Compare commits
34 Commits
e1b98ccd3c
...
renovate/m
| Author | SHA1 | Date | |
|---|---|---|---|
64e169555e
|
|||
| 939b9c3f8c | |||
| 78043bdaab | |||
| 912cc8df6c | |||
|
7a06594947
|
|||
| 4b7cc18956 | |||
| 6cbe4bcdb3 | |||
| 01e419879d | |||
| 8486899750 | |||
|
15526181c8
|
|||
| bf24f60161 | |||
| 2eee76307a | |||
| 2a6062a62f | |||
| 0beda0a4c1 | |||
| c9bc02b831 | |||
| 0cd6ca5ea0 | |||
| df27228e11 | |||
| 5878d1eb45 | |||
| c67ee7c8e6 | |||
| c6948462cb | |||
| d0bb9edbb0 | |||
| b9d3cd7453 | |||
|
4416f2fca6
|
|||
| 651c135e15 | |||
| b9e649fa66 | |||
| ad070b5767 | |||
| acad2fa4e2 | |||
| cf3bdbe9a9 | |||
| 020a3b297d | |||
| fd8819a38b | |||
| f1d383ed9a | |||
| baf50c63b6 | |||
| 9078347d8f | |||
| 3b3832865f |
@@ -169,9 +169,10 @@ jobs:
|
||||
|
||||
echo ">> Running linting on changed charts ..."
|
||||
|
||||
for DIR in ${CHANGED_CHARTS}; do
|
||||
CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
|
||||
CHART_NAME=$(basename "${CHART_PATH}")
|
||||
lint_chart() {
|
||||
local DIR="$1"
|
||||
local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
|
||||
local CHART_NAME=$(basename "${CHART_PATH}")
|
||||
|
||||
if [ -f "${CHART_PATH}/Chart.yaml" ]; then
|
||||
echo ""
|
||||
@@ -182,15 +183,8 @@ jobs:
|
||||
echo ">> Linting helm chart ${CHART_NAME} ..."
|
||||
|
||||
if ! helm lint "${CHART_PATH}" --namespace "default"; then
|
||||
EXIT_CODE=1
|
||||
|
||||
if [ -z "${FAILED_CHARTS}" ]; then
|
||||
FAILED_CHARTS="${DIR}"
|
||||
|
||||
else
|
||||
FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
|
||||
|
||||
fi
|
||||
echo "${DIR}" > ".failed_chart_${CHART_NAME}"
|
||||
return 1
|
||||
fi
|
||||
|
||||
else
|
||||
@@ -198,8 +192,20 @@ jobs:
|
||||
echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
|
||||
|
||||
fi
|
||||
}
|
||||
|
||||
done
|
||||
export -f lint_chart
|
||||
export CLUSTER
|
||||
|
||||
for DIR in ${CHANGED_CHARTS}; do
|
||||
echo "${DIR}"
|
||||
done | xargs -P 4 -I {} bash -c 'OUT=$(lint_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
|
||||
|
||||
if ls .failed_chart_* 1> /dev/null 2>&1; then
|
||||
EXIT_CODE=1
|
||||
FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
|
||||
rm -f .failed_chart_*
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo "----"
|
||||
@@ -329,8 +335,9 @@ jobs:
|
||||
EXIT_CODE=0
|
||||
FAILED_CHARTS=""
|
||||
|
||||
for DIR in ${CHANGED_CHARTS}; do
|
||||
CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
|
||||
validate_chart() {
|
||||
local DIR="$1"
|
||||
local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
|
||||
echo ""
|
||||
echo ">> Validating: ${DIR}"
|
||||
|
||||
@@ -343,18 +350,23 @@ jobs:
|
||||
-strict \
|
||||
-summary; then
|
||||
|
||||
EXIT_CODE=1
|
||||
|
||||
if [ -z "${FAILED_CHARTS}" ]; then
|
||||
FAILED_CHARTS="${DIR}"
|
||||
|
||||
else
|
||||
FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
|
||||
|
||||
fi
|
||||
echo "${DIR}" > ".failed_chart_${DIR}"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
done
|
||||
export -f validate_chart
|
||||
export CLUSTER SCHEMA_LOCATIONS
|
||||
|
||||
for DIR in ${CHANGED_CHARTS}; do
|
||||
echo "${DIR}"
|
||||
done | xargs -P 4 -I {} bash -c 'OUT=$(validate_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
|
||||
|
||||
if ls .failed_chart_* 1> /dev/null 2>&1; then
|
||||
EXIT_CODE=1
|
||||
FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
|
||||
rm -f .failed_chart_*
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo "----"
|
||||
|
||||
@@ -19,4 +19,4 @@ dependencies:
|
||||
version: 4.6.2
|
||||
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/excalidraw.png
|
||||
# renovate: datasource=github-releases depName=excalidraw/excalidraw
|
||||
appVersion: v0.18.0
|
||||
appVersion: v0.18.1
|
||||
|
||||
@@ -13,5 +13,5 @@ spec:
|
||||
data:
|
||||
- secretKey: api-key
|
||||
remoteRef:
|
||||
key: /unifi/auth/cl01tl
|
||||
key: /unifi/users/cl01tl
|
||||
property: api-key
|
||||
|
||||
@@ -70,7 +70,7 @@ foldergram:
|
||||
forceRename: foldergram-data
|
||||
storageClass: synology-iscsi-delete
|
||||
accessMode: ReadWriteOnce
|
||||
size: 250Gi
|
||||
size: 500Gi
|
||||
advancedMounts:
|
||||
main:
|
||||
main:
|
||||
|
||||
@@ -213,7 +213,7 @@ gitea-actions:
|
||||
registry: docker.io
|
||||
repository: docker
|
||||
# renovate: datasource=docker depName=docker
|
||||
tag: 29.4.0-dind@sha256:f80c26212befc1c1988b529495532c6b9180d9b1dab1611f4a1efbe9da8ec821
|
||||
tag: 29.4.1-dind@sha256:c77e5d7912f9b137cc67051fdc2991d8f5ae22c55ddf532bb836dcb693a04940
|
||||
extraVolumeMounts:
|
||||
- name: docker-vol
|
||||
mountPath: /var/lib/docker
|
||||
|
||||
@@ -28,4 +28,4 @@ dependencies:
|
||||
repository: oci://harbor.alexlebens.net/helm-charts
|
||||
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/grimmory.png
|
||||
# renovate: datasource=github-releases depName=grimmory-tools/grimmory
|
||||
appVersion: v2.3.0
|
||||
appVersion: v3.0.0
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: grimmory-database-config
|
||||
name: grimmory-database-secret
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: grimmory-database-config
|
||||
app.kubernetes.io/name: grimmory-database-secret
|
||||
{{- include "custom.labels" . | nindent 4 }}
|
||||
spec:
|
||||
secretStoreRef:
|
||||
@@ -33,11 +33,11 @@ spec:
|
||||
- secretKey: access
|
||||
remoteRef:
|
||||
key: /digital-ocean/home-infra/mariadb-backups
|
||||
property: access
|
||||
property: AWS_ACCESS_KEY_ID
|
||||
- secretKey: secret
|
||||
remoteRef:
|
||||
key: /digital-ocean/home-infra/mariadb-backups
|
||||
property: secret
|
||||
property: AWS_SECRET_ACCESS_KEY
|
||||
|
||||
---
|
||||
apiVersion: external-secrets.io/v1
|
||||
|
||||
@@ -12,7 +12,7 @@ grimmory:
|
||||
main:
|
||||
image:
|
||||
repository: ghcr.io/grimmory-tools/grimmory
|
||||
tag: v2.3.0@sha256:9014247f591074529894f81115ca40f899db697e89f72c2fe91ec530e3f19597
|
||||
tag: v3.0.0@sha256:0130c338d4c1186f2f6b6acdc4a7ee56388dfdab9cb0b9a23ac0fc91b79e7d75
|
||||
env:
|
||||
- name: TZ
|
||||
value: America/Chicago
|
||||
@@ -27,7 +27,7 @@ grimmory:
|
||||
- name: DATABASE_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: grimmory-database-config
|
||||
name: grimmory-database-secret
|
||||
key: password
|
||||
- name: GRIMMORY_PORT
|
||||
value: 6060
|
||||
@@ -98,7 +98,7 @@ mariadb-cluster:
|
||||
mariadb:
|
||||
rootPasswordSecretKeyRef:
|
||||
generate: false
|
||||
name: grimmory-database-config
|
||||
name: grimmory-database-secret
|
||||
key: password
|
||||
storage:
|
||||
size: 5Gi
|
||||
|
||||
@@ -21,5 +21,5 @@ spec:
|
||||
property: user
|
||||
- secretKey: password
|
||||
remoteRef:
|
||||
key: /cl01tl/jellystat/cconfig
|
||||
key: /cl01tl/jellystat/config
|
||||
property: password
|
||||
|
||||
@@ -13,7 +13,7 @@ spec:
|
||||
data:
|
||||
- secretKey: ntfy_password
|
||||
remoteRef:
|
||||
key: / cl01tl/ntfy/users/cl01tl
|
||||
key: /cl01tl/ntfy/users/cl01tl
|
||||
property: password
|
||||
|
||||
---
|
||||
|
||||
@@ -26,4 +26,4 @@ dependencies:
|
||||
repository: oci://harbor.alexlebens.net/helm-charts
|
||||
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/libation.png
|
||||
# renovate: datasource=github-releases depName=rmcrackan/Libation
|
||||
appVersion: 13.3.4
|
||||
appVersion: 13.3.5
|
||||
|
||||
@@ -12,7 +12,7 @@ libation:
|
||||
main:
|
||||
image:
|
||||
repository: rmcrackan/libation
|
||||
tag: 13.3.4@sha256:eb0357e8a880ed0049dffd2a99a9d2eda322ed33b3b9e16f4fb93eb15275f396
|
||||
tag: 13.3.5@sha256:fcfeaa406a3567e3de89d85bf761d17868029c6e8a127922672770cb812b9be8
|
||||
env:
|
||||
- name: SLEEP_TIME
|
||||
value: "-1"
|
||||
|
||||
@@ -16,22 +16,102 @@ spec:
|
||||
fileName: config.yaml
|
||||
secretPath: secret/data/cl01tl/matrix-synapse/config
|
||||
secretKey: config.yaml
|
||||
|
||||
---
|
||||
apiVersion: secrets-store.csi.x-k8s.io/v1
|
||||
kind: SecretProviderClass
|
||||
metadata:
|
||||
name: matrix-synapse-oidc-config
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: matrix-synapse-oidc-config
|
||||
{{- include "custom.labels" . | nindent 4 }}
|
||||
spec:
|
||||
provider: openbao
|
||||
parameters:
|
||||
baoAddress: "http://openbao-internal.openbao:8200"
|
||||
roleName: matrix-synapse
|
||||
objects: |
|
||||
- objectName: oidc.yaml
|
||||
fileName: oidc.yaml
|
||||
secretPath: secret/data/cl01tl/matrix-synapse/config
|
||||
secretKey: oidc.yaml
|
||||
|
||||
---
|
||||
apiVersion: secrets-store.csi.x-k8s.io/v1
|
||||
kind: SecretProviderClass
|
||||
metadata:
|
||||
name: matrix-synapse-hookshot-config
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: matrix-synapse-hookshot-config
|
||||
{{- include "custom.labels" . | nindent 4 }}
|
||||
spec:
|
||||
provider: openbao
|
||||
parameters:
|
||||
baoAddress: "http://openbao-internal.openbao:8200"
|
||||
roleName: matrix-synapse
|
||||
objects: |
|
||||
- objectName: hookshot-registration.yaml
|
||||
fileName: hookshot-registration.yaml
|
||||
secretPath: secret/data/cl01tl/matrix-synapse/hookshot
|
||||
secretKey: hookshot-registration.yaml
|
||||
|
||||
---
|
||||
apiVersion: secrets-store.csi.x-k8s.io/v1
|
||||
kind: SecretProviderClass
|
||||
metadata:
|
||||
name: matrix-synapse-mautrix-discord-config
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: matrix-synapse-mautrix-discord-config
|
||||
{{- include "custom.labels" . | nindent 4 }}
|
||||
spec:
|
||||
provider: openbao
|
||||
parameters:
|
||||
baoAddress: "http://openbao-internal.openbao:8200"
|
||||
roleName: matrix-synapse
|
||||
objects: |
|
||||
- objectName: mautrix-discord-registration.yaml
|
||||
fileName: mautrix-discord-registration.yaml
|
||||
secretPath: secret/data/cl01tl/matrix-synapse/mautrix-discord
|
||||
secretKey: mautrix-discord-registration.yaml
|
||||
|
||||
---
|
||||
apiVersion: secrets-store.csi.x-k8s.io/v1
|
||||
kind: SecretProviderClass
|
||||
metadata:
|
||||
name: matrix-synapse-mautrix-whatsapp-config
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: matrix-synapse-mautrix-whatsapp-config
|
||||
{{- include "custom.labels" . | nindent 4 }}
|
||||
spec:
|
||||
provider: openbao
|
||||
parameters:
|
||||
baoAddress: "http://openbao-internal.openbao:8200"
|
||||
roleName: matrix-synapse
|
||||
objects: |
|
||||
- objectName: mautrix-whatsapp-registration.yaml
|
||||
fileName: mautrix-whatsapp-registration.yaml
|
||||
secretPath: secret/data/cl01tl/matrix-synapse/mautrix-whatsapp
|
||||
secretKey: mautrix-whatsapp-registration.yaml
|
||||
|
||||
---
|
||||
apiVersion: secrets-store.csi.x-k8s.io/v1
|
||||
kind: SecretProviderClass
|
||||
metadata:
|
||||
name: matrix-synapse-double-puppet-config
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: matrix-synapse-double-puppet-config
|
||||
{{- include "custom.labels" . | nindent 4 }}
|
||||
spec:
|
||||
provider: openbao
|
||||
parameters:
|
||||
baoAddress: "http://openbao-internal.openbao:8200"
|
||||
roleName: matrix-synapse
|
||||
objects: |
|
||||
- objectName: double-puppet-registration.yaml
|
||||
fileName: double-puppet-registration.yaml
|
||||
secretPath: secret/data/cl01tl/matrix-synapse/double-puppet
|
||||
|
||||
@@ -43,11 +43,67 @@ matrix-synapse:
|
||||
readOnly: true
|
||||
volumeAttributes:
|
||||
secretProviderClass: matrix-synapse-config
|
||||
- name: oidc-config
|
||||
csi:
|
||||
driver: secrets-store.csi.k8s.io
|
||||
readOnly: true
|
||||
volumeAttributes:
|
||||
secretProviderClass: matrix-synapse-oidc-config
|
||||
- name: hookshot-config
|
||||
csi:
|
||||
driver: secrets-store.csi.k8s.io
|
||||
readOnly: true
|
||||
volumeAttributes:
|
||||
secretProviderClass: matrix-synapse-hookshot-config
|
||||
- name: mautrix-discord-config
|
||||
csi:
|
||||
driver: secrets-store.csi.k8s.io
|
||||
readOnly: true
|
||||
volumeAttributes:
|
||||
secretProviderClass: matrix-synapse-mautrix-discord-config
|
||||
- name: mautrix-whatsapp-config
|
||||
csi:
|
||||
driver: secrets-store.csi.k8s.io
|
||||
readOnly: true
|
||||
volumeAttributes:
|
||||
secretProviderClass: matrix-synapse-mautrix-whatsapp-config
|
||||
- name: double-puppet-config
|
||||
csi:
|
||||
driver: secrets-store.csi.k8s.io
|
||||
readOnly: true
|
||||
volumeAttributes:
|
||||
secretProviderClass: matrix-synapse-double-puppet-config
|
||||
extraVolumeMounts:
|
||||
- name: config
|
||||
mountPath: /synapse/config/conf.d
|
||||
mountPath: /synapse/config/conf.d/config.yaml
|
||||
mountPropagation: None
|
||||
readOnly: true
|
||||
subPath: config.yaml
|
||||
- name: oidc-config
|
||||
mountPath: /synapse/config/conf.d/oidc.yaml
|
||||
mountPropagation: None
|
||||
readOnly: true
|
||||
subPath: oidc.yaml
|
||||
- name: hookshot-config
|
||||
mountPath: /synapse/config/conf.d/hookshot-registration.yaml
|
||||
mountPropagation: None
|
||||
readOnly: true
|
||||
subPath: hookshot-registration.yaml
|
||||
- name: mautrix-discord-config
|
||||
mountPath: /synapse/config/conf.d/mautrix-discord-registration.yaml
|
||||
mountPropagation: None
|
||||
readOnly: true
|
||||
subPath: mautrix-discord-registration.yaml
|
||||
- name: mautrix-whatsapp-config
|
||||
mountPath: /synapse/config/conf.d/mautrix-whatsapp-registration.yaml
|
||||
mountPropagation: None
|
||||
readOnly: true
|
||||
subPath: mautrix-whatsapp-registration.yaml
|
||||
- name: double-puppet-config
|
||||
mountPath: /synapse/config/conf.d/double-puppet-registration.yaml
|
||||
mountPropagation: None
|
||||
readOnly: true
|
||||
subPath: double-puppet-registration.yaml
|
||||
resources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
@@ -118,6 +174,8 @@ matrix-hookshot:
|
||||
type: deployment
|
||||
replicas: 1
|
||||
strategy: Recreate
|
||||
serviceAccount:
|
||||
name: matrix-synapse
|
||||
containers:
|
||||
main:
|
||||
image:
|
||||
|
||||
@@ -127,7 +127,7 @@ ollama:
|
||||
- name: WEBUI_SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ollama-key
|
||||
name: open-webui-key
|
||||
key: key
|
||||
- name: DATABASE_URL
|
||||
valueFrom:
|
||||
|
||||
@@ -19,7 +19,7 @@ maintainers:
|
||||
- name: alexlebens
|
||||
dependencies:
|
||||
- name: openbao
|
||||
version: 0.27.1
|
||||
version: 0.27.2
|
||||
repository: https://openbao.github.io/openbao-helm
|
||||
- name: app-template
|
||||
alias: unseal
|
||||
|
||||
@@ -9,7 +9,7 @@ metadata:
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: vault
|
||||
name: openbao
|
||||
data:
|
||||
- secretKey: AWS_ACCESS_KEY_ID
|
||||
remoteRef:
|
||||
@@ -40,24 +40,20 @@ metadata:
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: vault
|
||||
name: openbao
|
||||
data:
|
||||
- secretKey: ENVIRONMENT
|
||||
remoteRef:
|
||||
key: /cl01tl/openbao/unseal
|
||||
property: ENVIRONMENT
|
||||
property: environment
|
||||
- secretKey: NODES
|
||||
remoteRef:
|
||||
key: /cl01tl/openbao/unseal
|
||||
property: NODES
|
||||
property: nodes
|
||||
- secretKey: TOKENS
|
||||
remoteRef:
|
||||
key: /cl01tl/openbao/unseal
|
||||
property: TOKENS_1
|
||||
- secretKey: NOTIFY_QUEUE_URLS
|
||||
remoteRef:
|
||||
key: /cl01tl/openbao/unseal
|
||||
property: NOTIFY_QUEUE_URLS
|
||||
property: tokens-1
|
||||
|
||||
---
|
||||
apiVersion: external-secrets.io/v1
|
||||
@@ -71,24 +67,20 @@ metadata:
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: vault
|
||||
name: openbao
|
||||
data:
|
||||
- secretKey: ENVIRONMENT
|
||||
remoteRef:
|
||||
key: /cl01tl/openbao/unseal
|
||||
property: ENVIRONMENT
|
||||
property: environment
|
||||
- secretKey: NODES
|
||||
remoteRef:
|
||||
key: /cl01tl/openbao/unseal
|
||||
property: NODES
|
||||
property: nodes
|
||||
- secretKey: TOKENS
|
||||
remoteRef:
|
||||
key: /cl01tl/openbao/unseal
|
||||
property: TOKENS_2
|
||||
- secretKey: NOTIFY_QUEUE_URLS
|
||||
remoteRef:
|
||||
key: /cl01tl/openbao/unseal
|
||||
property: NOTIFY_QUEUE_URLS
|
||||
property: tokens-2
|
||||
|
||||
---
|
||||
apiVersion: external-secrets.io/v1
|
||||
@@ -102,61 +94,46 @@ metadata:
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: vault
|
||||
name: openbao
|
||||
data:
|
||||
- secretKey: ENVIRONMENT
|
||||
remoteRef:
|
||||
key: /cl01tl/openbao/unseal
|
||||
property: ENVIRONMENT
|
||||
property: environment
|
||||
- secretKey: NODES
|
||||
remoteRef:
|
||||
key: /cl01tl/openbao/unseal
|
||||
property: NODES
|
||||
property: nodes
|
||||
- secretKey: TOKENS
|
||||
remoteRef:
|
||||
key: /cl01tl/openbao/unseal
|
||||
property: TOKENS_3
|
||||
- secretKey: NOTIFY_QUEUE_URLS
|
||||
remoteRef:
|
||||
key: /cl01tl/openbao/unseal
|
||||
property: NOTIFY_QUEUE_URLS
|
||||
property: tokens-3
|
||||
|
||||
# ---
|
||||
# apiVersion: external-secrets.io/v1
|
||||
# kind: ExternalSecret
|
||||
# metadata:
|
||||
# name: openbao-token
|
||||
# namespace: {{ .Release.Namespace }}
|
||||
# labels:
|
||||
# app.kubernetes.io/name: openbao-token
|
||||
# app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
# app.kubernetes.io/part-of: {{ .Release.Name }}
|
||||
# spec:
|
||||
# secretStoreRef:
|
||||
# kind: ClusterSecretStore
|
||||
# name: openbao
|
||||
# data:
|
||||
# - secretKey: token
|
||||
# remoteRef:
|
||||
# key: /cl01tl/openbao/token
|
||||
# property: token
|
||||
# - secretKey: unseal_key_1
|
||||
# remoteRef:
|
||||
# key: /cl01tl/openbao/token
|
||||
# property: unseal_key_1
|
||||
# - secretKey: unseal_key_2
|
||||
# remoteRef:
|
||||
# key: /cl01tl/openbao/token
|
||||
# property: unseal_key_2
|
||||
# - secretKey: unseal_key_3
|
||||
# remoteRef:
|
||||
# key: /cl01tl/openbao/token
|
||||
# property: unseal_key_3
|
||||
# - secretKey: unseal_key_4
|
||||
# remoteRef:
|
||||
# key: /cl01tl/openbao/token
|
||||
# property: unseal_key_4
|
||||
# - secretKey: unseal_key_5
|
||||
# remoteRef:
|
||||
# key: /cl01tl/openbao/token
|
||||
# property: unseal_key_5
|
||||
---
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: openbao-ntfy-unseal-config
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: openbao-ntfy-unseal-config
|
||||
{{- include "custom.labels" . | nindent 4 }}
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: openbao
|
||||
target:
|
||||
template:
|
||||
mergePolicy: Merge
|
||||
engineVersion: v2
|
||||
data:
|
||||
NOTIFY_QUEUE_URLS: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}/?priority=4&tags=vault,unseal&title=Vault+Unsealed"
|
||||
data:
|
||||
- secretKey: endpoint
|
||||
remoteRef:
|
||||
key: /cl01tl/ntfy/users/cl01tl
|
||||
property: internal-endpoint-credential
|
||||
- secretKey: topic
|
||||
remoteRef:
|
||||
key: /cl01tl/ntfy/topics
|
||||
property: openbao
|
||||
|
||||
@@ -160,6 +160,8 @@ unseal:
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: openbao-unseal-config-1
|
||||
- secretRef:
|
||||
name: openbao-ntfy-unseal-config
|
||||
resources:
|
||||
requests:
|
||||
cpu: 1m
|
||||
@@ -176,6 +178,8 @@ unseal:
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: openbao-unseal-config-2
|
||||
- secretRef:
|
||||
name: openbao-ntfy-unseal-config
|
||||
resources:
|
||||
requests:
|
||||
cpu: 1m
|
||||
@@ -192,6 +196,8 @@ unseal:
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: openbao-unseal-config-3
|
||||
- secretRef:
|
||||
name: openbao-ntfy-unseal-config
|
||||
resources:
|
||||
requests:
|
||||
cpu: 1m
|
||||
|
||||
@@ -55,5 +55,5 @@ spec:
|
||||
data:
|
||||
- secretKey: PAPERLESS_SOCIALACCOUNT_PROVIDERS
|
||||
remoteRef:
|
||||
key: /authentik/oidc/paperless-ngx
|
||||
key: /cl01tl/authentik/oidc/paperless-ngx
|
||||
property: PAPERLESS_SOCIALACCOUNT_PROVIDERS
|
||||
|
||||
@@ -71,9 +71,9 @@ qbittorrent:
|
||||
name: protonvpn-wireguard-conf
|
||||
key: private-key
|
||||
- name: FIREWALL_OUTBOUND_SUBNETS
|
||||
value: 192.168.1.0/24,10.244.0.0/16
|
||||
value: 192.168.1.0/24,10.0.0.0/8
|
||||
- name: FIREWALL_INPUT_PORTS
|
||||
value: 5030,50300
|
||||
value: 8080,9022
|
||||
- name: VPN_PORT_FORWARDING
|
||||
value: 'on'
|
||||
- name: VPN_PORT_FORWARDING_UP_COMMAND
|
||||
|
||||
@@ -44,7 +44,7 @@ metadata:
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: vault
|
||||
name: openbao
|
||||
data:
|
||||
- secretKey: ACCESS_KEY_ID
|
||||
remoteRef:
|
||||
@@ -79,7 +79,7 @@ metadata:
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: vault
|
||||
name: openbao
|
||||
data:
|
||||
- secretKey: ACCESS_KEY_ID
|
||||
remoteRef:
|
||||
@@ -114,7 +114,7 @@ metadata:
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: vault
|
||||
name: openbao
|
||||
data:
|
||||
- secretKey: ACCESS_KEY_ID
|
||||
remoteRef:
|
||||
@@ -149,7 +149,7 @@ metadata:
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: vault
|
||||
name: openbao
|
||||
data:
|
||||
- secretKey: ACCESS_KEY_ID
|
||||
remoteRef:
|
||||
@@ -184,7 +184,7 @@ metadata:
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: vault
|
||||
name: openbao
|
||||
data:
|
||||
- secretKey: ACCESS_KEY_ID
|
||||
remoteRef:
|
||||
|
||||
@@ -9,7 +9,7 @@ metadata:
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: vault
|
||||
name: openbao
|
||||
data:
|
||||
- secretKey: metrics-password
|
||||
remoteRef:
|
||||
|
||||
@@ -73,7 +73,7 @@ slskd:
|
||||
name: protonvpn-wireguard-conf
|
||||
key: private-key
|
||||
- name: FIREWALL_OUTBOUND_SUBNETS
|
||||
value: 192.168.1.0/24,10.244.0.0/16
|
||||
value: 192.168.1.0/24,10.0.0.0/8
|
||||
- name: FIREWALL_INPUT_PORTS
|
||||
value: 5030,50300
|
||||
- name: DNS_UPSTREAM_RESOLVER_TYPE
|
||||
|
||||
@@ -62,7 +62,7 @@ tubearchivist:
|
||||
name: protonvpn-wireguard-conf
|
||||
key: private-key
|
||||
- name: FIREWALL_OUTBOUND_SUBNETS
|
||||
value: 192.168.1.0/24,10.244.0.0/16
|
||||
value: 192.168.1.0/24,10.0.0.0/8
|
||||
- name: FIREWALL_INPUT_PORTS
|
||||
value: 80,8000,24000
|
||||
- name: DNS_UPSTREAM_RESOLVER_TYPE
|
||||
|
||||
@@ -1,5 +1,24 @@
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: vault-token
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: vault-token
|
||||
{{- include "custom.labels" . | nindent 4 }}
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: openbao
|
||||
data:
|
||||
- secretKey: token
|
||||
remoteRef:
|
||||
key: /cl01tl/vault/token
|
||||
property: root
|
||||
|
||||
---
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: vault-snapshot-agent-role
|
||||
namespace: {{ .Release.Namespace }}
|
||||
@@ -74,7 +93,7 @@ spec:
|
||||
data:
|
||||
- secretKey: BUCKET
|
||||
remoteRef:
|
||||
key: /digital-ocean/home-infra/vault-backup
|
||||
key: /digital-ocean/home-infra/vault-backups
|
||||
property: BUCKET_PATH
|
||||
|
||||
---
|
||||
@@ -174,12 +193,12 @@ spec:
|
||||
data:
|
||||
- secretKey: NTFY_TOKEN
|
||||
remoteRef:
|
||||
key: /ntfy/user/cl01tl
|
||||
key: /cl01tl/ntfy/users/cl01tl
|
||||
property: token
|
||||
- secretKey: NTFY_ENDPOINT
|
||||
remoteRef:
|
||||
key: /ntfy/user/cl01tl
|
||||
property: endpoint
|
||||
key: /cl01tl/ntfy/config
|
||||
property: internal-endpoint
|
||||
- secretKey: NTFY_TOPIC
|
||||
remoteRef:
|
||||
key: /cl01tl/ntfy/topics
|
||||
|
||||
@@ -14,7 +14,7 @@ spec:
|
||||
- secretKey: SECRET
|
||||
remoteRef:
|
||||
key: /cl01tl/yamtrack/config
|
||||
property: SECRET
|
||||
property: secret
|
||||
|
||||
---
|
||||
apiVersion: external-secrets.io/v1
|
||||
|
||||
Reference in New Issue
Block a user