:43 -06:00
a2391cd240 add unpoller 2025-02-17 17:52:52 -06:00
c1ef7a02bc add searxng 2025-02-17 17:52:23 -06:00
9494d424e6 add homepage 2025-02-17 17:52:00 -06:00
ecbf560f0e fix label 2025-02-17 17:47:10 -06:00
437c6fe7af remove 2025-02-17 17:43:19 -06:00
02789b8458 use different proxy 2025-02-17 17:42:59 -06:00
2b25ca0444 change namespace 2025-02-17 17:36:54 -06:00
7dc174b81a change key 2025-02-17 17:34:28 -06:00
ebb173bfa8 remove password 2025-02-17 17:28:09 -06:00
8f27e58556 remove authentik 2025-02-17 17:25:51 -06:00
c0eb2cb272 add namespace 2025-02-17 17:20:32 -06:00
ba9d4f075a add namespace 2025-02-17 17:19:50 -06:00
cdac2f69c1 fix key 2025-02-17 17:18:45 -06:00
483763c3e3 chnage image 2025-02-17 17:17:43 -06:00
ffef4a6508 change storage 2025-02-17 17:14:53 -06:00
f5b824d007 add metrics 2025-02-17 17:13:30 -06:00
0f5cfc9246 add speedtest 2025-02-17 17:04:08 -06:00
b5b54d1e07 add loki 2025-02-17 17:03:37 -06:00
b3ac3b610f add ddns 2025-02-17 17:03:01 -06:00
590ae83e34 add blocky 2025-02-17 16:55:47 -06:00
0c6148bfa5 add applications 2025-02-17 16:54:50 -06:00
8a413b3094 fix name 2025-02-17 16:47:06 -06:00
69f1583595 add namespace config 2025-02-17 16:40:14 -06:00
0f0c1f52af disable forward 2025-02-17 16:32:44 -06:00
105b16ad3e change ingress 2025-02-17 16:25:33 -06:00
749bbb1736 change path 2025-02-17 16:22:04 -06:00
7221266bd4 change service 2025-02-17 16:20:23 -06:00
a74204f1b1 enable ingress 2025-02-17 16:17:06 -06:00
f1829d42fb add iscsi 2025-02-17 16:11:18 -06:00
8faacd7077 add services 2025-02-17 15:56:09 -06:00
d2b6009a36 change to use init 2025-02-17 15:44:43 -06:00
43979d16f9 change path 2025-02-17 15:38:09 -06:00
6625b0085f change command 2025-02-17 15:34:22 -06:00
d3098d59f3 fix secrets 2025-02-17 15:16:13 -06:00
4fc230c419 switch to s3cmd 2025-02-17 15:14:24 -06:00
9d14ccb188 update image 2025-02-17 14:47:45 -06:00
50943a667f change path 2025-02-17 14:40:37 -06:00
2bf9a1a336 downgrade image 2025-02-17 14:33:28 -06:00
4e8dea2e09 change image 2025-02-17 14:26:41 -06:00
ec86c659ad update image 2025-02-17 14:23:35 -06:00
e1b1a914f7 add checksum env 2025-02-17 14:22:55 -06:00
e55d7d9f1c downgrade cli 2025-02-17 14:15:59 -06:00
ab5e4f1c1b enable snapshot 2025-02-17 14:00:27 -06:00
9d8ad1de1a change path 2025-02-17 13:59:32 -06:00
975b515b26 add backups 2025-02-17 13:56:21 -06:00
832c8264c4 add unseal 2025-02-17 13:40:31 -06:00
ebb507d0ff add vault 2025-02-17 13:09:35 -06:00
renovate[bot]
0df95e32fa Update ghcr.io/open-webui/open-webui Docker tag to v0.5.12 (#1247)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-17 15:49:35 +00:00
renovate[bot]
1d0c6c9a6b Update ghcr.io/onedr0p/plex Docker tag to v1.41.4.9463-630c9f557 (#1246)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-17 12:15:36 +00:00
1b7b3eb183 change hosts 2025-02-16 22:41:06 -06:00
79427d56d0 change array 2025-02-16 22:31:19 -06:00
f9da7d31bd remove 2025-02-16 22:24:50 -06:00
50811026a5 add storage 2025-02-16 22:24:34 -06:00
b3ad6e695e add services 2025-02-16 22:19:38 -06:00
71bf0458da disable init 2025-02-16 22:05:23 -06:00
5d65131995 remove gateway api 2025-02-16 21:56:20 -06:00
db865d960c change repo 2025-02-16 21:54:22 -06:00
ca00810cd6 rename 2025-02-16 20:12:06 -06:00
renovate[bot]
55439756ce Update ghcr.io/advplyr/audiobookshelf Docker tag to v2.19.2 (#1245)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-16 21:36:42 +00:00
renovate[bot]
2857246b4e Update bitnami/kubectl Docker tag to v1.32.2 (#1244)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-16 18:11:01 +00:00
renovate[bot]
b426fff10c Update Helm release matrix-synapse to v3.11.3 (#1243)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-16 10:27:51 +00:00
renovate[bot]
b2b2be036e Update Helm release element-web to v1.4.2 (#1242)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-16 06:30:26 +00:00
22a7d77301 remove version 2025-02-15 19:03:16 -06:00
05963ff31a remove dependencies 2025-02-15 19:03:16 -06:00
8b4eee804f stage for rebuilt 2025-02-15 19:03:16 -06:00
91c1b3931d migrate subnet 2025-02-15 19:03:16 -06:00
renovate[bot]
0f623a068d Update Helm release elasticsearch to v21.4.5 (#1241)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-15 22:33:35 +00:00
renovate[bot]
5344dcd5db Update Helm release cert-manager to v1.17.1 (#1240)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-15 17:48:32 +00:00
renovate[bot]
54e59a5e94 Update vaultwarden/server Docker tag to v1.33.2 (#1237)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-14 12:31:37 +00:00
renovate[bot]
01be01e99f Update ollama/ollama Docker tag to v0.5.8 (#1236)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-14 07:28:35 +00:00
renovate[bot]
c0f2011086 Update ghcr.io/linuxserver/sonarr Docker tag to v4.0.13 (#1235)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-14 03:12:58 +00:00
renovate[bot]
6682df9fbb Update Helm release descheduler to v0.32.2 (#1234)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-13 23:43:21 +00:00
renovate[bot]
997039591d Update Helm release argo-workflows to v0.45.6 (#1233)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-13 19:08:50 +00:00
renovate[bot]
e095642854 Update slskd/slskd Docker tag to v0.22.2 (#1232)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-12 10:59:21 +00:00
renovate[bot]
76e74163d0 Update Helm release headlamp to v0.28.1 (#1231)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-12 07:36:08 +00:00
renovate[bot]
08c69254bb Update Helm release external-secrets to v0.14.1 (#1230)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-12 03:40:35 +00:00
renovate[bot]
34c82f43ac Update amazon/aws-cli Docker tag to v2.24.0 (#1221)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-10 17:11:23 +00:00
renovate[bot]
6f59c14b29 Update nginx Docker tag to v1.27.4 (#1220)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-10 13:51:40 +00:00
renovate[bot]
6344470fad Update gitea/gitea Docker tag to v1.23.3 (#1219)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-10 09:05:46 +00:00
renovate[bot]
f16867c364 Update Helm release loki to v6.25.1 (#1218)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-10 04:54:34 +00:00
renovate[bot]
07fff5a49a Update Helm release argo-cd to v7.8.2 (#1217)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-10 01:00:34 +00:00
renovate[bot]
dceae4dfe3 Update vaultwarden/server Docker tag to v1.33.1 (#1211)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-08 13:01:53 +00:00
renovate[bot]
ae5948e91d Update ghcr.io/open-webui/open-webui Docker tag to v0.5.10 (#1210)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-08 09:02:03 +00:00
renovate[bot]
06824edc8e Update ghcr.io/haveagitgat/tdarr_node Docker tag to v2.31.02 (#1209)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-08 04:54:04 +00:00
renovate[bot]
2ea78d221e Update ghcr.io/haveagitgat/tdarr Docker tag to v2.31.02 (#1208)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-08 00:49:44 +00:00
renovate[bot]
f31cb34921 Update directus/directus Docker tag to v11.4.1 (#1207)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-07 20:56:27 +00:00
renovate[bot]
2b3961fa8b Update cyfershepard/jellystat Docker tag to v1.1.3 (#1206)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-07 18:32:10 +00:00
renovate[bot]
fec36205a8 Update Helm release rook-ceph-cluster to v1.16.3 (#1205)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-07 13:01:53 +00:00
renovate[bot]
003b18f481 Update Helm release rook-ceph to v1.16.3 (#1204)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-07 08:25:17 +00:00
ca40146f2d downgrade 2025-02-05 19:55:05 -06:00
renovate[bot]
376d6974f5 Update Helm release external-secrets to v0.14.0 (#1202)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-05 11:20:44 -06:00
renovate[bot]
e58bfb4466 Update Helm release cilium to v1.17.0 (#1201)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-02-05 11:16:29 -06:00
280 changed files with 611 additions and 797 deletions


@@ -1,107 +1,107 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: homepage-keys-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: homepage-keys-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: HOMEPAGE_VAR_SYNOLOGY_USER
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /synology/auth
metadataPolicy: None
property: user
- secretKey: HOMEPAGE_VAR_SYNOLOGY_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /synology/auth
metadataPolicy: None
property: password
- secretKey: HOMEPAGE_VAR_UNIFI_USER
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /unifi/auth
metadataPolicy: None
property: user
- secretKey: HOMEPAGE_VAR_UNIFI_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /unifi/auth
metadataPolicy: None
property: password
- secretKey: HOMEPAGE_VAR_SONARR_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/sonarr4/key
metadataPolicy: None
property: key
- secretKey: HOMEPAGE_VAR_SONARR4K_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/sonarr4-4k/key
metadataPolicy: None
property: key
- secretKey: HOMEPAGE_VAR_SONARRANIME_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/sonarr4-anime/key
metadataPolicy: None
property: key
- secretKey: HOMEPAGE_VAR_RADARR_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/radarr5/key
metadataPolicy: None
property: key
- secretKey: HOMEPAGE_VAR_RADARR4K_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/radarr5-4k/key
metadataPolicy: None
property: key
- secretKey: HOMEPAGE_VAR_RADARRANIME_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/radarr5-anime/key
metadataPolicy: None
property: key
- secretKey: HOMEPAGE_VAR_RADARRSTANDUP_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/radarr5-standup/key
metadataPolicy: None
property: key
- secretKey: HOMEPAGE_VAR_LIDARR2_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/lidarr2/key
metadataPolicy: None
property: key
- secretKey: HOMEPAGE_VAR_PROWLARR_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/prowlarr/key
metadataPolicy: None
property: key
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: homepage-keys-secret
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: homepage-keys-secret
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: web
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: HOMEPAGE_VAR_SYNOLOGY_USER
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /synology/auth
# metadataPolicy: None
# property: user
# - secretKey: HOMEPAGE_VAR_SYNOLOGY_PASSWORD
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /synology/auth
# metadataPolicy: None
# property: password
# - secretKey: HOMEPAGE_VAR_UNIFI_USER
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /unifi/auth
# metadataPolicy: None
# property: user
# - secretKey: HOMEPAGE_VAR_UNIFI_PASSWORD
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /unifi/auth
# metadataPolicy: None
# property: password
# - secretKey: HOMEPAGE_VAR_SONARR_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/sonarr4/key
# metadataPolicy: None
# property: key
# - secretKey: HOMEPAGE_VAR_SONARR4K_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/sonarr4-4k/key
# metadataPolicy: None
# property: key
# - secretKey: HOMEPAGE_VAR_SONARRANIME_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/sonarr4-anime/key
# metadataPolicy: None
# property: key
# - secretKey: HOMEPAGE_VAR_RADARR_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/radarr5/key
# metadataPolicy: None
# property: key
# - secretKey: HOMEPAGE_VAR_RADARR4K_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/radarr5-4k/key
# metadataPolicy: None
# property: key
# - secretKey: HOMEPAGE_VAR_RADARRANIME_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/radarr5-anime/key
# metadataPolicy: None
# property: key
# - secretKey: HOMEPAGE_VAR_RADARRSTANDUP_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/radarr5-standup/key
# metadataPolicy: None
# property: key
# - secretKey: HOMEPAGE_VAR_LIDARR2_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/lidarr2/key
# metadataPolicy: None
# property: key
# - secretKey: HOMEPAGE_VAR_PROWLARR_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/prowlarr/key
# metadataPolicy: None
# property: key
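Review bot: The 107 lines of `#`-commented ExternalSecret that form the new side of this file (the argo-cd secrets template added fully commented and its uncommented predecessor deleted later in this commit indicate the commented block is the new side) are still a Helm template, and Helm evaluates the `{{ .Release.Namespace }}`, `{{ .Release.Name }}` and `{{ .Chart.AppVersion }}` actions inside comment lines before YAML ever sees them, so the block is neither inert nor obviously disabled to a reader of the rendered chart. Wrapping the resource in a values flag — `{{- if .Values.homepageKeys.enabled }}` … `{{- end }}` (the key name is a suggestion) — keeps the secret definition and its Vault key paths under review and records the disabled state in values.yaml instead of in a diff that touches every line. The same comment-out pattern is used for the `envFrom` block in the homepage values, the argo-cd secrets template that is added fully commented, the `dex.config` block in the argo-cd values, the `backup` dependency in the gitea Chart.yaml and the gitea `admin` block; one flag per resource would cover all of them.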


@@ -13,9 +13,9 @@ homepage:
repository: ghcr.io/gethomepage/homepage
tag: v0.10.9
pullPolicy: IfNotPresent
envFrom:
- secretRef:
name: homepage-keys-secret
# envFrom:
# - secretRef:
# name: homepage-keys-secret
resources:
requests:
cpu: 10m
@@ -36,7 +36,7 @@ homepage:
hideVersion: true
color: zinc
background:
image: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/background-2.jpg
image: https://web-assets-3bfcb5585cbd63dc365d32a3.nyc3.cdn.digitaloceanspaces.com/alexlebens-net/background-3.jpg
brightness: 50
theme: dark
disableCollapse: true
@@ -281,7 +281,7 @@ homepage:
icon: sh-argo-cd.svg
description: ArgoCD
href: https://argocd-cl01tl.boreal-beaufort.ts.net
siteMonitor: http://argocd-server.argocd:80
siteMonitor: http://argo-cd-argocd-server.argo-cd:80
statusStyle: dot
namespace: argocd
- Workflows:
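Review bot: The `siteMonitor` URL now targets the `argo-cd` namespace (`http://argo-cd-argocd-server.argo-cd:80`) but `namespace: argocd` two lines below is unchanged; if that key is the homepage kubernetes widget's namespace for this entry, it needs `namespace: argo-cd` too, otherwise the widget keeps polling the namespace that the ApplicationSet and ingress hunks in this commit have moved away from. With `envFrom` for `homepage-keys-secret` commented out in the first hunk, none of the `HOMEPAGE_VAR_*` variables are set any more, so any widget later in this values file that references them will render with empty credentials rather than fail loudly. The list entry containing `siteMonitor` starts before the third hunk.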


@@ -1,26 +1,5 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: plex-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: plex-config
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 80Gi
storageClassName: ceph-block
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: plex-nfs-storage
namespace: {{ .Release.Namespace }}
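Review bot: Deleting the `plex-config` PersistentVolumeClaim template while the plex values in this commit replace `existingClaim: plex-config` with a chart-managed 60Gi `config` volume drops the existing 80Gi claim from the release; with the ApplicationSets syncing with `prune: true`, the old claim will be deleted, and whether the ceph-block volume behind it survives depends on the StorageClass reclaim policy, which this commit does not show. If the Plex library metadata is meant to carry over, keep `existingClaim: plex-config` (or clone the volume into the new claim first) rather than creating a fresh, smaller PVC. The second PVC document, `plex-nfs-storage`, continues past the end of the hunk.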


@@ -5,23 +5,17 @@ plex:
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
pod:
securityContext:
runAsUser: 568
runAsGroup: 568
containers:
main:
image:
repository: ghcr.io/onedr0p/plex
tag: 1.41.3.9314-a0bfb8370
repository: ghcr.io/linuxserver/plex
tag: 1.41.4@sha256:76d2cf7acc05bba64356dc47fa8d061135519f380c86d0a9a46a48c6bb37102e
pullPolicy: IfNotPresent
env:
- name: TZ
value: US/Central
- name: ADVERTISE_IP
value: https://plex-cl01tl.boreal-beaufort.ts.net:443/
- name: ALLOWED_NETWORKS
value: 10.0.0.0/8,192.168.1.0/24
- name: VERSION
value: docker
resources:
requests:
gpu.intel.com/i915: 1
@@ -57,7 +51,9 @@ plex:
- plex-cl01tl
persistence:
config:
existingClaim: plex-config
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 60Gi
advancedMounts:
main:
main:
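Review bot: Removing the pod `securityContext` (`runAsUser: 568`, `runAsGroup: 568`) together with the move to `ghcr.io/linuxserver/plex` means the container now starts as root; linuxserver images expect that and drop to the uid/gid given by `PUID`/`PGID`, but neither variable is set in this hunk, so Plex will run as the image default rather than the 568 uid that owns the existing config files. Add `- name: PUID` / `value: "568"` and `- name: PGID` / `value: "568"` next to `TZ` (quoted, so YAML keeps them as strings) and note above the `image` block why the securityContext had to go. The `ADVERTISE_IP` and `ALLOWED_NETWORKS` variables were configured for the previous image; confirm whether the linuxserver image honours equivalents before treating their removal as harmless. The `containers.main` block continues outside the hunk.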


@@ -1,7 +1,7 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: searxng-config-secret
name: searxng-api-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: searxng-config-secret
@@ -18,13 +18,13 @@ spec:
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/searxng/config
key: /cl01tl/searxng/api/config
metadataPolicy: None
property: settings.yml
- secretKey: limiter.toml
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/searxng/config
key: /cl01tl/searxng/api/config
metadataPolicy: None
property: limiter.toml
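Review bot: The ExternalSecret is renamed to `searxng-api-config-secret` but the `app.kubernetes.io/name` label directly below still says `searxng-config-secret`; change it to `app.kubernetes.io/name: searxng-api-config-secret` so it matches the resource name the way the other ExternalSecrets in this commit do. Both visible `remoteRef.key` entries move to `/cl01tl/searxng/api/config`, but the `spec.data` list begins before the second hunk, so the `secretKey` for `settings.yml` and any earlier entries should be checked for the old path as well.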


@@ -98,7 +98,7 @@ searxng:
config:
enabled: true
type: secret
name: searxng-config-secret
name: searxng-api-config-secret
advancedMounts:
api:
main:
@@ -111,7 +111,7 @@ searxng:
mountPropagation: None
subPath: limiter.toml
api-data:
storageClass: ceph-block-delete
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 5Gi
advancedMounts:
@@ -120,7 +120,7 @@ searxng:
- path: /etc/searxng
readOnly: false
browser-data:
storageClass: ceph-block-delete
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 5Gi
advancedMounts:
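Review bot: `storageClass` for `api-data` and `browser-data` changes from `ceph-block-delete` to `ceph-block`, but `storageClassName` on a bound PersistentVolumeClaim is immutable, so existing claims will not follow this edit — the apply either rejects the update or the old claims stay as they are. The PVCs have to be recreated (and anything worth keeping copied across) as part of this rollout; a line such as `# storageClass changed; existing PVCs must be recreated` above `api-data` records that for whoever applies it. The enclosing persistence block starts before the hunks.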


@@ -15,7 +15,7 @@ maintainers:
- name: alexlebens
dependencies:
- name: argo-cd
version: 7.8.0
version: 7.8.2
repository: https://argoproj.github.io/argo-helm
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/argocd.png
appVersion: v2.13.2


@@ -0,0 +1,70 @@
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: argocd-oidc-secret
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: "{{ .Release.Name }}-server"
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: server
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: secret
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /authentik/oidc/argocd
# metadataPolicy: None
# property: secret
# - secretKey: client
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /authentik/oidc/argocd
# metadataPolicy: None
# property: client
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: argocd-gitea-repo-infrastructure-secret
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: repo
# app.kubernetes.io/part-of: {{ .Release.Name }}
# argocd.argoproj.io/secret-type: repository
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: type
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/argocd/credentials/repo/infrastructure
# metadataPolicy: None
# property: type
# - secretKey: url
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/argocd/credentials/repo/infrastructure
# metadataPolicy: None
# property: url
# - secretKey: sshPrivateKey
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/argocd/credentials/repo/infrastructure
# metadataPolicy: None
# property: sshPrivateKey


@@ -22,6 +22,6 @@ spec:
pathType: Prefix
backend:
service:
name: argocd-server
name: argo-cd-argocd-server
port:
number: 80


@@ -17,21 +17,21 @@ argo-cd:
timeout.reconciliation.jitter: 60s
url: https://argocd-cl01tl.boreal-beaufort.ts.net
statusbadge.enabled: true
dex.config: |
connectors:
- config:
issuer: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/argocd/
clientID: $argocd-oidc-secret:client
clientSecret: $argocd-oidc-secret:secret
insecureEnableGroups: true
scopes:
- openid
- profile
- email
- groups
name: authentik
type: oidc
id: authentik
# dex.config: |
# connectors:
# - config:
# issuer: https://auth-cl01tl.boreal-beaufort.ts.net/application/o/argocd/
# clientID: $argocd-oidc-secret:client
# clientSecret: $argocd-oidc-secret:secret
# insecureEnableGroups: true
# scopes:
# - openid
# - profile
# - email
# - groups
# name: authentik
# type: oidc
# id: authentik
rbac:
policy.csv: |
g, ArgoCD Admins, role:admin
@@ -57,6 +57,8 @@ argo-cd:
enabled: true
redis-ha:
enabled: true
redisSecretInit:
enabled: false
controller:
replicas: 1
metrics:
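Review bot: `redisSecretInit.enabled: false` in the second hunk turns off the chart job that generates the `argocd-redis` secret, and nothing in this commit shows the secret being provisioned another way while `redis-ha` stays enabled; per the chart's values documentation that secret must then be supplied by other means, otherwise the Argo CD components that mount it will not start, or redis-ha runs without the auth value the job would have created. Commenting out `dex.config` in the first hunk removes the only identity provider for the UI, so the `g, ArgoCD Admins, role:admin` mapping in `policy.csv` just below no longer matches any user and login falls back to the built-in admin account unless that is disabled elsewhere; if this is a rebuild stage, a values flag around the Dex config is safer than a comment block that will drift. The `configs` block that holds these keys starts before the first hunk.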


@@ -1,70 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argocd-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "{{ .Release.Name }}-server"
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: server
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd
metadataPolicy: None
property: secret
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argocd-repo-infrastructure-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argocd-repo-infrastructure-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: repo
app.kubernetes.io/part-of: {{ .Release.Name }}
argocd.argoproj.io/secret-type: repository
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: type
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/argocd/credentials/repo/infrastructure
metadataPolicy: None
property: type
- secretKey: url
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/argocd/credentials/repo/infrastructure
metadataPolicy: None
property: url
- secretKey: sshPrivateKey
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/argocd/credentials/repo/infrastructure
metadataPolicy: None
property: sshPrivateKey


@@ -33,7 +33,7 @@ spec:
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=true
- ServerSideApply=false
- ServerSideApply=true
- PruneLast=true
---
@@ -67,7 +67,7 @@ spec:
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=true
- ServerSideApply=false
- ServerSideApply=true
- PruneLast=true
---
@@ -100,7 +100,7 @@ spec:
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=false
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
@@ -134,7 +134,7 @@ spec:
maxDuration: 16m
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=false
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
@@ -168,6 +168,6 @@ spec:
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=false
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
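Review bot: All five hunks now carry `ApplyOutOfSyncOnly=true` and `ServerSideApply=true`, and the combination deserves a one-line comment above each `syncOptions` list (`# SSA so fields set by other controllers are kept; OutOfSyncOnly relies on ignoreDifferences being correct`), because with `ApplyOutOfSyncOnly` a resource whose only drift is in fields masked by an `ignoreDifferences` rule (the `caBundle` jq path in the ApplicationSet values of this commit) is considered in sync and skipped. For the first two Applications the switch to server-side apply also changes field ownership on resources that were applied client-side until now; check the first sync of those two apps for field conflicts before relying on automated sync. Each `spec.syncPolicy` block starts before its hunk.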


@@ -2,7 +2,8 @@ cluster:
name: cl01tl
git:
# repo: git@github.com:alexlebens/infrastructure.git
repo: http://gitea-http.gitea:3000/alexlebens/infrastructure
repo: https://github.com/alexlebens/infrastructure.git
# repo: http://gitea-http.gitea:3000/alexlebens/infrastructure
# repo: ssh://git@gitea-ssh.gitea:2222/alexlebens/infrastructure
revision: HEAD
applicationSet:
@@ -25,7 +26,7 @@ applicationSet:
kind: ValidatingWebhookConfiguration
jqPathExpressions:
- .webhooks[].clientConfig.caBundle
namespace: argocd
namespace: argo-cd
syncPolicy:
automated:
prune: true
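Review bot: `cluster.git.repo` now points at `https://github.com/alexlebens/infrastructure.git` with `revision: HEAD`, which makes whatever GitHub's default branch resolves to the source of truth for every Application generated from this ApplicationSet; GitHub-side controls (branch protection, required review, who holds push rights) are now part of the cluster's trust boundary, so pin `revision` to the branch name rather than `HEAD` and document that dependency next to it. Leaving the two Gitea alternatives as comments is a reasonable record, but if the in-cluster Gitea is reintroduced, the `ssh://` variant should be preferred over the cleartext `http://` one that was in use before. `namespace: argo-cd` in the second hunk should be cross-checked against the Argo CD ingress and homepage `siteMonitor` changes in this commit, which use the same name; the `applicationSet` block continues outside the hunk.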


@@ -18,7 +18,7 @@ spec:
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /discord/alertmanager
key: /discord/webhook/alertmanager
metadataPolicy: None
property: webhook
- secretKey: pushover_token


@@ -1,14 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: kube-system
---
apiVersion: v1
kind: Namespace
metadata:
name: cilium
name: kube-prometheus-stack
labels:
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
pod-security.kubernetes.io/audit: privileged
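Review bot: Labelling the `kube-prometheus-stack` Namespace `pod-security.kubernetes.io/enforce: privileged` disables Pod Security Admission for every workload in it — Grafana, Alertmanager, Prometheus and the operator — not only the node-exporter DaemonSet that needs host networking and host PID; a comment stating the reason, `# privileged: node-exporter DaemonSet needs hostNetwork/hostPID`, makes the exception reviewable, and moving node-exporter to its own namespace later would let the rest drop to `baseline`. The same three-label set is applied to the new `loki` Namespace later in this commit, presumably for promtail's host log mounts, and the same comment applies there. The old side of this file also declared the `kube-system` and `cilium` Namespaces, and this repository's ApplicationSets sync with `prune: true`; confirm those two Namespace objects are owned elsewhere before merging, since pruning them would be unrecoverable.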


@@ -35,7 +35,7 @@ kube-prometheus-stack:
- name: discord
discord_configs:
- send_resolved: true
webhook_url: https://discord.com/api/webhooks/1215465356315983922/CSaWG3SygslTNQo0uw07FB-0eKGl9nw2kDAqbAfH7JMe1ExVin8UvjlP4qkJoEyjDawz
webhook_url_file: /etc/alertmanager/secrets/alertmanager-config-secret/discord_webhook
- name: pushover
pushover_configs:
- send_resolved: true
@@ -44,6 +44,8 @@ kube-prometheus-stack:
ingress:
enabled: true
ingressClassName: tailscale
labels:
tailscale.com/proxy-class: no-metrics
hosts:
- alertmanager-cl01tl
tls:
@@ -132,6 +134,8 @@ kube-prometheus-stack:
ingress:
enabled: true
ingressClassName: tailscale
labels:
tailscale.com/proxy-class: no-metrics
hosts:
- prometheus-cl01tl
tls:
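Review bot: Replacing the inline `webhook_url` with `webhook_url_file` fixes a credential committed in plain text, but the Discord webhook URL stays in this repository's history (and on this diff page), so treat it as exposed: regenerate the webhook in Discord and store the new value under the `/discord/webhook/alertmanager` Vault key that the ExternalSecret hunk in this commit now reads. The path `/etc/alertmanager/secrets/alertmanager-config-secret/discord_webhook` only exists if the secret is listed in `alertmanager.alertmanagerSpec.secrets` and the ExternalSecret's `secretKey` for that entry is `discord_webhook`; neither line is visible in this commit (the `secretKey` sits just above the ExternalSecret hunk), so check both before relying on alerts. The `alertmanager.config.receivers` list begins before the first hunk.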


@@ -15,7 +15,7 @@ maintainers:
- name: alexlebens
dependencies:
- name: loki
version: 6.25.0
version: 6.25.1
repository: https://grafana.github.io/helm-charts
- name: promtail
version: 6.16.6


@@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: loki
labels:
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged


@@ -18,13 +18,13 @@ spec:
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /unifi/auth
key: /unifi/auth/cl01tl
metadataPolicy: None
property: user
- secretKey: UP_UNIFI_CONTROLLER_0_PASS
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /unifi/auth
key: /unifi/auth/cl01tl
metadataPolicy: None
property: password


@@ -1,26 +1,22 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: authentik-local
name: authentik-tailscale
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-local
app.kubernetes.io/name: authentik-tailscale
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
spec:
ingressClassName: traefik
ingressClassName: tailscale
tls:
- hosts:
- authentik.alexlebens.net
secretName: authentik-tls-secret
- auth-cl01tl
secretName: auth-cl01tl
rules:
- host: authentik.alexlebens.net
- host: auth-cl01tl
http:
paths:
- path: /
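Review bot: The traefik annotations deleted from this template (`traefik.ingress.kubernetes.io/router.entrypoints: websecure`, `traefik.ingress.kubernetes.io/router.tls: "true"`, `cert-manager.io/cluster-issuer: letsencrypt-issuer`) do not reappear in the authentik values hunk where the chart's own ingress now takes over `ingressClassName: traefik` and `authentik.alexlebens.net`; unless the chart sets them elsewhere, the public ingress will have no issuer to create `authentik-tls-secret` and no entrypoint restriction, which for the identity provider's public hostname is the wrong direction. Carry those three annotations over to the chart ingress's annotations map in the values file. Renaming this resource to `authentik-tailscale` together with its `app.kubernetes.io/name` label is consistent; the `paths` list continues past the end of the hunk.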


@@ -43,17 +43,15 @@ authentik:
enabled: true
ingress:
enabled: true
ingressClassName: tailscale
annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
ingressClassName: traefik
hosts:
- auth-cl01tl
- authentik.alexlebens.net
paths:
- /
tls:
- secretName: auth-cl01tl
- secretName: authentik-tls-secret
hosts:
- auth-cl01tl
- authentik.alexlebens.net
worker:
name: worker
replicas: 1
@@ -76,8 +74,8 @@ postgres-17-cluster:
monitoring:
enabled: true
backup:
enabled: true
enabled: false
endpointURL: https://nyc3.digitaloceanspaces.com
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-17-cluster
endpointCredentials: authentik-postgresql-17-cluster-backup-secret
backupIndex: 1
backupIndex: 2
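Review bot: `backup.enabled: false` on the authentik postgres cluster turns off scheduled backups of the identity provider's database while `endpointURL`, `destinationPath` and `endpointCredentials` stay configured and `backupIndex` moves to 2, so the new backup path will simply never be written; if this is meant only to last through the rebuild, a `# TODO: re-enable once the cluster is restored` on the `enabled` line keeps that from being forgotten, and if it is permanent the index bump is misleading. The `postgres-17-cluster` block starts before the hunk.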


@@ -12,7 +12,7 @@ sources:
- https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
dependencies:
- name: external-secrets
version: 0.13.0
version: 0.14.1
repository: https://charts.external-secrets.io
icon: https://avatars.githubusercontent.com/u/68335991?s=48&v=4
appVersion: 0.11.0
appVersion: 0.14.1


@@ -25,10 +25,10 @@ dependencies:
alias: cloudflared
repository: http://alexlebens.github.io/helm-charts
version: 1.13.0
- name: app-template
alias: backup
repository: https://bjw-s.github.io/helm-charts/
version: 3.6.1
# - name: app-template
# alias: backup
# repository: https://bjw-s.github.io/helm-charts/
# version: 3.6.1
- name: postgres-cluster
alias: postgres-17-cluster
version: 4.1.4


@@ -110,20 +110,6 @@ spec:
key: /digital-ocean/home-infra/gitea-backup
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/gitea-backup
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ENDPOINT_URL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/gitea-backup
metadataPolicy: None
property: AWS_ENDPOINT_URL
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
@@ -132,6 +118,31 @@ spec:
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-s3cmd-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-s3cmd-s3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: backup
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: .s3cfg
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/gitea/backup
metadataPolicy: None
property: s3cfg
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
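Review bot: The new `gitea-s3cmd-config` ExternalSecret is labelled `app.kubernetes.io/name: gitea-s3cmd-s3`, which matches neither its resource name nor the convention the other ExternalSecrets in this commit follow; change it to `app.kubernetes.io/name: gitea-s3cmd-config`. The `.s3cfg` it mounts normally carries the Spaces access and secret keys, yet the preceding ExternalSecret keeps delivering `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` (only `AWS_DEFAULT_REGION` and `AWS_ENDPOINT_URL` were dropped), so the same credential now reaches the backup container twice; if `s3cmd` reads only the config file, drop the environment copy so there is one place to rotate. The third ExternalSecret begins on the last line of the hunk and continues outside it.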


@@ -43,8 +43,6 @@ metadata:
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
spec:
ingressClassName: tailscale
tls:


@@ -1,7 +1,7 @@
gitea:
image:
repository: gitea/gitea
tag: 1.23.1
tag: 1.23.3
service:
http:
type: ClusterIP
@@ -24,8 +24,8 @@ gitea:
name: gitea-nfs-storage-backup
readOnly: false
gitea:
admin:
existingSecret: gitea-admin-secret
# admin:
# existingSecret: gitea-admin-secret
metrics:
enabled: true
serviceMonitor:
@@ -118,11 +118,11 @@ backup:
failedJobsHistory: 3
backoffLimit: 3
parallelism: 1
containers:
initContainers:
backup:
image:
repository: bitnami/kubectl
tag: 1.32.1
tag: 1.32.2
pullPolicy: IfNotPresent
command:
- sh
@@ -135,18 +135,18 @@ backup:
requests:
cpu: 100m
memory: 128Mi
containers:
s3:
image:
repository: amazon/aws-cli
tag: 2.23.3
repository: d3fk/s3cmd
tag: latest@sha256:ae12ef40440ee069dac63d98a3590da0e02acc56ea4f60e9e4c5353d585a9140
pullPolicy: IfNotPresent
command:
- /bin/sh
args:
- -ec
- |
until [ -f /opt/backup/gitea-backup.zip ]; do sleep 5; done;
aws s3 cp /opt/backup/gitea-backup.zip s3://cl01tl-gitea-backups/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
s3cmd put --no-check-md5 --no-check-certificate /opt/backup/gitea-backup.zip s3://gitea-backups-8ba8dae3674a2f53354c600e/cl01tl/cl01tl-gitea-backups/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
mv /opt/backup/gitea-backup.zip /opt/backup/gitea-backup-$(date +"%Y%m%d-%H-%M").zip;
envFrom:
- secretRef:
@@ -165,8 +165,19 @@ backup:
s3:
- path: /opt/backup
readOnly: false
s3cmd-config:
enabled: true
type: secret
name: gitea-s3cmd-config
advancedMounts:
backup:
s3:
- path: /root/.s3cfg
readOnly: true
mountPropagation: None
subPath: .s3cfg
postgres-17-cluster:
mode: standalone
mode: recovery
cluster:
walStorage:
storageClass: local-path
@@ -174,9 +185,14 @@ postgres-17-cluster:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
recovery:
endpointURL: https://nyc3.digitaloceanspaces.com
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-17-cluster
endpointCredentials: gitea-postgresql-17-cluster-backup-secret
backupIndex: 1
recoveryIndex: 1
backup:
enabled: false
endpointURL: https://nyc3.digitaloceanspaces.com
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/gitea/gitea-postgresql-17-cluster
endpointCredentials: gitea-postgresql-17-cluster-backup-secret
backupIndex: 2
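Review bot: The new upload line `s3cmd put --no-check-md5 --no-check-certificate ...` disables TLS certificate verification for the Gitea backup archive (repositories, database dump, config), so anyone on the path to the S3 endpoint could read or swap it; the endpoint itself lives in the mounted `.s3cfg` and is not visible here. If that endpoint presents a publicly trusted certificate (the sibling `postgres-17-cluster` stanza talks to `nyc3.digitaloceanspaces.com`), drop `--no-check-certificate`; if it uses a private CA, set `ca_certs_file` in `.s3cfg` instead of turning verification off. `--no-check-md5` governs sync-style comparison and does essentially nothing for a single `put` of a fresh file, so it is misleading rather than harmful and can go too. Separately, the `postgres-17-cluster` block appears to leave `backup.enabled: false` next to the `recovery` section; that is fine for a one-off restore but should be flipped back once recovery has completed.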


@@ -1,30 +1,5 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: qbittorrent-auth
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: qbittorrent-auth
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: admin-password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/qbittorrent/auth
metadataPolicy: None
property: admin-password
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: qbittorrent-wireguard-conf
namespace: {{ .Release.Namespace }}
@@ -43,6 +18,6 @@ spec:
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/qbittorrent/config
key: /protonvpn/conf/cl01tl
metadataPolicy: None
property: private-key
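Review bot: Deleting the `qbittorrent-auth` ExternalSecret means the web-UI `admin-password` is no longer sourced from Vault; if the deployment values (outside this diff) still reference that secret the pod will fail to start, and if they simply stop setting a password the UI falls back to whatever the image does by default, so confirm the credential is still configured somewhere. The WireGuard `private-key` now comes from `/protonvpn/conf/cl01tl`, a path shared with the VPN provider's config rather than the app; keep the ExternalSecret pulling only `private-key` from it so the whole config is not synced into the namespace.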


@@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: qbittorrent
labels:
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
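Review bot: Enforcing the `privileged` Pod Security level on the namespace of an internet-facing torrent client removes every pod-security check for all pods scheduled there, not only the one that needs the VPN tunnel. If `privileged` is required only because a WireGuard sidecar needs `NET_ADMIN` (a capability `baseline` does not permit), keep `pod-security.kubernetes.io/enforce: privileged` but set `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline` so anything exceeding baseline is still logged and surfaced, and keep this namespace to that single workload. The presence of a WireGuard sidecar is inferred from the `qbittorrent-wireguard-conf` secret in this same commit, not from visible pod specs.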


@@ -8,6 +8,7 @@ keywords:
home: https://wiki.alexlebens.dev/doc/vault-TJ1ocQp9WB
sources:
- https://github.com/hashicorp/vault
- https://github.com/lrstanley/vault-unseal
- https://hub.docker.com/r/hashicorp/vault
- https://github.com/hashicorp/vault-helm
maintainers:
@@ -25,4 +26,4 @@ dependencies:
repository: https://bjw-s.github.io/helm-charts/
version: 3.6.1
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/vault.png
appVersion: 1.18.2
appVersion: 1.18.4


@@ -18,16 +18,16 @@ spec:
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot/approle
key: /cl01tl/vault/snapshot
metadataPolicy: None
property: role-id
property: VAULT_APPROLE_ROLE_ID
- secretKey: VAULT_APPROLE_SECRET_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot/approle
key: /cl01tl/vault/snapshot
metadataPolicy: None
property: secret-id
property: VAULT_APPROLE_SECRET_ID
---
apiVersion: external-secrets.io/v1beta1
@@ -53,20 +53,6 @@ spec:
key: /digital-ocean/home-infra/vault-backup
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/vault-backup
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ENDPOINT_URL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/vault-backup
metadataPolicy: None
property: AWS_ENDPOINT_URL
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
@@ -75,6 +61,31 @@ spec:
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-s3cmd-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-snapshot-s3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: snapshot
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: .s3cfg
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot
metadataPolicy: None
property: s3cfg
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
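Review bot: The snapshot job now receives the object-storage credential twice: `vault-snapshot-s3` still syncs `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` into the container environment, and the new `vault-s3cmd-config` mounts a complete `.s3cfg` (which normally carries `access_key`/`secret_key`) at `/root/.s3cfg`. With s3cmd reading its config file, the env copy looks redundant; dropping the `envFrom` on the backup container, or trimming `vault-snapshot-s3` to what the snapshot init container actually needs, leaves a single copy of the secret in the pod. The `s3cfg` property is also pulled from `/cl01tl/vault/snapshot`, the same Vault path as `VAULT_APPROLE_ROLE_ID`/`VAULT_APPROLE_SECRET_ID`, so one Vault policy now grants both the Vault-access credential and the bucket credential; split the paths if those should be separately grantable.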


@@ -1,26 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vault-local
name: vault-tailscale
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-local
app.kubernetes.io/name: vault-tailscale
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
# annotations:
# tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
spec:
ingressClassName: traefik
ingressClassName: tailscale
tls:
- hosts:
- vault.alexlebens.net
secretName: vault-tls-secret
- vault-cl01tl
secretName: vault-cl01tl
rules:
- host: vault.alexlebens.net
- host: vault-cl01tl
http:
paths:
- path: /


@@ -23,18 +23,20 @@ vault:
ingress:
enabled: true
annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
ingressClassName: tailscale
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
ingressClassName: traefik
pathType: Prefix
activeService: true
hosts:
- host: vault-cl01tl
- host: vault.alexlebens.net
paths:
- /
tls:
- secretName: vault-cl01tl
- secretName: vault-tls-secret
hosts:
- vault-cl01tl
- vault.alexlebens.net
route:
enabled: false
authDelegator:
@@ -74,12 +76,12 @@ vault:
targetPort: 8200
dataStorage:
enabled: true
size: 10Gi
size: 1Gi
mountPath: "/vault/data"
accessMode: ReadWriteOnce
auditStorage:
enabled: false
size: 10Gi
size: 5Gi
mountPath: "/vault/audit"
accessMode: ReadWriteOnce
dev:
@@ -179,7 +181,7 @@ snapshot:
failedJobsHistory: 3
backoffLimit: 3
parallelism: 1
containers:
initContainers:
snapshot:
image:
repository: hashicorp/vault
@@ -205,19 +207,19 @@ snapshot:
requests:
cpu: 10m
memory: 64Mi
containers:
backup:
image:
repository: amazon/aws-cli
tag: 2.23.3
repository: d3fk/s3cmd
tag: latest@sha256:ae12ef40440ee069dac63d98a3590da0e02acc56ea4f60e9e4c5353d585a9140
pullPolicy: IfNotPresent
command:
- /bin/sh
args:
- -ec
- |
until [ -f /opt/backup/vault-snapshot-s3.snap ]; do sleep 5; done;
aws s3 cp /opt/backup/vault-snapshot-s3.snap s3://cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
rm /opt/backup/vault-snapshot-s3.snap;
s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
rm -f /opt/backup/vault-snapshot-s3.snap;
envFrom:
- secretRef:
name: vault-snapshot-s3
@@ -238,6 +240,17 @@ snapshot:
backup:
- path: /opt/backup
readOnly: false
s3cmd-config:
enabled: true
type: secret
name: vault-s3cmd-config
advancedMounts:
snapshot:
backup:
- path: /root/.s3cfg
readOnly: true
mountPropagation: None
subPath: .s3cfg
unseal:
global:
fullnameOverride: vault-unseal
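Review bot: The new upload command `s3cmd put --no-check-md5 --no-check-certificate ...` turns off TLS certificate verification when shipping the Raft snapshot, which is the entire Vault backend; an on-path attacker could capture or replace it before it reaches the bucket. Unless the S3 endpoint configured in `.s3cfg` (not visible here) uses a private CA, drop `--no-check-certificate`; if it does, point `ca_certs_file` in `.s3cfg` at that CA rather than disabling verification. Because the shell runs with `-e`, the closing `rm -f` only executes after a successful `put`, so a failed upload leaves the snapshot in `/opt/backup`; if that volume persists between runs, the next run's `until [ -f ... ]` loop will happily ship the stale file. A `trap 'rm -f /opt/backup/vault-snapshot-s3.snap' EXIT` before the `until` line covers both outcomes.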


@@ -50,29 +50,29 @@ blocky:
IN NS dns2.
IN NS dns3.
dns1 IN A 192.168.1.15
dns2 IN A 192.168.1.134
dns3 IN A 192.168.1.147
dns1 IN A 10.232.1.22
dns2 IN A 10.232.1.51
dns3 IN A 10.232.1.52
;; Computer Names
nw01un IN A 192.168.1.1
nw01un IN A 192.168.1.1 ; Unifi Gateway
ps08rp IN A 192.168.1.134
ps09rp IN A 192.168.1.147
ps02sn IN A 192.168.1.55 ; Synology Web
ps02sn-bond IN A 192.168.1.194 ; Synology Bond for Storage
ps08rp IN A 10.232.1.51 ; DNS
ps09rp IN A 10.232.1.52 ; DNS
ps02sn IN A 10.232.1.61 ; Synology Web
ps02sn-bond IN A 10.232.1.64 ; Synology Bond for Storage
pd05wd IN A 192.168.1.115 ; Desktop
pl02mc IN A 192.168.1.116 ; Laptop
pd05wd IN A 10.230.0.115 ; Desktop
pl02mc IN A 10.230.0.105 ; Laptop
dv01hr IN A 192.168.1.213 ; HD Homerun
dv02kv IN A 192.168.1.57 ; Pi KVM
dv01hr IN A 10.232.1.72 ; HD Homerun
dv02kv IN A 10.232.1.71 ; Pi KVM
it01ag IN A 192.168.1.100 ; Airgradient
it02ph IN A 192.168.1.145 ; Phillips Hue
it03tb IN A 192.168.1.193 ; TubesZB ZigBee
it04tb IN A 192.168.1.135 ; TubesZB Z-Wave
it01ag IN A 10.232.1.83 ; Airgradient
it02ph IN A 10.232.1.85 ; Phillips Hue
it03tb IN A 10.232.1.81 ; TubesZB ZigBee
it04tb IN A 10.232.1.82 ; TubesZB Z-Wave
;; Common Names
synology IN CNAME ps02sn
@@ -84,16 +84,20 @@ blocky:
;; Service Names
cl01tl IN A 192.168.1.35
cl01tl IN A 192.168.1.36
cl01tl IN A 192.168.1.37
cl01tl IN A 10.232.1.11
cl01tl IN A 10.232.1.12
cl01tl IN A 10.232.1.13
cl01tl-endpoint IN A 192.168.1.15
cl01tl-endpoint IN A 192.168.1.16
cl01tl-endpoint IN A 192.168.1.17
cl01tl-api IN A 10.232.1.11
cl01tl-api IN A 10.232.1.12
cl01tl-api IN A 10.232.1.13
traefik-cl01tl IN A 192.168.1.16
blocky IN A 192.168.1.15
cl01tl-endpoint IN A 10.232.1.21
cl01tl-endpoint IN A 10.232.1.22
cl01tl-endpoint IN A 10.232.1.23
traefik-cl01tl IN A 10.232.1.21
blocky IN A 10.232.1.22
;; Application Names
@@ -174,6 +178,7 @@ blocky:
format: text
timestamp: true
privacy: false
service:
dns-external:
controller: main


@@ -14,7 +14,7 @@ maintainers:
- name: alexlebens
dependencies:
- name: cert-manager
version: v1.17.0
version: v1.17.1
repository: https://charts.jetstack.io
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/cert-manager.png
appVersion: v1.16.2


@@ -3,8 +3,8 @@ cert-manager:
enabled: true
keep: true
replicaCount: 2
extraArgs:
- --enable-gateway-api
# extraArgs:
# - --enable-gateway-api
prometheus:
enabled: true
servicemonitor:


@@ -14,7 +14,7 @@ maintainers:
- name: alexlebens
dependencies:
- name: descheduler
version: 0.32.1
version: 0.32.2
repository: https://kubernetes-sigs.github.io/descheduler/
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/kubernetes.png
appVersion: 0.31.0


@@ -1,22 +0,0 @@
apiVersion: v2
name: external-dns
version: 1.0.0
description: External DNS
keywords:
- external-dns
- dns
- unifi
- kubernetes
home: https://wiki.alexlebens.dev/doc/external-dns-Zdhuh9NAT1
sources:
- https://github.com/kubernetes-sigs/external-dns
- https://github.com/kubernetes-sigs/external-dns/tree/master/charts/external-dns
maintainers:
- name: alexlebens
dependencies:
- name: external-dns
alias: external-dns-unifi
version: 1.15.1
repository: https://kubernetes-sigs.github.io/external-dns/
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/kubernetes.png
appVersion: 1.15.0


@@ -1,160 +0,0 @@
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
name: external-device-names
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: external-device-names
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: networking
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
endpoints:
# Unifi UDM
- dnsName: unifi.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.1
# Synology Web
- dnsName: synology.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.55
# Synology Storage
- dnsName: synologybond.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.194
# HD Homerun
- dnsName: hdhr.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.213
# Pi KVM
- dnsName: pikvm.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.57
---
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
name: iot-device-names
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: iot-device-names
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: networking
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
endpoints:
# Airgradient
- dnsName: it01ag.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.100
# Phillips Hue
- dnsName: it02ph.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.57
# TubesZB ZigBee
- dnsName: it03tb.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.193
# TubesZB Z-Wave
- dnsName: it04tb.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.135
---
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
name: host-names
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: host-names
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: networking
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
endpoints:
# Surface Book 3
- dnsName: pl01wd.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.86
# Synology
- dnsName: ps02sn.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.55
# Synology Storage
- dnsName: ps02sn-bond.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.194
# Desktop
- dnsName: pd05wd.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.115
---
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
name: cluster-names
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: cluster-names
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: networking
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
endpoints:
# Control
- dnsName: cl01tl.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.35
- 192.168.1.36
- 192.168.1.37
# Workers
- dnsName: cl01tl-endpoint.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.15
- 192.168.1.16
- 192.168.1.17
# Traefik ps08rp
- dnsName: traefik-cl01tl.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 192.168.1.15
- 192.168.1.16
- 192.168.1.17


@@ -1,30 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: external-dns-unifi-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: external-dns-unifi-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: username
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /unifi/auth
metadataPolicy: None
property: user
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /unifi/auth
metadataPolicy: None
property: password


@@ -1,51 +0,0 @@
external-dns-unifi:
fullnameOverride: external-dns-unifi
serviceMonitor:
enabled: true
interval: 1m
sources:
- ingress
- crd
- gateway-httproute
- gateway-tlsroute
policy: sync
registry: txt
txtOwnerId: default
txtPrefix: k8s.
domainFilters: ["alexlebens.net"]
excludeDomains: []
provider:
name: webhook
webhook:
image:
repository: ghcr.io/kashalls/external-dns-unifi-webhook
tag: v0.4.1
env:
- name: UNIFI_HOST
value: https://192.168.1.1
- name: UNIFI_USER
valueFrom:
secretKeyRef:
name: external-dns-unifi-secret
key: username
- name: UNIFI_PASS
valueFrom:
secretKeyRef:
name: external-dns-unifi-secret
key: password
- name: LOG_LEVEL
value: debug
livenessProbe:
httpGet:
path: /healthz
port: http-webhook
initialDelaySeconds: 10
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /readyz
port: http-webhook
initialDelaySeconds: 10
timeoutSeconds: 5
extraArgs:
- --ignore-ingress-tls-spec


@@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: generic-device-plugin
labels:
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged


@@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: intel-device-plugin
labels:
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged


@@ -8,3 +8,4 @@ intel-device-plugins-gpu:
nodeSelector:
intel.feature.node.kubernetes.io/gpu: 'true'
nodeFeatureRule: false
tolerations: []


@@ -9,7 +9,7 @@ keywords:
- kubernetes
home: https://wiki.alexlebens.dev/doc/kubernetes-ddns-STOtBY6W6q
sources:
- https://github.com/kubitodev/kubernetes-cloudflare-ddns
- c
- https://hub.docker.com/r/kubitodev/kubernetes-cloudflare-ddns
- https://github.com/bjw-s/helm-charts/blob/main/charts/other/app-template/values.yaml
maintainers:
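Review bot: The entry `- c` under `sources` looks like an accidental keystroke; the rendered page does not show which side is new, but if it replaced `- https://github.com/kubitodev/kubernetes-cloudflare-ddns` the chart now lists a non-URL as a source. Restore the URL, or drop the line entirely if the entry was meant to be removed.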


@@ -18,27 +18,27 @@ spec:
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/alexlebens-net
key: /cloudflare/alexlebens.net/ddns
metadataPolicy: None
property: auth-key
property: token
- secretKey: NAME
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/alexlebens-net
key: /cloudflare/alexlebens.net/ddns
metadataPolicy: None
property: name
- secretKey: RECORD_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/alexlebens-net
key: /cloudflare/alexlebens.net/ddns
metadataPolicy: None
property: record-id
- secretKey: ZONE_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/alexlebens-net
key: /cloudflare/alexlebens.net/ddns
metadataPolicy: None
property: zone-id


@@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: node-feature-discovery
labels:
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged


@@ -3,4 +3,6 @@ kind: Namespace
metadata:
name: spegel
labels:
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged


@@ -20,4 +20,4 @@ dependencies:
version: 1.80.0
repository: https://pkgs.tailscale.com/helmcharts
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/tailscale.png
appVersion: v1.78.3
appVersion: v1.80.0


@@ -15,3 +15,5 @@ spec:
subnetRouter:
advertiseRoutes:
- 192.168.1.0/24
- 10.230.0.0/24
- 10.232.0.0/22
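Review bot: Advertising `10.232.0.0/22` over the tailnet exposes the whole new infrastructure range; per the blocky zone in this commit that includes the Pi KVM (`10.232.1.71`), the Synology storage bond (`10.232.1.64`), the cluster API addresses and the Cilium LB pool, so reachability should be narrowed with tailnet ACLs (or by advertising only the /24s that need remote access) rather than relying on the route alone. The existing `192.168.1.0/24` route is kept even though every record in this commit moves off that range; if nothing remains there, drop it so a stale route is not left advertised. The enclosing resource (presumably a tailscale `Connector`) starts outside the hunk.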


@@ -13,4 +13,4 @@ spec:
nameserver:
image:
repo: tailscale/k8s-nameserver
tag: unstable-v1.79.213
tag: unstable-v1.81.44


@@ -18,13 +18,13 @@ spec:
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/tailscale/operator/oauth
key: /tailscale/k8s-operator
metadataPolicy: None
property: clientId
- secretKey: client_secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/tailscale/operator/oauth
key: /tailscale/k8s-operator
metadataPolicy: None
property: clientSecret


@@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: tailscale-operator
labels:
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged


@@ -24,3 +24,29 @@ spec:
resources:
limits:
squat.ai/tun: "1"
---
apiVersion: tailscale.com/v1alpha1
kind: ProxyClass
metadata:
name: no-metrics
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: no-metrics
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: proxy
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
metrics:
enable: false
statefulSet:
pod:
tailscaleContainer:
resources:
limits:
squat.ai/tun: "1"
tailscaleInitContainer:
resources:
limits:
squat.ai/tun: "1"


@@ -18,4 +18,4 @@ dependencies:
version: 1.16.6
repository: https://helm.cilium.io/
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/cilium.png
appVersion: 1.16.4
appVersion: 1.16.6


@@ -11,5 +11,5 @@ metadata:
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
blocks:
- start: "192.168.1.15"
stop: "192.168.1.17"
- start: "10.232.1.21"
stop: "10.232.1.23"


@@ -1,5 +1,5 @@
metrics-server:
replicas: 2
replicas: 3
metrics:
enabled: true
serviceMonitor:


@@ -18,6 +18,6 @@ spec:
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /synology/config
key: /cl01tl/democratic-csi-synology-iscsi/config
metadataPolicy: None
property: driver-config-file.yaml


@@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: local-path-provisioner
labels:
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged


@@ -13,13 +13,13 @@ local-path-provisioner:
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
nodePathMap:
- node: talos-di4-2sr
- node: talos-5zy-00y
paths:
- /var/local-path-provisioner
- node: talos-iyl-d2a
- node: talos-6ht-r95
paths:
- /var/local-path-provisioner
- node: talos-2ok-0ky
- node: talos-q4m-8t4
paths:
- /var/local-path-provisioner
affinity:
@@ -30,9 +30,9 @@ local-path-provisioner:
- key: kubernetes.io/hostname
operator: In
values:
- talos-di4-2sr
- talos-iyl-d2a
- talos-2ok-0ky
- talos-5zy-00y
- talos-6ht-r95
- talos-q4m-8t4
configmap:
name: local-path-config
setup: |-


@@ -1,6 +1,6 @@
nfs-subdir-external-provisioner:
nfs:
server: 192.168.1.194
server: 10.232.1.64
path: /volume2/Talos
mountOptions:
- hard


@@ -16,10 +16,10 @@ maintainers:
- name: alexlebens
dependencies:
- name: rook-ceph
version: v1.16.2
version: v1.16.3
repository: https://charts.rook.io/release
- name: rook-ceph-cluster
version: v1.16.2
version: v1.16.3
repository: https://charts.rook.io/release
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/rook.png
appVersion: v1.16.0


@@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: rook-ceph
labels:
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged


@@ -1,20 +0,0 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: ceph-block-delete
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: ext4
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering,exclusive-lock,object-map,fast-diff
imageFormat: "2"
pool: ceph-blockpool
reclaimPolicy: Delete
allowVolumeExpansion: true
volumeBindingMode: Immediate


@@ -20,7 +20,7 @@ rook-ceph-cluster:
cephClusterSpec:
cephVersion:
# https://quay.io/repository/ceph/ceph?tab=tags
image: quay.io/ceph/ceph:v19.2.0-20240927
image: quay.io/ceph/ceph:v19.2.1-20250202
mon:
count: 3
mgr:
@@ -53,12 +53,12 @@ rook-ceph-cluster:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/rook-control-node
- key: node-role.kubernetes.io/rook-mon-node
operator: Exists
- key: node-role.kubernetes.io/control-plane
operator: Exists
tolerations:
- key: node-role.kubernetes.io/rook-control-node
- key: node-role.kubernetes.io/rook-mon-node
operator: Exists
- key: node-role.kubernetes.io/control-plane
operator: Exists
@@ -126,7 +126,7 @@ rook-ceph-cluster:
enabled: true
name: ceph-block
isDefault: true
reclaimPolicy: Retain
reclaimPolicy: Delete
allowVolumeExpansion: true
volumeBindingMode: "Immediate"
parameters:
@@ -143,4 +143,4 @@ rook-ceph-cluster:
enabled: true
name: ceph-blockpool-snapshot
isDefault: false
deletionPolicy: Retain
deletionPolicy: Delete
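Review bot: If `reclaimPolicy: Delete` and `deletionPolicy: Delete` are the new side here (the rendered page does not show old/new order), the default `ceph-block` StorageClass and its snapshot class now destroy the RBD image as soon as a PVC or VolumeSnapshot is deleted, removing the safety net that made an accidental `kubectl delete pvc` recoverable. This same commit also deletes the separate `ceph-block-delete` class, so there is no longer a per-workload choice; I would keep `reclaimPolicy: Retain` and `deletionPolicy: Retain` on the default class and reintroduce a non-default `ceph-block-delete` for scratch data that is safe to drop.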


@@ -9,7 +9,7 @@ audiobookshelf:
main:
image:
repository: ghcr.io/advplyr/audiobookshelf
tag: 2.19.0
tag: 2.19.2
pullPolicy: IfNotPresent
env:
- name: TZ


@@ -9,7 +9,7 @@ directus:
main:
image:
repository: directus/directus
tag: 11.4.0
tag: 11.4.1
pullPolicy: IfNotPresent
env:
- name: PUBLIC_URL


@@ -17,7 +17,7 @@ maintainers:
- name: alexlebens
dependencies:
- name: element-web
version: 1.4.1
version: 1.4.2
repository: https://ananace.gitlab.io/charts
- name: cloudflared
alias: cloudflared
