alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 3 Actions Activity

Compare commits

base: alexlebens:main
Branches Tags
alexlebens:main alexlebens:renovate/vault-0.x alexlebens:renovate/authentik-2025.x alexlebens:renovate/garethgeorge-backrest-1.x alexlebens:manifests
..
compare: alexlebens:6242c529c118d802d35c433993d2e32b7200db37
Branches Tags
alexlebens:renovate/vault-0.x alexlebens:renovate/authentik-2025.x alexlebens:renovate/garethgeorge-backrest-1.x alexlebens:manifests alexlebens:main

1 Commits
main ... 6242c529c1

Author SHA1 Message Date
Renovate Bot
6242c529c1 Update postgres-cluster Docker tag to v6.16.1
Some checks are pending
renovate/stability-days Updates have not met minimum release age requirement
Details
lint-test-helm / helm-lint (pull_request) Successful in 2m41s
Details
2025-12-03 06:18:13 +00:00
567 changed files with 12939 additions and 9044 deletions
Expand all files Collapse all files

86
.gitea/workflows/lint-test-docker-pull.yaml Normal file
View File

@@ -0,0 +1,86 @@
name: lint-test-docker
on:
pull_request:
branches:
- main
paths:
- 'hosts/**'
jobs:
docker-lint:
runs-on: ubuntu-js
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Check Branch Exists
id: check-branch-exists
uses: GuillaumeFalourd/branch-exists@v1.1
with:
branch: "${{ github.base_ref }}"
- name: Branch Does Not Exist
if: steps.check-branch-exists.outputs.exists == 'false'
run: echo "Branch ${{ github.base_ref }} was not found, likely already merged"
- name: Set up Node.js
if: steps.check-branch-exists.outputs.exists == 'true'
uses: actions/setup-node@v6
with:
node-version: '24'
- name: Lint Docker Compose
if: steps.check-branch-exists.outputs.exists == 'true'
run: |
set -e # Exit immediately if a command exits with a non-zero status.
TARGET_BRANCH="origin/${{ github.base_ref }}"
echo ">> Target branch for diff is: $TARGET_BRANCH"
CHANGED_FILES=$(git diff --name-only "$TARGET_BRANCH" -- 'hosts/**')
echo ">> Found changed files:"
echo "$CHANGED_FILES"
# For each changed file, find its parent chart directory (the one with compose.yaml).
# Then, create a unique list of those directories.
CHANGED_COMPOSE=$(echo "$CHANGED_FILES" | while read -r file; do
dir=$(dirname "$file")
while [[ "$dir" != "." && ! -f "$dir/compose.yaml" ]]; do
dir=$(dirname "$dir")
done
if [[ "$dir" != "." ]]; then
echo "$dir"
fi
done | sort -u)
if [[ -z "$CHANGED_COMPOSE" ]]; then
echo ">> Could not determine changed compose files. This will happen if only files outside a compose file were changed."
exit 0
fi
echo ">> Running dclint on changed compose files:"
echo "$CHANGED_COMPOSE"
echo "$CHANGED_COMPOSE" | while read -r compose; do
echo ">> Linting $compose ..."
npx dclint $compose
done
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: '${{ secrets.NTFY_URL }}'
topic: '${{ secrets.NTFY_TOPIC }}'
title: 'Test Failure - Infrastructure'
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: 'Docker linting on Pull Request for Infrastructure has failed!'
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-docker-pull.yaml", "clear": true}]'
image: true

74
.gitea/workflows/lint-test-docker-push.yaml Normal file
View File

@@ -0,0 +1,74 @@
name: lint-test-docker
on:
push:
branches:
- main
paths:
- 'hosts/**'
jobs:
docker-lint:
runs-on: ubuntu-js
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Set up Node.js
uses: actions/setup-node@v6
with:
node-version: '24'
- name: Lint Docker Compose
run: |
set -e # Exit immediately if a command exits with a non-zero status.
TARGET_BRANCH="origin/main"
echo ">> Target branch for diff is: $TARGET_BRANCH"
CHANGED_FILES=$(git diff --name-only "$TARGET_BRANCH" -- 'hosts/**')
echo ">> Found changed files:"
echo "$CHANGED_FILES"
# For each changed file, find its parent chart directory (the one with compose.yaml).
# Then, create a unique list of those directories.
CHANGED_COMPOSE=$(echo "$CHANGED_FILES" | while read -r file; do
dir=$(dirname "$file")
while [[ "$dir" != "." && ! -f "$dir/compose.yaml" ]]; do
dir=$(dirname "$dir")
done
if [[ "$dir" != "." ]]; then
echo "$dir"
fi
done | sort -u)
if [[ -z "$CHANGED_COMPOSE" ]]; then
echo ">> Could not determine changed compose files. This will happen if only files outside a compose file were changed."
exit 0
fi
echo ">> Running dclint on changed compose files:"
echo "$CHANGED_COMPOSE"
echo "$CHANGED_COMPOSE" | while read -r compose; do
echo ">> Linting $compose ..."
npx dclint $compose
done
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: '${{ secrets.NTFY_URL }}'
topic: '${{ secrets.NTFY_TOPIC }}'
title: 'Test Failure - Infrastructure'
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: 'Docker linting on Push for Infrastructure has failed!'
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-docker-push.yaml", "clear": true}]'
image: true

141
.gitea/workflows/lint-test-docker.yaml
View File

@@ -1,141 +0,0 @@
name: lint-test-docker
on:
pull_request:
branches:
- main
paths:
- 'hosts/**'
push:
branches:
- main
paths:
- 'hosts/**'
env:
BASE_BRANCH: "origin/${{ gitea.base_ref }}"
jobs:
lint-docker-compose:
runs-on: ubuntu-js
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Check Branch Exists
id: check-branch-exists
if: github.event_name == 'pull_request'
uses: GuillaumeFalourd/branch-exists@v1.1
with:
branch: "${{ github.base_ref }}"
- name: Report Branch Exists
id: branch-exists
if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request'
run: |
if [ ${{ github.event_name == 'push' }} ]; then
echo ">> Action is from a push event, will continue with linting"
else
echo ">> Branch ${{ gitea.base_ref }} exists, will continue with linting"
fi
echo "----"
echo "exists=true" >> $GITEA_OUTPUT
- name: Set up Node.js
if: steps.branch-exists.outputs.exists == 'true'
uses: actions/setup-node@v6
with:
node-version: '24'
- name: Check Directories for Changes
id: check-dir-changes
if: steps.branch-exists.outputs.exists == 'true'
run: |
CHANGED_COMPOSE=()
echo ">> Target branch for diff is: ${BASE_BRANCH}"
if [ "${{ github.event_name }}" == "pull_request" ]; then
echo ""
echo ">> Checking for changes in a pull request ..."
GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u)
else
echo ""
echo ">> Checking for changes from a push ..."
GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u)
fi
if [ -n "${GIT_DIFF}" ]; then
echo ""
echo ">> Changes detected:"
echo "$GIT_DIFF"
for path in $GIT_DIFF; do
if echo "$path" | grep -q -E "hosts/[^/]+/[^/]+"; then
echo ""
echo ">> Adding path: $path"
CHANGED_COMPOSE+=$(echo "$path")
CHANGED_COMPOSE+=$(echo " ")
fi
done
else
echo ""
echo ">> No changes detected"
fi
if [ -n "${CHANGED_COMPOSE}" ]; then
echo ""
echo ">> Compose to Lint:"
echo "$(echo "${CHANGED_COMPOSE}" | sort -u)"
echo "----"
echo "changes-detected=true" >> $GITEA_OUTPUT
echo "compose-dir<<EOF" >> $GITEA_OUTPUT
echo "$(echo "${CHANGED_COMPOSE}" | sort -u)" >> $GITEA_OUTPUT
echo "EOF" >> $GITEA_OUTPUT
else
echo ""
echo ">> Did not find any docker compose files to lint"
echo "----"
echo "changes-detected=false" >> $GITEA_OUTPUT
fi
- name: Lint Docker Compose
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
CHANGED_COMPOSE: ${{ steps.check-dir-changes.outputs.compose-dir }}
run: |
echo ">> Running dclint on changed compose files:"
echo "$CHANGED_COMPOSE"
for compose in $CHANGED_COMPOSE; do
echo ">> Linting $compose ..."
npx dclint $compose
done
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: '${{ secrets.NTFY_URL }}'
topic: '${{ secrets.NTFY_TOPIC }}'
title: 'Test Failure - Infrastructure'
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: 'Docker linting on Pull Request for Infrastructure has failed!'
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-docker-pull.yaml", "clear": true}]'
image: true

94
.gitea/workflows/lint-test-helm-pull.yaml Normal file
View File

@@ -0,0 +1,94 @@
name: lint-test-helm
on:
pull_request:
branches:
- main
paths:
- 'clusters/**'
jobs:
helm-lint:
runs-on: ubuntu-js
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Check Branch Exists
id: check-branch-exists
uses: GuillaumeFalourd/branch-exists@v1.1
with:
branch: ${{ github.base_ref }}
- name: Branch Does Not Exist
if: steps.check-branch-exists.outputs.exists == 'false'
run: echo "Branch ${{ github.base_ref }} was not found, likely already merged"
- name: Set up Helm
if: steps.check-branch-exists.outputs.exists == 'true'
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.19.2
- name: Lint Helm Chart
if: steps.check-branch-exists.outputs.exists == 'true'
run: |
set -e # Exit immediately if a command exits with a non-zero status.
TARGET_BRANCH="origin/${{ github.base_ref }}"
echo ">> Target branch for diff is: $TARGET_BRANCH"
CHANGED_FILES=$(git diff --name-only "$TARGET_BRANCH" -- 'clusters/**')
echo ">> Found changed files:"
echo "$CHANGED_FILES"
# For each changed file, find its parent chart directory (the one with Chart.yaml).
# Then, create a unique list of those directories.
CHANGED_CHARTS=$(echo "$CHANGED_FILES" | while read -r file; do
dir=$(dirname "$file")
while [[ "$dir" != "." && ! -f "$dir/Chart.yaml" ]]; do
dir=$(dirname "$dir")
done
if [[ "$dir" != "." ]]; then
echo "$dir"
fi
done | sort -u)
if [[ -z "$CHANGED_CHARTS" ]]; then
echo ">> Could not determine changed charts. This could happen if only files outside a chart were changed."
exit 0
fi
echo ">> Running helm lint on changed charts:"
echo "$CHANGED_CHARTS"
echo "$CHANGED_CHARTS" | while read -r chart; do
helm dependency list --max-col-width 120 $chart 2> /dev/null \
| tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do echo "$cmd" | sh; done || true
echo ">> Building dependency for "$chart" ..."
helm dependency build "$chart"
echo ">> Linting $chart..."
helm lint "$chart"
done
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: '${{ secrets.NTFY_URL }}'
topic: '${{ secrets.NTFY_TOPIC }}'
title: 'Test Failure - Infrastructure'
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: 'Helm linting on Pull Request for Infrastructure has failed!'
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-helm-pull.yaml", "clear": true}]'
image: true

80
.gitea/workflows/lint-test-helm-push.yaml Normal file
View File

@@ -0,0 +1,80 @@
name: lint-test-helm
on:
push:
branches:
- main
paths:
- 'clusters/**'
jobs:
helm-lint:
runs-on: ubuntu-js
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Set up Helm
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.19.2
- name: Lint Helm Chart
run: |
TARGET_BRANCH="origin/main"
echo ">> Target branch for diff is: $TARGET_BRANCH"
CHANGED_FILES=$(git diff --name-only "$TARGET_BRANCH" -- 'clusters/**')
echo ">> Found changed files:"
echo "$CHANGED_FILES"
# For each changed file, find its parent chart directory (the one with Chart.yaml).
# Then, create a unique list of those directories.
CHANGED_CHARTS=$(echo "$CHANGED_FILES" | while read -r file; do
dir=$(dirname "$file")
while [[ "$dir" != "." && ! -f "$dir/Chart.yaml" ]]; do
dir=$(dirname "$dir")
done
if [[ "$dir" != "." ]]; then
echo "$dir"
fi
done | sort -u)
if [[ -z "$CHANGED_CHARTS" ]]; then
echo ">> Could not determine changed charts. This could happen if only files outside a chart were changed."
exit 0
fi
echo ">> Running helm lint on changed charts:"
echo "$CHANGED_CHARTS"
echo "$CHANGED_CHARTS" | while read -r chart; do
helm dependency list --max-col-width 120 $chart 2> /dev/null \
| tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do echo "$cmd" | sh; done || true
echo ">> Building dependency for "$chart" ..."
helm dependency build "$chart"
echo ">> Linting $chart..."
helm lint "$chart"
done
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: '${{ secrets.NTFY_URL }}'
topic: '${{ secrets.NTFY_TOPIC }}'
title: 'Test Failure - Infrastructure'
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: 'Helm linting on Push for Infrastructure has failed!'
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-helm-push.yaml", "clear": true}]'
image: true

188
.gitea/workflows/lint-test-helm.yaml
View File

@@ -1,188 +0,0 @@
name: lint-test-helm
on:
pull_request:
branches:
- main
paths:
- 'clusters/cl01tl/helm/**'
push:
branches:
- main
paths:
- 'clusters/cl01tl/helm/**'
env:
CLUSTER: cl01tl
BASE_BRANCH: "origin/${{ gitea.base_ref }}"
jobs:
lint-helm:
runs-on: ubuntu-js
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Check Branch Exists
id: check-branch-exists
if: github.event_name == 'pull_request'
uses: GuillaumeFalourd/branch-exists@v1.1
with:
branch: ${{ gitea.base_ref }}
- name: Report Branch Exists
id: branch-exists
if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request'
run: |
if [ ${{ github.event_name == 'push' }} ]; then
echo ">> Action is from a push event, will continue with linting"
else
echo ">> Branch ${{ gitea.base_ref }} exists, will continue with linting"
fi
echo "----"
echo "exists=true" >> $GITEA_OUTPUT
- name: Set up Helm
if: steps.branch-exists.outputs.exists == 'true'
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.19.2
cache: true
- name: Check Directories for Changes
id: check-dir-changes
if: steps.branch-exists.outputs.exists == 'true'
run: |
CHANGED_CHARTS=()
echo ">> Target branch for diff is: ${BASE_BRANCH}"
if [ "${{ github.event_name }}" == "pull_request" ]; then
echo ""
echo ">> Checking for changes in a pull request ..."
GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u)
else
echo ""
echo ">> Checking for changes from a push ..."
GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u)
fi
if [ -n "${GIT_DIFF}" ]; then
echo ""
echo ">> Changes detected:"
echo "$GIT_DIFF"
for path in $GIT_DIFF; do
if echo "$path" | grep -q -E "clusters/[^/]+/helm/[^/]+"; then
echo ""
echo ">> Adding path: $path"
CHANGED_CHARTS+=$(echo "$path" | awk -F '/' '{print $4}')
CHANGED_CHARTS+=$(echo "\n")
fi
done
else
echo ""
echo ">> No changes detected"
fi
if [ -n "${CHANGED_CHARTS}" ]; then
echo ""
echo ">> Chart to Lint:"
echo "$(echo "${CHANGED_CHARTS}" | sort -u)"
echo "----"
echo "changes-detected=true" >> $GITEA_OUTPUT
echo "chart-dir<<EOF" >> $GITEA_OUTPUT
echo "$(echo "${CHANGED_CHARTS}" | sort -u)" >> $GITEA_OUTPUT
echo "EOF" >> $GITEA_OUTPUT
else
echo ""
echo ">> Did not find any helm charts files to lint"
echo "----"
echo "changes-detected=false" >> $GITEA_OUTPUT
fi
- name: Add Repositories
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }}
run: |
echo ">> Adding repositories for chart dependencies ..."
for dir in ${CHANGED_CHARTS}; do
helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do
if [[ "$cmd" == "*oci://*" ]]; then
echo ">> Ignoring OCI repo"
else
echo ">> Command: $cmd"
echo "$cmd" | sh;
fi
done || true
done
if helm repo list | tail +2 | read -r; then
echo ""
echo ">> Update repository cache ..."
helm repo update
fi
echo "----"
- name: Lint Helm Chart
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }}
run: |
echo ">> Running linting on changed charts ..."
for dir in ${CHANGED_CHARTS}; do
chart_path=clusters/${CLUSTER}/helm/$dir
chart_name=$(basename "$chart_path")
if [ -f "$chart_path/Chart.yaml" ]; then
cd $chart_path
echo ""
echo ">> Building helm dependency ..."
helm dependency build --skip-refresh
echo ""
echo ">> Linting helm ..."
helm lint --namespace "$chart_name"
else
echo ""
echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
echo ""
fi
done
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: '${{ secrets.NTFY_URL }}'
topic: '${{ secrets.NTFY_TOPIC }}'
title: 'Test Failure - Infrastructure'
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: 'Helm linting on Pull Request for Infrastructure has failed!'
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-helm-pull.yaml", "clear": true}]'
image: true

109
.gitea/workflows/render-manifests-automerge.yaml → .gitea/workflows/render-manfiest-automerge.yaml
View File

@@ -1,4 +1,4 @@
name: render-manifests-automerge name: render-manfiest-automerge
on: on:
pull_request: pull_request:
@@ -17,7 +17,7 @@ env:
MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
jobs: jobs:
render-manifests-automerge: render-manfiest-automerge:
runs-on: ubuntu-js runs-on: ubuntu-js
if: ${{ (github.event.pull_request.merged == true) && (contains(github.event.pull_request.labels.*.name, 'automerge')) }} if: ${{ (github.event.pull_request.merged == true) && (contains(github.event.pull_request.labels.*.name, 'automerge')) }}
steps: steps:
@@ -38,13 +38,6 @@ jobs:
with: with:
token: ${{ secrets.GITEA_TOKEN }} token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743 version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Prepare Manifest Branch - name: Prepare Manifest Branch
id: prepare-manifest-branch id: prepare-manifest-branch
@@ -71,15 +64,14 @@ jobs:
RENDER_DIR=() RENDER_DIR=()
echo ">> Checking for changes from HEAD^..HEAD ..." echo ">> Checking for changes ..."
GIT_DIFF=$(git diff --name-only HEAD^..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+") GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep "clusters/cl01tl/helm/")
if [ -n "${GIT_DIFF}" ]; then if [ -n $GIT_DIFF ]; then
echo ">> Changes detected:" echo ">> Changes detected:"
echo "$GIT_DIFF" echo "$GIT_DIFF"
for path in $GIT_DIFF; do for path in $GIT_DIFF; do
RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}') RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
RENDER_DIR+=$(echo " ")
done done
else else
@@ -87,15 +79,15 @@ jobs:
fi fi
if [ -n "${RENDER_DIR}" ]; then if [ -n $RENDER_DIR ]; then
echo ">> Directories to Render:" echo ">> Directories to Render:"
echo "$(echo "${RENDER_DIR}" | sort -u)" echo "$(printf "%s\n" "${RENDER_DIR[@]}" | sort -u)"
echo "----" echo "----"
echo "changes-detected=true" >> $GITEA_OUTPUT echo "changes-detected=true" >> $GITEA_OUTPUT
echo "render-dir<<EOF" >> $GITEA_OUTPUT echo "render-dir<<EOF" >> $GITEA_OUTPUT
echo "$(echo "${RENDER_DIR}" | sort -u)" >> $GITEA_OUTPUT echo "$(printf "%s\n" "${RENDER_DIR[@]}" | sort -u)" >> $GITEA_OUTPUT
echo "EOF" >> $GITEA_OUTPUT echo "EOF" >> $GITEA_OUTPUT
else else
echo "changes-detected=false" >> $GITEA_OUTPUT echo "changes-detected=false" >> $GITEA_OUTPUT
@@ -113,20 +105,9 @@ jobs:
helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \ helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \ | tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \ | awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do | while read cmd; do echo "$cmd" | sh; done || true
if [[ "$cmd" == "*oci://*" ]]; then
echo ">> Ignoring OCI repo"
else
echo "$cmd" | sh;
fi
done || true
done done
if helm repo list | tail +2 | read -r; then
echo ">> Update repository cache ..."
helm repo update
fi
echo "----" echo "----"
- name: Remove Changed Manifest Files - name: Remove Changed Manifest Files
@@ -161,26 +142,18 @@ jobs:
chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
chart_name=$(basename "$chart_path") chart_name=$(basename "$chart_path")
echo ""
echo ""
echo ">> Rendering chart: $chart_name" echo ">> Rendering chart: $chart_name"
echo ">> Chart path $chart_path" echo ">> Chart path $chart_path"
if [ -f "$chart_path/Chart.yaml" ]; then if [ -f "$chart_path/Chart.yaml" ]; then
OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
TEMPLATE=""
mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
OUTPUT_FILE="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/$chart_name.yaml"
cd $chart_path cd $chart_path
echo ""
echo ">> Updating helm dependency ..."
helm dependency update --skip-refresh
echo "" echo ""
echo ">> Building helm dependency ..." echo ">> Building helm dependency ..."
helm dependency build --skip-refresh helm dependency build
echo "" echo ""
echo ">> Linting helm ..." echo ">> Linting helm ..."
@@ -188,36 +161,10 @@ jobs:
echo "" echo ""
echo ">> Rendering templates ..." echo ">> Rendering templates ..."
case "$chart_name" in helm template "$chart_name" ./ --namespace "$chart_name" --include-crds > "$OUTPUT_FILE"
"stack")
echo ""
echo ">> Special Rendering for stack into argocd namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
"cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
echo ""
echo ">> Special Rendering for $chart_name into kube-system namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
*)
echo ""
echo ">> Standard Rendering for $chart_name ..."
TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
esac
echo "" echo ""
echo ">> Formating rendered template ..." echo ">> Manifests for $chart_name rendered to $OUTPUT_FILE"
echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo ""
echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
ls $OUTPUT_FOLDER
echo "" echo ""
else else
echo "" echo ""
@@ -234,16 +181,13 @@ jobs:
run: | run: |
cd ${MANIFEST_DIR} cd ${MANIFEST_DIR}
GIT_CHANGES=$(git status --porcelain) if git status --porcelain | grep -q .; then
if [ -n "$GIT_CHANGES" ]; then
echo ">> Changes detected" echo ">> Changes detected"
git status --porcelain git status --porcelain
echo "changes-detected=true" >> $GITEA_OUTPUT echo "changes-detected=true" >> $GITEA_OUTPUT
else else
echo ">> No changes detected, skipping PR creation" echo ">> No changes detected, skipping PR creation"
exit 0
fi fi
echo "----" echo "----"
@@ -283,9 +227,9 @@ jobs:
PAYLOAD=$( jq -n \ PAYLOAD=$( jq -n \
--arg head "${BRANCH_NAME}" \ --arg head "${BRANCH_NAME}" \
--arg base "${BASE_BRANCH}" \ --arg base "${BASE_BRANCH}" \
--arg title "Automated Manifest Update - Automerge" \ --arg title "Automated Manifest Update" \
--arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow. This is expected to be automerged." \ --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow. This is expected to be automerged." \
'{head: $head, base: $base, title: $title, body: $body}' ) '{head: $head, base: $base, title: $title, body: $body'} )
echo ">> Creating PR from branch ${BRANCH_NAME} into ${BASE_BRANCH}" echo ">> Creating PR from branch ${BRANCH_NAME} into ${BASE_BRANCH}"
echo ">> With Endpoint of:" echo ">> With Endpoint of:"
@@ -317,15 +261,10 @@ jobs:
if [ "$HTTP_STATUS" == "201" ]; then if [ "$HTTP_STATUS" == "201" ]; then
echo ">> Pull Request created successfully!" echo ">> Pull Request created successfully!"
PR_URL=$(cat response_body.json | jq -r .html_url) PR_URL=$(cat response_body.json | jq -r .html_url)
echo ">> Pull Request URL: $PR_URL"
echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
PR_ID=$(cat response_body.json | jq -r .id)
PR_NUMBER=$(cat response_body.json | jq -r .number) echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
echo ">> Pull Request Number: $PR_NUMBER"
echo "pull-request-number=${PR_NUMBER}" >> $GITEA_OUTPUT
echo "pull-request-operation=created" >> $GITEA_OUTPUT echo "pull-request-operation=created" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "422" ]; then elif [ "$HTTP_STATUS" == "422" ]; then
@@ -348,17 +287,18 @@ jobs:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }} GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }} GITEA_URL: ${{ secrets.REPO_URL }}
BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }} BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }} PR_ID: ${{ steps.prepare-manifest-branch.outputs.pull-request-id }}
run: | run: |
cd ${MANIFEST_DIR} cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_NUMBER}/merge" API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_ID}/merge"
PAYLOAD=$( jq -n \ PAYLOAD=$( jq -n \
--arg Do "merge" \ --arg Do "merge" \
'{Do: $Do}' ) --arg delete_branch_after_merge "true" \
'{Do: $Do, delete_branch_after_merge: $delete_branch_after_merge'} )
echo ">> Merging PR with ID: ${PR_NUMBER}" echo ">> Merging PR with ID: ${PR_ID}"
echo ">> With Endpoint of:" echo ">> With Endpoint of:"
echo "$API_ENDPOINT" echo "$API_ENDPOINT"
echo ">> With Payload of:" echo ">> With Payload of:"
@@ -423,6 +363,7 @@ jobs:
details: "Automerge Manifest rendering for Infrastructure!" details: "Automerge Manifest rendering for Infrastructure!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png" icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]' actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
image: true
- name: ntfy Failed - name: ntfy Failed
uses: niniyas/ntfy-action@master uses: niniyas/ntfy-action@master

390
.gitea/workflows/render-manifests-dispatch.yaml
View File

@@ -1,390 +0,0 @@
name: render-manifests-dispatch
on:
schedule:
- cron: '0 3 * * *'
workflow_dispatch:
env:
CLUSTER: cl01tl
BASE_BRANCH: manifests
BRANCH_NAME: auto/update-manifests
ASSIGNEE: alexlebens
MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
jobs:
render-manifests-dispatch:
runs-on: ubuntu-js
steps:
- name: Checkout Main
uses: actions/checkout@v6
with:
path: infrastructure
fetch-depth: 0
- name: Checkout Manifests
uses: actions/checkout@v6
with:
ref: manifests
path: infrastructure-manifests
- name: Set up Helm
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Prepare Manifest Branch
run: |
cd ${MANIFEST_DIR}
echo ">> Configure git to use gitea-bot as user ..."
git config user.name "gitea-bot"
git config user.email "gitea-bot@alexlebens.net"
echo ">> Checking if PR branch exists ..."
if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
git fetch origin "${BRANCH_NAME}"
git checkout "${BRANCH_NAME}"
git pull --rebase
else
echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
git checkout -b $BRANCH_NAME
fi
echo "----"
- name: Check which Directories have Changes
id: check-dir-changes
run: |
cd ${MAIN_DIR}
RENDER_DIR=()
echo ">> Triggered on dispatch, will check all paths ..."
RENDER_DIR+=$(ls clusters/cl01tl/helm/)
if [ -n "${RENDER_DIR}" ]; then
echo ">> Directories to Render:"
echo "$(echo "${RENDER_DIR}" | sort -u)"
echo "----"
echo "changes-detected=true" >> $GITEA_OUTPUT
echo "render-dir<<EOF" >> $GITEA_OUTPUT
echo "$(echo "${RENDER_DIR}" | sort -u)" >> $GITEA_OUTPUT
echo "EOF" >> $GITEA_OUTPUT
else
echo "changes-detected=false" >> $GITEA_OUTPUT
fi
- name: Add Repositories
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ">> Adding repositories for chart dependencies ..."
for dir in ${RENDER_DIR}; do
helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do
if [[ "$cmd" == "*oci://*" ]]; then
echo ">> Ignoring OCI repo"
else
echo "$cmd" | sh;
fi
done || true
done
if helm repo list | tail +2 | read -r; then
echo ">> Update repository cache ..."
helm repo update
fi
echo "----"
- name: Render Helm Manifests
id: render-manifests
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ">> Rendering Manifests ..."
for dir in ${RENDER_DIR}; do
chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
chart_name=$(basename "$chart_path")
echo ""
echo ""
echo ">> Rendering chart: $chart_name"
echo ">> Chart path $chart_path"
if [ -f "$chart_path/Chart.yaml" ]; then
OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
TEMPLATE=""
mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
cd $chart_path
echo ""
echo ">> Updating helm dependency ..."
helm dependency update --skip-refresh
echo ""
echo ">> Building helm dependency ..."
helm dependency build --skip-refresh
echo ""
echo ">> Linting helm ..."
helm lint --namespace "$chart_name"
echo ""
echo ">> Rendering templates ..."
case "$chart_name" in
"stack")
echo ""
echo ">> Special Rendering for stack into argocd namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
"cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
echo ""
echo ">> Special Rendering for $chart_name into kube-system namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
*)
echo ""
echo ">> Standard Rendering for $chart_name ..."
TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
esac
echo ""
echo ">> Formating rendered template ..."
echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo ""
echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
ls $OUTPUT_FOLDER
echo ""
else
echo ""
echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
echo ""
fi
done
echo "----"
- name: Check for Changes
id: check-changes
if: steps.check-dir-changes.outputs.changes-detected == 'true'
run: |
cd ${MANIFEST_DIR}
GIT_CHANGES=$(git status --porcelain)
if [ -n "$GIT_CHANGES" ]; then
echo ">> Changes detected"
git status --porcelain
echo "changes-detected=true" >> $GITEA_OUTPUT
else
echo ">> No changes detected, skipping PR creation"
fi
echo "----"
- name: Commit and Push Changes
id: commit-push
if: steps.check-changes.outputs.changes-detected == 'true'
run: |
cd ${MANIFEST_DIR}
echo ">> Commiting changes to ${BRANCH_NAME} ..."
git add .
git commit -m "chore: Update manifests after change"
REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
echo ">> Pushing changes to $REPO_URL ..."
git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
echo "----"
echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
echo "push=true" >> $GITEA_OUTPUT
- name: Check for Pull Request
id: check-for-pull-requst
if: steps.commit-push.outputs.push == 'true'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
HTTP_STATUS=$(
curl -X GET \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
echo ">> Pull Request has been found open, will update"
PR_INDEX=$(cat response_body.json | jq -r .[0].number)
echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
echo "pull-request-index=true" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
echo ">> Pull Request found, but was closed"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
else
echo ">> Pull Request not found"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
fi
echo "----"
- name: Create Pull Request
id: create-pull-request
if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
PAYLOAD=$( jq -n \
--arg head "${HEAD_BRANCH}" \
--arg base "${BASE_BRANCH}" \
--arg assignee "${ASSIGNEE}" \
--arg title "Automated Manifest Update" \
--arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
'{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
echo ">> With Payload of:"
echo "$PAYLOAD"
HTTP_STATUS=$(
curl -X POST \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
--data "$PAYLOAD" \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "201" ]; then
echo ">> Pull Request created successfully!"
PR_URL=$(cat response_body.json | jq -r .html_url)
echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
PR_ID=$(cat response_body.json | jq -r .id)
echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
echo "pull-request-operation=created" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "422" ]; then
echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
elif [ "$HTTP_STATUS" == "409" ]; then
echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
else
echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
exit 1
fi
echo "----"
- name: ntfy Created
uses: niniyas/ntfy-action@master
if: steps.create-pull-request.outputs.pull-request-operation == 'created'
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render PR Created - Infrastructure"
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed
details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render Failure - Infrastructure"
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: "Manifest rendering for Infrastructure has failed!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
image: true

425
.gitea/workflows/render-manifests-merge.yaml
View File

@@ -1,425 +0,0 @@
name: render-manifests-merge
on:
pull_request:
branches:
- main
paths:
- 'clusters/cl01tl/helm/**'
types:
- closed
env:
CLUSTER: cl01tl
BASE_BRANCH: manifests
BRANCH_NAME: auto/update-manifests
ASSIGNEE: alexlebens
MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
jobs:
render-manifests-merge:
runs-on: ubuntu-js
if: ${{ (github.event.pull_request.merged == true) && !(contains(github.event.pull_request.labels.*.name, 'automerge')) }}
steps:
- name: Checkout Main
uses: actions/checkout@v6
with:
path: infrastructure
fetch-depth: 0
- name: Checkout Manifests
uses: actions/checkout@v6
with:
ref: manifests
path: infrastructure-manifests
- name: Set up Helm
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Prepare Manifest Branch
run: |
cd ${MANIFEST_DIR}
echo ">> Configure git to use gitea-bot as user ..."
git config user.name "gitea-bot"
git config user.email "gitea-bot@alexlebens.net"
echo ">> Checking if PR branch exists ..."
if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
git fetch origin "${BRANCH_NAME}"
git checkout "${BRANCH_NAME}"
git pull --rebase
else
echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
git checkout -b $BRANCH_NAME
fi
echo "----"
- name: Check which Directories have Changes
id: check-dir-changes
run: |
cd ${MAIN_DIR}
RENDER_DIR=()
echo ">> Checking for changes from HEAD^..HEAD ..."
GIT_DIFF=$(git diff --name-only HEAD^..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
if [ -n "${GIT_DIFF}" ]; then
echo ">> Changes detected:"
echo "$GIT_DIFF"
for path in $GIT_DIFF; do
RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
RENDER_DIR+=$(echo " ")
done
else
echo ">> No changes detected"
fi
if [ -n "${RENDER_DIR}" ]; then
echo ">> Directories to Render:"
echo "$(echo "${RENDER_DIR}" | sort -u)"
echo "----"
echo "changes-detected=true" >> $GITEA_OUTPUT
echo "render-dir<<EOF" >> $GITEA_OUTPUT
echo "$(echo "${RENDER_DIR}" | sort -u)" >> $GITEA_OUTPUT
echo "EOF" >> $GITEA_OUTPUT
else
echo "changes-detected=false" >> $GITEA_OUTPUT
fi
- name: Add Repositories
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ">> Adding repositories for chart dependencies ..."
for dir in ${RENDER_DIR}; do
helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do
if [[ "$cmd" == "*oci://*" ]]; then
echo ">> Ignoring OCI repo"
else
echo "$cmd" | sh;
fi
done || true
done
if helm repo list | tail +2 | read -r; then
echo ">> Update repository cache ..."
helm repo update
fi
echo "----"
- name: Remove Changed Manifest Files
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MANIFEST_DIR}
echo ">> Remove manfiest files and rebuild from source ..."
for dir in ${RENDER_DIR}; do
chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
echo "$chart_path"
rm -rf $chart_path/*
done
echo "----"
- name: Render Helm Manifests
id: render-manifests
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ">> Rendering Manifests ..."
for dir in ${RENDER_DIR}; do
chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
chart_name=$(basename "$chart_path")
echo ""
echo ""
echo ">> Rendering chart: $chart_name"
echo ">> Chart path $chart_path"
if [ -f "$chart_path/Chart.yaml" ]; then
OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
TEMPLATE=""
mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
cd $chart_path
echo ""
echo ">> Updating helm dependency ..."
helm dependency update --skip-refresh
echo ""
echo ">> Building helm dependency ..."
helm dependency build --skip-refresh
echo ""
echo ">> Linting helm ..."
helm lint --namespace "$chart_name"
echo ""
echo ">> Rendering templates ..."
case "$chart_name" in
"stack")
echo ""
echo ">> Special Rendering for stack into argocd namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
"cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
echo ""
echo ">> Special Rendering for $chart_name into kube-system namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
*)
echo ""
echo ">> Standard Rendering for $chart_name ..."
TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
esac
echo ""
echo ">> Formating rendered template ..."
echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo ""
echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
ls $OUTPUT_FOLDER
echo ""
else
echo ""
echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
echo ""
fi
done
echo "----"
- name: Check for Changes
id: check-changes
if: steps.check-dir-changes.outputs.changes-detected == 'true'
run: |
cd ${MANIFEST_DIR}
GIT_CHANGES=$(git status --porcelain)
if [ -n "$GIT_CHANGES" ]; then
echo ">> Changes detected"
git status --porcelain
echo "changes-detected=true" >> $GITEA_OUTPUT
else
echo ">> No changes detected, skipping PR creation"
fi
echo "----"
- name: Commit and Push Changes
id: commit-push
if: steps.check-changes.outputs.changes-detected == 'true'
run: |
cd ${MANIFEST_DIR}
echo ">> Commiting changes to ${BRANCH_NAME} ..."
git add .
git commit -m "chore: Update manifests after change"
REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
echo ">> Pushing changes to $REPO_URL ..."
git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
echo "----"
echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
echo "push=true" >> $GITEA_OUTPUT
- name: Check for Pull Request
id: check-for-pull-requst
if: steps.commit-push.outputs.push == 'true'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
HTTP_STATUS=$(
curl -X GET \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
echo ">> Pull Request has been found open, will update"
PR_INDEX=$(cat response_body.json | jq -r .[0].number)
echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
echo "pull-request-index=true" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
echo ">> Pull Request found, but was closed"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
else
echo ">> Pull Request not found"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
fi
echo "----"
- name: Create Pull Request
id: create-pull-request
if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
PAYLOAD=$( jq -n \
--arg head "${HEAD_BRANCH}" \
--arg base "${BASE_BRANCH}" \
--arg assignee "${ASSIGNEE}" \
--arg title "Automated Manifest Update" \
--arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
'{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
echo ">> With Payload of:"
echo "$PAYLOAD"
HTTP_STATUS=$(
curl -X POST \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
--data "$PAYLOAD" \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "201" ]; then
echo ">> Pull Request created successfully!"
PR_URL=$(cat response_body.json | jq -r .html_url)
echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
PR_ID=$(cat response_body.json | jq -r .id)
echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
echo "pull-request-operation=created" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "422" ]; then
echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
elif [ "$HTTP_STATUS" == "409" ]; then
echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
else
echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
exit 1
fi
echo "----"
- name: ntfy Created
uses: niniyas/ntfy-action@master
if: steps.create-pull-request.outputs.pull-request-operation == 'created'
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render PR Created - Infrastructure"
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed
details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render Failure - Infrastructure"
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: "Manifest rendering for Infrastructure has failed!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
image: true

115
.gitea/workflows/render-manifests-push.yaml → .gitea/workflows/render-manifests.yaml
View File

@@ -1,4 +1,4 @@
name: render-manifests-push name: render-manifests
on: on:
push: push:
@@ -7,6 +7,8 @@ on:
paths: paths:
- 'clusters/cl01tl/helm/**' - 'clusters/cl01tl/helm/**'
workflow_dispatch:
env: env:
CLUSTER: cl01tl CLUSTER: cl01tl
BASE_BRANCH: manifests BASE_BRANCH: manifests
@@ -16,9 +18,8 @@ env:
MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
jobs: jobs:
render-manifests-push: render-manifests:
runs-on: ubuntu-js runs-on: ubuntu-js
if: gitea.event.commits[0].author.username != 'renovate-bot'
steps: steps:
- name: Checkout Main - name: Checkout Main
uses: actions/checkout@v6 uses: actions/checkout@v6
@@ -37,13 +38,6 @@ jobs:
with: with:
token: ${{ secrets.GITEA_TOKEN }} token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743 version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Prepare Manifest Branch - name: Prepare Manifest Branch
run: | run: |
@@ -74,31 +68,36 @@ jobs:
RENDER_DIR=() RENDER_DIR=()
echo ">> Checking for changes ..." if [ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]; then
GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+") echo ">> Triggered on dispatch, will check all paths ..."
RENDER_DIR+=$(ls clusters/cl01tl/helm/)
if [ -n "${GIT_DIFF}" ]; then
echo ">> Changes detected:"
echo "$GIT_DIFF"
for path in $GIT_DIFF; do
RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
RENDER_DIR+=$(echo " ")
done
else else
echo ">> No changes detected" echo ">> Checking for changes ..."
GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep "clusters/cl01tl/helm/")
if [ -n "${GIT_DIFF}" ]; then
echo ">> Changes detected:"
echo "$GIT_DIFF"
for path in $GIT_DIFF; do
RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
done
else
echo ">> No changes detected"
fi
fi fi
if [ -n "${RENDER_DIR}" ]; then if [ -n "${RENDER_DIR}" ]; then
echo ">> Directories to Render:" echo ">> Directories to Render:"
echo "$(echo "${RENDER_DIR}" | sort -u)" echo "$(printf "%s\n" "${RENDER_DIR[@]}" | sort -u)"
echo "----" echo "----"
echo "changes-detected=true" >> $GITEA_OUTPUT echo "changes-detected=true" >> $GITEA_OUTPUT
echo "render-dir<<EOF" >> $GITEA_OUTPUT echo "render-dir<<EOF" >> $GITEA_OUTPUT
echo "$(echo "${RENDER_DIR}" | sort -u)" >> $GITEA_OUTPUT echo "$(printf "%s\n" "${RENDER_DIR[@]}" | sort -u)" >> $GITEA_OUTPUT
echo "EOF" >> $GITEA_OUTPUT echo "EOF" >> $GITEA_OUTPUT
else else
echo "changes-detected=false" >> $GITEA_OUTPUT echo "changes-detected=false" >> $GITEA_OUTPUT
@@ -116,13 +115,7 @@ jobs:
helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \ helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \ | tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \ | awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do | while read cmd; do echo "$cmd" | sh; done || true
if [[ "$cmd" == "*oci://*" ]]; then
echo ">> Ignoring OCI repo"
else
echo "$cmd" | sh;
fi
done || true
done done
if helm repo list | tail +2 | read -r; then if helm repo list | tail +2 | read -r; then
@@ -164,23 +157,15 @@ jobs:
chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
chart_name=$(basename "$chart_path") chart_name=$(basename "$chart_path")
echo ""
echo ""
echo ">> Rendering chart: $chart_name" echo ">> Rendering chart: $chart_name"
echo ">> Chart path $chart_path" echo ">> Chart path $chart_path"
if [ -f "$chart_path/Chart.yaml" ]; then if [ -f "$chart_path/Chart.yaml" ]; then
OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
TEMPLATE=""
mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
OUTPUT_FILE="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/$chart_name.yaml"
cd $chart_path cd $chart_path
echo ""
echo ">> Updating helm dependency ..."
helm dependency update --skip-refresh
echo "" echo ""
echo ">> Building helm dependency ..." echo ">> Building helm dependency ..."
helm dependency build --skip-refresh helm dependency build --skip-refresh
@@ -191,36 +176,36 @@ jobs:
echo "" echo ""
echo ">> Rendering templates ..." echo ">> Rendering templates ..."
case "$chart_name" in case "$chart_name" in
"stack") "stack")
echo "" echo ">> Special Rendering for stack ..."
echo ">> Special Rendering for stack into argocd namespace ..." helm template stack ./ --namespace argocd --include-crds > "$OUTPUT_FILE"
TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;; ;;
"cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds") "cilium")
echo "" echo ">> Special Rendering for cilium ..."
echo ">> Special Rendering for $chart_name into kube-system namespace ..." helm template cilium ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute") ;;
"coredns")
echo ">> Special Rendering for coredns ..."
helm template coredns ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
;;
"metrics-server")
echo ">> Special Rendering for metrics-server ..."
helm template metrics-server ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
;;
"prometheus-operator-crds")
echo ">> Special Rendering for prometheus-operator-crds ..."
helm template prometheus-operator-crds ./ --namespace kube-system --include-crds > "$OUTPUT_FILE"
;; ;;
*) *)
echo ""
echo ">> Standard Rendering for $chart_name ..." echo ">> Standard Rendering for $chart_name ..."
TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute") helm template "$chart_name" ./ --namespace "$chart_name" --include-crds > "$OUTPUT_FILE"
;; ;;
esac esac
echo "" echo ""
echo ">> Formating rendered template ..." echo ">> Manifests for $chart_name rendered to $OUTPUT_FILE"
echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo ""
echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
ls $OUTPUT_FOLDER
echo "" echo ""
else else
echo "" echo ""
@@ -237,16 +222,13 @@ jobs:
run: | run: |
cd ${MANIFEST_DIR} cd ${MANIFEST_DIR}
GIT_CHANGES=$(git status --porcelain) if git status --porcelain | grep -q .; then
if [ -n "$GIT_CHANGES" ]; then
echo ">> Changes detected" echo ">> Changes detected"
git status --porcelain git status --porcelain
echo "changes-detected=true" >> $GITEA_OUTPUT echo "changes-detected=true" >> $GITEA_OUTPUT
else else
echo ">> No changes detected, skipping PR creation" echo ">> No changes detected, skipping PR creation"
exit 0
fi fi
echo "----" echo "----"
@@ -342,7 +324,7 @@ jobs:
--arg assignee "${ASSIGNEE}" \ --arg assignee "${ASSIGNEE}" \
--arg title "Automated Manifest Update" \ --arg title "Automated Manifest Update" \
--arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \ --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
'{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' ) '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body'} )
echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}" echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:" echo ">> With Endpoint of:"
@@ -403,9 +385,10 @@ jobs:
priority: 3 priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}' headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed tags: action,successfully,completed
details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!" details: "Manifest rendering for Infrastructure has created a new Pull Request!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png" icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]' actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
image: true
- name: ntfy Failed - name: ntfy Failed
uses: niniyas/ntfy-action@master uses: niniyas/ntfy-action@master

1
.gitignore vendored
View File

@@ -1,4 +1,3 @@
/**/archive/ /**/archive/
/**/charts/ /**/charts/
/**/manifests/ /**/manifests/
/**/tmpcharts*/

6
README.md
View File

@@ -2,12 +2,6 @@
GitOps definied infrastrucutre for the alexlebens.net domain. GitOps definied infrastrucutre for the alexlebens.net domain.
## Stack-cl01tl
https://argocd.alexlebens.net/api/badge?name=stack-cl01tl&revision=true&showAppName=true
App-of-Apps Application for cl01tl
## License ## License
This project is licensed under the terms of the Apache 2.0 License license. This project is licensed under the terms of the Apache 2.0 License license.

9
clusters/cl01tl/helm/actual/Chart.lock
View File

@@ -1,9 +1,6 @@
dependencies: dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: volsync-target digest: sha256:b5d823171e1b4dc1d3856f782f0c67cbb5d49e4fa170df2f21b06303c7aff7f5
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-11-30T21:05:19.732832-06:00"
version: 0.7.0
digest: sha256:ab1b7688f41127681b66c0673c713b651c58ac7c06f123d53ea871b6df9cda9f
generated: "2026-01-07T16:02:51.781699411Z"

9
clusters/cl01tl/helm/actual/Chart.yaml
View File

@@ -16,11 +16,6 @@ dependencies:
- name: app-template - name: app-template
alias: actual alias: actual
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: volsync-target
alias: volsync-target-data
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
# renovate: github=actualbudget/actual appVersion: 25.11.0
appVersion: 25.12.0

55
clusters/cl01tl/helm/actual/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,55 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: actual-data-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: actual-data-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/actual/actual-data"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: S3_BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: access_key
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: secret_key

28
clusters/cl01tl/helm/actual/templates/http-route.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-actual
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-actual
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- actual.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: actual
port: 80
weight: 100

25
clusters/cl01tl/helm/actual/templates/replication-source.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: actual-data-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: actual-data-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: actual-data
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: actual-data-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot

33
clusters/cl01tl/helm/actual/values.yaml
View File

@@ -9,7 +9,7 @@ actual:
main: main:
image: image:
repository: ghcr.io/actualbudget/actual repository: ghcr.io/actualbudget/actual
tag: 26.1.0 tag: 25.11.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
@@ -42,27 +42,6 @@ actual:
port: 80 port: 80
targetPort: 5006 targetPort: 5006
protocol: HTTP protocol: HTTP
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- actual.alexlebens.net
rules:
- backendRefs:
- group: ''
kind: Service
name: actual
port: 80
weight: 100
matches:
- path:
type: PathPrefix
value: /
persistence: persistence:
data: data:
forceRename: actual-data forceRename: actual-data
@@ -75,13 +54,3 @@ actual:
main: main:
- path: /data - path: /data
readOnly: false readOnly: false
volsync-target-data:
pvcTarget: actual-data
local:
enabled: true
schedule: 0 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 0 9 * * *

10
clusters/cl01tl/helm/argo-workflows/Chart.lock
View File

@@ -1,12 +1,12 @@
dependencies: dependencies:
- name: argo-workflows - name: argo-workflows
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
version: 0.47.0 version: 0.45.28
- name: argo-events - name: argo-events
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
version: 2.4.19 version: 2.4.17
- name: postgres-cluster - name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 7.4.5 version: 6.16.1
digest: sha256:c36845d5688e28e6f6c6b6f2e17b40514f2adb937f2c6077deadfec9e6b294fe digest: sha256:d5a4e03eb73fefbb9da82b0ae3f7a1ccf3bcabd2a26adc522f798d9b5122fc47
generated: "2026-01-14T21:30:10.440164554Z" generated: "2025-12-03T06:10:23.754624004Z"

11
clusters/cl01tl/helm/argo-workflows/Chart.yaml
View File

@@ -18,15 +18,14 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: argo-workflows - name: argo-workflows
version: 0.47.0 version: 0.45.28
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
- name: argo-events - name: argo-events
version: 2.4.19 version: 2.4.17
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
- name: postgres-cluster - name: postgres-cluster
alias: postgres-18-cluster alias: postgres-17-cluster
version: 7.4.5 version: 6.16.1
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
# renovate: github=argoproj/argo-workflows appVersion: v3.6.7
appVersion: v3.7.6

67
clusters/cl01tl/helm/argo-workflows/templates/external-secret.yaml
View File

@@ -26,3 +26,70 @@ spec:
key: /authentik/oidc/argo-workflows key: /authentik/oidc/argo-workflows
metadataPolicy: None metadataPolicy: None
property: client property: client
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argo-workflows-postgresql-17-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argo-workflows-postgresql-17-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: access
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argo-workflows-postgresql-17-cluster-backup-secret-garage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argo-workflows-postgresql-17-cluster-backup-secret-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
- secretKey: ACCESS_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_REGION

4
clusters/cl01tl/helm/argo-workflows/templates/http-route.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: gateway.networking.k8s.io/v1 apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute kind: HTTPRoute
metadata: metadata:
name: argo-workflows name: http-route-argo-workflows
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: argo-workflows app.kubernetes.io/name: http-route-argo-workflows
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:

14
clusters/cl01tl/helm/argo-workflows/templates/service.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: garage-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName

72
clusters/cl01tl/helm/argo-workflows/values.yaml
View File

@@ -9,15 +9,15 @@ argo-workflows:
nodeStatusOffLoad: true nodeStatusOffLoad: true
archive: true archive: true
postgresql: postgresql:
host: argo-workflows-postgresql-18-cluster-rw host: argo-workflows-postgresql-17-cluster-rw
port: 5432 port: 5432
database: app database: app
tableName: app tableName: app
userNameSecret: userNameSecret:
name: argo-workflows-postgresql-18-cluster-app name: argo-workflows-postgresql-17-cluster-app
key: username key: username
passwordSecret: passwordSecret:
name: argo-workflows-postgresql-18-cluster-app name: argo-workflows-postgresql-17-cluster-app
key: password key: password
ssl: false ssl: false
sslMode: disable sslMode: disable
@@ -59,6 +59,20 @@ argo-workflows:
useStaticCredentials: true useStaticCredentials: true
artifactRepository: artifactRepository:
archiveLogs: false archiveLogs: false
s3: {}
# accessKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: accesskey
# secretKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: secretkey
# insecure: true
# bucket:
# endpoint:
# region:
# encryptionOptions:
# enableEncryption: true
argo-events: argo-events:
controller: controller:
resources: resources:
@@ -75,33 +89,53 @@ argo-events:
requests: requests:
cpu: 10m cpu: 10m
memory: 128Mi memory: 128Mi
postgres-18-cluster: postgres-17-cluster:
mode: recovery mode: recovery
cluster:
storage:
storageClass: local-path
walStorage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: true
recovery: recovery:
method: objectStore method: objectStore
objectStore: objectStore:
destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
endpointURL: http://garage-main.garage:3900
index: 1 index: 1
endpointCredentials: argo-workflows-postgresql-17-cluster-backup-secret-garage
backup: backup:
objectStore: objectStore:
- name: garage-local - name: external
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
index: 1 index: 1
destinationBucket: postgres-backups retentionPolicy: "30d"
externalSecretCredentialPath: /garage/home-infra/postgres-backups isWALArchiver: false
- name: garage-local
destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
index: 1
endpointURL: http://garage-main.garage:3900
endpointCredentials: argo-workflows-postgresql-17-cluster-backup-secret-garage
endpointCredentialsIncludeRegion: true
retentionPolicy: "3d"
isWALArchiver: true isWALArchiver: true
# - name: garage-remote # - name: garage-remote
# destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
# index: 1 # index: 1
# destinationBucket: postgres-backups # endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
# externalSecretCredentialPath: /garage/home-infra/postgres-backups # endpointCredentials: argo-workflows-postgresql-17-cluster-backup-secret-garage
# retentionPolicy: "90d" # endpointCredentialsIncludeRegion: true
# retentionPolicy: "30d"
# data: # data:
# compression: bzip2 # compression: bzip2
# - name: external
# index: 1
# endpointURL: https://nyc3.digitaloceanspaces.com
# destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# isWALArchiver: false
scheduledBackups: scheduledBackups:
- name: daily-backup
suspend: false
schedule: "0 0 0 * * *"
backupName: external
- name: live-backup - name: live-backup
suspend: false suspend: false
immediate: true immediate: true
@@ -109,11 +143,5 @@ postgres-18-cluster:
backupName: garage-local backupName: garage-local
# - name: weekly-backup # - name: weekly-backup
# suspend: true # suspend: true
# immediate: true
# schedule: "0 0 4 * * SAT" # schedule: "0 0 4 * * SAT"
# backupName: garage-remote # backupName: garage-remote
# - name: daily-backup
# suspend: true
# immediate: true
# schedule: "0 0 0 * * *"
# backupName: external

6
clusters/cl01tl/helm/argocd/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: argo-cd - name: argo-cd
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
version: 9.3.4 version: 9.1.5
digest: sha256:006518c10fc1636a5b0398de90d4a7687ae6c0bf4626c41d11b2bc3ad48ff416 digest: sha256:07f7f6d369af426cdd213ddbc58373a4e5b4f54724efd4612662d7da0315232d
generated: "2026-01-14T23:02:04.617990687Z" generated: "2025-12-02T21:27:41.876154-06:00"

5
clusters/cl01tl/helm/argocd/Chart.yaml
View File

@@ -15,8 +15,7 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: argo-cd - name: argo-cd
version: 9.3.4 version: 9.1.5
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
# renovate: github=argoproj/argo-cd appVersion: 3.0.0
appVersion: v3.2.1

72
clusters/cl01tl/helm/argocd/templates/external-secret.yaml
View File

@@ -50,39 +50,39 @@ spec:
metadataPolicy: None metadataPolicy: None
property: token property: token
--- # ---
apiVersion: external-secrets.io/v1 # apiVersion: external-secrets.io/v1
kind: ExternalSecret # kind: ExternalSecret
metadata: # metadata:
name: argocd-gitea-repo-infrastructure-secret # name: argocd-gitea-repo-infrastructure-secret
namespace: {{ .Release.Namespace }} # namespace: {{ .Release.Namespace }}
labels: # labels:
app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret # app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
app.kubernetes.io/instance: {{ .Release.Name }} # app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} # app.kubernetes.io/part-of: {{ .Release.Name }}
spec: # spec:
secretStoreRef: # secretStoreRef:
kind: ClusterSecretStore # kind: ClusterSecretStore
name: vault # name: vault
data: # data:
- secretKey: type # - secretKey: type
remoteRef: # remoteRef:
conversionStrategy: Default # conversionStrategy: Default
decodingStrategy: None # decodingStrategy: None
key: /cl01tl/argocd/credentials/repo/infrastructure # key: /cl01tl/argocd/credentials/repo/infrastructure
metadataPolicy: None # metadataPolicy: None
property: type # property: type
- secretKey: url # - secretKey: url
remoteRef: # remoteRef:
conversionStrategy: Default # conversionStrategy: Default
decodingStrategy: None # decodingStrategy: None
key: /cl01tl/argocd/credentials/repo/infrastructure # key: /cl01tl/argocd/credentials/repo/infrastructure
metadataPolicy: None # metadataPolicy: None
property: url # property: url
- secretKey: sshPrivateKey # - secretKey: sshPrivateKey
remoteRef: # remoteRef:
conversionStrategy: Default # conversionStrategy: Default
decodingStrategy: None # decodingStrategy: None
key: /cl01tl/argocd/credentials/repo/infrastructure # key: /cl01tl/argocd/credentials/repo/infrastructure
metadataPolicy: None # metadataPolicy: None
property: sshPrivateKey # property: sshPrivateKey

28
clusters/cl01tl/helm/argocd/templates/http-route.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-argocd
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-argocd
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- argocd.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: argocd-server
port: 80
weight: 100

57
clusters/cl01tl/helm/argocd/values.yaml
View File

@@ -25,10 +25,21 @@ argo-cd:
id: authentik id: authentik
params: params:
server.insecure: true server.insecure: true
controller.diff.server.side: true
rbac: rbac:
policy.csv: | policy.csv: |
g, ArgoCD Admins, role:admin g, ArgoCD Admins, role:admin
cmp:
create: true
plugins:
cdk8s:
init:
command: [cdk8s]
args: [import]
generate:
command: [cdk8s, synth]
args: [--stdout]
discover:
fileName: "*.go"
controller: controller:
replicas: 1 replicas: 1
metrics: metrics:
@@ -49,7 +60,7 @@ argo-cd:
enabled: true enabled: true
auth: false auth: false
redisSecretInit: redisSecretInit:
enabled: false enabled: true
server: server:
replicas: 2 replicas: 2
extensions: extensions:
@@ -65,22 +76,34 @@ argo-cd:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
httproute: ingress:
enabled: true enabled: false
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- argocd.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
repoServer: repoServer:
replicas: 2 replicas: 2
extraContainers:
- name: cmp-cdk8s
command:
- /var/run/argocd/argocd-cmp-server
image: ghcr.io/akuity/cdk8s-cmp-typescript:1.0
securityContext:
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /home/argocd/cmp-server/config/plugin.yaml
subPath: cdk8s.yaml
name: argocd-cmp-cm
- mountPath: /tmp
name: cmp-tmp
volumes:
- name: argocd-cmp-cm
configMap:
name: argocd-cmp-cm
- name: cmp-tmp
emptyDir: {}
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
@@ -256,7 +279,7 @@ argo-cd:
- description: Application has degraded - description: Application has degraded
send: send:
- app-health-degraded - app-health-degraded
when: app.status.health.status == 'Degraded' when: app.status.health.status == 'Degraded' and time.Now().Sub(time.Parse(app.status.health.lastTransitionTime).Minutes() >= 15
trigger.on-sync-failed: | trigger.on-sync-failed: |
- description: Application syncing has failed - description: Application syncing has failed
send: send:

12
clusters/cl01tl/helm/audiobookshelf/Chart.lock
View File

@@ -1,12 +1,6 @@
dependencies: dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: volsync-target digest: sha256:f3a9990542f24965fadad0b5493059b78cdc3fae91c8214577fa6f41ca5f7de3
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-11-30T21:05:21.317114-06:00"
version: 0.7.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
digest: sha256:9ad54a69753a4bbfe53d1d7ed12551e89fe7bb8f90d96c1d3ff06ba200bc5202
generated: "2026-01-07T16:03:05.987463264Z"

13
clusters/cl01tl/helm/audiobookshelf/Chart.yaml
View File

@@ -18,15 +18,6 @@ dependencies:
- name: app-template - name: app-template
alias: audiobookshelf alias: audiobookshelf
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: volsync-target
alias: volsync-target-config
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-metadata
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
# renovate: github=advplyr/audiobookshelf appVersion: 2.21.0
appVersion: 2.31.0

114
clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
View File

@@ -19,3 +19,117 @@ spec:
key: /cl01tl/audiobookshelf/apprise key: /cl01tl/audiobookshelf/apprise
metadataPolicy: None metadataPolicy: None
property: ntfy-url property: ntfy-url
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: audiobookshelf-config-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-config-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-config"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: S3_BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: access_key
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: secret_key
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: audiobookshelf-metadata-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-metadata-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-metadata"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: S3_BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: access_key
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: secret_key

28
clusters/cl01tl/helm/audiobookshelf/templates/http-route.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-audiobookshelf
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-audiobookshelf
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- audiobookshelf.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: audiobookshelf
port: 80
weight: 100

19
clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
View File

@@ -1,5 +1,24 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-nfs-storage-backup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-nfs-storage-backup
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata: metadata:
name: audiobookshelf-nfs-storage name: audiobookshelf-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}

52
clusters/cl01tl/helm/audiobookshelf/templates/replication-source.yaml Normal file
View File

@@ -0,0 +1,52 @@
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: audiobookshelf-config-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-config-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: audiobookshelf-config
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: audiobookshelf-config-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: audiobookshelf-metadata-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-metadata-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: audiobookshelf-metadata
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: audiobookshelf-metadata-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot

19
clusters/cl01tl/helm/audiobookshelf/templates/service-monitor.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: audiobookshelf-apprise
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-apprise
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
endpoints:
- port: apprise
interval: 30s
scrapeTimeout: 15s
path: /metrics
selector:
matchLabels:
app.kubernetes.io/name: audiobookshelf
app.kubernetes.io/instance: {{ .Release.Name }}

67
clusters/cl01tl/helm/audiobookshelf/values.yaml
View File

@@ -9,7 +9,7 @@ audiobookshelf:
main: main:
image: image:
repository: ghcr.io/advplyr/audiobookshelf repository: ghcr.io/advplyr/audiobookshelf
tag: 2.32.1 tag: 2.30.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
@@ -21,7 +21,7 @@ audiobookshelf:
apprise-api: apprise-api:
image: image:
repository: caronc/apprise repository: caronc/apprise
tag: 1.3.0 tag: 1.2.6
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
@@ -57,43 +57,8 @@ audiobookshelf:
port: 8000 port: 8000
targetPort: 8000 targetPort: 8000
protocol: HTTP protocol: HTTP
serviceMonitor:
main:
selector:
matchLabels:
app.kubernetes.io/name: audiobookshelf
app.kubernetes.io/instance: audiobookshelf
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: apprise
scheme: http
path: /metrics
interval: 30s
scrapeTimeout: 15s
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- audiobookshelf.alexlebens.net
rules:
- backendRefs:
- group: ''
kind: Service
name: audiobookshelf
port: 80
weight: 100
matches:
- path:
type: PathPrefix
value: /
persistence: persistence:
config: config:
forceRename: audiobookshelf-config
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 2Gi size: 2Gi
@@ -104,7 +69,6 @@ audiobookshelf:
- path: /config - path: /config
readOnly: false readOnly: false
metadata: metadata:
forceRename: audiobookshelf-metadata
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 10Gi size: 10Gi
@@ -114,6 +78,13 @@ audiobookshelf:
main: main:
- path: /metadata - path: /metadata
readOnly: false readOnly: false
backup:
existingClaim: audiobookshelf-nfs-storage-backup
advancedMounts:
main:
main:
- path: /metadata/backups
readOnly: false
audiobooks: audiobooks:
existingClaim: audiobookshelf-nfs-storage existingClaim: audiobookshelf-nfs-storage
advancedMounts: advancedMounts:
@@ -121,23 +92,3 @@ audiobookshelf:
main: main:
- path: /mnt/store/ - path: /mnt/store/
readOnly: false readOnly: false
volsync-target-config:
pvcTarget: audiobookshelf-config
local:
enabled: true
schedule: 2 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 2 9 * * *
volsync-target-metadata:
pvcTarget: audiobookshelf-metadata
local:
enabled: true
schedule: 4 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 4 9 * * *

13
clusters/cl01tl/helm/authentik/Chart.lock
View File

@@ -1,15 +1,12 @@
dependencies: dependencies:
- name: authentik - name: authentik
repository: https://charts.goauthentik.io/ repository: https://charts.goauthentik.io/
version: 2025.10.3 version: 2025.10.2
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.6 version: 1.23.0
- name: postgres-cluster - name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 7.4.5 version: 6.16.1
- name: redis-replication digest: sha256:c385274ae063630007ef2ea7e841b2813540f6f2468cbf82484106d8c4415702
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-12-03T06:10:50.377270812Z"
version: 1.0.1
digest: sha256:b9fe766e223b1f65430c64c02f94c1f97ad7149a5a9acc7bab8339615706293f
generated: "2026-01-08T23:01:41.173354097Z"

15
clusters/cl01tl/helm/authentik/Chart.yaml
View File

@@ -21,18 +21,15 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: authentik - name: authentik
version: 2025.10.3 version: 2025.10.2
repository: https://charts.goauthentik.io/ repository: https://charts.goauthentik.io/
- name: cloudflared - name: cloudflared
alias: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.6 version: 1.23.0
- name: postgres-cluster - name: postgres-cluster
alias: postgres-18-cluster alias: postgres-17-cluster
version: 7.4.5 version: 6.16.1
repository: oci://harbor.alexlebens.net/helm-charts
- name: redis-replication
version: 1.0.1
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
# renovate: github=goauthentik/authentik appVersion: 2025.4.1
appVersion: 2025.10.2

90
clusters/cl01tl/helm/authentik/templates/external-secret.yaml
View File

@@ -19,3 +19,93 @@ spec:
key: /cl01tl/authentik/key key: /cl01tl/authentik/key
metadataPolicy: None metadataPolicy: None
property: key property: key
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/authentik
metadataPolicy: None
property: token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-postgresql-17-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: access
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-postgresql-17-cluster-backup-secret-garage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
- secretKey: ACCESS_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_REGION

28
clusters/cl01tl/helm/authentik/templates/http-route.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-authentik
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- authentik.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: authentik-server
port: 80
weight: 100

32
clusters/cl01tl/helm/authentik/templates/redis-replication.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: RedisReplication
metadata:
name: redis-replication-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-authentik
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
clusterSize: 3
podSecurityContext:
runAsUser: 1000
fsGroup: 1000
kubernetesConfig:
image: quay.io/opstree/redis:v8.0.3
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 128Mi
storage:
volumeClaimTemplate:
spec:
storageClassName: ceph-block
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
redisExporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.48.0

19
clusters/cl01tl/helm/authentik/templates/service-monitor.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: redis-replication-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-authentik
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
redis-operator: "true"
env: production
spec:
selector:
matchLabels:
redis_setup_type: replication
endpoints:
- port: redis-exporter
interval: 30s
scrapeTimeout: 10s

90
clusters/cl01tl/helm/authentik/values.yaml
View File

@@ -9,22 +9,22 @@ authentik:
- name: AUTHENTIK_POSTGRESQL__HOST - name: AUTHENTIK_POSTGRESQL__HOST
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: authentik-postgresql-18-cluster-app name: authentik-postgresql-17-cluster-app
key: host key: host
- name: AUTHENTIK_POSTGRESQL__NAME - name: AUTHENTIK_POSTGRESQL__NAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: authentik-postgresql-18-cluster-app name: authentik-postgresql-17-cluster-app
key: dbname key: dbname
- name: AUTHENTIK_POSTGRESQL__USER - name: AUTHENTIK_POSTGRESQL__USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: authentik-postgresql-18-cluster-app name: authentik-postgresql-17-cluster-app
key: user key: user
- name: AUTHENTIK_POSTGRESQL__PASSWORD - name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: authentik-postgresql-18-cluster-app name: authentik-postgresql-17-cluster-app
key: password key: password
authentik: authentik:
redis: redis:
@@ -36,23 +36,8 @@ authentik:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
route: ingress:
main: enabled: false
enabled: true
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
hostnames:
- authentik.alexlebens.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
httpsRedirect: false
matches:
- path:
type: PathPrefix
value: /
worker: worker:
name: worker name: worker
replicas: 1 replicas: 1
@@ -63,52 +48,61 @@ authentik:
enabled: false enabled: false
redis: redis:
enabled: false enabled: false
postgres-18-cluster: cloudflared:
existingSecretName: authentik-cloudflared-secret
postgres-17-cluster:
mode: recovery mode: recovery
cluster:
storage:
storageClass: local-path
walStorage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: true
recovery: recovery:
method: objectStore method: objectStore
objectStore: objectStore:
destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
endpointURL: http://garage-main.garage:3900
index: 1 index: 1
endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
backup: backup:
objectStore: objectStore:
- name: garage-local - name: external
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-17-cluster
index: 1 index: 1
destinationBucket: postgres-backups retentionPolicy: "30d"
externalSecretCredentialPath: /garage/home-infra/postgres-backups isWALArchiver: false
- name: garage-local
destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
index: 1
endpointURL: http://garage-main.garage:3900
endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
endpointCredentialsIncludeRegion: true
retentionPolicy: "3d"
isWALArchiver: true isWALArchiver: true
# - name: garage-remote # - name: garage-remote
# destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
# index: 1 # index: 1
# destinationBucket: postgres-backups # endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
# externalSecretCredentialPath: /garage/home-infra/postgres-backups # endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
# retentionPolicy: "90d" # retentionPolicy: "30d"
# data: # data:
# compression: bzip2 # compression: bzip2
# - name: external # jobs: 2
# index: 1
# endpointURL: https://nyc3.digitaloceanspaces.com
# destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# isWALArchiver: false
scheduledBackups: scheduledBackups:
- name: daily-backup
suspend: false
schedule: "0 0 0 * * *"
backupName: external
- name: live-backup - name: live-backup
suspend: false suspend: false
immediate: true immediate: true
schedule: "0 0 0 * * *" schedule: "0 0 0 * * *"
backupName: garage-local backupName: garage-local
# - name: weekly-backup # - name: weekly-backup
# suspend: true # suspend: false
# immediate: true
# schedule: "0 0 4 * * SAT" # schedule: "0 0 4 * * SAT"
# backupName: garage-remote # backupName: garage-remote
# - name: daily-backup
# suspend: true
# immediate: true
# schedule: "0 0 0 * * *"
# backupName: external
redis-replication:
existingSecret:
enabled: false
redisReplication:
clusterSize: 3
sentinel:
enabled: true

12
clusters/cl01tl/helm/backrest/Chart.lock
View File

@@ -1,12 +1,6 @@
dependencies: dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: volsync-target digest: sha256:aa797b99d6d8b7aafe142811938408b7f234df6d429a7e076196337cc63876cb
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-12-01T20:25:09.888407-06:00"
version: 0.7.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
digest: sha256:816f9485a6ecce1710004fcf8b5422d519f7d7a02576ae5767bb3a6f365fcdcc
generated: "2026-01-07T16:03:18.566019576Z"

11
clusters/cl01tl/helm/backrest/Chart.yaml
View File

@@ -16,15 +16,6 @@ dependencies:
- name: app-template - name: app-template
alias: backrest alias: backrest
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: volsync-target
alias: volsync-target-config
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-data
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
# renovate: github=garethgeorge/backrest
appVersion: v1.10.1 appVersion: v1.10.1

28
clusters/cl01tl/helm/backrest/templates/http-route.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-backrest
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-backrest
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- backrest.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: backrest
port: 80
weight: 100

14
clusters/cl01tl/helm/backrest/templates/service.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: garage-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName

43
clusters/cl01tl/helm/backrest/values.yaml
View File

@@ -33,30 +33,8 @@ backrest:
port: 80 port: 80
targetPort: 9898 targetPort: 9898
protocol: TCP protocol: TCP
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- backrest.alexlebens.net
rules:
- backendRefs:
- group: ''
kind: Service
name: backrest
port: 80
weight: 100
matches:
- path:
type: PathPrefix
value: /
persistence: persistence:
data: data:
forceRename: backrest-data
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 10Gi size: 10Gi
@@ -67,7 +45,6 @@ backrest:
- path: /data - path: /data
readOnly: false readOnly: false
config: config:
forceRename: backrest-config
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 1Gi size: 1Gi
@@ -105,23 +82,3 @@ backrest:
main: main:
- path: /mnt/share - path: /mnt/share
readOnly: true readOnly: true
volsync-target-data:
pvcTarget: backrest-data
local:
enabled: true
schedule: 6 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 6 9 * * *
volsync-target-config:
pvcTarget: backrest-config
local:
enabled: true
schedule: 8 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 8 9 * * *

9
clusters/cl01tl/helm/bazarr/Chart.lock
View File

@@ -1,9 +1,6 @@
dependencies: dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: volsync-target digest: sha256:c6f6d1f2fb9fedf54094920737a6f0bd1a2ab89f0a4122966ca98f6c9d3f11fa
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-11-30T21:05:22.694344-06:00"
version: 0.7.0
digest: sha256:de894b87644bc7fe271df181dc27c9c4aff6716c7d61afe897776a90c8d1156f
generated: "2026-01-07T16:03:30.651964699Z"

9
clusters/cl01tl/helm/bazarr/Chart.yaml
View File

@@ -18,11 +18,6 @@ dependencies:
- name: app-template - name: app-template
alias: bazarr alias: bazarr
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: volsync-target
alias: volsync-target-config
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
# renovate: github=linuxserver/bazarr appVersion: 1.5.2
appVersion: 1.5.3

55
clusters/cl01tl/helm/bazarr/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,55 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: bazarr-config-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bazarr-config-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/bazarr/bazarr-config"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: S3_BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: access_key
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: secret_key

28
clusters/cl01tl/helm/bazarr/templates/http-route.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-bazarr
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-bazarr
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- bazarr.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: bazarr
port: 80
weight: 100

30
clusters/cl01tl/helm/bazarr/templates/replication-source.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: bazarr-config-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bazarr-config-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: bazarr-config
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: bazarr-config-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
moverSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot

38
clusters/cl01tl/helm/bazarr/values.yaml
View File

@@ -15,7 +15,7 @@ bazarr:
main: main:
image: image:
repository: ghcr.io/linuxserver/bazarr repository: ghcr.io/linuxserver/bazarr
tag: 1.5.4@sha256:7d0a091a63889ce1e4ac4c90595ebd2c50ba5a5df7039a4f4d2be6c2aed6d4ae tag: 1.5.3@sha256:ec11e988e8e13411c994a4d9f43ed9b97409aa92c1da54d9f23926c3da7c2032
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
@@ -36,27 +36,6 @@ bazarr:
port: 80 port: 80
targetPort: 6767 targetPort: 6767
protocol: HTTP protocol: HTTP
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- bazarr.alexlebens.net
rules:
- backendRefs:
- group: ''
kind: Service
name: bazarr
port: 80
weight: 100
matches:
- path:
type: PathPrefix
value: /
persistence: persistence:
config: config:
forceRename: bazarr-config forceRename: bazarr-config
@@ -76,18 +55,3 @@ bazarr:
main: main:
- path: /mnt/store - path: /mnt/store
readOnly: false readOnly: false
volsync-target-config:
pvcTarget: bazarr-config
moverSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
local:
enabled: true
schedule: 10 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 10 9 * * *

9
clusters/cl01tl/helm/blocky/Chart.lock
View File

@@ -1,9 +1,6 @@
dependencies: dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: redis-replication digest: sha256:0009729bcf7f1941401b767fd4ae952b7a8d44f80053090b4a9224de912a14ef
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-12-01T20:25:13.511406-06:00"
version: 1.0.1
digest: sha256:e9dde2592347a72ab8b7154efcd12654fb0865c4e791c5bbea27f56b390a6b50
generated: "2026-01-08T15:47:39.239057-06:00"

8
clusters/cl01tl/helm/blocky/Chart.yaml
View File

@@ -16,10 +16,6 @@ dependencies:
- name: app-template - name: app-template
alias: blocky alias: blocky
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: redis-replication
version: 1.0.1
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
# renovate: github=0xerr0r/blocky appVersion: v0.25
appVersion: v0.28.2

32
clusters/cl01tl/helm/blocky/templates/redis-replication.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: RedisReplication
metadata:
name: redis-replication-blocky
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-blocky
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
clusterSize: 3
podSecurityContext:
runAsUser: 1000
fsGroup: 1000
kubernetesConfig:
image: quay.io/opstree/redis:v8.0.3
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 128Mi
storage:
volumeClaimTemplate:
spec:
storageClassName: ceph-block
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
redisExporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.48.0

40
clusters/cl01tl/helm/blocky/templates/service-monitor.yaml Normal file
View File

@@ -0,0 +1,40 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: blocky
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: blocky
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: blocky
app.kubernetes.io/instance: {{ .Release.Name }}
endpoints:
- port: metrics
interval: 30s
scrapeTimeout: 10s
path: /metrics
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: redis-replication-blocky
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-blocky
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
redis-operator: "true"
env: production
spec:
selector:
matchLabels:
redis_setup_type: replication
endpoints:
- port: redis-exporter
interval: 30s
scrapeTimeout: 10s

46
clusters/cl01tl/helm/blocky/values.yaml
View File

@@ -96,9 +96,11 @@ blocky:
cl01tl-endpoint IN A 10.232.1.22 cl01tl-endpoint IN A 10.232.1.22
cl01tl-endpoint IN A 10.232.1.23 cl01tl-endpoint IN A 10.232.1.23
cl01tl-gateway IN A 10.232.1.200
traefik-cl01tl IN A 10.232.1.21 traefik-cl01tl IN A 10.232.1.21
blocky IN A 10.232.1.22 blocky IN A 10.232.1.22
cilium-cl01tl IN A 10.232.1.23 plex-lb IN A 10.232.1.23
;; Application Names ;; Application Names
actual IN CNAME traefik-cl01tl actual IN CNAME traefik-cl01tl
@@ -113,8 +115,6 @@ blocky:
ceph IN CNAME traefik-cl01tl ceph IN CNAME traefik-cl01tl
code-server IN CNAME traefik-cl01tl code-server IN CNAME traefik-cl01tl
ephemera IN CNAME traefik-cl01tl ephemera IN CNAME traefik-cl01tl
feishin IN CNAME traefik-cl01tl
fladder IN CNAME traefik-cl01tl
garage-s3 IN CNAME traefik-cl01tl garage-s3 IN CNAME traefik-cl01tl
garage-webui IN CNAME traefik-cl01tl garage-webui IN CNAME traefik-cl01tl
gatus IN CNAME traefik-cl01tl gatus IN CNAME traefik-cl01tl
@@ -125,23 +125,25 @@ blocky:
home IN CNAME traefik-cl01tl home IN CNAME traefik-cl01tl
home-assistant IN CNAME traefik-cl01tl home-assistant IN CNAME traefik-cl01tl
home-assistant-code-server IN CNAME traefik-cl01tl home-assistant-code-server IN CNAME traefik-cl01tl
hubble IN CNAME traefik-cl01tl hubble IN CNAME cl01tl-gateway
huntarr IN CNAME traefik-cl01tl huntarr IN CNAME traefik-cl01tl
immich IN CNAME traefik-cl01tl immich IN CNAME traefik-cl01tl
jellyfin IN CNAME traefik-cl01tl jellyfin IN CNAME traefik-cl01tl
jellystat IN CNAME traefik-cl01tl jellystat IN CNAME traefik-cl01tl
kiwix IN CNAME traefik-cl01tl kiwix IN CNAME traefik-cl01tl
komodo IN CNAME traefik-cl01tl komodo IN CNAME traefik-cl01tl
kronic IN CNAME traefik-cl01tl
lidarr IN CNAME traefik-cl01tl lidarr IN CNAME traefik-cl01tl
lidatube IN CNAME traefik-cl01tl lidatube IN CNAME traefik-cl01tl
listenarr IN CNAME traefik-cl01tl listenarr IN CNAME traefik-cl01tl
mail IN CNAME traefik-cl01tl mail IN CNAME traefik-cl01tl
navidrome IN CNAME traefik-cl01tl n8n IN CNAME traefik-cl01tl
ntfy IN CNAME traefik-cl01tl ntfy IN CNAME traefik-cl01tl
objects IN CNAME traefik-cl01tl objects IN CNAME traefik-cl01tl
ollama IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl
omni-tools IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl
overseerr IN CNAME traefik-cl01tl overseerr IN CNAME traefik-cl01tl
pgadmin IN CNAME traefik-cl01tl
photoview IN CNAME traefik-cl01tl photoview IN CNAME traefik-cl01tl
plex IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl
postiz IN CNAME traefik-cl01tl postiz IN CNAME traefik-cl01tl
@@ -154,8 +156,6 @@ blocky:
radarr-anime IN CNAME traefik-cl01tl radarr-anime IN CNAME traefik-cl01tl
radarr-standup IN CNAME traefik-cl01tl radarr-standup IN CNAME traefik-cl01tl
searxng IN CNAME traefik-cl01tl searxng IN CNAME traefik-cl01tl
seerr IN CNAME traefik-cl01tl
shelfmark IN CNAME traefik-cl01tl
slskd IN CNAME traefik-cl01tl slskd IN CNAME traefik-cl01tl
sonarr IN CNAME traefik-cl01tl sonarr IN CNAME traefik-cl01tl
sonarr-4k IN CNAME traefik-cl01tl sonarr-4k IN CNAME traefik-cl01tl
@@ -167,7 +167,6 @@ blocky:
vault IN CNAME traefik-cl01tl vault IN CNAME traefik-cl01tl
whodb IN CNAME traefik-cl01tl whodb IN CNAME traefik-cl01tl
yamtrack IN CNAME traefik-cl01tl yamtrack IN CNAME traefik-cl01tl
yubal-playlist IN CNAME traefik-cl01tl
blocking: blocking:
denylists: denylists:
@@ -183,47 +182,35 @@ blocky:
- https://v.firebog.net/hosts/Prigent-Ads.txt - https://v.firebog.net/hosts/Prigent-Ads.txt
mal: mal:
- https://v.firebog.net/hosts/Prigent-Crypto.txt - https://v.firebog.net/hosts/Prigent-Crypto.txt
- https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
pro: pro:
- https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro.plus.txt - https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro.plus.txt
oisd:
- https://big.oisd.nl/domainswild
allowlists: allowlists:
sus: sus:
- | - |
*.alexlebens.net *.alexlebens.net
*.alexlebens.dev *.alexlebens.dev
*.boreal-beaufort.ts.net *.boreal-beaufort.ts.net
*.discord.com
ads: ads:
- | - |
*.alexlebens.net *.alexlebens.net
*.alexlebens.dev *.alexlebens.dev
*.boreal-beaufort.ts.net *.boreal-beaufort.ts.net
*.discord.com
priv: priv:
- | - |
*.alexlebens.net *.alexlebens.net
*.alexlebens.dev *.alexlebens.dev
*.boreal-beaufort.ts.net *.boreal-beaufort.ts.net
*.discord.com
mal: mal:
- | - |
*.alexlebens.net *.alexlebens.net
*.alexlebens.dev *.alexlebens.dev
*.boreal-beaufort.ts.net *.boreal-beaufort.ts.net
*.discord.com
pro: pro:
- | - |
*.alexlebens.net *.alexlebens.net
*.alexlebens.dev *.alexlebens.dev
*.boreal-beaufort.ts.net *.boreal-beaufort.ts.net
*.discord.com
oisd:
- |
*.alexlebens.net
*.alexlebens.dev
*.boreal-beaufort.ts.net
*.discord.com
clientGroupsBlock: clientGroupsBlock:
default: default:
- sus - sus
@@ -231,7 +218,6 @@ blocky:
- priv - priv
- mal - mal
- pro - pro
- oisd
blockType: zeroIp blockType: zeroIp
blockTTL: 1m blockTTL: 1m
loading: loading:
@@ -303,19 +289,6 @@ blocky:
port: 4000 port: 4000
targetPort: 4000 targetPort: 4000
protocol: TCP protocol: TCP
serviceMonitor:
main:
selector:
matchLabels:
app.kubernetes.io/name: blocky
app.kubernetes.io/instance: blocky
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: metrics
scheme: http
path: /metrics
interval: 30s
scrapeTimeout: 10s
persistence: persistence:
config: config:
enabled: true enabled: true
@@ -328,6 +301,3 @@ blocky:
readOnly: true readOnly: true
mountPropagation: None mountPropagation: None
subPath: config.yml subPath: config.yml
redis-replication:
redisReplication:
clusterSize: 1

14
clusters/cl01tl/helm/booklore/Chart.lock
View File

@@ -1,15 +1,9 @@
dependencies: dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: mariadb-cluster - name: mariadb-cluster
repository: https://helm.mariadb.com/mariadb-operator repository: https://helm.mariadb.com/mariadb-operator
version: 25.10.4 version: 25.10.2
- name: volsync-target digest: sha256:264725306c1d1f38140293c0820abdc7e8aa4f39764b4d91e20200705ce2ec91
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-11-30T21:05:24.649316-06:00"
version: 0.7.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
digest: sha256:bce787056cbe11ac5291393a0e51f64e8e20bf665885580b8f6be79fd2be3e12
generated: "2026-01-08T21:50:26.303731301Z"

15
clusters/cl01tl/helm/booklore/Chart.yaml
View File

@@ -16,18 +16,9 @@ dependencies:
- name: app-template - name: app-template
alias: booklore alias: booklore
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: mariadb-cluster - name: mariadb-cluster
version: 25.10.4 version: 25.10.2
repository: https://helm.mariadb.com/mariadb-operator repository: https://helm.mariadb.com/mariadb-operator
- name: volsync-target
alias: volsync-target-config
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-data
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png
# renovate: github=booklore-app/BookLore appVersion: v.1.10.0
appVersion: v1.13.2

228
clusters/cl01tl/helm/booklore/templates/external-secret.yaml
View File

@@ -43,6 +43,234 @@ spec:
metadataPolicy: None metadataPolicy: None
property: psk.txt property: psk.txt
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-config-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-config-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-config"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/digital-ocean
metadataPolicy: None
property: BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/digital-ocean
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-data-backup-secret-local
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-secret-local
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/garage-local
metadataPolicy: None
property: BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/garage-local
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-data-backup-secret-remote
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-secret-remote
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/garage-remote
metadataPolicy: None
property: BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/garage-remote
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-data-backup-secret-external
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-secret-external
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/digital-ocean
metadataPolicy: None
property: BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/digital-ocean
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
--- ---
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret

28
clusters/cl01tl/helm/booklore/templates/http-route.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-booklore
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-booklore
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- booklore.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: booklore
port: 80
weight: 100

3
clusters/cl01tl/helm/booklore/templates/namespace.yaml
View File

@@ -8,6 +8,3 @@ metadata:
app.kubernetes.io/name: booklore app.kubernetes.io/name: booklore
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged

112
clusters/cl01tl/helm/booklore/templates/replication-source.yaml
View File

@@ -15,3 +15,115 @@ spec:
keySecret: booklore-data-replication-secret keySecret: booklore-data-replication-secret
address: volsync-rsync-tls-dst-booklore-data-replication-destination address: volsync-rsync-tls-dst-booklore-data-replication-destination
copyMethod: Snapshot copyMethod: Snapshot
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: booklore-config-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-config-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: booklore-config
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: booklore-config-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
cacheCapacity: 10Gi
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: booklore-data-backup-source-local
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-source-local
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: booklore-data
trigger:
schedule: 0 2 * * *
restic:
pruneIntervalDays: 7
repository: booklore-data-backup-secret-local
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
cacheCapacity: 10Gi
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: booklore-data-backup-source-remote
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-source-remote
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: booklore-data
trigger:
schedule: 0 3 * * *
restic:
pruneIntervalDays: 7
repository: booklore-data-backup-secret-remote
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
cacheCapacity: 10Gi
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: booklore-data-backup-source-external
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-source-external
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: booklore-data
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: booklore-data-backup-secret-external
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
cacheCapacity: 10Gi

14
clusters/cl01tl/helm/booklore/templates/service.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: garage-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName

93
clusters/cl01tl/helm/booklore/values.yaml
View File

@@ -9,7 +9,7 @@ booklore:
main: main:
image: image:
repository: ghcr.io/booklore-app/booklore repository: ghcr.io/booklore-app/booklore
tag: v1.17.0 tag: v1.12.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
@@ -39,30 +39,8 @@ booklore:
port: 80 port: 80
targetPort: 6060 targetPort: 6060
protocol: HTTP protocol: HTTP
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- booklore.alexlebens.net
rules:
- backendRefs:
- group: ''
kind: Service
name: booklore
port: 80
weight: 100
matches:
- path:
type: PathPrefix
value: /
persistence: persistence:
config: config:
forceRename: booklore-config
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 5Gi size: 5Gi
@@ -73,7 +51,6 @@ booklore:
- path: /app/data - path: /app/data
readOnly: false readOnly: false
data: data:
forceRename: booklore-data
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 10Gi size: 10Gi
@@ -108,21 +85,6 @@ mariadb-cluster:
replicas: 3 replicas: 3
galera: galera:
enabled: true enabled: true
bootstrapFrom:
s3:
bucket: mariadb-backups-b230a2f5aecf080a4b372c08
prefix: cl01tl/booklore
endpoint: nyc3.digitaloceanspaces.com
region: us-east-1
accessKeyIdSecretKeyRef:
name: booklore-mariadb-cluster-backup-secret-external
key: access
secretAccessKeySecretKeyRef:
name: booklore-mariadb-cluster-backup-secret-external
key: secret
tls:
enabled: true
backupContentType: Physical
databases: databases:
- name: booklore - name: booklore
characterSet: utf8 characterSet: utf8
@@ -157,8 +119,7 @@ mariadb-cluster:
suspend: false suspend: false
immediate: true immediate: true
compression: gzip compression: gzip
maxRetention: 2160h maxRetention: 720h
successfulJobsHistoryLimit: 1
storage: storage:
s3: s3:
bucket: mariadb-backups-b230a2f5aecf080a4b372c08 bucket: mariadb-backups-b230a2f5aecf080a4b372c08
@@ -173,28 +134,6 @@ mariadb-cluster:
key: secret key: secret
tls: tls:
enabled: true enabled: true
- name: backup-remote
schedule:
cron: "0 0 * * 0"
suspend: false
immediate: true
compression: gzip
maxRetention: 2160h
successfulJobsHistoryLimit: 1
storage:
s3:
bucket: mariadb-backups
prefix: cl01tl/booklore
endpoint: garage-ps10rp.boreal-beaufort.ts.net:3900
region: us-east-1
accessKeyIdSecretKeyRef:
name: booklore-mariadb-cluster-backup-secret-garage
key: access
secretAccessKeySecretKeyRef:
name: booklore-mariadb-cluster-backup-secret-garage
key: secret
tls:
enabled: true
- name: backup-garage - name: backup-garage
schedule: schedule:
cron: "0 0 * * *" cron: "0 0 * * *"
@@ -202,7 +141,6 @@ mariadb-cluster:
immediate: true immediate: true
compression: gzip compression: gzip
maxRetention: 360h maxRetention: 360h
successfulJobsHistoryLimit: 1
storage: storage:
s3: s3:
bucket: mariadb-backups bucket: mariadb-backups
@@ -215,30 +153,3 @@ mariadb-cluster:
secretAccessKeySecretKeyRef: secretAccessKeySecretKeyRef:
name: booklore-mariadb-cluster-backup-secret-garage name: booklore-mariadb-cluster-backup-secret-garage
key: secret key: secret
volsync-target-config:
pvcTarget: booklore-config
local:
enabled: true
schedule: 12 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 12 9 * * *
volsync-target-data:
pvcTarget: booklore-data
local:
enabled: true
schedule: 14 8 * * *
restic:
cacheCapacity: 10Gi
remote:
enabled: true
schedule: 14 10 * * *
restic:
cacheCapacity: 10Gi
external:
enabled: true
schedule: 14 9 * * *
restic:
cacheCapacity: 10Gi

6
clusters/cl01tl/helm/cert-manager/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: cert-manager - name: cert-manager
repository: https://charts.jetstack.io repository: https://charts.jetstack.io
version: v1.19.2 version: v1.19.1
digest: sha256:b02bda9b9f2fc886af11d017a27a5761513defee603f9e3aa1d7add2749b925c digest: sha256:0b1238a5552bc6d457d4b1a2a1f387a3e7f2c19f820ecb64e14d20481a1ed1ce
generated: "2025-12-10T15:01:57.196895547Z" generated: "2025-12-01T20:25:17.762628-06:00"

5
clusters/cl01tl/helm/cert-manager/Chart.yaml
View File

@@ -14,8 +14,7 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: cert-manager - name: cert-manager
version: v1.19.2 version: v1.19.1
repository: https://charts.jetstack.io repository: https://charts.jetstack.io
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/cert-manager.png icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/cert-manager.png
# renovate: github=cert-manager/cert-manager appVersion: v1.17.2
appVersion: v1.19.2

6
clusters/cl01tl/helm/cilium/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: cilium - name: cilium
repository: https://helm.cilium.io/ repository: https://helm.cilium.io/
version: 1.18.6 version: 1.18.4
digest: sha256:8ea328ac238524b5b423e6289f5e25d05ef64e6aa19cfd5de238f1d5dd533e9b digest: sha256:e38eb92ee87c9a52b0f45a2451142ade02bac7d484b246d32379eacce3800bc8
generated: "2026-01-14T11:02:31.272963463Z" generated: "2025-12-02T17:17:49.043599-06:00"

5
clusters/cl01tl/helm/cilium/Chart.yaml
View File

@@ -15,8 +15,7 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: cilium - name: cilium
version: 1.18.6 version: 1.18.4
repository: https://helm.cilium.io/ repository: https://helm.cilium.io/
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png
# renovate: github=cilium/cilium appVersion: 1.17.3
appVersion: 1.18.4

19
clusters/cl01tl/helm/cilium/templates/cilium-l2-announcement-policy.yaml
View File

@@ -1,19 +0,0 @@
# apiVersion: "cilium.io/v2alpha1"
# kind: CiliumL2AnnouncementPolicy
# metadata:
# name: general-l2-policy
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: general-l2-policy
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# nodeSelector:
# matchExpressions:
# - key: kubernetes.io/hostname
# operator: Exists
# interfaces:
# - end0
# - enp6s0
# externalIPs: true
# loadBalancerIPs: true

2
clusters/cl01tl/helm/cilium/templates/gateway.yaml
View File

@@ -1,7 +1,7 @@
# apiVersion: gateway.networking.k8s.io/v1 # apiVersion: gateway.networking.k8s.io/v1
# kind: Gateway # kind: Gateway
# metadata: # metadata:
# name: cilium-tls-gateway # name: tls-gateway
# namespace: {{ .Release.Namespace }} # namespace: {{ .Release.Namespace }}
# labels: # labels:
# app.kubernetes.io/name: tls-gateway # app.kubernetes.io/name: tls-gateway

4
clusters/cl01tl/helm/cilium/templates/http-route.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: gateway.networking.k8s.io/v1 apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute kind: HTTPRoute
metadata: metadata:
name: hubble name: http-route-hubble
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: hubble app.kubernetes.io/name: http-route-hubble
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:

5
clusters/cl01tl/helm/cilium/values.yaml
View File

@@ -55,12 +55,9 @@ cilium:
metrics: metrics:
serviceMonitor: serviceMonitor:
enabled: true enabled: true
tls:
auto:
method: cronJob
relay: relay:
enabled: true enabled: true
prometheus: metrics:
serviceMonitor: serviceMonitor:
enabled: true enabled: true
ui: ui:

8
clusters/cl01tl/helm/cloudnative-pg/Chart.lock
View File

@@ -1,9 +1,9 @@
dependencies: dependencies:
- name: cloudnative-pg - name: cloudnative-pg
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
version: 0.27.0 version: 0.26.1
- name: plugin-barman-cloud - name: plugin-barman-cloud
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
version: 0.4.0 version: 0.3.1
digest: sha256:5e2a32fa5ed8b180ae5e556d65c67eeb3dcf38e2974b0d668eff4ee3c83258ce digest: sha256:b38e5104d77ab1737a27a2542eda958e82038443940f07b7c2cbe3b0a477e1e6
generated: "2025-12-30T21:01:48.755246408Z" generated: "2025-12-01T20:25:20.341325-06:00"

7
clusters/cl01tl/helm/cloudnative-pg/Chart.yaml
View File

@@ -16,11 +16,10 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: cloudnative-pg - name: cloudnative-pg
version: 0.27.0 version: 0.26.1
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
- name: plugin-barman-cloud - name: plugin-barman-cloud
version: 0.4.0 version: 0.3.1
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
icon: https://avatars.githubusercontent.com/u/100373852?s=200&v=4 icon: https://avatars.githubusercontent.com/u/100373852?s=200&v=4
# renovate: github=cloudnative-pg/cloudnative-pg appVersion: 1.26.0
appVersion: 1.28.0

4
clusters/cl01tl/helm/cloudnative-pg/values.yaml
View File

@@ -7,10 +7,10 @@ plugin-barman-cloud:
image: image:
registry: ghcr.io registry: ghcr.io
repository: cloudnative-pg/plugin-barman-cloud repository: cloudnative-pg/plugin-barman-cloud
tag: v0.10.0 tag: v0.9.0
sidecarImage: sidecarImage:
registry: ghcr.io registry: ghcr.io
repository: cloudnative-pg/plugin-barman-cloud-sidecar repository: cloudnative-pg/plugin-barman-cloud-sidecar
tag: v0.10.0 tag: v0.9.0
crds: crds:
create: true create: true

11
clusters/cl01tl/helm/code-server/Chart.lock
View File

@@ -1,12 +1,9 @@
dependencies: dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.6 version: 1.23.0
- name: volsync-target digest: sha256:99eb4f940077dc916f5425d196232fcd363223fa7b7b5d3889f5965aa59e26f5
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-11-30T21:05:26.699161-06:00"
version: 0.7.0
digest: sha256:62df4e053f3b887bae03f79ef3cb158b7e7147f8b0fba0bca019d4ca16c12ade
generated: "2026-01-08T23:01:55.996749204Z"

12
clusters/cl01tl/helm/code-server/Chart.yaml
View File

@@ -19,14 +19,10 @@ dependencies:
- name: app-template - name: app-template
alias: code-server alias: code-server
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: cloudflared - name: cloudflared
alias: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.6 version: 1.23.0
- name: volsync-target
alias: volsync-target-config
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
# renovate: github=coder/code-server appVersion: 4.100.2
appVersion: 4.106.3

23
clusters/cl01tl/helm/code-server/templates/external-secret.yaml
View File

@@ -26,3 +26,26 @@ spec:
key: /cl01tl/code-server/auth key: /cl01tl/code-server/auth
metadataPolicy: None metadataPolicy: None
property: SUDO_PASSWORD property: SUDO_PASSWORD
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: code-server-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: code-server-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/codeserver
metadataPolicy: None
property: token

28
clusters/cl01tl/helm/code-server/templates/http-route.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-code-server
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-code-server
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- code-server.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: code-server
port: 8443
weight: 100

8
clusters/cl01tl/helm/shelfmark/templates/persistent-volume-claim.yaml → clusters/cl01tl/helm/code-server/templates/persistent-volume-claim.yaml
View File

@@ -1,17 +1,17 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: shelfmark-import-nfs-storage name: code-server-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: shelfmark-import-nfs-storage app.kubernetes.io/name: code-server-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
volumeName: shelfmark-import-nfs-storage volumeMode: Filesystem
storageClassName: nfs-client storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteOnce
resources: resources:
requests: requests:
storage: 1Gi storage: 1Gi

46
clusters/cl01tl/helm/code-server/values.yaml
View File

@@ -9,7 +9,7 @@ code-server:
main: main:
image: image:
repository: ghcr.io/linuxserver/code-server repository: ghcr.io/linuxserver/code-server
tag: 4.108.0@sha256:982ef207e723fe04d001a9cfe58c545913c8271ae9fd4cb036fa004bfcc33631 tag: 4.106.2@sha256:a98afdbcb59559f11e5e8df284062e55da1076b2e470e13db4aae133ea82bad0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
@@ -35,51 +35,13 @@ code-server:
port: 8443 port: 8443
targetPort: 8443 targetPort: 8443
protocol: HTTP protocol: HTTP
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- code-server.alexlebens.net
rules:
- backendRefs:
- group: ''
kind: Service
name: code-server
port: 8443
weight: 100
matches:
- path:
type: PathPrefix
value: /
persistence: persistence:
config: config:
forceRename: code-server-config existingClaim: code-server-nfs-storage
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 2Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
- path: /config - path: /config
readOnly: false readOnly: false
volsync-target-config: cloudflared:
pvcTarget: code-server-config existingSecretName: code-server-cloudflared-secret
moverSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
local:
enabled: true
schedule: 16 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 16 9 * * *

3
clusters/cl01tl/helm/coredns/Chart.yaml
View File

@@ -18,5 +18,4 @@ dependencies:
version: 1.45.0 version: 1.45.0
repository: https://coredns.github.io/helm repository: https://coredns.github.io/helm
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/coredns.png icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/coredns.png
# renovate: github=coredns/coredns appVersion: v1.12.1
appVersion: v1.13.2

2
clusters/cl01tl/helm/coredns/values.yaml
View File

@@ -1,7 +1,7 @@
coredns: coredns:
image: image:
repository: registry.k8s.io/coredns/coredns repository: registry.k8s.io/coredns/coredns
tag: v1.13.2 tag: v1.13.1
replicaCount: 3 replicaCount: 3
resources: resources:
requests: requests:

6
clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: democratic-csi - name: democratic-csi
repository: https://democratic-csi.github.io/charts/ repository: https://democratic-csi.github.io/charts/
version: 0.15.1 version: 0.15.0
digest: sha256:e07d76a67023fb523e7d49730330995d0028faba9a4c7c3a6b87c5828921b3c3 digest: sha256:6fe3d8ad7b990b07ed80a31c75a0a49db8da497c46a956c632615a2093d29d58
generated: "2026-01-08T20:33:17.610556446Z" generated: "2025-12-01T20:25:24.972076-06:00"

3
clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.yaml
View File

@@ -15,7 +15,6 @@ maintainers:
dependencies: dependencies:
- name: democratic-csi - name: democratic-csi
repository: https://democratic-csi.github.io/charts/ repository: https://democratic-csi.github.io/charts/
version: 0.15.1 version: 0.15.0
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
# renovate: github=democratic-csi/democratic-csi
appVersion: v1.9.4 appVersion: v1.9.4

3
clusters/cl01tl/helm/descheduler/Chart.yaml
View File

@@ -17,5 +17,4 @@ dependencies:
version: 0.34.0 version: 0.34.0
repository: https://kubernetes-sigs.github.io/descheduler/ repository: https://kubernetes-sigs.github.io/descheduler/
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
# renovate: github=kubernetes-sigs/descheduler appVersion: 0.33.0
appVersion: 0.34.0

21
clusters/cl01tl/helm/descheduler/values.yaml
View File

@@ -39,27 +39,16 @@ descheduler:
- name: RemovePodsViolatingNodeTaints - name: RemovePodsViolatingNodeTaints
- name: RemovePodsViolatingInterPodAntiAffinity - name: RemovePodsViolatingInterPodAntiAffinity
- name: RemovePodsViolatingTopologySpreadConstraint - name: RemovePodsViolatingTopologySpreadConstraint
- name: "HighNodeUtilization"
args:
thresholds:
cpu : 80
memory: 80
pods: 90
evictableNamespaces:
exclude:
- "kube-system"
evictionModes:
- "OnlyThresholdingResources"
- name: LowNodeUtilization - name: LowNodeUtilization
args: args:
thresholds: thresholds:
cpu: 30 cpu: 20
memory: 30 memory: 20
pods: 50 pods: 20
targetThresholds: targetThresholds:
cpu: 60 cpu: 60
memory: 40 memory: 60
pods: 80 pods: 60
plugins: plugins:
balance: balance:
enabled: enabled:

13
clusters/cl01tl/helm/directus/Chart.lock
View File

@@ -1,15 +1,12 @@
dependencies: dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.6 version: 1.23.0
- name: postgres-cluster - name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 7.4.5 version: 6.16.1
- name: redis-replication digest: sha256:fe86da80c9c6629e55219375a29c87c9dcbe2031cec8226c01c1ea9cdf5d7f4a
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-12-03T06:11:09.749222128Z"
version: 1.0.1
digest: sha256:4a666a87c07396ff40393f5d78658ee543ac442270868b65f350e6ad30bbcb5f
generated: "2026-01-08T23:02:12.156604855Z"

15
clusters/cl01tl/helm/directus/Chart.yaml
View File

@@ -20,17 +20,14 @@ dependencies:
- name: app-template - name: app-template
alias: directus alias: directus
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.0 version: 4.4.0
- name: cloudflared - name: cloudflared
alias: cloudflared-directus
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.6 version: 1.23.0
- name: postgres-cluster - name: postgres-cluster
alias: postgres-18-cluster alias: postgres-17-cluster
version: 7.4.5 version: 6.16.1
repository: oci://harbor.alexlebens.net/helm-charts
- name: redis-replication
version: 1.0.1
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
# renovate: github=directus/directus appVersion: 11.7.2
appVersion: 11.14.0

180
clusters/cl01tl/helm/directus/templates/external-secret.yaml
View File

@@ -41,36 +41,6 @@ spec:
metadataPolicy: None metadataPolicy: None
property: key property: key
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/directus
metadataPolicy: None
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/directus
metadataPolicy: None
property: secret
--- ---
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
@@ -123,3 +93,153 @@ spec:
key: /cl01tl/directus/redis key: /cl01tl/directus/redis
metadataPolicy: None metadataPolicy: None
property: password property: password
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/directus
metadataPolicy: None
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/directus
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/directus
metadataPolicy: None
property: token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-postgresql-17-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: access
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-postgresql-17-cluster-backup-secret-weekly
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret-weekly
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-postgresql-17-cluster-backup-secret-garage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
- secretKey: ACCESS_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_REGION

35
clusters/cl01tl/helm/directus/templates/redis-replication.yaml Normal file
View File

@@ -0,0 +1,35 @@
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: RedisReplication
metadata:
name: redis-replication-directus
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-directus
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
clusterSize: 3
podSecurityContext:
runAsUser: 1000
fsGroup: 1000
kubernetesConfig:
image: quay.io/opstree/redis:v8.2.1
imagePullPolicy: IfNotPresent
redisSecret:
name: directus-redis-config
key: password
resources:
requests:
cpu: 50m
memory: 128Mi
storage:
volumeClaimTemplate:
spec:
storageClassName: ceph-block
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
redisExporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.76.0

30
clusters/cl01tl/helm/directus/templates/redis-sentinel.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: RedisSentinel
metadata:
name: redis-sentinel-directus
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-sentinel-directus
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
clusterSize: 3
podSecurityContext:
runAsUser: 1000
fsGroup: 1000
redisSentinelConfig:
redisReplicationName: redis-replication-directus
redisReplicationPassword:
secretKeyRef:
name: directus-redis-config
key: password
kubernetesConfig:
image: quay.io/opstree/redis-sentinel:v7.0.15
imagePullPolicy: IfNotPresent
redisSecret:
name: directus-redis-config
key: password
resources:
requests:
cpu: 10m
memory: 128Mi

43
clusters/cl01tl/helm/directus/templates/service-monitor.yaml Normal file
View File

@@ -0,0 +1,43 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: directus
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: directus
app.kubernetes.io/instance: {{ .Release.Name }}
endpoints:
- port: http
interval: 30s
scrapeTimeout: 15s
path: /metrics
bearerTokenSecret:
name: directus-metric-token
key: metric-token
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: redis-replication-directus
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-directus
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
redis-operator: "true"
env: production
spec:
selector:
matchLabels:
redis_setup_type: replication
endpoints:
- port: redis-exporter
interval: 30s
scrapeTimeout: 10s

93
clusters/cl01tl/helm/directus/values.yaml
View File

@@ -9,7 +9,7 @@ directus:
main: main:
image: image:
repository: directus/directus repository: directus/directus
tag: 11.14.0 tag: 11.13.4
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: PUBLIC_URL - name: PUBLIC_URL
@@ -41,27 +41,27 @@ directus:
- name: DB_HOST - name: DB_HOST
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: directus-postgresql-18-cluster-app name: directus-postgresql-17-cluster-app
key: host key: host
- name: DB_DATABASE - name: DB_DATABASE
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: directus-postgresql-18-cluster-app name: directus-postgresql-17-cluster-app
key: dbname key: dbname
- name: DB_PORT - name: DB_PORT
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: directus-postgresql-18-cluster-app name: directus-postgresql-17-cluster-app
key: port key: port
- name: DB_USER - name: DB_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: directus-postgresql-18-cluster-app name: directus-postgresql-17-cluster-app
key: user key: user
- name: DB_PASSWORD - name: DB_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: directus-postgresql-18-cluster-app name: directus-postgresql-17-cluster-app
key: password key: password
- name: SYNCHRONIZATION_STORE - name: SYNCHRONIZATION_STORE
value: redis value: redis
@@ -153,69 +153,62 @@ directus:
port: 80 port: 80
targetPort: 8055 targetPort: 8055
protocol: TCP protocol: TCP
serviceMonitor: cloudflared-directus:
main: name: cloudflared-directus
selector: existingSecretName: directus-cloudflared-secret
matchLabels: postgres-17-cluster:
app.kubernetes.io/name: directus
app.kubernetes.io/instance: directus
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: http
interval: 30s
scrapeTimeout: 15s
path: /metrics
bearerTokenSecret:
name: directus-metric-token
key: metric-token
postgres-18-cluster:
mode: recovery mode: recovery
cluster:
storage:
storageClass: local-path
walStorage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: true
recovery: recovery:
method: objectStore method: objectStore
objectStore: objectStore:
destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-17-cluster
endpointURL: http://garage-main.garage:3900
index: 1 index: 1
endpointCredentials: directus-postgresql-17-cluster-backup-secret-garage
backup: backup:
objectStore: objectStore:
- name: garage-local - name: external
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/directus/directus-postgresql-17-cluster
index: 1 index: 1
destinationBucket: postgres-backups retentionPolicy: "30d"
externalSecretCredentialPath: /garage/home-infra/postgres-backups isWALArchiver: false
- name: garage-local
destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-17-cluster
index: 1
endpointURL: http://garage-main.garage:3900
endpointCredentials: directus-postgresql-17-cluster-backup-secret-garage
endpointCredentialsIncludeRegion: true
retentionPolicy: "3d"
isWALArchiver: true isWALArchiver: true
# - name: garage-remote # - name: garage-remote
# destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-17-cluster
# index: 1 # index: 1
# destinationBucket: postgres-backups # endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
# externalSecretCredentialPath: /garage/home-infra/postgres-backups # endpointCredentials: directus-postgresql-17-cluster-backup-secret-garage
# retentionPolicy: "90d" # retentionPolicy: "30d"
# data: # data:
# compression: bzip2 # compression: bzip2
# - name: external # jobs: 2
# index: 1
# endpointURL: https://nyc3.digitaloceanspaces.com
# destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# isWALArchiver: false
scheduledBackups: scheduledBackups:
- name: daily-backup
suspend: false
schedule: "0 0 0 * * *"
backupName: external
- name: live-backup - name: live-backup
suspend: false suspend: false
immediate: true immediate: true
schedule: "0 0 0 * * *" schedule: "0 0 0 * * *"
backupName: garage-local backupName: garage-local
# - name: weekly-backup # - name: weekly-backup
# suspend: true # suspend: false
# immediate: true
# schedule: "0 0 4 * * SAT" # schedule: "0 0 4 * * SAT"
# backupName: garage-remote # backupName: garage-remote
# - name: daily-backup
# suspend: true
# immediate: true
# schedule: "0 0 0 * * *"
# backupName: external
redis-replication:
existingSecret:
enabled: true
name: directus-redis-config
key: password
redisReplication:
clusterSize: 3
sentinel:
enabled: true

3
clusters/cl01tl/helm/elastic-operator/Chart.yaml
View File

@@ -18,5 +18,4 @@ dependencies:
version: 3.2.0 version: 3.2.0
repository: https://helm.elastic.co repository: https://helm.elastic.co
icon: https://helm.elastic.co/icons/eck.png icon: https://helm.elastic.co/icons/eck.png
# renovate: github=elastic/cloud-on-k8s appVersion: 1.26.0
appVersion: v3.2.0

8
clusters/cl01tl/helm/element-web/Chart.lock
View File

@@ -1,9 +1,9 @@
dependencies: dependencies:
- name: element-web - name: element-web
repository: https://ananace.gitlab.io/charts repository: https://ananace.gitlab.io/charts
version: 1.4.27 version: 1.4.24
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.6 version: 1.23.0
digest: sha256:b8b4e36fb88254e7575bd3aff60721fbf44a13af33eff949b6bc011facfcec62 digest: sha256:05aa032adca6d808215d6dcd5d7e38b821a740a53868238f79adaa606444b3ae
generated: "2026-01-08T23:02:24.62763032Z" generated: "2025-11-30T21:05:30.356497-06:00"

Some files were not shown because too many files have changed in this diff Show More