alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 6 Actions 1 Activity

Compare commits

base: alexlebens:main
Branches Tags
alexlebens:main alexlebens:auto/update-manifests alexlebens:renovate/major-unified-loki alexlebens:renovate/unified-stalwartlabs alexlebens:renovate/unified-gitea alexlebens:renovate/unified-talosctl alexlebens:renovate/unified-cilium alexlebens:manifests
..
compare: alexlebens:405346929ecaff9e8a376dfb9ab24986b0dc2caf
Branches Tags
alexlebens:auto/update-manifests alexlebens:renovate/major-unified-loki alexlebens:renovate/unified-stalwartlabs alexlebens:renovate/unified-gitea alexlebens:renovate/unified-talosctl alexlebens:renovate/unified-cilium alexlebens:manifests alexlebens:main

1 Commits
main ... 405346929e

Author SHA1 Message Date
Renovate Bot
405346929e chore(deps): update vault to v2
All checks were successful
lint-test-helm / lint-helm (pull_request) Successful in 25s
Details
lint-test-helm / validate-kubeconform (pull_request) Successful in 21s
Details
2026-04-25 01:12:54 +00:00
79 changed files with 1200 additions and 1325 deletions
Expand all files Collapse all files

4
.gitea/workflows/renovate.yaml
View File

@@ -12,8 +12,8 @@ on:
jobs: jobs:
renovate: renovate:
runs-on: ubuntu-js runs-on: ubuntu-latest
container: ghcr.io/renovatebot/renovate:43.144.0@sha256:d6c68d8226a0b4f1fc00942f1c14b33d5135c6c52e8c9d29a2588b46f199c14f container: ghcr.io/renovatebot/renovate:43.141.5@sha256:8fb9e3cfdadc0994fb87f57be624d1c1940c41c1c53c074465caff85a2b6d3a4
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

7
clusters/cl01tl/helm/actual/Chart.lock
View File

@@ -2,8 +2,5 @@ dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2 version: 4.6.2
- name: volsync-target digest: sha256:1c04c187e6cf768117f7f91f3a3b082937ad5854c1cf6a681ad7c02687cd543d
repository: oci://harbor.alexlebens.net/helm-charts generated: "2026-04-18T20:15:22.778699-05:00"
version: 1.0.0
digest: sha256:ee1ff98af82f76ddf0b672abf9f4973ae41faff3cd61d81849f496c089cfdbd3
generated: "2026-04-26T14:57:34.863614-05:00"

108
clusters/cl01tl/helm/argocd/templates/prometheus-rule.yaml
View File

@@ -1,108 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: haproxy
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: haproxy
{{- include "custom.labels" . | nindent 4 }}
spec:
groups:
- name: EmbeddedExporter
rules:
- alert: HAProxyHighHTTP4xxErrorRateBackend
expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
for: 1m
labels:
severity: critical
annotations:
summary: HAProxy high HTTP 4xx error rate backend (instance {{ `{{ $labels.instance }}` }})
description: "Too many HTTP requests with status 4xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyHighHTTP5xxErrorRateBackend
expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
for: 1m
labels:
severity: critical
annotations:
summary: HAProxy high HTTP 5xx error rate backend (instance {{ `{{ $labels.instance }}` }})
description: "Too many HTTP requests with status 5xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyHighHTTP4xxErrorRateServer
expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
for: 1m
labels:
severity: critical
annotations:
summary: HAProxy high HTTP 4xx error rate server (instance {{ `{{ $labels.instance }}` }})
description: "Too many HTTP requests with status 4xx (> 5%) on server {{ `{{ $labels.server }}` }}\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyHighHTTP5xxErrorRateServer
expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
for: 1m
labels:
severity: critical
annotations:
summary: HAProxy high HTTP 5xx error rate server (instance {{ `{{ $labels.instance }}` }})
description: "Too many HTTP requests with status 5xx (> 5%) on server {{ `{{ $labels.server }}` }}\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyServerResponseErrors
expr: (sum by (server) (rate(haproxy_server_response_errors_total[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100 > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
for: 1m
labels:
severity: critical
annotations:
summary: HAProxy server response errors (instance {{ `{{ $labels.instance }}` }})
description: "Too many response errors to {{ `{{ $labels.server }}` }} server (> 5%).\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyBackendConnectionErrors
expr: (sum by (proxy) (rate(haproxy_backend_connection_errors_total[1m]))) > 100
for: 1m
labels:
severity: critical
annotations:
summary: HAProxy backend connection errors (instance {{ `{{ $labels.instance }}` }})
description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} backend (> 100 req/s). Request throughput may be too high.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyServerConnectionErrors
expr: (sum by (proxy) (rate(haproxy_server_connection_errors_total[1m]))) > 100
for: 0m
labels:
severity: critical
annotations:
summary: HAProxy server connection errors (instance {{ `{{ $labels.instance }}` }})
description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} (> 100 req/s). Request throughput may be too high.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyBackendMaxActiveSession>80%
expr: (haproxy_backend_current_sessions / haproxy_backend_limit_sessions * 100) > 80 and haproxy_backend_limit_sessions > 0
for: 2m
labels:
severity: warning
annotations:
summary: HAProxy backend max active session > 80% (instance {{ `{{ $labels.instance }}` }})
description: "Session limit from backend {{ `{{ $labels.proxy }}` }} reached 80% of limit - {{ `{{ $value | printf \"%.2f\"}}` }}%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyPendingRequests
expr: sum by (proxy) (haproxy_backend_current_queue) > 0
for: 2m
labels:
severity: warning
annotations:
summary: HAProxy pending requests (instance {{ `{{ $labels.instance }}` }})
description: "Some HAProxy requests are pending on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyRetryHigh
expr: sum by (proxy) (rate(haproxy_backend_retry_warnings_total[1m])) > 10
for: 2m
labels:
severity: warning
annotations:
summary: HAProxy retry high (instance {{ `{{ $labels.instance }}` }})
description: "High rate of retry on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyFrontendSecurityBlockedRequests
expr: sum by (proxy) (rate(haproxy_frontend_denied_connections_total[2m])) > 10
for: 2m
labels:
severity: warning
annotations:
summary: HAProxy frontend security blocked requests (instance {{ `{{ $labels.instance }}` }})
description: "HAProxy is blocking requests for security reason\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyServerHealthcheckFailure
expr: increase(haproxy_server_check_failures_total[1m]) > 2
for: 0m
labels:
severity: warning
annotations:
summary: HAProxy server healthcheck failure (instance {{ `{{ $labels.instance }}` }})
description: "Some server healthcheck are failing on {{ `{{ $labels.server }}` }} ({{ `{{ $value }}` }} in the last 1m)\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"

8
clusters/cl01tl/helm/audiobookshelf/Chart.lock
View File

@@ -4,9 +4,9 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: volsync-target - name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 1.0.0 version: 0.8.0
- name: volsync-target - name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 1.0.0 version: 0.8.0
digest: sha256:c6af4b1dd96410281d53ff8f63235bc79bd9a1d493d6da097d9e4ff088e09538 digest: sha256:7ee4cfdf7f908401c39b3cda0cf8783b25dcb9cf93e7c911609bab9e303ec5bf
generated: "2026-04-26T14:57:40.219612-05:00" generated: "2026-03-06T01:05:03.534042627Z"

2
clusters/cl01tl/helm/audiobookshelf/values.yaml
View File

@@ -23,7 +23,7 @@ audiobookshelf:
apprise-api: apprise-api:
image: image:
repository: ghcr.io/caronc/apprise repository: ghcr.io/caronc/apprise
tag: v1.4.0@sha256:9d97a6b9b42cf6afdf3b5466dbed2a59cd42a4bb777ec6aa57b5f2ee623569eb tag: v1.3.3@sha256:4bfeac268ba87b8e08e308c9aa0182fe99e9501ec464027afc333d1634e65977
env: env:
- name: TZ - name: TZ
value: America/Chicago value: America/Chicago

44
clusters/cl01tl/helm/cert-manager/templates/prometheus-rule.yaml
View File

@@ -1,44 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: cert-manager
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: cert-manager
{{- include "custom.labels" . | nindent 4 }}
spec:
groups:
- name: EmbeddedExporter
rules:
- alert: Cert-ManagerAbsent
expr: absent(up{job="cert-manager"})
for: 10m
labels:
severity: critical
annotations:
summary: Cert-Manager absent (instance {{ `{{ $labels.instance }}` }})
description: "Cert-Manager has disappeared from Prometheus service discovery. New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: Cert-ManagerCertificateExpiringSoon
expr: avg by (exported_namespace, namespace, name) (certmanager_certificate_expiration_timestamp_seconds - time()) < (21 * 24 * 3600)
for: 1h
labels:
severity: warning
annotations:
summary: Cert-Manager certificate expiring soon (instance {{ `{{ $labels.instance }}` }})
description: "The certificate {{ `{{ $labels.name }}` }} is expiring in less than 21 days.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: Cert-ManagerCertificateNotReady
expr: max by (name, exported_namespace, namespace, condition) (certmanager_certificate_ready_status{condition!="True"} == 1)
for: 10m
labels:
severity: critical
annotations:
summary: Cert-Manager certificate not ready (instance {{ `{{ $labels.instance }}` }})
description: "The certificate {{ `{{ $labels.name }}` }} in namespace {{ `{{ $labels.exported_namespace }}` }} is not ready to serve traffic.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: Cert-ManagerHittingACMERateLimits
expr: sum by (host) (rate(certmanager_acme_client_request_count{status="429"}[5m])) > 0
for: 5m
labels:
severity: critical
annotations:
summary: Cert-Manager hitting ACME rate limits (instance {{ `{{ $labels.instance }}` }})
description: "Cert-Manager is being rate-limited by the ACME provider. Certificate issuance and renewal may be blocked for up to a week.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"

10
clusters/cl01tl/helm/cloudnative-pg/Chart.lock
View File

@@ -5,11 +5,5 @@ dependencies:
- name: plugin-barman-cloud - name: plugin-barman-cloud
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
version: 0.6.0 version: 0.6.0
- name: rclone-bucket digest: sha256:48241acb753e635a01b306b90cfbce13ed3c0105a33ec7d36f159e3a7fe607f3
repository: oci://harbor.alexlebens.net/helm-charts generated: "2026-04-14T09:03:10.332065288Z"
version: 0.4.3
- name: rclone-bucket
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.3
digest: sha256:75d7078b7009082521a1bb8b49141e20b442343dabe7f76f5e7a16a352cfe205
generated: "2026-04-26T15:36:31.678086-05:00"

9
clusters/cl01tl/helm/cloudnative-pg/Chart.yaml
View File

@@ -13,7 +13,6 @@ sources:
- https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql - https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql
- https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg - https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
- https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud - https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -23,14 +22,6 @@ dependencies:
- name: plugin-barman-cloud - name: plugin-barman-cloud
version: 0.6.0 version: 0.6.0
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
- name: rclone-bucket
alias: rclone-postgres-backups-remote
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.3
- name: rclone-bucket
alias: rclone-postgres-backups-external
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.3
icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png
# renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
appVersion: 1.29.0 appVersion: 1.29.0

59
clusters/cl01tl/helm/cloudnative-pg/values.yaml
View File

@@ -14,62 +14,3 @@ plugin-barman-cloud:
requests: requests:
cpu: 1m cpu: 1m
memory: 20Mi memory: 20Mi
rclone-postgres-backups-remote:
nameOverride: postgres-backups-remote-rclone
cronJob:
suspend: false
schedule: 0 6 * * 6
rclone:
source:
bucketName: postgres-backups
destination:
bucketName: postgres-backups
prune:
enabled: true
ageToPrune: 45d
include: "/cl01tl/*/*/*/base/**"
exclude: "**/walls/**"
secret:
externalSecret:
source:
credentials:
path: /garage/home-infra/postgres-backups
config:
path: /garage/config
destination:
credentials:
path: /garage/home-infra/postgres-backups
config:
path: /garage/config
rclone-postgres-backups-external:
nameOverride: postgres-backups-external-rclone
cronJob:
suspend: true
schedule: 0 6 * * 6
rclone:
source:
bucketName: openbao-backups
destination:
bucketName: postgres-backups-ecc1010276b61716
providerType: DigitalOcean
prune:
enabled: true
ageToPrune: 45d
include: "/cl01tl/*/*/*/base/**"
exclude: "**/walls/**"
secret:
externalSecret:
source:
credentials:
path: /garage/home-infra/postgres-backups
config:
path: /garage/config
destination:
credentials:
path: /digital-ocean/home-infra/postgres-backups
keyIdProperty: AWS_ACCESS_KEY_ID
secretKeyProperty: AWS_SECRET_ACCESS_KEY
regionProperty: AWS_REGION
config:
path: /digital-ocean/config
endpointProperty: ENDPOINT

2
clusters/cl01tl/helm/dawarich/Chart.yaml
View File

@@ -42,4 +42,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
# renovate: datasource=github-releases depName=Freika/dawarich # renovate: datasource=github-releases depName=Freika/dawarich
appVersion: 1.7.0 appVersion: 1.6.1

8
clusters/cl01tl/helm/dawarich/values.yaml
View File

@@ -8,7 +8,7 @@ dawarich:
main: main:
image: image:
repository: freikin/dawarich repository: freikin/dawarich
tag: 1.7.0@sha256:7d5f99c61121fcfa4cbdd6a153392630d9f059ffb0156759278d3e049085ec62 tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
command: command:
- "web-entrypoint.sh" - "web-entrypoint.sh"
args: args:
@@ -111,7 +111,7 @@ dawarich:
sidekiq: sidekiq:
image: image:
repository: freikin/dawarich repository: freikin/dawarich
tag: 1.7.0@sha256:7d5f99c61121fcfa4cbdd6a153392630d9f059ffb0156759278d3e049085ec62 tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
command: command:
- "sidekiq-entrypoint.sh" - "sidekiq-entrypoint.sh"
args: args:
@@ -161,12 +161,12 @@ dawarich:
- name: OIDC_CLIENT_ID - name: OIDC_CLIENT_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: dawarich-oidc-authentik name: dawarich-oidc-secret
key: client key: client
- name: OIDC_CLIENT_SECRET - name: OIDC_CLIENT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: dawarich-oidc-authentik name: dawarich-oidc-secret
key: secret key: secret
- name: OIDC_PROVIDER_NAME - name: OIDC_PROVIDER_NAME
value: Authentik value: Authentik

3
clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
View File

@@ -47,8 +47,6 @@ democratic-csi:
fsType: ext4 fsType: ext4
node: node:
hostPID: true hostPID: true
rbac:
enabled: true
driver: driver:
extraEnv: extraEnv:
- name: ISCSIADM_HOST_STRATEGY - name: ISCSIADM_HOST_STRATEGY
@@ -61,4 +59,3 @@ democratic-csi:
image: image:
registry: registry.k8s.io/sig-storage/csi-node-driver-registrar registry: registry.k8s.io/sig-storage/csi-node-driver-registrar
tag: v2.16.0@sha256:ab482308a4921e28a6df09a16ab99a457e9af9641ff44fb1be1a690d07ce8b70 tag: v2.16.0@sha256:ab482308a4921e28a6df09a16ab99a457e9af9641ff44fb1be1a690d07ce8b70
enablePSP: true

7
clusters/cl01tl/helm/directus/Chart.lock
View File

@@ -8,8 +8,5 @@ dependencies:
- name: valkey - name: valkey
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 0.6.1 version: 0.6.1
- name: rclone-bucket digest: sha256:e3d9d7bc069b79ec37769f77d691cda3b8bd92e37a9d1dd2ef8279dc6d2b6cde
repository: oci://harbor.alexlebens.net/helm-charts generated: "2026-04-24T21:50:43.755575922Z"
version: 0.4.3
digest: sha256:df3b79c6b8868d749d98d232741fef4a26b73894bce3bf4588581340c15fc3da
generated: "2026-04-26T21:06:27.85398357Z"

5
clusters/cl01tl/helm/directus/Chart.yaml
View File

@@ -12,7 +12,6 @@ sources:
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -28,10 +27,6 @@ dependencies:
alias: valkey alias: valkey
version: 0.6.1 version: 0.6.1
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
- name: rclone-bucket
alias: rclone-directus-assets-remote
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.3
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
# renovate: datasource=github-releases depName=directus/directus # renovate: datasource=github-releases depName=directus/directus
appVersion: 11.17.3 appVersion: 11.17.3

21
clusters/cl01tl/helm/directus/values.yaml
View File

@@ -214,24 +214,3 @@ valkey:
# https://github.com/valkey-io/valkey-helm/issues/135 # https://github.com/valkey-io/valkey-helm/issues/135
metrics: metrics:
enabled: false enabled: false
rclone-directus-assets-remote:
cronJob:
suspend: false
schedule: 0 0 * * *
rclone:
source:
bucketName: directus-assets
destination:
bucketName: directus-assets
secret:
externalSecret:
source:
credentials:
path: /garage/home-infra/directus-assets
config:
path: /garage/config
destination:
credentials:
path: /garage/home-infra/directus-assets
config:
path: /garage/config

20
clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml
View File

@@ -1,5 +1,25 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ClusterSecretStore kind: ClusterSecretStore
metadata:
name: vault
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault
{{- include "custom.labels" . | nindent 4 }}
spec:
provider:
vault:
server: http://vault-internal.vault:8200
path: secret
auth:
tokenSecretRef:
namespace: vault
name: vault-token
key: token
---
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata: metadata:
name: openbao name: openbao
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}

4
clusters/cl01tl/helm/foldergram/templates/_helpers.tpl
View File

@@ -16,6 +16,6 @@ app.kubernetes.io/part-of: {{ .Release.Name }}
{{/* {{/*
NFS names NFS names
*/}} */}}
{{- define "custom.storageMiaNfsName" -}} {{- define "custom.storageNfsName" -}}
foldergram-pictures-collection-mia-nfs-storage foldergram-pictures-collections-nfs-storage
{{- end -}} {{- end -}}

6
clusters/cl01tl/helm/foldergram/templates/persistent-volume-claim.yaml
View File

@@ -1,13 +1,13 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ include "custom.storageMiaNfsName" . }} name: {{ include "custom.storageNfsName" . }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.storageMiaNfsName" . }} app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
{{- include "custom.labels" . | nindent 4 }} {{- include "custom.labels" . | nindent 4 }}
spec: spec:
volumeName: {{ include "custom.storageMiaNfsName" . }} volumeName: {{ include "custom.storageNfsName" . }}
storageClassName: nfs-client storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany

6
clusters/cl01tl/helm/foldergram/templates/persistent-volume.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
metadata: metadata:
name: {{ include "custom.storageMiaNfsName" . }} name: {{ include "custom.storageNfsName" . }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.storageMiaNfsName" . }} app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
{{- include "custom.labels" . | nindent 4 }} {{- include "custom.labels" . | nindent 4 }}
spec: spec:
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
@@ -14,7 +14,7 @@ spec:
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
nfs: nfs:
path: '/volume2/Storage/Pictures/Collections/Minneapolis Institute of Art' path: /volume2/Storage/Pictures/Collections
server: synologybond.alexlebens.net server: synologybond.alexlebens.net
mountOptions: mountOptions:
- vers=4 - vers=4

8
clusters/cl01tl/helm/foldergram/values.yaml
View File

@@ -17,7 +17,7 @@ foldergram:
- name: IMAGE_DETAIL_SOURCE - name: IMAGE_DETAIL_SOURCE
value: original value: original
- name: DERIVATIVE_MODE - name: DERIVATIVE_MODE
value: lazy value: eager
- name: DATA_ROOT - name: DATA_ROOT
value: ./data value: ./data
- name: GALLERY_ROOT - name: GALLERY_ROOT
@@ -76,12 +76,12 @@ foldergram:
main: main:
- path: /app/data - path: /app/data
readOnly: false readOnly: false
pictures-mia: pictures:
existingClaim: foldergram-pictures-collection-mia-nfs-storage existingClaim: foldergram-pictures-collections-nfs-storage
advancedMounts: advancedMounts:
main: main:
main: main:
- path: '/gallery/Minneapolis Institute of Art' - path: /gallery
readOnly: true readOnly: true
volsync-target-db: volsync-target-db:
pvcTarget: foldergram-db pvcTarget: foldergram-db

28
clusters/cl01tl/helm/gitea/templates/prometheus-rule.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: meilisearch
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: meilisearch
{{- include "custom.labels" . | nindent 4 }}
spec:
groups:
- name: EmbeddedExporter
rules:
- alert: MeilisearchIndexIsEmpty
expr: meilisearch_index_docs_count == 0
for: 0m
labels:
severity: warning
annotations:
summary: Meilisearch index is empty (instance {{ `{{ $labels.instance }}` }})
description: "Meilisearch index {{ `{{ $labels.index }}` }} has zero documents\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: MeilisearchHttpResponseTime
expr: meilisearch_http_response_time_seconds > 0.5
for: 0m
labels:
severity: warning
annotations:
summary: Meilisearch http response time (instance {{ `{{ $labels.instance }}` }})
description: "Meilisearch http response time is too high\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"

5
clusters/cl01tl/helm/gitea/values.yaml
View File

@@ -194,7 +194,7 @@ gitea-actions:
registry: docker.io registry: docker.io
repository: gitea/act_runner repository: gitea/act_runner
# renovate: datasource=docker depName=gitea/act_runner # renovate: datasource=docker depName=gitea/act_runner
tag: 0.5.0@sha256:9946000491cf19c3ed487c23e5da4f0c287010d791f495796c756e41e7a79cbe tag: 0.4.1@sha256:696a59b51ad3d149521e3beb0229d5fb88f87295e1616f940199793274415b56
extraVolumeMounts: extraVolumeMounts:
- name: workspace-vol - name: workspace-vol
mountPath: /workspace mountPath: /workspace
@@ -206,8 +206,9 @@ gitea-actions:
runner: runner:
labels: labels:
- "ubuntu-latest:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-24.04" - "ubuntu-latest:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-24.04"
- "ubuntu-latest-slim:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-24.04-slim"
- "ubuntu-js:docker://harbor.alexlebens.net/proxy-ghcr.io/catthehacker/ubuntu:js-24.04" - "ubuntu-js:docker://harbor.alexlebens.net/proxy-ghcr.io/catthehacker/ubuntu:js-24.04"
- "ubuntu-24.04:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-24.04"
- "ubuntu-22.04:docker://harbor.alexlebens.net/proxy-hub.docker/gitea/runner-images:ubuntu-22.04"
dind: dind:
registry: docker.io registry: docker.io
repository: docker repository: docker

2
clusters/cl01tl/helm/grimmory/Chart.yaml
View File

@@ -28,4 +28,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/grimmory.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/grimmory.png
# renovate: datasource=github-releases depName=grimmory-tools/grimmory # renovate: datasource=github-releases depName=grimmory-tools/grimmory
appVersion: v3.0.2 appVersion: v3.0.0

2
clusters/cl01tl/helm/grimmory/values.yaml
View File

@@ -12,7 +12,7 @@ grimmory:
main: main:
image: image:
repository: ghcr.io/grimmory-tools/grimmory repository: ghcr.io/grimmory-tools/grimmory
tag: v3.0.2@sha256:4557a78321add7d70bef7c0b89c2617c8c023246ae39698bc2cbe636f8c97f9b tag: v3.0.0@sha256:0130c338d4c1186f2f6b6acdc4a7ee56388dfdab9cb0b9a23ac0fc91b79e7d75
env: env:
- name: TZ - name: TZ
value: America/Chicago value: America/Chicago

6
clusters/cl01tl/helm/isponsorblocktv/Chart.lock
View File

@@ -1,6 +0,0 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
digest: sha256:65da71c32b4576a11e590f059d97dae22137448cb71049258d018cf5b7bb4a92
generated: "2026-04-26T14:59:16.326539-05:00"

28
clusters/cl01tl/helm/jellyfin/templates/prometheus-rule.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: meilisearch
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: meilisearch
{{- include "custom.labels" . | nindent 4 }}
spec:
groups:
- name: EmbeddedExporter
rules:
- alert: MeilisearchIndexIsEmpty
expr: meilisearch_index_docs_count == 0
for: 0m
labels:
severity: warning
annotations:
summary: Meilisearch index is empty (instance {{ `{{ $labels.instance }}` }})
description: "Meilisearch index {{ `{{ $labels.index }}` }} has zero documents\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: MeilisearchHttpResponseTime
expr: meilisearch_http_response_time_seconds > 0.5
for: 0m
labels:
severity: warning
annotations:
summary: Meilisearch http response time (instance {{ `{{ $labels.instance }}` }})
description: "Meilisearch http response time is too high\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"

7
clusters/cl01tl/helm/karakeep/Chart.lock
View File

@@ -11,8 +11,5 @@ dependencies:
- name: volsync-target - name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 1.0.0 version: 1.0.0
- name: rclone-bucket digest: sha256:7e04fb96a89630d96605e1a6dec951191709af377560357f002af33365618c06
repository: oci://harbor.alexlebens.net/helm-charts generated: "2026-04-24T22:52:57.309438139Z"
version: 0.4.3
digest: sha256:376ee64d93cc959afc02c5cf5b308bbf12a0b5dfb339a6a853b3243e6033604c
generated: "2026-04-26T21:07:05.718924873Z"

5
clusters/cl01tl/helm/karakeep/Chart.yaml
View File

@@ -15,7 +15,6 @@ sources:
- https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch - https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -33,10 +32,6 @@ dependencies:
alias: volsync-target-data alias: volsync-target-data
version: 1.0.0 version: 1.0.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
- name: rclone-bucket
alias: rclone-karakeep-assets-remote
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.3
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/karakeep.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/karakeep.png
# renovate: datasource=github-releases depName=karakeep-app/karakeep # renovate: datasource=github-releases depName=karakeep-app/karakeep
appVersion: 0.31.0 appVersion: 0.31.0

28
clusters/cl01tl/helm/karakeep/templates/prometheus-rule.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: meilisearch
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: meilisearch
{{- include "custom.labels" . | nindent 4 }}
spec:
groups:
- name: EmbeddedExporter
rules:
- alert: MeilisearchIndexIsEmpty
expr: meilisearch_index_docs_count == 0
for: 0m
labels:
severity: warning
annotations:
summary: Meilisearch index is empty (instance {{ `{{ $labels.instance }}` }})
description: "Meilisearch index {{ `{{ $labels.index }}` }} has zero documents\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: MeilisearchHttpResponseTime
expr: meilisearch_http_response_time_seconds > 0.5
for: 0m
labels:
severity: warning
annotations:
summary: Meilisearch http response time (instance {{ `{{ $labels.instance }}` }})
description: "Meilisearch http response time is too high\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"

21
clusters/cl01tl/helm/karakeep/values.yaml
View File

@@ -172,24 +172,3 @@ volsync-target-data:
external: external:
enabled: true enabled: true
schedule: 30 10 * * * schedule: 30 10 * * *
rclone-karakeep-assets-remote:
cronJob:
suspend: false
schedule: 10 0 * * *
rclone:
source:
bucketName: karakeep-assets
destination:
bucketName: karakeep-assets
secret:
externalSecret:
source:
credentials:
path: /garage/home-infra/karakeep-assets
config:
path: /garage/config
destination:
credentials:
path: /garage/home-infra/karakeep-assets
config:
path: /garage/config

6
clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
View File

@@ -1,7 +1,7 @@
dependencies: dependencies:
- name: kube-prometheus-stack - name: kube-prometheus-stack
repository: oci://ghcr.io/prometheus-community/charts repository: oci://ghcr.io/prometheus-community/charts
version: 84.3.0 version: 84.0.1
- name: prometheus-operator-crds - name: prometheus-operator-crds
repository: oci://ghcr.io/prometheus-community/charts repository: oci://ghcr.io/prometheus-community/charts
version: 28.0.1 version: 28.0.1
@@ -11,5 +11,5 @@ dependencies:
- name: valkey - name: valkey
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 0.6.1 version: 0.6.1
digest: sha256:88beedf9486adb9cb27b36c24021759401fcff106fc0e0cadbb3282d7e57d03c digest: sha256:2714de1082a27491925ba1b7adfba884a5ca9e674df22df96e8f6ccf56a54a6e
generated: "2026-04-27T19:03:58.288039768Z" generated: "2026-04-24T17:03:37.423427661Z"

2
clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
View File

@@ -20,7 +20,7 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: kube-prometheus-stack - name: kube-prometheus-stack
version: 84.3.0 version: 84.0.1
repository: oci://ghcr.io/prometheus-community/charts repository: oci://ghcr.io/prometheus-community/charts
- name: prometheus-operator-crds - name: prometheus-operator-crds
version: 28.0.1 version: 28.0.1

6
clusters/cl01tl/helm/kube-prometheus-stack/values.yaml
View File

@@ -98,8 +98,8 @@ kube-prometheus-stack:
namespace: traefik namespace: traefik
prometheusSpec: prometheusSpec:
scrapeInterval: 30s scrapeInterval: 30s
retention: 60d retention: 45d
retentionSize: 450GiB retentionSize: 240GiB
externalUrl: https://prometheus.alexlebens.net externalUrl: https://prometheus.alexlebens.net
ruleSelectorNilUsesHelmValues: false ruleSelectorNilUsesHelmValues: false
serviceMonitorSelectorNilUsesHelmValues: false serviceMonitorSelectorNilUsesHelmValues: false
@@ -112,7 +112,7 @@ kube-prometheus-stack:
accessModes: ["ReadWriteOnce"] accessModes: ["ReadWriteOnce"]
resources: resources:
requests: requests:
storage: 500Gi storage: 250Gi
ntfy-alertmanager: ntfy-alertmanager:
global: global:
fullnameOverride: ntfy-alertmanager fullnameOverride: ntfy-alertmanager

2
clusters/cl01tl/helm/medialyze/Chart.yaml
View File

@@ -24,4 +24,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://raw.githubusercontent.com/frederikemmer/MediaLyze/d8f69c0628bac7c047b90f91a66341648029c273/frontend/public/favicon.svg icon: https://raw.githubusercontent.com/frederikemmer/MediaLyze/d8f69c0628bac7c047b90f91a66341648029c273/frontend/public/favicon.svg
# renovate: datasource=github-releases depName=frederikemmer/MediaLyze # renovate: datasource=github-releases depName=frederikemmer/MediaLyze
appVersion: 0.9.0 appVersion: 0.8.3

2
clusters/cl01tl/helm/medialyze/values.yaml
View File

@@ -12,7 +12,7 @@ medialyze:
main: main:
image: image:
repository: ghcr.io/frederikemmer/medialyze repository: ghcr.io/frederikemmer/medialyze
tag: 0.9.0@sha256:3d88b4f4a3e6cf2489a5236e5174d58d6274e99008ce2ddd4159d1389744473f tag: 0.8.3@sha256:ef21e989f3d04c99f0fee4c992a92308156c746e26fb98672a3fa714fc630367
env: env:
- name: HOST_PORT - name: HOST_PORT
value: 8080 value: 8080

2
clusters/cl01tl/helm/music-grabber/Chart.yaml
View File

@@ -24,4 +24,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/music-grabber.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/music-grabber.png
# renovate: datasource=docker depName=g33kphr33k/musicgrabber # renovate: datasource=docker depName=g33kphr33k/musicgrabber
appVersion: 2.6.6 appVersion: 2.6.5

10
clusters/cl01tl/helm/music-grabber/values.yaml
View File

@@ -12,7 +12,7 @@ music-grabber:
main: main:
image: image:
repository: g33kphr33k/musicgrabber repository: g33kphr33k/musicgrabber
tag: 2.6.6@sha256:dad8dec4e32671ef7326d31f58ea626fa4622571e65c6bb34459bc2648f1fead tag: 2.6.5@sha256:5d276415a764a56955207ae41fe2df3341a152812fdf8a87e7c0b7e4e1fb681d
env: env:
- name: MUSIC_DIR - name: MUSIC_DIR
value: /mnt/store/Music Grabber/ value: /mnt/store/Music Grabber/
@@ -25,24 +25,24 @@ music-grabber:
- name: NAVIDROME_USER - name: NAVIDROME_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: music-grabber-config name: music-grabber-config-secret
key: navidrome-user key: navidrome-user
- name: NAVIDROME_PASS - name: NAVIDROME_PASS
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: music-grabber-config name: music-grabber-config-secret
key: navidrome-password key: navidrome-password
- name: SLSKD_URL - name: SLSKD_URL
value: http://slskd.slskd:5030 value: http://slskd.slskd:5030
- name: SLSKD_USER - name: SLSKD_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: music-grabber-config name: music-grabber-config-secret
key: slskd-user key: slskd-user
- name: SLSKD_PASS - name: SLSKD_PASS
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: music-grabber-config name: music-grabber-config-secret
key: slskd-password key: slskd-password
- name: SLSKD_DOWNLOADS_PATH - name: SLSKD_DOWNLOADS_PATH
value: /mnt/store/slskd/Downloads value: /mnt/store/slskd/Downloads

7
clusters/cl01tl/helm/ntfy/Chart.lock
View File

@@ -5,8 +5,5 @@ dependencies:
- name: postgres-cluster - name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 7.12.1 version: 7.12.1
- name: rclone-bucket digest: sha256:1f4cf54fc4c52a2ef6fff3aae0f8af39b059d46a6e257add049310766ebc0a22
repository: oci://harbor.alexlebens.net/helm-charts generated: "2026-04-24T21:55:36.889797295Z"
version: 0.4.3
digest: sha256:97ce7f765707305cb7ccf7020c3a0945a19cda7d7d54cb75ff341acdbf000a23
generated: "2026-04-26T21:07:46.221034664Z"

5
clusters/cl01tl/helm/ntfy/Chart.yaml
View File

@@ -10,7 +10,6 @@ sources:
- https://github.com/binwiederhier/ntfy - https://github.com/binwiederhier/ntfy
- https://hub.docker.com/r/binwiederhier/ntfy - https://hub.docker.com/r/binwiederhier/ntfy
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -22,10 +21,6 @@ dependencies:
alias: postgres-18-cluster alias: postgres-18-cluster
version: 7.12.1 version: 7.12.1
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
- name: rclone-bucket
alias: rclone-ntfy-attachments-remote
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.3
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ntfy.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ntfy.png
# renovate: datasource=github-releases depName=binwiederhier/ntfy # renovate: datasource=github-releases depName=binwiederhier/ntfy
appVersion: 2.22.0 appVersion: 2.22.0

21
clusters/cl01tl/helm/ntfy/values.yaml
View File

@@ -124,24 +124,3 @@ postgres-18-cluster:
immediate: true immediate: true
schedule: "0 15 14 * * *" schedule: "0 15 14 * * *"
backupName: garage-local backupName: garage-local
rclone-ntfy-attachments-remote:
cronJob:
suspend: false
schedule: 50 0 * * *
rclone:
source:
bucketName: ntfy-attachments
destination:
bucketName: ntfy-attachments
secret:
externalSecret:
source:
credentials:
path: /garage/home-infra/ntfy-attachments
config:
path: /garage/config
destination:
credentials:
path: /garage/home-infra/ntfy-attachments
config:
path: /garage/config

12
clusters/cl01tl/helm/openbao/Chart.lock
View File

@@ -1,15 +1,9 @@
dependencies: dependencies:
- name: openbao - name: openbao
repository: https://openbao.github.io/openbao-helm repository: https://openbao.github.io/openbao-helm
version: 0.27.2 version: 0.27.1
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2 version: 4.6.2
- name: rclone-bucket digest: sha256:2a48dda8dad91d967fceeec4c50d3358f58b0255ba823e04bea726bf187f8f40
repository: oci://harbor.alexlebens.net/helm-charts generated: "2026-04-15T19:55:47.720376-05:00"
version: 0.4.3
- name: rclone-bucket
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.3
digest: sha256:cbb61cd27ce6f613cd0fb07a3b9d380008732ed9e933eed45eda2d7e379fe279
generated: "2026-04-26T21:08:16.543052937Z"

9
clusters/cl01tl/helm/openbao/Chart.yaml
View File

@@ -15,7 +15,6 @@ sources:
- https://github.com/lrstanley/vault-unseal/pkgs/container/vault-unseal - https://github.com/lrstanley/vault-unseal/pkgs/container/vault-unseal
- https://github.com/openbao/openbao-helm/tree/main/charts/openbao - https://github.com/openbao/openbao-helm/tree/main/charts/openbao
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -26,14 +25,6 @@ dependencies:
alias: unseal alias: unseal
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2 version: 4.6.2
- name: rclone-bucket
alias: rclone-openbao-backups-remote
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.3
- name: rclone-bucket
alias: rclone-openbao-backups-external
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.3
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/openbao.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/openbao.png
# renovate: datasource=github-releases depName=openbao/openbao # renovate: datasource=github-releases depName=openbao/openbao
appVersion: v2.5.3 appVersion: v2.5.3

92
clusters/cl01tl/helm/openbao/values.yaml
View File

@@ -120,52 +120,20 @@ openbao:
prometheusRules: prometheusRules:
enabled: true enabled: true
rules: rules:
- alert: openBao-HighResponseTime - alert: vault-HighResponseTime
annotations: annotations:
message: The response time of OpenBao is over 500ms on average over the last 5 minutes. message: The response time of Vault is over 500ms on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500
for: 5m for: 5m
labels: labels:
severity: warning severity: warning
- alert: openBao-HighResponseTime - alert: vault-HighResponseTime
annotations: annotations:
message: The response time of OpenBao is over 1s on average over the last 5 minutes. message: The response time of Vault is over 1s on average over the last 5 minutes.
expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000
for: 5m for: 5m
labels: labels:
severity: critical severity: critical
- alert: openBao-Sealed
expr: vault_core_unsealed == 0
for: 1m
labels:
severity: critical
annotations:
summary: OpenBao sealed (instance {{ $labels.instance }})
description: "OpenBao instance is sealed on {{ $labels.instance }}\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: OpenBao-TooManyPendingTokens
expr: avg(vault_token_create_count - vault_token_store_count) > 0
for: 5m
labels:
severity: warning
annotations:
summary: OpenBao too many pending tokens (instance {{ $labels.instance }})
description: "Too many pending tokens on {{ $labels.instance }}: {{ $value }} tokens created but not yet stored.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: OpenBao-TooManyInfinityTokens
expr: vault_token_count_by_ttl{creation_ttl="+Inf"} > 3
for: 5m
labels:
severity: warning
annotations:
summary: OpenBao too many infinity tokens (instance {{ $labels.instance }})
description: "Too many non-expiring tokens on {{ $labels.instance }}: {{ $value }} tokens with infinite TTL.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: OpenBao-ClusterHealth
expr: sum(vault_core_active) / count(vault_core_active) <= 0.5 and count(vault_core_active) > 0
for: 0m
labels:
severity: critical
annotations:
summary: OpenBao cluster health (instance {{ $labels.instance }})
description: "OpenBao cluster is not healthy: only {{ $value | humanizePercentage }} of nodes are active.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
snapshotAgent: snapshotAgent:
enabled: true enabled: true
schedule: 0 4 * * * schedule: 0 4 * * *
@@ -239,55 +207,3 @@ unseal:
requests: requests:
cpu: 1m cpu: 1m
memory: 10Mi memory: 10Mi
rclone-openbao-backups-remote:
nameOverride: openbao-backups-remote-rclone
cronJob:
suspend: false
schedule: 0 1 * * *
rclone:
source:
bucketName: openbao-backups
destination:
bucketName: openbao-backups
prune:
enabled: true
ageToPrune: 90d
secret:
externalSecret:
source:
credentials:
path: /garage/home-infra/openbao-backups
config:
path: /garage/config
destination:
credentials:
path: /garage/home-infra/openbao-backups
config:
path: /garage/config
rclone-openbao-backups-external:
nameOverride: openbao-backups-external-rclone
cronJob:
suspend: false
schedule: 10 1 * * *
rclone:
source:
bucketName: openbao-backups
destination:
bucketName: openbao-backups-6e088aad5fad110b
providerType: DigitalOcean
prune:
enabled: true
ageToPrune: 90d
secret:
externalSecret:
source:
credentials:
path: /garage/home-infra/openbao-backups
config:
path: /garage/config
destination:
credentials:
path: /digital-ocean/home-infra/openbao-backups
config:
path: /digital-ocean/config
endpointProperty: ENDPOINT

2
clusters/cl01tl/helm/outline/Chart.yaml
View File

@@ -38,4 +38,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/outline.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/outline.png
# renovate: datasource=github-releases depName=outline/outline # renovate: datasource=github-releases depName=outline/outline
appVersion: 1.7.0 appVersion: 1.6.1

2
clusters/cl01tl/helm/outline/values.yaml
View File

@@ -11,7 +11,7 @@ outline:
main: main:
image: image:
repository: outlinewiki/outline repository: outlinewiki/outline
tag: 1.7.0@sha256:b13ccd15653513a79eb66283bfa91287f5e3d0944d8cb056d5288b8565992de5 tag: 1.6.1@sha256:a750f764080ce28d4a7393176011c8e2e4170b41689a8f6d91327dadf4904eb6
env: env:
- name: NODE_ENV - name: NODE_ENV
value: production value: production

2
clusters/cl01tl/helm/paperless-ngx/Chart.yaml
View File

@@ -48,4 +48,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/paperless-ngx.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/paperless-ngx.png
# renovate: datasource=github-releases depName=paperless-ngx/paperless-ngx # renovate: datasource=github-releases depName=paperless-ngx/paperless-ngx
appVersion: 2.20.15 appVersion: 2.20.14

2
clusters/cl01tl/helm/paperless-ngx/values.yaml
View File

@@ -8,7 +8,7 @@ paperless-ngx:
main: main:
image: image:
repository: ghcr.io/paperless-ngx/paperless-ngx repository: ghcr.io/paperless-ngx/paperless-ngx
tag: 2.20.15@sha256:6c86cad803970ea782683a8e80e7403444c5bf3cf70de63b4d3c8e87500db92f tag: 2.20.14@sha256:b89f83345532cfba72690185257eb6c4f92fc2a782332a42abe19c07b7a6595f
env: env:
- name: PAPERLESS_REDIS - name: PAPERLESS_REDIS
value: redis://paperless-ngx-valkey.paperless-ngx:6379 value: redis://paperless-ngx-valkey.paperless-ngx:6379

2
clusters/cl01tl/helm/plex/Chart.yaml
View File

@@ -20,4 +20,4 @@ dependencies:
version: 4.6.2 version: 4.6.2
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/plex.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/plex.png
# renovate: datasource=github-releases depName=linuxserver/docker-plex # renovate: datasource=github-releases depName=linuxserver/docker-plex
appVersion: 1.43.1.10611-1e34174b1-ls303 appVersion: 1.43.1.10611-1e34174b1-ls302

2
clusters/cl01tl/helm/plex/values.yaml
View File

@@ -22,7 +22,7 @@ plex:
main: main:
image: image:
repository: ghcr.io/linuxserver/plex repository: ghcr.io/linuxserver/plex
tag: 1.43.1.10611-1e34174b1-ls303@sha256:b785bdd60e781662f16e0526a6b54c07856739df95ab558a674a3c084dbde423 tag: 1.43.1.10611-1e34174b1-ls302@sha256:e5c7c283b242966416a4bed2d666acf6f3fb8f957c704be8333f8dc987364825
env: env:
- name: TZ - name: TZ
value: America/Chicago value: America/Chicago

2
clusters/cl01tl/helm/qbittorrent/values.yaml
View File

@@ -168,7 +168,7 @@ qbittorrent:
apprise-api: apprise-api:
image: image:
repository: ghcr.io/caronc/apprise repository: ghcr.io/caronc/apprise
tag: v1.4.0@sha256:9d97a6b9b42cf6afdf3b5466dbed2a59cd42a4bb777ec6aa57b5f2ee623569eb tag: v1.3.3@sha256:4bfeac268ba87b8e08e308c9aa0182fe99e9501ec464027afc333d1634e65977
env: env:
- name: TZ - name: TZ
value: America/Chicago value: America/Chicago

10
clusters/cl01tl/helm/rclone/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: rclone-bucket - name: app-template
repository: oci://harbor.alexlebens.net/helm-charts repository: https://bjw-s-labs.github.io/helm-charts/
version: 0.4.3 version: 4.6.2
digest: sha256:7203c46d1617837cfaad5fc500277ff1ed8d5e310b3af65500f3fbbd3166abd6 digest: sha256:8ed5a7025cbfee661770c4f525b6e1376f412114a7ab88cea1ab1de538eea500
generated: "2026-04-26T21:08:47.555855644Z" generated: "2026-03-11T18:19:57.681245-05:00"

11
clusters/cl01tl/helm/rclone/Chart.yaml
View File

@@ -9,14 +9,15 @@ keywords:
home: https://docs.alexlebens.dev/applications/rclone/ home: https://docs.alexlebens.dev/applications/rclone/
sources: sources:
- https://github.com/rclone/rclone - https://github.com/rclone/rclone
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket - https://hub.docker.com/r/rclone/rclone
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: rclone-bucket - name: app-template
alias: rclone-web-assets-remote alias: rclone
repository: oci://harbor.alexlebens.net/helm-charts repository: https://bjw-s-labs.github.io/helm-charts/
version: 0.4.3 version: 4.6.2
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/rclone.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/rclone.png
# renovate: datasource=github-releases depName=rclone/rclone # renovate: datasource=github-releases depName=rclone/rclone
appVersion: v1.73.5 appVersion: v1.73.5

270
clusters/cl01tl/helm/rclone/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,270 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: garage-directus-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-directus-secret
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_KEY_ID
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_REGION
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_SECRET_KEY
- secretKey: SRC_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_LOCAL
- secretKey: DEST_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_REMOTE
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: garage-karakeep-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-karakeep-secret
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: /garage/home-infra/karakeep-assets
property: ACCESS_KEY_ID
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/karakeep-assets
property: ACCESS_REGION
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /garage/home-infra/karakeep-assets
property: ACCESS_SECRET_KEY
- secretKey: SRC_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_LOCAL
- secretKey: DEST_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_REMOTE
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: garage-talos-backups-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-talos-backups-secret
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: /garage/home-infra/talos-backups
property: ACCESS_KEY_ID
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/talos-backups
property: ACCESS_REGION
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /garage/home-infra/talos-backups
property: ACCESS_SECRET_KEY
- secretKey: SRC_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_LOCAL
- secretKey: DEST_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_REMOTE
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: garage-web-assets-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-web-assets-secret
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: /garage/home-infra/web-assets
property: ACCESS_KEY_ID
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/web-assets
property: ACCESS_REGION
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /garage/home-infra/web-assets
property: ACCESS_SECRET_KEY
- secretKey: SRC_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_LOCAL
- secretKey: DEST_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_REMOTE
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: garage-postgres-backups-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-postgres-backups-secret
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: /garage/home-infra/postgres-backups
property: ACCESS_KEY_ID
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/postgres-backups
property: ACCESS_REGION
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /garage/home-infra/postgres-backups
property: ACCESS_SECRET_KEY
- secretKey: SRC_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_LOCAL
- secretKey: DEST_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_REMOTE
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: garage-ntfy-attachments-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ntfy-attachments-secret
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: /garage/home-infra/ntfy-attachments
property: ACCESS_KEY_ID
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/ntfy-attachments
property: ACCESS_REGION
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /garage/home-infra/ntfy-attachments
property: ACCESS_SECRET_KEY
- secretKey: SRC_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_LOCAL
- secretKey: DEST_ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_REMOTE
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: garage-openbao-backups-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-openbao-backups-secret
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: /garage/home-infra/openbao-backups
property: ACCESS_KEY_ID
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/openbao-backups
property: ACCESS_REGION
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /garage/home-infra/openbao-backups
property: ACCESS_SECRET_KEY
- secretKey: ENDPOINT_LOCAL
remoteRef:
key: /garage/config
property: ENDPOINT_LOCAL
- secretKey: ENDPOINT_REMOTE
remoteRef:
key: /garage/config
property: ENDPOINT_REMOTE
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: external-openbao-backups-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: external-openbao-backups-secret
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: /digital-ocean/home-infra/openbao-backups
property: ACCESS_KEY_ID
- secretKey: ACCESS_REGION
remoteRef:
key: /digital-ocean/home-infra/openbao-backups
property: ACCESS_REGION
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /digital-ocean/home-infra/openbao-backups
property: ACCESS_SECRET_KEY

682
clusters/cl01tl/helm/rclone/values.yaml
View File

@@ -1,5 +1,358 @@
rclone: rclone:
controllers: controllers:
directus-assets:
type: cronjob
cronjob:
suspend: false
timeZone: America/Chicago
schedule: 0 0 * * *
backoffLimit: 3
parallelism: 1
containers:
sync:
image:
repository: rclone/rclone
tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
args:
- sync
- src:directus-assets
- dest:directus-assets
- --s3-no-check-bucket
- --verbose
env:
- name: RCLONE_S3_PROVIDER
value: Other
- name: RCLONE_CONFIG_SRC_TYPE
value: s3
- name: RCLONE_CONFIG_SRC_PROVIDER
value: Other
- name: RCLONE_CONFIG_SRC_ENV_AUTH
value: false
- name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-directus-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-directus-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_SRC_REGION
valueFrom:
secretKeyRef:
name: garage-directus-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_SRC_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-directus-secret
key: SRC_ENDPOINT
- name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
value: true
- name: RCLONE_CONFIG_DEST_TYPE
value: s3
- name: RCLONE_CONFIG_DEST_PROVIDER
value: Other
- name: RCLONE_CONFIG_DEST_ENV_AUTH
value: false
- name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-directus-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-directus-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_DEST_REGION
valueFrom:
secretKeyRef:
name: garage-directus-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_DEST_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-directus-secret
key: DEST_ENDPOINT
- name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE
value: true
karakeep-assets:
type: cronjob
cronjob:
suspend: false
timeZone: America/Chicago
schedule: 10 0 * * *
backoffLimit: 3
parallelism: 1
containers:
sync:
image:
repository: rclone/rclone
tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
args:
- sync
- src:karakeep-assets
- dest:karakeep-assets
- --s3-no-check-bucket
- --verbose
env:
- name: RCLONE_S3_PROVIDER
value: Other
- name: RCLONE_CONFIG_SRC_TYPE
value: s3
- name: RCLONE_CONFIG_SRC_PROVIDER
value: Other
- name: RCLONE_CONFIG_SRC_ENV_AUTH
value: false
- name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-karakeep-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-karakeep-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_SRC_REGION
valueFrom:
secretKeyRef:
name: garage-karakeep-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_SRC_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-karakeep-secret
key: SRC_ENDPOINT
- name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
value: true
- name: RCLONE_CONFIG_DEST_TYPE
value: s3
- name: RCLONE_CONFIG_DEST_PROVIDER
value: Other
- name: RCLONE_CONFIG_DEST_ENV_AUTH
value: false
- name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-karakeep-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-karakeep-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_DEST_REGION
valueFrom:
secretKeyRef:
name: garage-karakeep-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_DEST_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-karakeep-secret
key: DEST_ENDPOINT
- name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
value: true
talos-backups:
type: cronjob
cronjob:
suspend: false
timeZone: America/Chicago
schedule: 20 0 * * *
backoffLimit: 3
parallelism: 1
containers:
sync:
image:
repository: rclone/rclone
tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
args:
- sync
- src:talos-backups
- dest:talos-backups
- --s3-no-check-bucket
- --max-age
- 90d
- --verbose
env:
- name: RCLONE_S3_PROVIDER
value: Other
- name: RCLONE_CONFIG_SRC_TYPE
value: s3
- name: RCLONE_CONFIG_SRC_PROVIDER
value: Other
- name: RCLONE_CONFIG_SRC_ENV_AUTH
value: false
- name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-talos-backups-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-talos-backups-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_SRC_REGION
valueFrom:
secretKeyRef:
name: garage-talos-backups-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_SRC_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-talos-backups-secret
key: SRC_ENDPOINT
- name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
value: true
- name: RCLONE_CONFIG_DEST_TYPE
value: s3
- name: RCLONE_CONFIG_DEST_PROVIDER
value: Other
- name: RCLONE_CONFIG_DEST_ENV_AUTH
value: false
- name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-talos-backups-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-talos-backups-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_DEST_REGION
valueFrom:
secretKeyRef:
name: garage-talos-backups-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_DEST_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-talos-backups-secret
key: DEST_ENDPOINT
- name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
value: true
prune:
image:
repository: rclone/rclone
tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
args:
- delete
- dest:talos-backups
- --min-age
- 90d
- --verbose
env:
- name: RCLONE_CONFIG_DEST_TYPE
value: s3
- name: RCLONE_CONFIG_DEST_PROVIDER
value: Other
- name: RCLONE_CONFIG_DEST_ENV_AUTH
value: false
- name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-talos-backups-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-talos-backups-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_DEST_REGION
valueFrom:
secretKeyRef:
name: garage-talos-backups-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_DEST_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-talos-backups-secret
key: DEST_ENDPOINT
- name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
value: true
web-assets:
type: cronjob
cronjob:
suspend: false
timeZone: America/Chicago
schedule: 30 0 * * *
backoffLimit: 3
parallelism: 1
containers:
sync:
image:
repository: rclone/rclone
tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
args:
- sync
- src:web-assets
- dest:web-assets
- --s3-no-check-bucket
- --verbose
env:
- name: RCLONE_S3_PROVIDER
value: Other
- name: RCLONE_CONFIG_SRC_TYPE
value: s3
- name: RCLONE_CONFIG_SRC_PROVIDER
value: Other
- name: RCLONE_CONFIG_SRC_ENV_AUTH
value: false
- name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-web-assets-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-web-assets-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_SRC_REGION
valueFrom:
secretKeyRef:
name: garage-web-assets-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_SRC_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-web-assets-secret
key: SRC_ENDPOINT
- name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
value: true
- name: RCLONE_CONFIG_DEST_TYPE
value: s3
- name: RCLONE_CONFIG_DEST_PROVIDER
value: Other
- name: RCLONE_CONFIG_DEST_ENV_AUTH
value: false
- name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-web-assets-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-web-assets-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_DEST_REGION
valueFrom:
secretKeyRef:
name: garage-web-assets-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_DEST_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-web-assets-secret
key: DEST_ENDPOINT
- name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE
value: true
postgres-backups: postgres-backups:
type: cronjob type: cronjob
cronjob: cronjob:
@@ -123,24 +476,313 @@ rclone:
key: DEST_ENDPOINT key: DEST_ENDPOINT
- name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
value: true value: true
rclone-web-assets-remote: ntfy-attachments:
cronJob: type: cronjob
cronjob:
suspend: false suspend: false
schedule: 30 0 * * * timeZone: America/Chicago
rclone: schedule: 50 0 * * *
source: backoffLimit: 3
bucketName: web-assets parallelism: 1
destination: containers:
bucketName: web-assets sync:
secret: image:
externalSecret: repository: rclone/rclone
source: tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
credentials: args:
path: /garage/home-infra/web-assets - sync
config: - src:ntfy-attachments
path: /garage/config - dest:ntfy-attachments
destination: - --s3-no-check-bucket
credentials: - --verbose
path: /garage/home-infra/web-assets env:
config: - name: RCLONE_S3_PROVIDER
path: /garage/config value: Other
- name: RCLONE_CONFIG_SRC_TYPE
value: s3
- name: RCLONE_CONFIG_SRC_PROVIDER
value: Other
- name: RCLONE_CONFIG_SRC_ENV_AUTH
value: false
- name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-ntfy-attachments-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-ntfy-attachments-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_SRC_REGION
valueFrom:
secretKeyRef:
name: garage-ntfy-attachments-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_SRC_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-ntfy-attachments-secret
key: SRC_ENDPOINT
- name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
value: true
- name: RCLONE_CONFIG_DEST_TYPE
value: s3
- name: RCLONE_CONFIG_DEST_PROVIDER
value: Other
- name: RCLONE_CONFIG_DEST_ENV_AUTH
value: false
- name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-ntfy-attachments-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-ntfy-attachments-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_DEST_REGION
valueFrom:
secretKeyRef:
name: garage-ntfy-attachments-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_DEST_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-ntfy-attachments-secret
key: DEST_ENDPOINT
- name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
value: true
openbao-backups-remote:
type: cronjob
cronjob:
suspend: false
timeZone: America/Chicago
schedule: 0 1 * * *
backoffLimit: 3
parallelism: 1
containers:
sync:
image:
repository: rclone/rclone
tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
args:
- sync
- src:openbao-backups
- dest:openbao-backups
- --s3-no-check-bucket
- --max-age
- 90d
- --verbose
env:
- name: RCLONE_S3_PROVIDER
value: Other
- name: RCLONE_CONFIG_SRC_TYPE
value: s3
- name: RCLONE_CONFIG_SRC_PROVIDER
value: Other
- name: RCLONE_CONFIG_SRC_ENV_AUTH
value: false
- name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_SRC_REGION
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_SRC_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ENDPOINT_LOCAL
- name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
value: true
- name: RCLONE_CONFIG_DEST_TYPE
value: s3
- name: RCLONE_CONFIG_DEST_PROVIDER
value: Other
- name: RCLONE_CONFIG_DEST_ENV_AUTH
value: false
- name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_DEST_REGION
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_DEST_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ENDPOINT_REMOTE
- name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
value: true
prune:
image:
repository: rclone/rclone
tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
args:
- delete
- dest:openbao-backups
- --min-age
- 90d
- --verbose
env:
- name: RCLONE_CONFIG_DEST_TYPE
value: s3
- name: RCLONE_CONFIG_DEST_PROVIDER
value: Other
- name: RCLONE_CONFIG_DEST_ENV_AUTH
value: false
- name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_DEST_REGION
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_DEST_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ENDPOINT_REMOTE
- name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
value: true
openbao-backups-external:
type: cronjob
cronjob:
suspend: false
timeZone: America/Chicago
schedule: 10 1 * * *
backoffLimit: 3
parallelism: 1
containers:
sync:
image:
repository: rclone/rclone
tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
args:
- sync
- src:openbao-backups
- dest:openbao-backups-6e088aad5fad110b
- --s3-no-check-bucket
- --max-age
- 90d
- --verbose
env:
- name: RCLONE_S3_PROVIDER
value: Other
- name: RCLONE_CONFIG_SRC_TYPE
value: s3
- name: RCLONE_CONFIG_SRC_PROVIDER
value: Other
- name: RCLONE_CONFIG_SRC_ENV_AUTH
value: false
- name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_SRC_REGION
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_SRC_ENDPOINT
valueFrom:
secretKeyRef:
name: garage-openbao-backups-secret
key: ENDPOINT_LOCAL
- name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
value: true
- name: RCLONE_CONFIG_DEST_TYPE
value: s3
- name: RCLONE_CONFIG_DEST_PROVIDER
value: DigitalOcean
- name: RCLONE_CONFIG_DEST_ENV_AUTH
value: false
- name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: external-openbao-backups-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: external-openbao-backups-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_DEST_REGION
valueFrom:
secretKeyRef:
name: external-openbao-backups-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_DEST_ENDPOINT
value: https://nyc3.digitaloceanspaces.com
- name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE
value: true
prune:
image:
repository: rclone/rclone
tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
args:
- delete
- dest:openbao-backups-6e088aad5fad110b
- --min-age
- 90d
- --verbose
env:
- name: RCLONE_CONFIG_DEST_TYPE
value: s3
- name: RCLONE_CONFIG_DEST_PROVIDER
value: DigitalOcean
- name: RCLONE_CONFIG_DEST_ENV_AUTH
value: false
- name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: external-openbao-backups-secret
key: ACCESS_KEY_ID
- name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: external-openbao-backups-secret
key: ACCESS_SECRET_KEY
- name: RCLONE_CONFIG_DEST_REGION
valueFrom:
secretKeyRef:
name: external-openbao-backups-secret
key: ACCESS_REGION
- name: RCLONE_CONFIG_DEST_ENDPOINT
value: https://nyc3.digitaloceanspaces.com
- name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE
value: true

156
clusters/cl01tl/helm/rybbit/templates/prometheus-rule.yaml
View File

@@ -1,156 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: clickhouse
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: clickhouse
{{- include "custom.labels" . | nindent 4 }}
spec:
groups:
- name: EmbeddedExporter
rules:
- alert: ClickHouseNodeDown
expr: up{job="clickhouse"} == 0
for: 2m
labels:
severity: critical
annotations:
summary: ClickHouse node down (instance {{ `{{ $labels.instance }}` }})
description: "No metrics received from ClickHouse exporter for over 2 minutes.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseMemoryUsageCritical
expr: ClickHouseAsyncMetrics_CGroupMemoryUsed / ClickHouseAsyncMetrics_CGroupMemoryTotal * 100 > 90 and ClickHouseAsyncMetrics_CGroupMemoryTotal > 0
for: 5m
labels:
severity: critical
annotations:
summary: ClickHouse Memory Usage Critical (instance {{ `{{ $labels.instance }}` }})
description: "Memory usage is critically high, over 90%.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseMemoryUsageWarning
expr: ClickHouseAsyncMetrics_CGroupMemoryUsed / ClickHouseAsyncMetrics_CGroupMemoryTotal * 100 > 80 and ClickHouseAsyncMetrics_CGroupMemoryTotal > 0
for: 5m
labels:
severity: warning
annotations:
summary: ClickHouse Memory Usage Warning (instance {{ `{{ $labels.instance }}` }})
description: "Memory usage is over 80%.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseDiskSpaceLowOnDefault
expr: ClickHouseAsyncMetrics_DiskAvailable_default / (ClickHouseAsyncMetrics_DiskAvailable_default + ClickHouseAsyncMetrics_DiskUsed_default) * 100 < 20 and (ClickHouseAsyncMetrics_DiskAvailable_default + ClickHouseAsyncMetrics_DiskUsed_default) > 0
for: 2m
labels:
severity: warning
annotations:
summary: ClickHouse Disk Space Low on Default (instance {{ `{{ $labels.instance }}` }})
description: "Disk space on default is below 20%.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseDiskSpaceCriticalOnDefault
expr: ClickHouseAsyncMetrics_DiskAvailable_default / (ClickHouseAsyncMetrics_DiskAvailable_default + ClickHouseAsyncMetrics_DiskUsed_default) * 100 < 10 and (ClickHouseAsyncMetrics_DiskAvailable_default + ClickHouseAsyncMetrics_DiskUsed_default) > 0
for: 2m
labels:
severity: critical
annotations:
summary: ClickHouse Disk Space Critical on Default (instance {{ `{{ $labels.instance }}` }})
description: "Disk space on default disk is critically low, below 10%.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseDiskSpaceLowOnBackups
expr: ClickHouseAsyncMetrics_DiskAvailable_backups / (ClickHouseAsyncMetrics_DiskAvailable_backups + ClickHouseAsyncMetrics_DiskUsed_backups) * 100 < 20 and (ClickHouseAsyncMetrics_DiskAvailable_backups + ClickHouseAsyncMetrics_DiskUsed_backups) > 0
for: 2m
labels:
severity: warning
annotations:
summary: ClickHouse Disk Space Low on Backups (instance {{ `{{ $labels.instance }}` }})
description: "Disk space on backups is below 20%.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseReplicaErrors
expr: ClickHouseErrorMetric_ALL_REPLICAS_ARE_STALE == 1 or ClickHouseErrorMetric_ALL_REPLICAS_LOST == 1
for: 0m
labels:
severity: critical
annotations:
summary: ClickHouse Replica Errors (instance {{ `{{ $labels.instance }}` }})
description: "Critical replica errors detected, either all replicas are stale or lost.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseNoAvailableReplicas
expr: ClickHouseErrorMetric_NO_AVAILABLE_REPLICA == 1
for: 0m
labels:
severity: critical
annotations:
summary: ClickHouse No Available Replicas (instance {{ `{{ $labels.instance }}` }})
description: "No available replicas in ClickHouse.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseNoLiveReplicas
expr: ClickHouseErrorMetric_TOO_FEW_LIVE_REPLICAS == 1
for: 0m
labels:
severity: critical
annotations:
summary: ClickHouse No Live Replicas (instance {{ `{{ $labels.instance }}` }})
description: "There are too few live replicas available, risking data loss and service disruption.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseHighTCPConnections
expr: ClickHouseMetrics_TCPConnection > 400
for: 5m
labels:
severity: warning
annotations:
summary: ClickHouse High TCP Connections (instance {{ `{{ $labels.instance }}` }})
description: "High number of TCP connections, indicating heavy client or inter-cluster communication.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseInterserverConnectionIssues
expr: ClickHouseMetrics_InterserverConnection > 50
for: 5m
labels:
severity: warning
annotations:
summary: ClickHouse Interserver Connection Issues (instance {{ `{{ $labels.instance }}` }})
description: "High number of interserver connections may indicate replication or distributed query handling issues.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseZooKeeperConnectionIssues
expr: ClickHouseMetrics_ZooKeeperSession != 1
for: 3m
labels:
severity: warning
annotations:
summary: ClickHouse ZooKeeper Connection Issues (instance {{ `{{ $labels.instance }}` }})
description: "ClickHouse is experiencing issues with ZooKeeper connections, which may affect cluster state and coordination.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseAuthenticationFailures
expr: increase(ClickHouseErrorMetric_AUTHENTICATION_FAILED[5m]) > 3
for: 0m
labels:
severity: info
annotations:
summary: ClickHouse Authentication Failures (instance {{ `{{ $labels.instance }}` }})
description: "Authentication failures detected, indicating potential security issues or misconfiguration.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseAccessDeniedErrors
expr: increase(ClickHouseErrorMetric_RESOURCE_ACCESS_DENIED[5m]) > 3
for: 0m
labels:
severity: info
annotations:
summary: ClickHouse Access Denied Errors (instance {{ `{{ $labels.instance }}` }})
description: "Access denied errors have been logged, which could indicate permission issues or unauthorized access attempts.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseRejectedInsertQueries
expr: increase(ClickHouseProfileEvents_RejectedInserts[1m]) > 2
for: 1m
labels:
severity: warning
annotations:
summary: ClickHouse rejected insert queries (instance {{ `{{ $labels.instance }}` }})
description: "INSERTs rejected due to too many active data parts. Reduce insert frequency.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseDelayedInsertQueries
expr: increase(ClickHouseProfileEvents_DelayedInserts[5m]) > 10
for: 2m
labels:
severity: warning
annotations:
summary: ClickHouse delayed insert queries (instance {{ `{{ $labels.instance }}` }})
description: "INSERTs delayed due to high number of active parts.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseZookeeperHardwareException
expr: increase(ClickHouseProfileEvents_ZooKeeperHardwareExceptions[1m]) > 0
for: 1m
labels:
severity: critical
annotations:
summary: ClickHouse zookeeper hardware exception (instance {{ `{{ $labels.instance }}` }})
description: "Zookeeper hardware exception: network issues communicating with ZooKeeper\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ClickHouseDistributedRejectedInserts
expr: increase(ClickHouseProfileEvents_DistributedRejectedInserts[5m]) > 3
for: 2m
labels:
severity: critical
annotations:
summary: ClickHouse distributed rejected inserts (instance {{ `{{ $labels.instance }}` }})
description: "INSERTs into Distributed tables rejected due to pending bytes limit.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"

31
clusters/cl01tl/helm/rybbit/values.yaml
View File

@@ -151,7 +151,6 @@ rybbit:
network.xml: | network.xml: |
<clickhouse> <clickhouse>
<listen_host>0.0.0.0</listen_host> <listen_host>0.0.0.0</listen_host>
<http_port>8123</http_port>
</clickhouse> </clickhouse>
enable_json.xml: | enable_json.xml: |
<clickhouse> <clickhouse>
@@ -186,17 +185,6 @@ rybbit:
</default> </default>
</profiles> </profiles>
</clickhouse> </clickhouse>
metrics.xml: |
<clickhouse>
<prometheus>
<endpoint>/metrics</endpoint>
<port>9363</port>
<metrics>true</metrics>
<events>true</events>
<asynchronous_metrics>true</asynchronous_metrics>
<errors>true</errors>
</prometheus>
</clickhouse>
service: service:
backend: backend:
controller: backend controller: backend
@@ -216,21 +204,6 @@ rybbit:
http: http:
port: 8123 port: 8123
targetPort: 8123 targetPort: 8123
metrics:
port: 9363
targetPort: 9363
serviceMonitor:
main:
selector:
matchLabels:
app.kubernetes.io/name: rybbit-clickhouse
app.kubernetes.io/instance: rybbit-clickhouse
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: metrics
interval: 30s
scrapeTimeout: 10s
path: /metrics
persistence: persistence:
clickhouse: clickhouse:
forceRename: clickhouse-data forceRename: clickhouse-data
@@ -265,10 +238,6 @@ rybbit:
readOnly: true readOnly: true
mountPropagation: None mountPropagation: None
subPath: user_logging.xml subPath: user_logging.xml
- path: /etc/clickhouse-server/config.d/metrics.xml
readOnly: true
mountPropagation: None
subPath: metrics.xml
postgres-18-cluster: postgres-18-cluster:
mode: recovery mode: recovery
recovery: recovery:

4
clusters/cl01tl/helm/secrets-store-csi-driver/values.yaml
View File

@@ -3,12 +3,12 @@ secrets-store-csi-driver:
enabled: true enabled: true
image: image:
repository: registry.k8s.io/csi-secrets-store/driver repository: registry.k8s.io/csi-secrets-store/driver
tag: v1.6.0@sha256:110344819630bfd41e0c6d3f215d325ad1a4d5d5b1d298f8af7d0edf4df64a4e tag: v1.5.6@sha256:6df2b3b3817136d2ade3d53306dbbd98385c1c01e8b3c373192c0e5b8d183f7b
crds: crds:
enabled: true enabled: true
image: image:
repository: registry.k8s.io/csi-secrets-store/driver-crds repository: registry.k8s.io/csi-secrets-store/driver-crds
tag: v1.6.0@sha256:2419b318a1c17bd741686bf1994cd37cee7162039c019435b8f534f2846fe488 tag: v1.5.6@sha256:d40d9212beb62ee0f9f09b75d024ed807816879f38e75eca309497c3df89568c
driver: driver:
resources: resources:
limits: limits:

2
clusters/cl01tl/helm/site-documentation/values.yaml
View File

@@ -10,7 +10,7 @@ site-documentation:
main: main:
image: image:
repository: harbor.alexlebens.net/images/site-documentation repository: harbor.alexlebens.net/images/site-documentation
tag: 0.27.1@sha256:a9e8659827375e7ee65ea8bc8550f4c0604316b48f39da7fa255fa9f3b5a17d6 tag: 0.27.0@sha256:dafa3c8aa9401009c299bb274d140acc10d8531dd40c8253783b1f8ed8519d76
resources: resources:
requests: requests:
cpu: 10m cpu: 10m

2
clusters/cl01tl/helm/site-profile/values.yaml
View File

@@ -10,7 +10,7 @@ site-profile:
main: main:
image: image:
repository: harbor.alexlebens.net/images/site-profile repository: harbor.alexlebens.net/images/site-profile
tag: 3.18.7@sha256:d2e31d00b58aa8e843eeaa5ba75d1bb73dd9d1587185b82e5451a585285de6a0 tag: 3.18.5@sha256:2ad5cbbdbf1011f74c5fa804584236ffea266c37f046f837625af79a97bc0b56
resources: resources:
requests: requests:
cpu: 10m cpu: 10m

2
clusters/cl01tl/helm/site-saralebens/values.yaml
View File

@@ -10,7 +10,7 @@ site-saralebens:
main: main:
image: image:
repository: harbor.alexlebens.net/images/site-saralebens repository: harbor.alexlebens.net/images/site-saralebens
tag: 1.1.2@sha256:53389e7b38dd543eb453ddbfa3a25cb77aada734cb403a29c3e9f5ab77f57996 tag: 1.1.1@sha256:b1a92f492127dd0e6b1756dd6798e72fbc991c7b334c0bec87ba39cb9bb14ee3
resources: resources:
requests: requests:
cpu: 10m cpu: 10m

2
clusters/cl01tl/helm/sonarr-4k/Chart.yaml
View File

@@ -33,4 +33,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png
# renovate: datasource=github-releases depName=linuxserver/docker-sonarr # renovate: datasource=github-releases depName=linuxserver/docker-sonarr
appVersion: 4.0.17.2952-ls309 appVersion: 4.0.17.2952-ls308

2
clusters/cl01tl/helm/sonarr-4k/values.yaml
View File

@@ -13,7 +13,7 @@ sonarr-4k:
main: main:
image: image:
repository: ghcr.io/linuxserver/sonarr repository: ghcr.io/linuxserver/sonarr
tag: 4.0.17.2952-ls309@sha256:3580aec3802c915f0f819a88d5099abce61734b925732b8393d176b5dc561020 tag: 4.0.17.2952-ls308@sha256:e6c9a091735fede0c2a205c69e7d4c2f0188eaf2bec7e42d8a26c017e5f2a910
env: env:
- name: TZ - name: TZ
value: America/Chicago value: America/Chicago

2
clusters/cl01tl/helm/sonarr-anime/Chart.yaml
View File

@@ -33,4 +33,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png
# renovate: datasource=github-releases depName=linuxserver/docker-sonarr # renovate: datasource=github-releases depName=linuxserver/docker-sonarr
appVersion: 4.0.17.2952-ls309 appVersion: 4.0.17.2952-ls308

2
clusters/cl01tl/helm/sonarr-anime/values.yaml
View File

@@ -13,7 +13,7 @@ sonarr-anime:
main: main:
image: image:
repository: ghcr.io/linuxserver/sonarr repository: ghcr.io/linuxserver/sonarr
tag: 4.0.17.2952-ls309@sha256:3580aec3802c915f0f819a88d5099abce61734b925732b8393d176b5dc561020 tag: 4.0.17.2952-ls308@sha256:e6c9a091735fede0c2a205c69e7d4c2f0188eaf2bec7e42d8a26c017e5f2a910
env: env:
- name: TZ - name: TZ
value: America/Chicago value: America/Chicago

2
clusters/cl01tl/helm/sonarr/Chart.yaml
View File

@@ -33,4 +33,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/sonarr.png
# renovate: datasource=github-releases depName=linuxserver/docker-sonarr # renovate: datasource=github-releases depName=linuxserver/docker-sonarr
appVersion: 4.0.17.2952-ls309 appVersion: 4.0.17.2952-ls308

2
clusters/cl01tl/helm/sonarr/values.yaml
View File

@@ -12,7 +12,7 @@ sonarr:
main: main:
image: image:
repository: ghcr.io/linuxserver/sonarr repository: ghcr.io/linuxserver/sonarr
tag: 4.0.17.2952-ls309@sha256:3580aec3802c915f0f819a88d5099abce61734b925732b8393d176b5dc561020 tag: 4.0.17.2952-ls308@sha256:e6c9a091735fede0c2a205c69e7d4c2f0188eaf2bec7e42d8a26c017e5f2a910
env: env:
- name: TZ - name: TZ
value: America/Chicago value: America/Chicago

169
clusters/cl01tl/helm/stalwart/templates/prometheus-rule.yaml
View File

@@ -1,169 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: elasticsearch
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: elasticsearch
{{- include "custom.labels" . | nindent 4 }}
spec:
groups:
- name: ElasticsearchExporter
rules:
- alert: ElasticsearchHeapUsageTooHigh
expr: (elasticsearch_jvm_memory_used_bytes{area="heap"} / elasticsearch_jvm_memory_max_bytes{area="heap"}) * 100 > 90 and elasticsearch_jvm_memory_max_bytes{area="heap"} > 0
for: 2m
labels:
severity: critical
annotations:
summary: Elasticsearch Heap Usage Too High (instance {{ `{{ $labels.instance }}` }})
description: "The heap usage is over 90%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchHeapUsageWarning
expr: (elasticsearch_jvm_memory_used_bytes{area="heap"} / elasticsearch_jvm_memory_max_bytes{area="heap"}) * 100 > 80 and elasticsearch_jvm_memory_max_bytes{area="heap"} > 0
for: 2m
labels:
severity: warning
annotations:
summary: Elasticsearch Heap Usage warning (instance {{ `{{ $labels.instance }}` }})
description: "The heap usage is over 80%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchDiskOutOfSpace
expr: elasticsearch_filesystem_data_available_bytes / elasticsearch_filesystem_data_size_bytes * 100 < 10 and elasticsearch_filesystem_data_size_bytes > 0
for: 0m
labels:
severity: critical
annotations:
summary: Elasticsearch disk out of space (instance {{ `{{ $labels.instance }}` }})
description: "The disk usage is over 90%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchDiskSpaceLow
expr: elasticsearch_filesystem_data_available_bytes / elasticsearch_filesystem_data_size_bytes * 100 < 20 and elasticsearch_filesystem_data_size_bytes > 0
for: 2m
labels:
severity: warning
annotations:
summary: Elasticsearch disk space low (instance {{ `{{ $labels.instance }}` }})
description: "The disk usage is over 80%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchClusterRed
expr: elasticsearch_cluster_health_status{color="red"} == 1
for: 0m
labels:
severity: critical
annotations:
summary: Elasticsearch Cluster Red (instance {{ `{{ $labels.instance }}` }})
description: "Elastic Cluster Red status\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchClusterYellow
expr: elasticsearch_cluster_health_status{color="yellow"} == 1
for: 0m
labels:
severity: warning
annotations:
summary: Elasticsearch Cluster Yellow (instance {{ `{{ $labels.instance }}` }})
description: "Elastic Cluster Yellow status\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# 1m delay allows a restart without triggering an alert.
- alert: ElasticsearchHealthyNodes
expr: elasticsearch_cluster_health_number_of_nodes < 3
for: 1m
labels:
severity: critical
annotations:
summary: Elasticsearch Healthy Nodes (instance {{ `{{ $labels.instance }}` }})
description: "Missing node in Elasticsearch cluster\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# 1m delay allows a restart without triggering an alert.
- alert: ElasticsearchHealthyDataNodes
expr: elasticsearch_cluster_health_number_of_data_nodes < 3
for: 1m
labels:
severity: critical
annotations:
summary: Elasticsearch Healthy Data Nodes (instance {{ `{{ $labels.instance }}` }})
description: "Missing data node in Elasticsearch cluster\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchRelocatingShards
expr: elasticsearch_cluster_health_relocating_shards > 0
for: 0m
labels:
severity: info
annotations:
summary: Elasticsearch relocating shards (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch is relocating shards\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchRelocatingShardsTooLong
expr: elasticsearch_cluster_health_relocating_shards > 0
for: 15m
labels:
severity: warning
annotations:
summary: Elasticsearch relocating shards too long (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has been relocating shards for 15min\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchInitializingShards
expr: elasticsearch_cluster_health_initializing_shards > 0
for: 0m
labels:
severity: info
annotations:
summary: Elasticsearch initializing shards (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch is initializing shards\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchInitializingShardsTooLong
expr: elasticsearch_cluster_health_initializing_shards > 0
for: 15m
labels:
severity: warning
annotations:
summary: Elasticsearch initializing shards too long (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has been initializing shards for 15 min\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchUnassignedShards
expr: elasticsearch_cluster_health_unassigned_shards > 0
for: 2m
labels:
severity: critical
annotations:
summary: Elasticsearch unassigned shards (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has unassigned shards\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchPendingTasks
expr: elasticsearch_cluster_health_number_of_pending_tasks > 0
for: 15m
labels:
severity: warning
annotations:
summary: Elasticsearch pending tasks (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has pending tasks. Cluster works slowly.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchNoNewDocuments
expr: increase(elasticsearch_indices_indexing_index_total{es_data_node="true"}[10m]) < 1
for: 0m
labels:
severity: warning
annotations:
summary: Elasticsearch no new documents (instance {{ `{{ $labels.instance }}` }})
description: "No new documents for 10 min!\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# Threshold of 10ms (0.01s) per indexing operation is a rough default. Adjust based on your document size and cluster performance.
- alert: ElasticsearchHighIndexingLatency
expr: rate(elasticsearch_indices_indexing_index_time_seconds_total[5m]) / rate(elasticsearch_indices_indexing_index_total[5m]) > 0.01 and rate(elasticsearch_indices_indexing_index_total[5m]) > 0
for: 10m
labels:
severity: warning
annotations:
summary: Elasticsearch High Indexing Latency (instance {{ `{{ $labels.instance }}` }})
description: "The indexing latency on Elasticsearch cluster is higher than the threshold (current value: {{ `{{ $value }}` }}s).\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# Threshold of 10000 ops/s is a rough default. Adjust based on your cluster capacity and expected workload.
- alert: ElasticsearchHighIndexingRate
expr: sum(rate(elasticsearch_indices_indexing_index_total[1m]))> 10000
for: 5m
labels:
severity: warning
annotations:
summary: Elasticsearch High Indexing Rate (instance {{ `{{ $labels.instance }}` }})
description: "The indexing rate on Elasticsearch cluster is higher than the threshold.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# Threshold of 100 queries/s is very low for most production clusters. Adjust based on your expected query volume.
- alert: ElasticsearchHighQueryRate
expr: sum(rate(elasticsearch_indices_search_query_total[1m])) > 100
for: 5m
labels:
severity: warning
annotations:
summary: Elasticsearch High Query Rate (instance {{ `{{ $labels.instance }}` }})
description: "The query rate on Elasticsearch cluster is higher than the threshold.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchHighQueryLatency
expr: rate(elasticsearch_indices_search_query_time_seconds[1m]) / rate(elasticsearch_indices_search_query_total[1m]) > 1 and rate(elasticsearch_indices_search_query_total[1m]) > 0
for: 5m
labels:
severity: warning
annotations:
summary: Elasticsearch High Query Latency (instance {{ `{{ $labels.instance }}` }})
description: "The query latency on Elasticsearch cluster is higher than the threshold (current value: {{ `{{ $value }}` }}s).\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"

36
clusters/cl01tl/helm/stalwart/values.yaml
View File

@@ -1,7 +1,6 @@
stalwart: stalwart:
controllers: controllers:
main: main:
forceRename: stalwart
type: deployment type: deployment
replicas: 1 replicas: 1
strategy: Recreate strategy: Recreate
@@ -14,26 +13,9 @@ stalwart:
requests: requests:
cpu: 10m cpu: 10m
memory: 100Mi memory: 100Mi
metrics:
type: deployment
replicas: 1
strategy: Recreate
containers:
main:
image:
repository: quay.io/prometheuscommunity/elasticsearch-exporter
tag: v1.10.0@sha256:a6a4d4403f670faf6a94b8c7f9adbca3ead91f26dd64e5ccf95fa69025dc6e58
args:
- '--es.uri=https://elasticsearch-stalwart-es-http.tubearchivist:9200'
- '--es.ssl-skip-verify'
resources:
requests:
cpu: 1m
memory: 10Mi
service: service:
main: main:
controller: main controller: main
forceRename: stalwart
ports: ports:
http: http:
port: 80 port: 80
@@ -50,24 +32,6 @@ stalwart:
imaps: imaps:
port: 993 port: 993
targetPort: 993 targetPort: 993
metrics:
controller: metrics
ports:
metrics:
port: 9114
targetPort: 9114
serviceMonitor:
main:
selector:
matchLabels:
app.kubernetes.io/name: stalwart-metrics
app.kubernetes.io/instance: stalwart-metrics
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: metrics
interval: 30s
scrapeTimeout: 10s
path: /metrics
route: route:
main: main:
kind: HTTPRoute kind: HTTPRoute

10
clusters/cl01tl/helm/talos/templates/_helpers.tpl
View File

@@ -12,3 +12,13 @@ Selector labels
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }} {{- end }}
{{/*
ServiceAccount names
*/}}
{{- define "custom.serviceAccountName" -}}
talos-backup
{{- end -}}
{{- define "custom.serviceAccountSecretsName" -}}
talos-backup-secrets
{{- end -}}

24
clusters/cl01tl/helm/talos/templates/external-secret.yaml
View File

@@ -19,14 +19,6 @@ spec:
remoteRef: remoteRef:
key: /garage/home-infra/talos-backups key: /garage/home-infra/talos-backups
property: ACCESS_SECRET_KEY property: ACCESS_SECRET_KEY
- secretKey: AWS_REGION
remoteRef:
key: /garage/home-infra/talos-backups
property: ACCESS_REGION
- secretKey: BUCKET_NAME
remoteRef:
key: /garage/home-infra/talos-backups
property: BUCKET
- secretKey: BUCKET - secretKey: BUCKET
remoteRef: remoteRef:
key: /garage/home-infra/talos-backups key: /garage/home-infra/talos-backups
@@ -58,14 +50,6 @@ spec:
remoteRef: remoteRef:
key: /garage/home-infra/talos-backups key: /garage/home-infra/talos-backups
property: ACCESS_SECRET_KEY property: ACCESS_SECRET_KEY
- secretKey: AWS_REGION
remoteRef:
key: /garage/home-infra/talos-backups
property: ACCESS_REGION
- secretKey: BUCKET_NAME
remoteRef:
key: /garage/home-infra/talos-backups
property: BUCKET
- secretKey: BUCKET - secretKey: BUCKET
remoteRef: remoteRef:
key: /garage/home-infra/talos-backups key: /garage/home-infra/talos-backups
@@ -97,14 +81,6 @@ spec:
remoteRef: remoteRef:
key: /digital-ocean/home-infra/talos-backups key: /digital-ocean/home-infra/talos-backups
property: AWS_SECRET_ACCESS_KEY property: AWS_SECRET_ACCESS_KEY
- secretKey: AWS_REGION
remoteRef:
key: /digital-ocean/home-infra/talos-backups
property: AWS_REGION
- secretKey: BUCKET_NAME
remoteRef:
key: /digital-ocean/home-infra/talos-backups
property: BUCKET
- secretKey: BUCKET - secretKey: BUCKET
remoteRef: remoteRef:
key: /digital-ocean/home-infra/talos-backups key: /digital-ocean/home-infra/talos-backups

8
clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml
View File

@@ -10,7 +10,7 @@ spec:
provider: openbao provider: openbao
parameters: parameters:
baoAddress: "http://openbao-internal.openbao:8200" baoAddress: "http://openbao-internal.openbao:8200"
roleName: talos-backup roleName: {{ include "custom.serviceAccountName" . }}
objects: | objects: |
- objectName: .s3cfg - objectName: .s3cfg
fileName: .s3cfg fileName: .s3cfg
@@ -30,7 +30,7 @@ spec:
provider: openbao provider: openbao
parameters: parameters:
baoAddress: "http://openbao-internal.openbao:8200" baoAddress: "http://openbao-internal.openbao:8200"
roleName: talos-backup roleName: {{ include "custom.serviceAccountName" . }}
objects: | objects: |
- objectName: .s3cfg - objectName: .s3cfg
fileName: .s3cfg fileName: .s3cfg
@@ -50,7 +50,7 @@ spec:
provider: openbao provider: openbao
parameters: parameters:
baoAddress: "http://openbao-internal.openbao:8200" baoAddress: "http://openbao-internal.openbao:8200"
roleName: talos-backup roleName: {{ include "custom.serviceAccountName" . }}
objects: | objects: |
- objectName: .s3cfg - objectName: .s3cfg
fileName: .s3cfg fileName: .s3cfg
@@ -70,7 +70,7 @@ spec:
provider: openbao provider: openbao
parameters: parameters:
baoAddress: "http://openbao-internal.openbao:8200" baoAddress: "http://openbao-internal.openbao:8200"
roleName: talos-defrag roleName: {{ include "custom.serviceAccountName" . }}
objects: | objects: |
- objectName: config - objectName: config
fileName: config fileName: config

34
clusters/cl01tl/helm/talos/templates/service-account.yaml
View File

@@ -1,31 +1,21 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "custom.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "custom.serviceAccountName" . }}
{{- include "custom.labels" . | nindent 4 }}
---
apiVersion: talos.dev/v1alpha1 apiVersion: talos.dev/v1alpha1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: talos-backup-secrets name: {{ include "custom.serviceAccountSecretsName" . }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: talos-backup-secrets app.kubernetes.io/name: {{ include "custom.serviceAccountSecretsName" . }}
{{- include "custom.labels" . | nindent 4 }} {{- include "custom.labels" . | nindent 4 }}
spec: spec:
roles: roles:
- os:etcd:backup - os:etcd:backup
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: talos-backup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-backup
{{- include "custom.labels" . | nindent 4 }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: talos-defrag
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-defrag
{{- include "custom.labels" . | nindent 4 }}

36
clusters/cl01tl/helm/talos/values.yaml
View File

@@ -47,17 +47,11 @@ etcd-backup:
name: talos-etcd-backup-local-config name: talos-etcd-backup-local-config
key: AWS_SECRET_ACCESS_KEY key: AWS_SECRET_ACCESS_KEY
- name: AWS_REGION - name: AWS_REGION
valueFrom: value: us-east-1
secretKeyRef:
name: talos-etcd-backup-local-config
key: AWS_REGION
- name: CUSTOM_S3_ENDPOINT - name: CUSTOM_S3_ENDPOINT
value: http://garage-main.garage:3900 value: http://garage-main.garage:3900
- name: BUCKET - name: BUCKET
valueFrom: value: talos-backups
secretKeyRef:
name: talos-etcd-backup-local-config
key: BUCKET_NAME
- name: S3_PREFIX - name: S3_PREFIX
value: "cl01tl/etcd" value: "cl01tl/etcd"
- name: CLUSTER_NAME - name: CLUSTER_NAME
@@ -135,17 +129,11 @@ etcd-backup:
name: talos-etcd-backup-remote-config name: talos-etcd-backup-remote-config
key: AWS_SECRET_ACCESS_KEY key: AWS_SECRET_ACCESS_KEY
- name: AWS_REGION - name: AWS_REGION
valueFrom: value: us-east-1
secretKeyRef:
name: talos-etcd-backup-remote-config
key: AWS_REGION
- name: CUSTOM_S3_ENDPOINT - name: CUSTOM_S3_ENDPOINT
value: https://garage-ps10rp.boreal-beaufort.ts.net:3900 value: https://garage-ps10rp.boreal-beaufort.ts.net:3900
- name: BUCKET - name: BUCKET
valueFrom: value: talos-backups
secretKeyRef:
name: talos-etcd-backup-remote-config
key: BUCKET_NAME
- name: S3_PREFIX - name: S3_PREFIX
value: "cl01tl/etcd" value: "cl01tl/etcd"
- name: CLUSTER_NAME - name: CLUSTER_NAME
@@ -223,17 +211,11 @@ etcd-backup:
name: talos-etcd-backup-external-config name: talos-etcd-backup-external-config
key: AWS_SECRET_ACCESS_KEY key: AWS_SECRET_ACCESS_KEY
- name: AWS_REGION - name: AWS_REGION
valueFrom: value: nyc3
secretKeyRef:
name: talos-etcd-backup-external-config
key: AWS_REGION
- name: CUSTOM_S3_ENDPOINT - name: CUSTOM_S3_ENDPOINT
value: https://nyc3.digitaloceanspaces.com value: https://nyc3.digitaloceanspaces.com
- name: BUCKET - name: BUCKET
valueFrom: value: talos-backups-bee8585f7b8a4d0239c9b823
secretKeyRef:
name: talos-etcd-backup-external-config
key: BUCKET_NAME
- name: S3_PREFIX - name: S3_PREFIX
value: "cl01tl/etcd" value: "cl01tl/etcd"
- name: CLUSTER_NAME - name: CLUSTER_NAME
@@ -399,8 +381,6 @@ etcd-defrag:
schedule: 0 0 * * 0 schedule: 0 0 * * 0
backoffLimit: 3 backoffLimit: 3
parallelism: 1 parallelism: 1
serviceAccount:
name: talos-defrag
containers: containers:
main: main:
image: image:
@@ -429,8 +409,6 @@ etcd-defrag:
schedule: 10 0 * * 0 schedule: 10 0 * * 0
backoffLimit: 3 backoffLimit: 3
parallelism: 1 parallelism: 1
serviceAccount:
name: talos-defrag
containers: containers:
main: main:
image: image:
@@ -459,8 +437,6 @@ etcd-defrag:
schedule: 20 0 * * 0 schedule: 20 0 * * 0
backoffLimit: 3 backoffLimit: 3
parallelism: 1 parallelism: 1
serviceAccount:
name: talos-defrag
containers: containers:
main: main:
image: image:

169
clusters/cl01tl/helm/tubearchivist/templates/prometheus-rule.yaml
View File

@@ -1,169 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: elasticsearch
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: elasticsearch
{{- include "custom.labels" . | nindent 4 }}
spec:
groups:
- name: ElasticsearchExporter
rules:
- alert: ElasticsearchHeapUsageTooHigh
expr: (elasticsearch_jvm_memory_used_bytes{area="heap"} / elasticsearch_jvm_memory_max_bytes{area="heap"}) * 100 > 90 and elasticsearch_jvm_memory_max_bytes{area="heap"} > 0
for: 2m
labels:
severity: critical
annotations:
summary: Elasticsearch Heap Usage Too High (instance {{ `{{ $labels.instance }}` }})
description: "The heap usage is over 90%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchHeapUsageWarning
expr: (elasticsearch_jvm_memory_used_bytes{area="heap"} / elasticsearch_jvm_memory_max_bytes{area="heap"}) * 100 > 80 and elasticsearch_jvm_memory_max_bytes{area="heap"} > 0
for: 2m
labels:
severity: warning
annotations:
summary: Elasticsearch Heap Usage warning (instance {{ `{{ $labels.instance }}` }})
description: "The heap usage is over 80%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchDiskOutOfSpace
expr: elasticsearch_filesystem_data_available_bytes / elasticsearch_filesystem_data_size_bytes * 100 < 10 and elasticsearch_filesystem_data_size_bytes > 0
for: 0m
labels:
severity: critical
annotations:
summary: Elasticsearch disk out of space (instance {{ `{{ $labels.instance }}` }})
description: "The disk usage is over 90%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchDiskSpaceLow
expr: elasticsearch_filesystem_data_available_bytes / elasticsearch_filesystem_data_size_bytes * 100 < 20 and elasticsearch_filesystem_data_size_bytes > 0
for: 2m
labels:
severity: warning
annotations:
summary: Elasticsearch disk space low (instance {{ `{{ $labels.instance }}` }})
description: "The disk usage is over 80%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchClusterRed
expr: elasticsearch_cluster_health_status{color="red"} == 1
for: 0m
labels:
severity: critical
annotations:
summary: Elasticsearch Cluster Red (instance {{ `{{ $labels.instance }}` }})
description: "Elastic Cluster Red status\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchClusterYellow
expr: elasticsearch_cluster_health_status{color="yellow"} == 1
for: 0m
labels:
severity: warning
annotations:
summary: Elasticsearch Cluster Yellow (instance {{ `{{ $labels.instance }}` }})
description: "Elastic Cluster Yellow status\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# 1m delay allows a restart without triggering an alert.
- alert: ElasticsearchHealthyNodes
expr: elasticsearch_cluster_health_number_of_nodes < 3
for: 1m
labels:
severity: critical
annotations:
summary: Elasticsearch Healthy Nodes (instance {{ `{{ $labels.instance }}` }})
description: "Missing node in Elasticsearch cluster\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# 1m delay allows a restart without triggering an alert.
- alert: ElasticsearchHealthyDataNodes
expr: elasticsearch_cluster_health_number_of_data_nodes < 3
for: 1m
labels:
severity: critical
annotations:
summary: Elasticsearch Healthy Data Nodes (instance {{ `{{ $labels.instance }}` }})
description: "Missing data node in Elasticsearch cluster\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchRelocatingShards
expr: elasticsearch_cluster_health_relocating_shards > 0
for: 0m
labels:
severity: info
annotations:
summary: Elasticsearch relocating shards (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch is relocating shards\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchRelocatingShardsTooLong
expr: elasticsearch_cluster_health_relocating_shards > 0
for: 15m
labels:
severity: warning
annotations:
summary: Elasticsearch relocating shards too long (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has been relocating shards for 15min\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchInitializingShards
expr: elasticsearch_cluster_health_initializing_shards > 0
for: 0m
labels:
severity: info
annotations:
summary: Elasticsearch initializing shards (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch is initializing shards\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchInitializingShardsTooLong
expr: elasticsearch_cluster_health_initializing_shards > 0
for: 15m
labels:
severity: warning
annotations:
summary: Elasticsearch initializing shards too long (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has been initializing shards for 15 min\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchUnassignedShards
expr: elasticsearch_cluster_health_unassigned_shards > 0
for: 2m
labels:
severity: critical
annotations:
summary: Elasticsearch unassigned shards (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has unassigned shards\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchPendingTasks
expr: elasticsearch_cluster_health_number_of_pending_tasks > 0
for: 15m
labels:
severity: warning
annotations:
summary: Elasticsearch pending tasks (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has pending tasks. Cluster works slowly.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchNoNewDocuments
expr: increase(elasticsearch_indices_indexing_index_total{es_data_node="true"}[10m]) < 1
for: 0m
labels:
severity: warning
annotations:
summary: Elasticsearch no new documents (instance {{ `{{ $labels.instance }}` }})
description: "No new documents for 10 min!\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# Threshold of 10ms (0.01s) per indexing operation is a rough default. Adjust based on your document size and cluster performance.
- alert: ElasticsearchHighIndexingLatency
expr: rate(elasticsearch_indices_indexing_index_time_seconds_total[5m]) / rate(elasticsearch_indices_indexing_index_total[5m]) > 0.01 and rate(elasticsearch_indices_indexing_index_total[5m]) > 0
for: 10m
labels:
severity: warning
annotations:
summary: Elasticsearch High Indexing Latency (instance {{ `{{ $labels.instance }}` }})
description: "The indexing latency on Elasticsearch cluster is higher than the threshold (current value: {{ `{{ $value }}` }}s).\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# Threshold of 10000 ops/s is a rough default. Adjust based on your cluster capacity and expected workload.
- alert: ElasticsearchHighIndexingRate
expr: sum(rate(elasticsearch_indices_indexing_index_total[1m]))> 10000
for: 5m
labels:
severity: warning
annotations:
summary: Elasticsearch High Indexing Rate (instance {{ `{{ $labels.instance }}` }})
description: "The indexing rate on Elasticsearch cluster is higher than the threshold.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# Threshold of 100 queries/s is very low for most production clusters. Adjust based on your expected query volume.
- alert: ElasticsearchHighQueryRate
expr: sum(rate(elasticsearch_indices_search_query_total[1m])) > 100
for: 5m
labels:
severity: warning
annotations:
summary: Elasticsearch High Query Rate (instance {{ `{{ $labels.instance }}` }})
description: "The query rate on Elasticsearch cluster is higher than the threshold.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchHighQueryLatency
expr: rate(elasticsearch_indices_search_query_time_seconds[1m]) / rate(elasticsearch_indices_search_query_total[1m]) > 1 and rate(elasticsearch_indices_search_query_total[1m]) > 0
for: 5m
labels:
severity: warning
annotations:
summary: Elasticsearch High Query Latency (instance {{ `{{ $labels.instance }}` }})
description: "The query latency on Elasticsearch cluster is higher than the threshold (current value: {{ `{{ $value }}` }}s).\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"

36
clusters/cl01tl/helm/tubearchivist/values.yaml
View File

@@ -1,7 +1,6 @@
tubearchivist: tubearchivist:
controllers: controllers:
main: main:
forceRename: tubearchivist
type: deployment type: deployment
replicas: 1 replicas: 1
strategy: Recreate strategy: Recreate
@@ -97,48 +96,13 @@ tubearchivist:
devic.es/tun: "1" devic.es/tun: "1"
requests: requests:
devic.es/tun: "1" devic.es/tun: "1"
metrics:
type: deployment
replicas: 1
strategy: Recreate
containers:
main:
image:
repository: quay.io/prometheuscommunity/elasticsearch-exporter
tag: v1.10.0@sha256:a6a4d4403f670faf6a94b8c7f9adbca3ead91f26dd64e5ccf95fa69025dc6e58
args:
- '--es.uri=https://elasticsearch-tubearchivist-es-http.tubearchivist:9200'
- '--es.ssl-skip-verify'
resources:
requests:
cpu: 1m
memory: 10Mi
service: service:
main: main:
controller: main controller: main
forceRename: tubearchivist
ports: ports:
http: http:
port: 80 port: 80
targetPort: 24000 targetPort: 24000
metrics:
controller: metrics
ports:
metrics:
port: 9114
targetPort: 9114
serviceMonitor:
main:
selector:
matchLabels:
app.kubernetes.io/name: tubearchivist-metrics
app.kubernetes.io/instance: tubearchivist-metrics
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: metrics
interval: 30s
scrapeTimeout: 10s
path: /metrics
route: route:
main: main:
kind: HTTPRoute kind: HTTPRoute

122
clusters/cl01tl/helm/vault/templates/config-map.yaml
View File

@@ -9,29 +9,59 @@ metadata:
data: data:
snapshot.sh: | snapshot.sh: |
DATE=$(date +"%Y%m%d-%H-%M") DATE=$(date +"%Y%m%d-%H-%M")
MAX_RETRIES=5
SUCCESS=false
echo " " echo " "
echo ">> Running Vault Snapshot Script ..." echo ">> Running Vault Snapshot Script ..."
echo " " echo " "
echo ">> Fetching Vault token ..." echo ">> Verifying required commands ..."
export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID) echo " "
if [ -z "$VAULT_TOKEN" ]; then for i in $(seq 1 "$MAX_RETRIES"); do
echo ">> ERROR: Failed to fetch Vault token! Exiting..." if apk update 2>&1 >/dev/null; then
exit 1 echo ">> Attempt $i: Repositories are reachable";
SUCCESS=true;
break;
else
echo ">> Attempt $i: Connection failed, retrying in 5 seconds ...";
sleep 5;
fi;
done;
if [ "$SUCCESS" = false ]; then
echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ...";
exit 1;
fi fi
echo " " echo " "
echo ">> Taking Vault snapshot ..."
if ! command -v jq 2>&1 >/dev/null; then
echo ">> Command jq could not be found, installing";
apk add --no-cache -q jq;
if [ $? -eq 0 ]; then
echo ">> Installation successful";
else
echo ">> Installation failed with exit code $?";
exit 1;
fi;
fi;
echo " ";
echo ">> Fetching Vault token ...";
export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
echo " ";
echo ">> Taking Vault snapsot ...";
vault operator raft snapshot save /opt/backup/vault-snapshot-$DATE.snap vault operator raft snapshot save /opt/backup/vault-snapshot-$DATE.snap
echo " " echo " ";
echo ">> Setting ownership of Vault snapshot ..." echo ">> Setting ownership of Vault snapsot ...";
chown 100:1000 /opt/backup/vault-snapshot-$DATE.snap chown 100:1000 /opt/backup/vault-snapshot-$DATE.snap
echo " " echo " ";
echo ">> Completed Vault snapshot" echo ">> Completed Vault snapshot";
--- ---
apiVersion: v1 apiVersion: v1
@@ -47,3 +77,75 @@ data:
echo " "; echo " ";
echo ">> Running S3 backup for Vault snapshot"; echo ">> Running S3 backup for Vault snapshot";
OUTPUT=$(s3cmd sync --no-check-certificate -v /opt/backup/* "${BUCKET}/cl01tl/cl01tl-vault-snapshots/" 2>&1) OUTPUT=$(s3cmd sync --no-check-certificate -v /opt/backup/* "${BUCKET}/cl01tl/cl01tl-vault-snapshots/" 2>&1)
STATUS=$?
if [ $STATUS -ne 0 ]; then
if echo "$OUTPUT" | grep -q "403 Forbidden"; then
MESSAGE="403 Authentication Error: Your keys are wrong or you don't have permission"
elif echo "$OUTPUT" | grep -q "404 Not Found"; then
MESSAGE="404 Error: The bucket or folder does not exist"
elif echo "$OUTPUT" | grep -q "Connection refused"; then
MESSAGE="Network Error: Cannot reach the S3 endpoint"
else
MESSAGE="Unknown Error"
echo " ";
echo ">> Unknown Error, output:"
echo " "
echo "$OUTPUT"
fi
MAX_RETRIES=5
SUCCESS=false
echo " "
echo ">> Sending message to ntfy using curl ..."
echo " "
echo ">> Verifying required commands ..."
for i in $(seq 1 "$MAX_RETRIES"); do
if apk update 2>&1 >/dev/null; then
echo ">> Attempt $i: Repositories are reachable";
SUCCESS=true;
break;
else
echo ">> Attempt $i: Connection failed, retrying in 5 seconds ...";
sleep 5;
fi;
done;
if [ "$SUCCESS" = false ]; then
echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ...";
exit 1;
fi
if ! command -v curl 2>&1 >/dev/null; then
echo ">> Command curl could not be found, installing";
apk add --no-cache -q curl;
if [ $? -eq 0 ]; then
echo ">> Installation successful";
else
echo ">> Installation failed with exit code $?";
exit 1;
fi;
fi;
echo " "
echo ">> Sending to NTFY ..."
echo ">> Message: $MESSAGE"
HTTP_STATUS=$(curl \
--silent \
--write-out '%{http_code}' \
-H "Authorization: Bearer ${NTFY_TOKEN}" \
-H "X-Priority: 5" \
-H "X-Tags: warning" \
-H "X-Title: Vault Backup Failed for ${TARGET}" \
-d "$MESSAGE" \
${NTFY_ENDPOINT}/${NTFY_TOPIC}
)
echo ">> HTTP Status Code: $HTTP_STATUS"
else
echo " ";
echo ">> S3 Sync succeeded"
fi

2
clusters/cl01tl/helm/vaultwarden/Chart.yaml
View File

@@ -33,4 +33,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/vaultwarden.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/vaultwarden.png
# renovate: datasource=github-releases depName=dani-garcia/vaultwarden # renovate: datasource=github-releases depName=dani-garcia/vaultwarden
appVersion: 1.35.8 appVersion: 1.35.7

2
clusters/cl01tl/helm/vaultwarden/values.yaml
View File

@@ -8,7 +8,7 @@ vaultwarden:
main: main:
image: image:
repository: ghcr.io/dani-garcia/vaultwarden repository: ghcr.io/dani-garcia/vaultwarden
tag: 1.35.8@sha256:c4f6056fe0c288a052a223cecd263a90d1dda1a0177bb5b054a363a6c7b211d9 tag: 1.35.7@sha256:9a8eec71f4a52411cc43edc7a50f33e9b6f62b5baca0dd95f0c6e7fd60f1a341
env: env:
- name: DOMAIN - name: DOMAIN
value: https://passwords.alexlebens.dev value: https://passwords.alexlebens.dev

18
renovate.json
View File

@@ -138,7 +138,8 @@
"matchPackageNames": [ "matchPackageNames": [
"excalidraw/excalidraw", "excalidraw/excalidraw",
"searxng/searxng", "searxng/searxng",
"d3fk/s3cmd" "d3fk/s3cmd",
"ghcr.io/linuxserver/lidarr"
], ],
"addLabels": [ "addLabels": [
"automerge" "automerge"
@@ -159,17 +160,7 @@
"minimumReleaseAge": "3 days" "minimumReleaseAge": "3 days"
}, },
{ {
"description": "Disable automerge for ghcr docker dependencies, unsupported release age", "description": "Automerge images, specific packages",
"matchDatasources": [
"docker"
],
"matchPackageNames": [
"/^ghcr\\.io//"
],
"automerge": false
},
{
"description": "Automerge images, specific packages, without release age",
"matchUpdateTypes": [ "matchUpdateTypes": [
"minor" "minor"
], ],
@@ -181,7 +172,8 @@
"{{{datasource}}}", "{{{datasource}}}",
"automerge" "automerge"
], ],
"automerge": true "automerge": true,
"minimumReleaseAge": "3 days"
} }
] ]
} }