5 Commits

Author SHA1 Message Date
7f07d1a373 add vaultwarden 2025-03-03 18:31:18 -06:00
ed76743643 add tubearchivist 2025-03-03 18:30:28 -06:00
c4497ab846 add roundcube 2025-03-03 18:28:31 -06:00
103fa63fc3 add tdarr 2025-03-03 18:26:03 -06:00
b894b81689 add tautulli 2025-03-03 18:24:15 -06:00
24 changed files with 1331 additions and 6 deletions


@@ -207,7 +207,7 @@ roundcube:
mountPropagation: None
subPath: default.conf
postgres-17-cluster:
mode: recovery
mode: standalone
cluster:
walStorage:
storageClass: local-path
@@ -215,12 +215,8 @@ postgres-17-cluster:
storageClass: local-path
monitoring:
enabled: true
recovery:
endpointURL: https://nyc3.digitaloceanspaces.com
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/roundcube/roundcube-postgresql-17-cluster
endpointCredentials: roundcube-postgresql-17-cluster-backup-secret
backup:
enabled: false
enabled: true
endpointURL: https://nyc3.digitaloceanspaces.com
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/roundcube/roundcube-postgresql-17-cluster
endpointCredentials: roundcube-postgresql-17-cluster-backup-secret
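Review bot: `backup.enabled: true` now archives to the same `destinationPath` that the removed `recovery` block was reading from, and no `backupIndex` appears in the visible lines. If this chart wraps CloudNativePG's Barman object store (the keys suggest it, but the chart is not on this page), a cluster can refuse to archive WAL into a non-empty path, leaving the mail database without a working backup even though the flag says enabled. The vaultwarden values added in this same commit set `backupIndex: 3` next to `recoveryIndex: 2`; consider an explicit `backupIndex` here too and confirm that the first backup actually completes. The `postgres-17-cluster` block starts above the first hunk, so chart defaults outside the hunk may already cover this.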


@@ -0,0 +1,21 @@
apiVersion: v2
name: tautulli
version: 1.0.0
description: Tautulli
keywords:
- tautulli
- plex
home: https://wiki.alexlebens.dev/doc/tautulli-7FKi7SM33K
sources:
- https://github.com/Tautulli/Tautulli
- https://github.com/Tautulli/Tautulli/pkgs/container/tautulli
- https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: tautulli
repository: https://bjw-s.github.io/helm-charts/
version: 3.7.1
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/tautulli.png
appVersion: v2.15.0
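Review bot: `appVersion: v2.15.0` does not match the image this chart deploys (`tag: v2.15.1` in the tautulli values file of this commit), so the `app.kubernetes.io/version` label rendered from `.Chart.AppVersion` reports the wrong release. That label is what an inventory or vulnerability review reads to decide whether a workload is on a patched version. The same drift shows in the tdarr (`2.27.02` vs `2.35.02`), tubearchivist (`v0.4.11` vs `v0.4.13`) and vaultwarden (`1.32.6` vs `1.33.2`) charts. Set each to the deployed tag, here `appVersion: v2.15.1`.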


@@ -0,0 +1,57 @@
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: tautulli-config-backup-secret
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: tautulli-config-backup-secret
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: backup
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# target:
# template:
# mergePolicy: Merge
# engineVersion: v2
# data:
# RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/tautulli/tautulli-config"
# data:
# - secretKey: BUCKET_ENDPOINT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/volsync/restic/config
# metadataPolicy: None
# property: S3_BUCKET_ENDPOINT
# - secretKey: RESTIC_PASSWORD
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/volsync/restic/config
# metadataPolicy: None
# property: RESTIC_PASSWORD
# - secretKey: AWS_DEFAULT_REGION
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/volsync/restic/config
# metadataPolicy: None
# property: AWS_DEFAULT_REGION
# - secretKey: AWS_ACCESS_KEY_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/volsync-backups
# metadataPolicy: None
# property: access_key
# - secretKey: AWS_SECRET_ACCESS_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/volsync-backups
# metadataPolicy: None
# property: secret_key


@@ -0,0 +1,30 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-tautulli
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-tautulli
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- tautulli.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: tautulli
port: 80
weight: 100
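Review bot: `parentRefs` names `traefik-gateway` without a `sectionName`, so the route attaches to every listener on that Gateway that admits it, including a plain-HTTP listener if one exists (the Gateway definition is not on this page). Tautulli's login and session traffic would then also be reachable in cleartext on `tautulli.alexlebens.net`. Pin the route to the TLS listener with `sectionName: <https-listener-name>` (placeholder; use the listener name from the Gateway). The tdarr and tubearchivist HTTPRoutes in this commit have the same shape.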


@@ -0,0 +1,27 @@
# apiVersion: volsync.backube/v1alpha1
# kind: ReplicationSource
# metadata:
# name: tautulli-config-backup-source
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: tautulli-config-backup-source
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: backup
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# sourcePVC: tautulli-config
# trigger:
# schedule: 0 0 */3 * *
# restic:
# pruneIntervalDays: 14
# repository: tautulli-config-backup-secret
# retain:
# hourly: 1
# daily: 1
# weekly: 1
# monthly: 2
# yearly: 4
# copyMethod: Snapshot
# storageClassName: ceph-block
# volumeSnapshotClassName: ceph-blockpool-snapshot


@@ -0,0 +1,149 @@
tautulli:
controllers:
main:
type: deployment
annotations:
reloader.stakater.com/auto: "true"
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/tautulli/tautulli
tag: v2.15.1
pullPolicy: IfNotPresent
env:
- name: PUID
value: 1001
- name: GUID
value: 1001
- name: TZ
value: US/Central
resources:
requests:
cpu: 10m
memory: 128Mi
serviceAccount:
create: true
configMaps:
scripts:
enabled: true
data:
select_tmdb_poster.py: |
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
Description: Selects the default TMDB poster if no poster is selected
or the current poster is from Gracenote.
Author: /u/SwiftPanda16
Requires: plexapi
Usage:
* Change the posters for an entire library:
python select_tmdb_poster.py --library "Movies"
* Change the poster for a specific item:
python select_tmdb_poster.py --rating_key 1234
* By default locked posters are skipped. To update locked posters:
python select_tmdb_poster.py --library "Movies" --include_locked
Tautulli script trigger:
* Notify on recently added
Tautulli script conditions:
* Filter which media to select the poster. Examples:
[ Media Type | is | movie ]
Tautulli script arguments:
* Recently Added:
--rating_key {rating_key}
'''
import argparse
import os
import plexapi.base
from plexapi.server import PlexServer
plexapi.base.USER_DONT_RELOAD_FOR_KEYS.add('fields')
# Environmental Variables
PLEX_URL = os.getenv('PLEX_URL')
PLEX_TOKEN = os.getenv('PLEX_TOKEN')
def select_tmdb_poster_library(library, include_locked=False):
for item in library.all(includeGuids=False):
# Only reload for fields
item.reload(**{k: 0 for k, v in item._INCLUDES.items()})
select_tmdb_poster_item(item, include_locked=include_locked)
def select_tmdb_poster_item(item, include_locked=False):
if item.isLocked('thumb') and not include_locked: # PlexAPI 4.5.10
print(f"Locked poster for {item.title}. Skipping.")
return
posters = item.posters()
selected_poster = next((p for p in posters if p.selected), None)
if selected_poster is None:
print(f"WARNING: No poster selected for {item.title}.")
else:
skipping = ' Skipping.' if selected_poster.provider != 'gracenote' else ''
print(f"Poster provider is '{selected_poster.provider}' for {item.title}.{skipping}")
if posters and (selected_poster is None or selected_poster.provider == 'gracenote'):
# Fallback to first poster if no TMDB posters are available
tmdb_poster = next((p for p in posters if p.provider == 'tmdb'), posters[0])
# Selecting the poster automatically locks it
tmdb_poster.select()
print(f"Selected {tmdb_poster.provider} poster for {item.title}.")
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('--rating_key', type=int)
parser.add_argument('--library')
parser.add_argument('--include_locked', action='store_true')
opts = parser.parse_args()
plex = PlexServer(PLEX_URL, PLEX_TOKEN)
if opts.rating_key:
item = plex.fetchItem(opts.rating_key)
select_tmdb_poster_item(item, opts.include_locked)
elif opts.library:
library = plex.library.section(opts.library)
select_tmdb_poster_library(library, opts.include_locked)
else:
print("No --rating_key or --library specified. Exiting.")
service:
main:
controller: main
ports:
http:
port: 80
targetPort: 8181
protocol: HTTP
persistence:
config:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 5Gi
retain: true
advancedMounts:
main:
main:
- path: /config
readOnly: false
scripts:
enabled: true
type: configMap
name: tautulli-scripts
advancedMounts:
main:
main:
- path: /config/scripts/select_tmdb_poster.py
readOnly: true
mountPropagation: None
subPath: select_tmdb_poster.py
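Review bot: The env entry `GUID` under `containers.main.env` looks like a typo for `PGID` (the tdarr values in this same commit use `PUID`/`PGID`), so the group id is probably never applied and files under `/config` may be owned by whatever group the image defaults to. Both values are also bare integers (`value: 1001`) where tdarr quotes them; Kubernetes env values must be strings, so unless app-template stringifies them the rendered manifest can be rejected. Suggested: `- name: PGID` with `value: "1001"`, and `value: "1001"` for `PUID`. Separately, the embedded script reads `PLEX_URL` and `PLEX_TOKEN` via `os.getenv`, but nothing in this file supplies them; when they are wired up, take the token from a Secret reference rather than a literal in values.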


@@ -0,0 +1,29 @@
apiVersion: v2
name: tdarr
version: 1.0.0
description: Tdarr
keywords:
- tdarr
- video
- transcode
- healthchecks
home: https://wiki.alexlebens.dev/doc/tdarr-DlUb9r2tdL
sources:
- https://github.com/HaveAGitGat/Tdarr
- https://github.com/homeylab/tdarr-exporter
- https://github.com/haveagitgat/Tdarr/pkgs/container/tdarr
- https://hub.docker.com/r/homeylab/tdarr-exporter
- https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
- https://github.com/homeylab/helm-charts/tree/main/charts/tdarr-exporter
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: tdarr
repository: https://bjw-s.github.io/helm-charts/
version: 3.7.1
- name: tdarr-exporter
version: 1.1.7
repository: https://homeylab.github.io/helm-charts/
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/tdarr.png
appVersion: 2.27.02


@@ -0,0 +1,116 @@
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: tdarr-config-backup-secret
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: tdarr-config-backup-secret
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: backup
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# target:
# template:
# mergePolicy: Merge
# engineVersion: v2
# data:
# RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/tdarr/tdarr-config"
# data:
# - secretKey: BUCKET_ENDPOINT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/volsync/restic/config
# metadataPolicy: None
# property: S3_BUCKET_ENDPOINT
# - secretKey: RESTIC_PASSWORD
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/volsync/restic/config
# metadataPolicy: None
# property: RESTIC_PASSWORD
# - secretKey: AWS_DEFAULT_REGION
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/volsync/restic/config
# metadataPolicy: None
# property: AWS_DEFAULT_REGION
# - secretKey: AWS_ACCESS_KEY_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/volsync-backups
# metadataPolicy: None
# property: access_key
# - secretKey: AWS_SECRET_ACCESS_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/volsync-backups
# metadataPolicy: None
# property: secret_key
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: tdarr-server-backup-secret
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: tdarr-server-backup-secret
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: backup
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# target:
# template:
# mergePolicy: Merge
# engineVersion: v2
# data:
# RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/tdarr/tdarr-server"
# data:
# - secretKey: BUCKET_ENDPOINT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/volsync/restic/config
# metadataPolicy: None
# property: S3_BUCKET_ENDPOINT
# - secretKey: RESTIC_PASSWORD
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/volsync/restic/config
# metadataPolicy: None
# property: RESTIC_PASSWORD
# - secretKey: AWS_DEFAULT_REGION
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/volsync/restic/config
# metadataPolicy: None
# property: AWS_DEFAULT_REGION
# - secretKey: AWS_ACCESS_KEY_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/volsync-backups
# metadataPolicy: None
# property: access_key
# - secretKey: AWS_SECRET_ACCESS_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/volsync-backups
# metadataPolicy: None
# property: secret_key


@@ -0,0 +1,30 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-tdarr
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-tdarr
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- tdarr.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: tdarr-web
port: 8265
weight: 100


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: tdarr-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: tdarr-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: tdarr-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: tdarr-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: tdarr-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
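Review bot: This statically provisioned PersistentVolume has no `spec.claimRef`, so it is not reserved for the `tdarr-nfs-storage` claim. Any PVC in any namespace that requests `storageClassName: nfs-client`, `ReadWriteMany` and no more than 1Gi can bind it first and gain access to the whole `/volume2/Storage` export. Adding a `claimRef` with `name: tdarr-nfs-storage` and `namespace: {{ .Release.Namespace }}` pre-binds it to the intended claim. `metadata.namespace` has no meaning on a cluster-scoped PersistentVolume and can be dropped. The tubearchivist PersistentVolume later in this commit has both issues as well.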


@@ -0,0 +1,56 @@
# apiVersion: volsync.backube/v1alpha1
# kind: ReplicationSource
# metadata:
# name: tdarr-config-backup-source
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: tdarr-config-backup-source
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: backup
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# sourcePVC: tdarr-config
# trigger:
# schedule: 0 0 */3 * *
# restic:
# pruneIntervalDays: 14
# repository: tdarr-config-backup-secret
# retain:
# hourly: 1
# daily: 1
# weekly: 1
# monthly: 2
# yearly: 4
# copyMethod: Snapshot
# storageClassName: ceph-block
# volumeSnapshotClassName: ceph-blockpool-snapshot
# ---
# apiVersion: volsync.backube/v1alpha1
# kind: ReplicationSource
# metadata:
# name: tdarr-server-backup-source
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: tdarr-server-backup-source
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: backup
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# sourcePVC: tdarr-server
# trigger:
# schedule: 0 0 */3 * *
# restic:
# pruneIntervalDays: 14
# repository: tdarr-server-backup-secret
# retain:
# hourly: 1
# daily: 1
# weekly: 1
# monthly: 2
# yearly: 4
# copyMethod: Snapshot
# storageClassName: ceph-block
# volumeSnapshotClassName: ceph-blockpool-snapshot


@@ -0,0 +1,159 @@
tdarr:
controllers:
server:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/haveagitgat/tdarr
tag: 2.35.02
pullPolicy: IfNotPresent
env:
- name: TZ
value: US/Central
- name: PUID
value: "1001"
- name: PGID
value: "1001"
- name: UMASK_SET
value: "002"
- name: ffmpegVersion
value: "6"
- name: internalNode
value: "false"
- name: inContainer
value: "true"
- name: nodeName
value: tdarr-server
- name: serverIP
value: 0.0.0.0
- name: serverPort
value: "8266"
- name: webUIPort
value: "8265"
resources:
requests:
cpu: 200m
memory: 1Gi
node:
type: daemonset
revisionHistoryLimit: 3
pod:
nodeSelector:
intel.feature.node.kubernetes.io/gpu: "true"
containers:
main:
image:
repository: ghcr.io/haveagitgat/tdarr_node
tag: 2.35.02
pullPolicy: IfNotPresent
env:
- name: TZ
value: US/Central
- name: PUID
value: "1001"
- name: PGID
value: "1001"
- name: UMASK_SET
value: "002"
- name: ffmpegVersion
value: "6"
- name: inContainer
value: "true"
- name: nodeName
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: serverIP
value: tdarr-api
- name: serverPort
value: "8266"
resources:
limits:
gpu.intel.com/i915: 1
cpu: 2000m
requests:
gpu.intel.com/i915: 1
cpu: 10m
memory: 512Mi
serviceAccount:
create: true
service:
api:
controller: server
ports:
http:
port: 8266
targetPort: 8266
protocol: HTTP
web:
controller: server
ports:
http:
port: 8265
targetPort: 8265
protocol: HTTP
persistence:
config:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 50Gi
retain: true
advancedMounts:
server:
main:
- path: /app/configs
readOnly: false
server:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 50Gi
retain: true
advancedMounts:
server:
main:
- path: /app/server
readOnly: false
server-cache:
type: emptyDir
advancedMounts:
server:
main:
- path: /tcache
readOnly: false
node-cache:
type: emptyDir
advancedMounts:
node:
main:
- path: /tcache
readOnly: false
media:
existingClaim: tdarr-nfs-storage
advancedMounts:
server:
main:
- path: /mnt/store
readOnly: true
node:
main:
- path: /mnt/store
readOnly: true
tdarr-exporter:
image:
name: homeylab/tdarr-exporter
tag: 1.4.2
metrics:
serviceMonitor:
enabled: true
settings:
config:
url: http://tdarr-web.tdarr:8265
verify_ssl: false
resources:
requests:
cpu: 100m
memory: 256Mi
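Review bot: `verify_ssl: false` under `tdarr-exporter.settings.config` has no effect on the `http://` URL beside it, but it will silently disable certificate validation the day that URL is switched to `https://`. Leave verification at its default or set `verify_ssl: true`. More broadly, nothing in this file configures authentication for the Tdarr server, which the accompanying HTTPRoute publishes on `tdarr.alexlebens.net`. If authentication is not enforced at the gateway, it is worth confirming how the web UI and the `8266` API service are protected.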


@@ -0,0 +1,34 @@
apiVersion: v2
name: tubearchivist
version: 1.0.0
description: Tube Archivist
keywords:
- tubearchivist
- download
- video
- youtube
home: https://wiki.alexlebens.dev/doc/tube-archivist-Bv6xCDKPM5
sources:
- https://github.com/tubearchivist/tubearchivist
- https://github.com/elastic/elasticsearch
- https://github.com/redis/redis
- https://hub.docker.com/r/bbilly1/tubearchivist
- https://hub.docker.com/r/redis/redis-stack-server
- https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
- https://github.com/bitnami/charts/tree/main/bitnami/redis
- https://github.com/bitnami/charts/tree/main/bitnami/elasticsearch
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: tubearchivist
repository: https://bjw-s.github.io/helm-charts/
version: 3.7.1
- name: elasticsearch
version: 21.4.6
repository: https://charts.bitnami.com/bitnami
- name: redis
version: 19.6.4
repository: https://charts.bitnami.com/bitnami
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/tube-archivist.png
appVersion: v0.4.11


@@ -0,0 +1,80 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: tubearchivist-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ELASTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/tubearchivist/env
metadataPolicy: None
property: ELASTIC_PASSWORD
- secretKey: TA_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/tubearchivist/env
metadataPolicy: None
property: TA_PASSWORD
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: tubearchivist-elasticsearch-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ELASTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/tubearchivist/env
metadataPolicy: None
property: ELASTIC_PASSWORD
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: tubearchivist-wireguard-conf
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: tubearchivist-wireguard-conf
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: private-key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /protonvpn/conf/cl01tl
metadataPolicy: None
property: private-key
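Review bot: The first two ExternalSecrets set `app.kubernetes.io/name: {{ .Release.Name }}`, whereas `tubearchivist-wireguard-conf` and the ExternalSecrets in the other charts of this commit put the resource's own name there. With identical name and instance labels, a label selector cannot tell the application credentials apart from the Elasticsearch one. Use `app.kubernetes.io/name: tubearchivist-config-secret` and `app.kubernetes.io/name: tubearchivist-elasticsearch-secret`. A one-line comment above the third document noting that `private-key` is the WireGuard key consumed by the gluetun sidecar would also help the next reader.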


@@ -0,0 +1,30 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-tubearchivist
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-tubearchivist
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- tubearchivist.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: tubearchivist
port: 80
weight: 100


@@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: tubearchivist
labels:
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
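Review bot: All three Pod Security labels are set to `privileged`, which switches off admission checks for every pod in the namespace (Elasticsearch, Redis and the main container included), although only the gluetun sidecar in the values file asks for elevated rights. If `enforce` has to stay `privileged` for gluetun, keep the other two modes stricter so that violations from the remaining pods still show up in audit logs and on apply: `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline`. A short comment naming gluetun as the reason for the exemption would make it easier to revisit later.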


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: tubearchivist-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: tubearchivist-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: tubearchivist-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: tubearchivist-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: tubearchivist-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/YouTube
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac


@@ -0,0 +1,168 @@
tubearchivist:
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: bbilly1/tubearchivist
tag: v0.4.13
pullPolicy: IfNotPresent
env:
- name: TZ
value: US/Central
- name: HOST_UID
value: 1000
- name: HOST_GID
value: 1000
- name: ES_URL
value: http://tubearchivist-elasticsearch:9200
- name: REDIS_HOST
value: tubearchivist-redis-headless
- name: TA_HOST
value: tubearchivist.alexlebens.net tubearchivist.tubearchivist
- name: TA_PORT
value: 24000
- name: TA_USERNAME
value: admin
envFrom:
- secretRef:
name: tubearchivist-config-secret
probes:
liveness:
enabled: false
custom: true
spec:
exec:
command:
- /usr/bin/env
- bash
- -c
- curl --fail http://localhost:8000/health
failureThreshold: 5
initialDelaySeconds: 60
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
resources:
requests:
cpu: 10m
memory: 1Gi
gluetun:
image:
repository: ghcr.io/qdm12/gluetun
tag: v3.40.0@sha256:2b42bfa046757145a5155acece417b65b4443c8033fb88661a8e9dcf7fda5a00
pullPolicy: IfNotPresent
env:
- name: VPN_SERVICE_PROVIDER
value: protonvpn
- name: VPN_TYPE
value: wireguard
- name: WIREGUARD_PRIVATE_KEY
valueFrom:
secretKeyRef:
name: tubearchivist-wireguard-conf
key: private-key
- name: VPN_PORT_FORWARDING
value: "on"
- name: PORT_FORWARD_ONLY
value: "on"
- name: FIREWALL_OUTBOUND_SUBNETS
value: 10.0.0.0/8
- name: FIREWALL_INPUT_PORTS
value: 80,8000,24000
- name: DOT
value: off
- name: DNS_KEEP_NAMESERVER
value: on
- name: DNS_PLAINTEXT_ADDRESS
value: 10.96.0.10
securityContext:
privileged: True
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
resources:
requests:
squat.ai/tun: "1"
cpu: 10m
memory: 128Mi
limits:
squat.ai/tun: "1"
serviceAccount:
create: true
service:
main:
controller: main
ports:
http:
port: 80
targetPort: 24000
protocol: HTTP
persistence:
data:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 20Gi
retain: true
advancedMounts:
main:
main:
- path: /cache
readOnly: false
youtube:
existingClaim: tubearchivist-nfs-storage
advancedMounts:
main:
main:
- path: /youtube
readOnly: false
redis:
image:
repository: redis/redis-stack-server
tag: 7.2.0-v13
architecture: standalone
auth:
enabled: false
commonConfiguration: |-
# Enable AOF https://redis.io/topics/persistence#append-only-file
appendonly yes
# Disable RDB persistence, AOF persistence already enabled.
save ""
# Enable Redis Json module
loadmodule /opt/redis-stack/lib/rejson.so
elasticsearch:
global:
storageClass: ceph-block
extraEnvVars:
- name: discovery.type
value: single-node
- name: xpack.security.enabled
value: "true"
extraEnvVarsSecret: tubearchivist-elasticsearch-secret
extraConfig:
path:
repo: /usr/share/elasticsearch/data/snapshot
extraVolumes:
- name: snapshot
nfs:
path: /volume2/Storage/TubeArchivist
server: synologybond.alexlebens.net
extraVolumeMounts:
- name: snapshot
mountPath: /usr/share/elasticsearch/data/snapshot
snapshotRepoPath: /usr/share/elasticsearch/data/snapshot
master:
masterOnly: false
replicaCount: 1
data:
replicaCount: 0
coordinating:
replicaCount: 0
ingest:
enabled: false
replicaCount: 0
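Review bot: The gluetun sidecar sets `privileged: True` and also adds `NET_ADMIN` and `SYS_MODULE`; with `privileged` on, the capability list is redundant and the container gets full access to host devices and the kernel. Because the tunnel device is already requested through `squat.ai/tun: "1"`, `NET_ADMIN` alone is probably enough, so try `privileged: false` and drop `SYS_MODULE`, assuming the WireGuard module is already loaded on the nodes. In the same env list `DOT` and `DNS_KEEP_NAMESERVER` use bare `off`/`on`, which YAML 1.1 parsers read as booleans, unlike the quoted `"on"` a few lines above; write `value: "off"` and `value: "on"`. Redis runs with `auth.enabled: false`, so any pod that can reach `tubearchivist-redis-headless` can read and write it; enable auth or restrict access with a NetworkPolicy.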


@@ -0,0 +1,34 @@
apiVersion: v2
name: vaultwarden
version: 1.0.0
description: Vaultwarden
keywords:
- vaultwarden
- bitwarden
- password
home: https://wiki.alexlebens.dev/doc/vaultwarden-HFX1rsTgMD
sources:
- https://github.com/dani-garcia/vaultwarden
- https://github.com/cloudflare/cloudflared
- https://github.com/cloudnative-pg/cloudnative-pg
- https://hub.docker.com/r/vaultwarden/server
- https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
- https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
- https://github.com/alexlebens/helm-charts/tree/main/charts/postgres-cluster
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: vaultwarden
repository: https://bjw-s.github.io/helm-charts/
version: 3.7.1
- name: cloudflared
alias: cloudflared
repository: http://alexlebens.github.io/helm-charts
version: 1.14.0
- name: postgres-cluster
alias: postgres-17-cluster
version: 4.2.0
repository: http://alexlebens.github.io/helm-charts
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/vaultwarden.png
appVersion: 1.32.6
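Review bot: The `cloudflared` and `postgres-cluster` dependencies are fetched from `http://alexlebens.github.io/helm-charts`, i.e. over cleartext, while `app-template` in the same list uses `https://`. A chart archive pulled over HTTP during a dependency update can be altered in transit, and these two charts provide the ingress tunnel and the database for a password vault. Change both entries to `repository: https://alexlebens.github.io/helm-charts`.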


@@ -0,0 +1,114 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vaultwarden-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vaultwarden-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/vaultwarden
metadataPolicy: None
property: token
# ---
# apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret
# metadata:
# name: vaultwarden-data-backup-secret
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vaultwarden-data-backup-secret
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: backup
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# target:
# template:
# mergePolicy: Merge
# engineVersion: v2
# data:
# RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/vaultwarden/vaultwarden-data"
# data:
# - secretKey: BUCKET_ENDPOINT
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/volsync/restic/config
# metadataPolicy: None
# property: S3_BUCKET_ENDPOINT
# - secretKey: RESTIC_PASSWORD
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/volsync/restic/config
# metadataPolicy: None
# property: RESTIC_PASSWORD
# - secretKey: AWS_DEFAULT_REGION
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/volsync/restic/config
# metadataPolicy: None
# property: AWS_DEFAULT_REGION
# - secretKey: AWS_ACCESS_KEY_ID
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/volsync-backups
# metadataPolicy: None
# property: access_key
# - secretKey: AWS_SECRET_ACCESS_KEY
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /digital-ocean/home-infra/volsync-backups
# metadataPolicy: None
# property: secret_key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vaultwarden-postgresql-17-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vaultwarden-postgresql-17-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: access
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: secret


@@ -0,0 +1,27 @@
# apiVersion: volsync.backube/v1alpha1
# kind: ReplicationSource
# metadata:
# name: vaultwarden-data-backup-source
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: vaultwarden-data-backup-source
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: backup
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# sourcePVC: vaultwarden-data
# trigger:
# schedule: 0 0 */3 * *
# restic:
# pruneIntervalDays: 14
# repository: vaultwarden-data-backup-secret
# retain:
# hourly: 1
# daily: 1
# weekly: 1
# monthly: 2
# yearly: 4
# copyMethod: Snapshot
# storageClassName: ceph-block
# volumeSnapshotClassName: ceph-blockpool-snapshot


@@ -0,0 +1,72 @@
vaultwarden:
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: vaultwarden/server
tag: 1.33.2
pullPolicy: IfNotPresent
env:
- name: DOMAIN
value: https://passwords.alexlebens.dev
- name: SIGNUPS_ALLOWED
value: "false"
- name: INVITATIONS_ALLOWED
value: "false"
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: vaultwarden-postgresql-17-cluster-app
key: uri
resources:
requests:
cpu: 10m
memory: 128Mi
serviceAccount:
create: true
service:
main:
controller: main
ports:
http:
port: 80
targetPort: 80
protocol: HTTP
persistence:
data:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 5Gi
retain: true
advancedMounts:
main:
main:
- path: /data
readOnly: false
cloudflared:
existingSecretName: vaultwarden-cloudflared-secret
postgres-17-cluster:
mode: recovery
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
recovery:
endpointURL: https://nyc3.digitaloceanspaces.com
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/vaultwarden/vaultwarden-postgresql-17-cluster
endpointCredentials: vaultwarden-postgresql-17-cluster-backup-secret
recoveryIndex: 2
backup:
enabled: false
endpointURL: https://nyc3.digitaloceanspaces.com
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/vaultwarden/vaultwarden-postgresql-17-cluster
endpointCredentials: vaultwarden-postgresql-17-cluster-backup-secret
backupIndex: 3
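Review bot: As committed, the vault has no backup path: `postgres-17-cluster.backup.enabled` is `false`, and both the volsync ReplicationSource for `vaultwarden-data` and its restic ExternalSecret are entirely commented out elsewhere in this commit. `mode: recovery` suggests a restore in progress; the roundcube hunk at the top of this commit shows the follow-up step (`mode: standalone`, `backup.enabled: true`), and the same step should be tracked here so it is not forgotten. Until then, `storageClass: local-path` for both `storage` and `walStorage` keeps the only copy of the database on a single node's disk. A comment above `backup:` stating why it is disabled and when it is to be re-enabled would make the intent explicit.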