alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 3 Actions Activity

Compare commits

base: alexlebens:main
Branches Tags
alexlebens:main alexlebens:renovate/docker.io-postgres-18.x alexlebens:renovate/php-8.x alexlebens:auto/update-manifests alexlebens:manifests
..
compare: alexlebens:auto/update-manifests
Branches Tags
alexlebens:renovate/docker.io-postgres-18.x alexlebens:renovate/php-8.x alexlebens:auto/update-manifests alexlebens:main alexlebens:manifests

22 Commits
main ... auto/updat

Author SHA1 Message Date
gitea-bot
68fe594156 chore: Update manifests after change 2025-12-02 11:02:01 +00:00
gitea-bot
84c4d2f809 Automated Manifest Update (#2179) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2179
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-02 05:19:15 +00:00
gitea-bot
d9d069228a Automated Manifest Update (#2177) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2177
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-02 04:36:29 +00:00
gitea-bot
3cb434b703 Automated Manifest Update (#2176) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2176
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-02 04:13:11 +00:00
gitea-bot
2667aca6cf Automated Manifest Update (#2175) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2175
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-02 03:14:01 +00:00
gitea-bot
693da9f62c Automated Manifest Update (#2174) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2174
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-02 02:23:24 +00:00
gitea-bot
726ef7e0ac Automated Manifest Update (#2173) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2173
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-02 01:49:15 +00:00
gitea-bot
f39fda9f14 Automated Manifest Update (#2172) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2172
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-02 01:40:19 +00:00
gitea-bot
15b191f7e4 Automated Manifest Update (#2170) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2170
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-02 00:35:06 +00:00
gitea-bot
930eaeb591 Automated Manifest Update: 2025-12-01 (#2169) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2169
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-01 22:05:54 +00:00
gitea-bot
dde7978b9d Automated Manifest Update: 2025-12-01 (#2167) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2167
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-01 22:00:44 +00:00
gitea-bot
5780cc4285 Automated Manifest Update: 2025-12-01 (#2165) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2165
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-01 21:39:35 +00:00
gitea-bot
2f8dc0a4f1 Automated Manifest Update: 2025-12-01 (#2164) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2164
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-01 21:34:28 +00:00
gitea-bot
15f8bbafef Automated Manifest Update: 2025-12-01 (#2163) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2163
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-01 21:20:16 +00:00
gitea-bot
1b8baba160 Automated Manifest Update: 2025-12-01 (#2162) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2162
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-01 21:10:30 +00:00
Alex Lebens
a26bec0c3f update ignore 2025-12-01 15:04:23 -06:00
gitea-bot
d9c80085aa Automated Manifest Update: 2025-12-01 (#2157) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2157
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-01 04:13:13 +00:00
gitea-bot
5ac696fd05 Automated Manifest Update: 2025-12-01 (#2155) 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #2155
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
 2025-12-01 00:18:33 +00:00
Alex Lebens
ccf87c8c73 update ignore 2025-11-30 15:28:43 -06:00
Alex Lebens
7f5acc4c4a add gitignore 2025-11-30 14:36:15 -06:00
Alex Lebens
50d21807cc remove all 2025-11-29 22:04:11 -06:00
Alex Lebens
f74d526f87 remove all 2025-11-29 21:48:56 -06:00
794 changed files with 286704 additions and 35302 deletions
Expand all files Collapse all files

86
.gitea/workflows/lint-test-docker-pull.yaml
View File

@@ -1,86 +0,0 @@
name: lint-test-docker
on:
pull_request:
branches:
- main
paths:
- 'hosts/**'
jobs:
docker-lint:
runs-on: ubuntu-js
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Check Branch Exists
id: check-branch-exists
uses: GuillaumeFalourd/branch-exists@v1.1
with:
branch: "${{ github.base_ref }}"
- name: Branch Does Not Exist
if: steps.check-branch-exists.outputs.exists == 'false'
run: echo "Branch ${{ github.base_ref }} was not found, likely already merged"
- name: Set up Node.js
if: steps.check-branch-exists.outputs.exists == 'true'
uses: actions/setup-node@v6
with:
node-version: '24'
- name: Lint Docker Compose
if: steps.check-branch-exists.outputs.exists == 'true'
run: |
set -e # Exit immediately if a command exits with a non-zero status.
TARGET_BRANCH="origin/${{ github.base_ref }}"
echo ">> Target branch for diff is: $TARGET_BRANCH"
CHANGED_FILES=$(git diff --name-only "$TARGET_BRANCH" -- 'hosts/**')
echo ">> Found changed files:"
echo "$CHANGED_FILES"
# For each changed file, find its parent chart directory (the one with compose.yaml).
# Then, create a unique list of those directories.
CHANGED_COMPOSE=$(echo "$CHANGED_FILES" | while read -r file; do
dir=$(dirname "$file")
while [[ "$dir" != "." && ! -f "$dir/compose.yaml" ]]; do
dir=$(dirname "$dir")
done
if [[ "$dir" != "." ]]; then
echo "$dir"
fi
done | sort -u)
if [[ -z "$CHANGED_COMPOSE" ]]; then
echo ">> Could not determine changed compose files. This will happen if only files outside a compose file were changed."
exit 0
fi
echo ">> Running dclint on changed compose files:"
echo "$CHANGED_COMPOSE"
echo "$CHANGED_COMPOSE" | while read -r compose; do
echo ">> Linting $compose ..."
npx dclint $compose
done
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: '${{ secrets.NTFY_URL }}'
topic: '${{ secrets.NTFY_TOPIC }}'
title: 'Test Failure - Infrastructure'
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: 'Docker linting on Pull Request for Infrastructure has failed!'
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-docker-pull.yaml", "clear": true}]'
image: true

74
.gitea/workflows/lint-test-docker-push.yaml
View File

@@ -1,74 +0,0 @@
name: lint-test-docker
on:
push:
branches:
- main
paths:
- 'hosts/**'
jobs:
docker-lint:
runs-on: ubuntu-js
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Set up Node.js
uses: actions/setup-node@v6
with:
node-version: '24'
- name: Lint Docker Compose
run: |
set -e # Exit immediately if a command exits with a non-zero status.
TARGET_BRANCH="origin/main"
echo ">> Target branch for diff is: $TARGET_BRANCH"
CHANGED_FILES=$(git diff --name-only "$TARGET_BRANCH" -- 'hosts/**')
echo ">> Found changed files:"
echo "$CHANGED_FILES"
# For each changed file, find its parent chart directory (the one with compose.yaml).
# Then, create a unique list of those directories.
CHANGED_COMPOSE=$(echo "$CHANGED_FILES" | while read -r file; do
dir=$(dirname "$file")
while [[ "$dir" != "." && ! -f "$dir/compose.yaml" ]]; do
dir=$(dirname "$dir")
done
if [[ "$dir" != "." ]]; then
echo "$dir"
fi
done | sort -u)
if [[ -z "$CHANGED_COMPOSE" ]]; then
echo ">> Could not determine changed compose files. This will happen if only files outside a compose file were changed."
exit 0
fi
echo ">> Running dclint on changed compose files:"
echo "$CHANGED_COMPOSE"
echo "$CHANGED_COMPOSE" | while read -r compose; do
echo ">> Linting $compose ..."
npx dclint $compose
done
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: '${{ secrets.NTFY_URL }}'
topic: '${{ secrets.NTFY_TOPIC }}'
title: 'Test Failure - Infrastructure'
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: 'Docker linting on Push for Infrastructure has failed!'
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-docker-push.yaml", "clear": true}]'
image: true

94
.gitea/workflows/lint-test-helm-pull.yaml
View File

@@ -1,94 +0,0 @@
name: lint-test-helm
on:
pull_request:
branches:
- main
paths:
- 'clusters/**'
jobs:
helm-lint:
runs-on: ubuntu-js
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Check Branch Exists
id: check-branch-exists
uses: GuillaumeFalourd/branch-exists@v1.1
with:
branch: ${{ github.base_ref }}
- name: Branch Does Not Exist
if: steps.check-branch-exists.outputs.exists == 'false'
run: echo "Branch ${{ github.base_ref }} was not found, likely already merged"
- name: Set up Helm
if: steps.check-branch-exists.outputs.exists == 'true'
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.19.2
- name: Lint Helm Chart
if: steps.check-branch-exists.outputs.exists == 'true'
run: |
set -e # Exit immediately if a command exits with a non-zero status.
TARGET_BRANCH="origin/${{ github.base_ref }}"
echo ">> Target branch for diff is: $TARGET_BRANCH"
CHANGED_FILES=$(git diff --name-only "$TARGET_BRANCH" -- 'clusters/**')
echo ">> Found changed files:"
echo "$CHANGED_FILES"
# For each changed file, find its parent chart directory (the one with Chart.yaml).
# Then, create a unique list of those directories.
CHANGED_CHARTS=$(echo "$CHANGED_FILES" | while read -r file; do
dir=$(dirname "$file")
while [[ "$dir" != "." && ! -f "$dir/Chart.yaml" ]]; do
dir=$(dirname "$dir")
done
if [[ "$dir" != "." ]]; then
echo "$dir"
fi
done | sort -u)
if [[ -z "$CHANGED_CHARTS" ]]; then
echo ">> Could not determine changed charts. This could happen if only files outside a chart were changed."
exit 0
fi
echo ">> Running helm lint on changed charts:"
echo "$CHANGED_CHARTS"
echo "$CHANGED_CHARTS" | while read -r chart; do
helm dependency list --max-col-width 120 $chart 2> /dev/null \
| tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do echo "$cmd" | sh; done || true
echo ">> Building dependency for "$chart" ..."
helm dependency build "$chart"
echo ">> Linting $chart..."
helm lint "$chart"
done
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: '${{ secrets.NTFY_URL }}'
topic: '${{ secrets.NTFY_TOPIC }}'
title: 'Test Failure - Infrastructure'
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: 'Helm linting on Pull Request for Infrastructure has failed!'
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-helm-pull.yaml", "clear": true}]'
image: true

80
.gitea/workflows/lint-test-helm-push.yaml
View File

@@ -1,80 +0,0 @@
name: lint-test-helm
on:
push:
branches:
- main
paths:
- 'clusters/**'
jobs:
helm-lint:
runs-on: ubuntu-js
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Set up Helm
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.19.2
- name: Lint Helm Chart
run: |
TARGET_BRANCH="origin/main"
echo ">> Target branch for diff is: $TARGET_BRANCH"
CHANGED_FILES=$(git diff --name-only "$TARGET_BRANCH" -- 'clusters/**')
echo ">> Found changed files:"
echo "$CHANGED_FILES"
# For each changed file, find its parent chart directory (the one with Chart.yaml).
# Then, create a unique list of those directories.
CHANGED_CHARTS=$(echo "$CHANGED_FILES" | while read -r file; do
dir=$(dirname "$file")
while [[ "$dir" != "." && ! -f "$dir/Chart.yaml" ]]; do
dir=$(dirname "$dir")
done
if [[ "$dir" != "." ]]; then
echo "$dir"
fi
done | sort -u)
if [[ -z "$CHANGED_CHARTS" ]]; then
echo ">> Could not determine changed charts. This could happen if only files outside a chart were changed."
exit 0
fi
echo ">> Running helm lint on changed charts:"
echo "$CHANGED_CHARTS"
echo "$CHANGED_CHARTS" | while read -r chart; do
helm dependency list --max-col-width 120 $chart 2> /dev/null \
| tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do echo "$cmd" | sh; done || true
echo ">> Building dependency for "$chart" ..."
helm dependency build "$chart"
echo ">> Linting $chart..."
helm lint "$chart"
done
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: '${{ secrets.NTFY_URL }}'
topic: '${{ secrets.NTFY_TOPIC }}'
title: 'Test Failure - Infrastructure'
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: 'Helm linting on Push for Infrastructure has failed!'
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-helm-push.yaml", "clear": true}]'
image: true

343
.gitea/workflows/render-manifests.yaml
View File

@@ -1,343 +0,0 @@
name: render-manifests
on:
push:
branches:
- main
paths:
- 'clusters/cl01tl/helm/**'
workflow_dispatch:
env:
CLUSTER: cl01tl
BASE_BRANCH: manifests
BRANCH_NAME: auto/update-manifests
ASSIGNEE: alexlebens
MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
jobs:
render-manifests:
runs-on: ubuntu-js
steps:
- name: Checkout Main
uses: actions/checkout@v6
with:
path: infrastructure
fetch-depth: 0
- name: Checkout Manifests
uses: actions/checkout@v6
with:
ref: manifests
path: infrastructure-manifests
- name: Set up Helm
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
- name: Prepare Manifest Branch
run: |
cd ${MANIFEST_DIR}
echo ">> Configure git to use gitea-bot as user ..."
git config user.name "gitea-bot"
git config user.email "gitea-bot@alexlebens.net"
echo ">> Checking if PR branch exists ..."
if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
git fetch origin "${BRANCH_NAME}"
git checkout "${BRANCH_NAME}"
git pull --rebase
else
echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
git checkout -b $BRANCH_NAME
fi
- name: Check which Directories have Changes
id: check-dir-changes
run: |
cd ${MAIN_DIR}
GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep "clusters/cl01tl/helm/")
CHANGED_DIR=()
echo ">> Checking for changes .."
echo "$GIT_DIFF"
if [ -n $GIT_DIFF ]; then
echo ">> Changes detected"
for path in $GIT_DIFF; do
CHANGED_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
done
echo ">> Changes Directories:"
echo "$(printf "%s\n" "$CHANGED_DIR" | sort -u)"
echo "changes-detected=true" >> $GITEA_OUTPUT
echo "changed-dir=$(printf "%s\n" "$CHANGED_DIR" | sort -u)" >> $GITEA_OUTPUT
else
echo ">> No changes detected, skipping rendering"
exit 0
fi
- name: Add Repositories
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
CHANGED_DIR: ${{ steps.check-dir-changes.outputs.changed-dir }}
run: |
cd ${MAIN_DIR}
echo ">> Adding repositories for chart dependencies ..."
for dir in ${CHANGED_DIR}; do
helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do echo "$cmd" | sh; done || true
done
- name: Remove Changed Manifest Files
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
CHANGED_DIR: ${{ steps.check-dir-changes.outputs.changed-dir }}
run: |
cd ${MANIFEST_DIR}
echo ">> Remove manfiest files and rebuild from source ..."
for dir in ${CHANGED_DIR}; do
chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
echo ">> Removing from $chart_path ..."
rm -rf $chart_path/*
done
- name: Render Helm Manifests
id: render-manifests
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
CHANGED_DIR: ${{ steps.check-dir-changes.outputs.changed-dir }}
run: |
cd ${MAIN_DIR}
echo ">> Rendering Manifests ..."
for dir in ${CHANGED_DIR}; do
chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
chart_name=$(basename "$chart_path")
echo ">> Rendering chart: $chart_name"
echo ">> Chart path $chart_path"
if [ -f "$chart_path/Chart.yaml" ]; then
mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
OUTPUT_FILE="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/$chart_name.yaml"
cd $chart_path
echo ""
echo ">> Building helm dependency ..."
helm dependency build
echo ""
echo ">> Linting helm ..."
helm lint --namespace "$chart_name"
echo ""
echo ">> Rendering templates ..."
helm template "$chart_name" ./ --namespace "$chart_name" --include-crds > "$OUTPUT_FILE"
echo ""
echo ">> Manifests for $chart_name rendered to $OUTPUT_FILE"
echo ""
else
echo ""
echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
echo ""
fi
done
- name: Check for Changes
id: check-changes
if: steps.check-dir-changes.outputs.changes-detected == 'true'
run: |
cd ${MANIFEST_DIR}
if git status --porcelain | grep -q .; then
echo ">> Changes detected"
git status --porcelain
echo "changes-detected=true" >> $GITEA_OUTPUT
else
echo ">> No changes detected, skipping PR creation"
exit 0
fi
- name: Commit and Push Changes
id: commit-push
if: steps.check-changes.outputs.changes-detected == 'true'
run: |
cd ${MANIFEST_DIR}
echo ">> Commiting changes to ${BRANCH_NAME} ..."
git add .
git commit -m "chore: Update manifests after change"
echo ">> Pushing changes to $REPO_URL ..."
REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
echo "push=true" >> $GITEA_OUTPUT
- name: Check for Pull Request
id: check-for-pull-requst
if: steps.commit-push.outputs.push == 'true'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${BASE_BRANCH}/${HEAD_BRANCH}"
echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
HTTP_STATUS=$(
curl -X GET \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .state)" == "open" ]; then
echo ">> Pull Request has been found open, will update"
PR_INDEX=$(cat response_body.json | jq -r .number)
echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
echo "pull-request-index=true" >> $GITEA_OUTPUT
else
echo ">> Pull Request not found"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
fi
- name: Create Pull Request
id: create-pull-request
if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
PAYLOAD=$( jq -n \
--arg head "${HEAD_BRANCH}" \
--arg base "${BASE_BRANCH}" \
--arg assignee "${ASSIGNEE}" \
--arg title "Automated Manifest Update" \
--arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
'{head: $head, base: $base, assignee: $assignee, title: $title, body: $body'} )
echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
echo ">> With Payload of:"
echo "$PAYLOAD"
HTTP_STATUS=$(
curl -X POST \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
--data "$PAYLOAD" \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "201" ]; then
echo ">> Pull Request created successfully!"
PR_URL=$(cat response_body.json | jq -r .html_url)
echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
echo "pull-request-operation=created" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "422" ]; then
echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
else
echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
exit 1
fi
- name: Cleanup Branch
if: failure() && steps.create-pull-request.outcome == 'failure'
env:
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
echo ">> Removing branch: ${HEAD_BRANCH}"
git push origin --delete ${HEAD_BRANCH}
- name: ntfy Created
uses: niniyas/ntfy-action@master
if: steps.create-pull-request.outputs.pull-request-operation == 'created'
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render PR Created - Infrastructure"
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed
details: "Manifest rendering for Infrastructure has created a new Pull Request!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render Failure - Infrastructure"
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: "Manifest rendering for Infrastructure has failed!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
image: true

32
.gitea/workflows/renovate.yaml
View File

@@ -1,32 +0,0 @@
name: renovate
on:
schedule:
- cron: "@hourly"
push:
branches:
- main
workflow_dispatch:
jobs:
renovate:
runs-on: ubuntu-latest
container: ghcr.io/renovatebot/renovate:42
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Renovate
run: renovate
env:
RENOVATE_PLATFORM: gitea
RENOVATE_ENDPOINT: ${{ vars.INSTANCE_URL }}
RENOVATE_REPOSITORIES: alexlebens/infrastructure
RENOVATE_GIT_AUTHOR: Renovate Bot <renovate-bot@alexlebens.net>
LOG_LEVEL: info
RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
RENOVATE_GIT_PRIVATE_KEY: ${{ secrets.RENOVATE_GIT_PRIVATE_KEY }}
RENOVATE_GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}
RENOVATE_REDIS_URL: ${{ vars.RENOVATE_REDIS_URL }}

3
.gitignore vendored
View File

@@ -1,3 +1,4 @@
.gitignore
/**/archive/
/**/charts/
/**/manifests/
/**/helm/

15
.pre-commit-config.yaml
View File

@@ -1,15 +0,0 @@
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v2.3.0
hooks:
- id: end-of-file-fixer
- id: trailing-whitespace
- id: check-added-large-files
- id: check-yaml
exclude: '^.*\/templates\/.*$'
args:
- --multi
- repo: https://github.com/IamTheFij/docker-pre-commit
rev: v2.0.0
hooks:
- id: docker-compose-check

201
LICENSE
View File

@@ -1,201 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

7
README.md
View File

@@ -1,7 +0,0 @@
# alexlebens.net
GitOps definied infrastrucutre for the alexlebens.net domain.
## License
This project is licensed under the terms of the Apache 2.0 License license.

21
clusters/cl01tl/deployment/argocd/Chart.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: v2
name: argocd
version: 1.0.0
description: Argo CD
keywords:
- argo-cd
- delivery
- deployment
- gitops
home: https://wiki.alexlebens.dev/s/8a75cf26-b9df-437e-9cc5-2ef47e871a5f
sources:
- https://github.com/argoproj/argo-cd
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
maintainers:
- name: alexlebens
dependencies:
- name: argo-cd
version: 9.1.5
repository: https://argoproj.github.io/argo-helm
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
appVersion: 3.0.0

88
clusters/cl01tl/deployment/argocd/templates/external-secret.yaml
View File

@@ -1,88 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argocd-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argocd-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd
metadataPolicy: None
property: secret
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argocd-notifications-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argocd-notifications-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ntfy-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /ntfy/user/cl01tl
metadataPolicy: None
property: token
# ---
# apiVersion: external-secrets.io/v1
# kind: ExternalSecret
# metadata:
# name: argocd-gitea-repo-infrastructure-secret
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# secretStoreRef:
# kind: ClusterSecretStore
# name: vault
# data:
# - secretKey: type
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/argocd/credentials/repo/infrastructure
# metadataPolicy: None
# property: type
# - secretKey: url
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/argocd/credentials/repo/infrastructure
# metadataPolicy: None
# property: url
# - secretKey: sshPrivateKey
# remoteRef:
# conversionStrategy: Default
# decodingStrategy: None
# key: /cl01tl/argocd/credentials/repo/infrastructure
# metadataPolicy: None
# property: sshPrivateKey

28
clusters/cl01tl/deployment/argocd/templates/http-route.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-argocd
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-argocd
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- argocd.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: argocd-server
port: 80
weight: 100

302
clusters/cl01tl/deployment/argocd/values.yaml
View File

@@ -1,302 +0,0 @@
argo-cd:
crds:
install: true
configs:
cm:
admin.enabled: true
timeout.reconciliation: 100s
timeout.reconciliation.jitter: 60s
url: https://argocd.alexlebens.net
statusbadge.url: https://argocd.alexlebens.net/
statusbadge.enabled: true
dex.config: |
connectors:
- config:
issuer: https://authentik.alexlebens.net/application/o/argocd/
clientID: $argocd-oidc-secret:client
clientSecret: $argocd-oidc-secret:secret
insecureEnableGroups: true
scopes:
- openid
- profile
- email
name: authentik
type: oidc
id: authentik
params:
server.insecure: true
rbac:
policy.csv: |
g, ArgoCD Admins, role:admin
cmp:
create: true
plugins:
cdk8s:
init:
command: [cdk8s]
args: [import]
generate:
command: [cdk8s, synth]
args: [--stdout]
discover:
fileName: "*.go"
controller:
replicas: 1
metrics:
enabled: true
serviceMonitor:
enabled: true
dex:
enabled: true
metrics:
enabled: true
serviceMonitor:
enabled: true
livenessProbe:
enabled: true
readinessProbe:
enabled: true
redis-ha:
enabled: true
auth: false
redisSecretInit:
enabled: true
server:
replicas: 2
extensions:
enabled: true
extensionList:
- name: extension-trivy
env:
- name: EXTENSION_URL
value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy.tar
- name: EXTENSION_CHECKSUM_URL
value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy_checksums.txt
metrics:
enabled: true
serviceMonitor:
enabled: true
ingress:
enabled: false
repoServer:
replicas: 2
extraContainers:
- name: cmp-cdk8s
command:
- /var/run/argocd/argocd-cmp-server
image: ghcr.io/akuity/cdk8s-cmp-typescript:1.0
securityContext:
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /home/argocd/cmp-server/config/plugin.yaml
subPath: cdk8s.yaml
name: argocd-cmp-cm
- mountPath: /tmp
name: cmp-tmp
volumes:
- name: argocd-cmp-cm
configMap:
name: argocd-cmp-cm
- name: cmp-tmp
emptyDir: {}
metrics:
enabled: true
serviceMonitor:
enabled: true
applicationSet:
replicas: 2
metrics:
enabled: true
serviceMonitor:
enabled: true
livenessProbe:
enabled: true
readinessProbe:
enabled: true
notifications:
enabled: true
context:
argocdUrl: https://argocd.alexlebens.net
secret:
create: false
name: argocd-notifications-secret
metrics:
enabled: true
serviceMonitor:
enabled: true
notifiers:
service.webhook.ntfy: |
url: http://ntfy.ntfy/
headers:
- name: Authorization
value: Bearer $ntfy-token
livenessProbe:
enabled: true
readinessProbe:
enabled: true
subscriptions:
- recipients:
- ntfy
triggers:
- on-created
- on-deleted
- on-deployed
- on-health-degraded
- on-sync-failed
- on-sync-running
- on-sync-status-unknown
- on-sync-succeeded
templates:
template.app-created: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} has been created.",
"title": "Created: {{.app.metadata.name}}",
"tags": ["building_construction"],
"priority": 4,
"click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
}
template.app-deleted: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} has been deleted",
"title": "Deleted: {{.app.metadata.name}}",
"tags": ["warning"],
"priority": 4,
"click": "{{.context.argocdUrl}}"
}
template.app-deployed: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} is now running new version of deployments manifests",
"title": "Deployed: {{.app.metadata.name}}",
"tags": ["+1"],
"priority": 3,
"click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
}
template.app-health-degraded: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} health has degraded",
"title": "Degraded: {{.app.metadata.name}}",
"tags": ["rotating_light"],
"priority": 4,
"click": "{{.context.argocdUrl}}/applications/argocd/{{.app.metadata.name}}"
}
template.app-sync-failed: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} sync has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}}",
"title": "Sync Failed: {{.app.metadata.name}}",
"tags": ["rotating_light"],
"priority": 4,
"click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
}
template.app-sync-running: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} sync has started at {{.app.status.operationState.startedAt}}",
"title": "Sync Running: {{.app.metadata.name}}",
"tags": ["runner"],
"priority": 3,
"click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
}
template.app-sync-status-unknown: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} sync status is unknown",
"title": "Sync Unknown: {{.app.metadata.name}}",
"tags": ["question"],
"priority": 3,
"click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}"
}
template.app-sync-succeeded: |
webhook:
ntfy:
method: POST
body: |
{
"topic": "argocd",
"message": "{{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}",
"title": "Sync Succeeded: {{.app.metadata.name}}",
"tags": ["+1"],
"priority": 3,
"click": "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
}
triggers:
trigger.on-created: |
- description: Application {{.app.metadata.name}} has been created.
oncePer: app.metadata.name
send:
- app-created
when: "true"
trigger.on-deleted: |
- description: Application {{.app.metadata.name}} has been deleted.
oncePer: app.metadata.name
send:
- app-deleted
when: app.metadata.deletionTimestamp != nil
trigger.on-deployed: |
- description: Application is synced and healthy. Triggered once per commit.
oncePer: app.status.operationState.syncResult.revision
send:
- app-deployed
when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'
trigger.on-health-degraded: |
- description: Application has degraded
send:
- app-health-degraded
when: app.status.health.status == 'Degraded' and time.Now().Sub(time.Parse(app.status.health.lastTransitionTime).Minutes() >= 15
trigger.on-sync-failed: |
- description: Application syncing has failed
send:
- app-sync-failed
when: app.status.operationState.phase in ['Error', 'Failed']
trigger.on-sync-running: |
- description: Application is being synced
send:
- app-sync-running
when: app.status.operationState.phase in ['Running']
trigger.on-sync-status-unknown: |
- description: Application status is 'Unknown'
send:
- app-sync-status-unknown
when: app.status.sync.status == 'Unknown'
trigger.on-sync-succeeded: |
- description: Application syncing has succeeded
send:
- app-sync-succeeded
when: app.status.operationState.phase in ['Succeeded']

16
clusters/cl01tl/deployment/stack/Chart.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: v2
name: stack
version: 1.0.0
description: Stack
keywords:
- argo-cd
- stack
- deployment
home: https://wiki.alexlebens.dev/s/0c2d1896-710d-4972-9bc8-08d71987428a
sources:
- https://github.com/argoproj/argo-cd
- https://gitea.alexlebens.dev/alexlebens/infrastructure
maintainers:
- name: alexlebens
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
appVersion: 1.0.0

59
clusters/cl01tl/deployment/stack/templates/application-set.yaml
View File

@@ -1,59 +0,0 @@
{{- range $index, $stack := .Values.applicationSet }}
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: {{ $stack.name }}
namespace: {{ $.Release.Namespace }}
labels:
app.kubernetes.io/name: {{ $stack.name }}
app.kubernetes.io/instance: {{ $stack.name }}
app.kubernetes.io/part-of: {{ $.Release.Name }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
syncPolicy:
applicationsSync: create-update
preserveResourcesOnDeletion: true
generators:
- git:
repoURL: {{ $.Values.git.repo }}
revision: {{ $.Values.git.revision }}
directories:
- path: "clusters/{{ $.Values.cluster.name }}/{{ $stack.name }}/*"
template:
metadata:
name: '{{ `{{path.basename}}` }}'
spec:
destination:
name: in-cluster
namespace: '{{ $stack.namespace | default `{{path.basename}}` }}'
project: default
revisionHistoryLimit: 3
source:
repoURL: {{ $.Values.git.repo }}
targetRevision: {{ $.Values.git.revision }}
path: '{{ `{{path}}` }}'
helm:
releaseName: "{{ `{{path.basename}}` }}"
{{- if $stack.ignoreDifferences }}
ignoreDifferences:
{{- toYaml $stack.ignoreDifferences | nindent 8 }}
{{ end }}
syncPolicy:
automated:
prune: {{ $stack.syncPolicy.automated.prune | default false }}
selfHeal: {{ $stack.syncPolicy.automated.selfHeal | default false }}
retry:
limit: 3
backoff:
duration: 1m
factor: 2
maxDuration: 15m
syncOptions:
- CreateNamespace={{ $stack.syncPolicy.syncOptions.createNamespace | default true }}
- ApplyOutOfSyncOnly={{ $stack.syncPolicy.syncOptions.applyOutOfSyncOnly | default true }}
- ServerSideApply={{ $stack.syncPolicy.syncOptions.serverSideApply | default true }}
- PruneLast={{ $stack.syncPolicy.syncOptions.pruneLast | default true }}
- RespectIgnoreDifferences={{ $stack.syncPolicy.syncOptions.respectIgnoreDifferences | default true }}
{{- end }}

192
clusters/cl01tl/deployment/stack/templates/application.yaml
View File

@@ -1,192 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cilium
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: cilium
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.git.repo }}
targetRevision: {{ .Values.git.revision }}
path: clusters/{{ .Values.cluster.name }}/standalone/cilium
destination:
name: in-cluster
namespace: kube-system
revisionHistoryLimit: 3
ignoreDifferences:
- group: monitoring.coreos.com
kind: ServiceMonitor
jqPathExpressions:
- .spec.endpoints[]?.relabelings[]?.action
syncPolicy:
automated:
prune: true
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
- RespectIgnoreDifferences=true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: coredns
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: coredns
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.git.repo }}
targetRevision: {{ .Values.git.revision }}
path: clusters/{{ .Values.cluster.name }}/standalone/coredns
destination:
name: in-cluster
namespace: kube-system
revisionHistoryLimit: 10
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metrics-server
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: metrics-server
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.git.repo }}
targetRevision: {{ .Values.git.revision }}
path: clusters/{{ .Values.cluster.name }}/standalone/metrics-server
destination:
name: in-cluster
namespace: kube-system
revisionHistoryLimit: 3
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kubelet-serving-cert-approver
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kubelet-serving-cert-approver
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.git.repo }}
targetRevision: {{ .Values.git.revision }}
path: clusters/{{ .Values.cluster.name }}/standalone/kubelet-serving-cert-approver
destination:
name: in-cluster
namespace: kubelet-serving-cert-approver
revisionHistoryLimit: 3
syncPolicy:
automated:
prune: true
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prometheus-operator-crds
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: prometheus-operator-crds
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.git.repo }}
targetRevision: {{ .Values.git.revision }}
path: clusters/{{ .Values.cluster.name }}/standalone/prometheus-operator-crds
destination:
name: in-cluster
namespace: kube-system
revisionHistoryLimit: 3
syncPolicy:
automated:
prune: true
selfHeal: false
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true

27
clusters/cl01tl/deployment/stack/values.yaml
View File

@@ -1,27 +0,0 @@
cluster:
name: cl01tl
git:
# repo: git@github.com:alexlebens/infrastructure.git
# repo: https://github.com/alexlebens/infrastructure.git
repo: http://gitea-http.gitea:3000/alexlebens/infrastructure
# repo: ssh://git@gitea-ssh.gitea/alexlebens/infrastructure
revision: HEAD
applicationSet:
- name: deployment
namespace: argocd
syncPolicy:
automated:
prune: true
syncOptions:
serverSideApply: true
- name: storage
ignoreDifferences:
- group: ""
kind: Service
jqPathExpressions:
- .spec.externalName
syncPolicy:
automated:
prune: true
syncOptions:
serverSideApply: true

6
clusters/cl01tl/helm/actual/Chart.lock
View File

@@ -1,6 +0,0 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.4.0
digest: sha256:b5d823171e1b4dc1d3856f782f0c67cbb5d49e4fa170df2f21b06303c7aff7f5
generated: "2025-11-30T21:05:19.732832-06:00"

21
clusters/cl01tl/helm/actual/Chart.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: v2
name: actual
version: 1.0.0
description: Actual
keywords:
- actual
- budget
home: https://wiki.alexlebens.dev/s/86192f45-94b7-45de-872c-6ef3fec7df5e
sources:
- https://github.com/actualbudget/actual
- https://github.com/actualbudget/actual/pkgs/container/actual
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: actual
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.4.0
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
appVersion: 25.11.0

55
clusters/cl01tl/helm/actual/templates/external-secret.yaml
View File

@@ -1,55 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: actual-data-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: actual-data-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/actual/actual-data"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: S3_BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: access_key
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: secret_key

28
clusters/cl01tl/helm/actual/templates/http-route.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-actual
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-actual
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- actual.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: actual
port: 80
weight: 100

25
clusters/cl01tl/helm/actual/templates/replication-source.yaml
View File

@@ -1,25 +0,0 @@
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: actual-data-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: actual-data-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: actual-data
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: actual-data-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot

56
clusters/cl01tl/helm/actual/values.yaml
View File

@@ -1,56 +0,0 @@
actual:
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/actualbudget/actual
tag: 25.11.0
pullPolicy: IfNotPresent
env:
- name: TZ
value: US/Central
resources:
requests:
cpu: 10m
memory: 128Mi
probes:
liveness:
enabled: true
custom: true
spec:
exec:
command:
- /usr/bin/env
- bash
- -c
- node src/scripts/health-check.js
failureThreshold: 5
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
service:
main:
controller: main
ports:
http:
port: 80
targetPort: 5006
protocol: HTTP
persistence:
data:
forceRename: actual-data
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 2Gi
retain: true
advancedMounts:
main:
main:
- path: /data
readOnly: false

12
clusters/cl01tl/helm/argo-workflows/Chart.lock
View File

@@ -1,12 +0,0 @@
dependencies:
- name: argo-workflows
repository: https://argoproj.github.io/argo-helm
version: 0.45.28
- name: argo-events
repository: https://argoproj.github.io/argo-helm
version: 2.4.17
- name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts
version: 6.16.0
digest: sha256:b00fd479a9d9e606661b3799182c8e24395b4f531f8d2bda87bdc5db16a8d66c
generated: "2025-12-01T19:55:40.18149-06:00"

31
clusters/cl01tl/helm/argo-workflows/Chart.yaml
View File

@@ -1,31 +0,0 @@
apiVersion: v2
name: argo-workflows
version: 1.0.0
description: Argo Workflows
keywords:
- argo-workflows
- argo-events
- workflows
- events
home: https://wiki.alexlebens.dev/s/a268508f-d81d-4b4b-8bd5-9058edaea635
sources:
- https://github.com/argoproj/argo-workflows
- https://github.com/argoproj/argo-events
- https://github.com/cloudnative-pg/cloudnative-pg
- https://github.com/argoproj/argo-helm/tree/main/charts
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
maintainers:
- name: alexlebens
dependencies:
- name: argo-workflows
version: 0.45.28
repository: https://argoproj.github.io/argo-helm
- name: argo-events
version: 2.4.17
repository: https://argoproj.github.io/argo-helm
- name: postgres-cluster
alias: postgres-17-cluster
version: 6.16.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
appVersion: v3.6.7

95
clusters/cl01tl/helm/argo-workflows/templates/external-secret.yaml
View File

@@ -1,95 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argo-workflows-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argo-workflows-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argo-workflows
metadataPolicy: None
property: secret
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argo-workflows
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argo-workflows-postgresql-17-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argo-workflows-postgresql-17-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: access
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argo-workflows-postgresql-17-cluster-backup-secret-garage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argo-workflows-postgresql-17-cluster-backup-secret-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
- secretKey: ACCESS_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_REGION

28
clusters/cl01tl/helm/argo-workflows/templates/http-route.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-argo-workflows
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-argo-workflows
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- argo-workflows.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: argo-workflows-server
port: 2746
weight: 100

14
clusters/cl01tl/helm/argo-workflows/templates/service.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: garage-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName

147
clusters/cl01tl/helm/argo-workflows/values.yaml
View File

@@ -1,147 +0,0 @@
argo-workflows:
controller:
metricsConfig:
enabled: true
persistence:
connectionPool:
maxIdleConns: 100
maxOpenConns: 0
nodeStatusOffLoad: true
archive: true
postgresql:
host: argo-workflows-postgresql-17-cluster-rw
port: 5432
database: app
tableName: app
userNameSecret:
name: argo-workflows-postgresql-17-cluster-app
key: username
passwordSecret:
name: argo-workflows-postgresql-17-cluster-app
key: password
ssl: false
sslMode: disable
workflowWorkers: 2
workflowTTLWorkers: 1
podCleanupWorkers: 1
cronWorkflowWorkers: 1
resources:
requests:
cpu: 10m
memory: 128Mi
serviceMonitor:
enabled: true
name: workflow-controller
workflowNamespaces:
- argocd
- argo-workflows
server:
authModes:
- sso
ingress:
enabled: false
sso:
enabled: true
issuer: https://authentik.alexlebens.net/application/o/argo-workflows/
clientId:
name: argo-workflows-oidc-secret
key: client
clientSecret:
name: argo-workflows-oidc-secret
key: secret
redirectUrl: https://argo-workflows.alexlebens.net/oauth2/callback
rbac:
enabled: false
scopes:
- openid
- email
- profile
useStaticCredentials: true
artifactRepository:
archiveLogs: false
s3: {}
# accessKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: accesskey
# secretKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: secretkey
# insecure: true
# bucket:
# endpoint:
# region:
# encryptionOptions:
# enableEncryption: true
argo-events:
controller:
resources:
requests:
cpu: 10m
memory: 128Mi
metrics:
enabled: true
serviceMonitor:
enabled: true
webhook:
enabled: true
resources:
requests:
cpu: 10m
memory: 128Mi
postgres-17-cluster:
mode: recovery
cluster:
storage:
storageClass: local-path
walStorage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: true
recovery:
method: objectStore
objectStore:
destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
endpointURL: http://garage-main.garage:3900
index: 1
endpointCredentials: argo-workflows-postgresql-17-cluster-backup-secret-garage
backup:
objectStore:
- name: external
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
index: 1
retentionPolicy: "30d"
isWALArchiver: false
- name: garage-local
destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
index: 1
endpointURL: http://garage-main.garage:3900
endpointCredentials: argo-workflows-postgresql-17-cluster-backup-secret-garage
endpointCredentialsIncludeRegion: true
retentionPolicy: "3d"
isWALArchiver: true
# - name: garage-remote
# destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
# index: 1
# endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
# endpointCredentials: argo-workflows-postgresql-17-cluster-backup-secret-garage
# endpointCredentialsIncludeRegion: true
# retentionPolicy: "30d"
# data:
# compression: bzip2
scheduledBackups:
- name: daily-backup
suspend: false
schedule: "0 0 0 * * *"
backupName: external
- name: live-backup
suspend: false
immediate: true
schedule: "0 0 0 * * *"
backupName: garage-local
# - name: weekly-backup
# suspend: true
# schedule: "0 0 4 * * SAT"
# backupName: garage-remote

6
clusters/cl01tl/helm/audiobookshelf/Chart.lock
View File

@@ -1,6 +0,0 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.4.0
digest: sha256:f3a9990542f24965fadad0b5493059b78cdc3fae91c8214577fa6f41ca5f7de3
generated: "2025-11-30T21:05:21.317114-06:00"

23
clusters/cl01tl/helm/audiobookshelf/Chart.yaml
View File

@@ -1,23 +0,0 @@
apiVersion: v2
name: audiobookshelf
version: 1.0.0
description: Audiobookshelf
keywords:
- audiobookshelf
- books
- podcasts
- audiobooks
home: https://wiki.alexlebens.dev/s/d4d6719f-cd1c-4b6e-b78e-2d2d7a5097d7
sources:
- https://github.com/advplyr/audiobookshelf
- https://github.com/advplyr/audiobookshelf/pkgs/container/audiobookshelf
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: audiobookshelf
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.4.0
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
appVersion: 2.21.0

135
clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
View File

@@ -1,135 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: audiobookshelf-apprise-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-apprise-config
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ntfy-url
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/audiobookshelf/apprise
metadataPolicy: None
property: ntfy-url
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: audiobookshelf-config-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-config-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-config"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: S3_BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: access_key
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: secret_key
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: audiobookshelf-metadata-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-metadata-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-metadata"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: S3_BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: access_key
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: secret_key

28
clusters/cl01tl/helm/audiobookshelf/templates/http-route.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-audiobookshelf
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-audiobookshelf
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- audiobookshelf.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: audiobookshelf
port: 80
weight: 100

36
clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
View File

@@ -1,36 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-nfs-storage-backup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-nfs-storage-backup
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: audiobookshelf-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

23
clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
View File

@@ -1,23 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: audiobookshelf-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac

52
clusters/cl01tl/helm/audiobookshelf/templates/replication-source.yaml
View File

@@ -1,52 +0,0 @@
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: audiobookshelf-config-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-config-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: audiobookshelf-config
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: audiobookshelf-config-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: audiobookshelf-metadata-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-metadata-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: audiobookshelf-metadata
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: audiobookshelf-metadata-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot

19
clusters/cl01tl/helm/audiobookshelf/templates/service-monitor.yaml
View File

@@ -1,19 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: audiobookshelf-apprise
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-apprise
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
endpoints:
- port: apprise
interval: 30s
scrapeTimeout: 15s
path: /metrics
selector:
matchLabels:
app.kubernetes.io/name: audiobookshelf
app.kubernetes.io/instance: {{ .Release.Name }}

94
clusters/cl01tl/helm/audiobookshelf/values.yaml
View File

@@ -1,94 +0,0 @@
audiobookshelf:
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/advplyr/audiobookshelf
tag: 2.30.0
pullPolicy: IfNotPresent
env:
- name: TZ
value: US/Central
resources:
requests:
cpu: 10m
memory: 128Mi
apprise-api:
image:
repository: caronc/apprise
tag: 1.2.6
pullPolicy: IfNotPresent
env:
- name: TZ
value: US/Central
- name: PGID
value: "1000"
- name: PUID
value: "1000"
- name: APPRISE_STORAGE_MODE
value: memory
- name: APPRISE_STATEFUL_MODE
value: disabled
- name: APPRISE_WORKER_COUNT
value: 1
- name: APPRISE_STATELESS_URLS
valueFrom:
secretKeyRef:
name: audiobookshelf-apprise-config
key: ntfy-url
resources:
requests:
cpu: 10m
memory: 128Mi
service:
main:
controller: main
ports:
http:
port: 80
targetPort: 80
protocol: HTTP
apprise:
port: 8000
targetPort: 8000
protocol: HTTP
persistence:
config:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 2Gi
retain: true
advancedMounts:
main:
main:
- path: /config
readOnly: false
metadata:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 10Gi
retain: true
advancedMounts:
main:
main:
- path: /metadata
readOnly: false
backup:
existingClaim: audiobookshelf-nfs-storage-backup
advancedMounts:
main:
main:
- path: /metadata/backups
readOnly: false
audiobooks:
existingClaim: audiobookshelf-nfs-storage
advancedMounts:
main:
main:
- path: /mnt/store/
readOnly: false

12
clusters/cl01tl/helm/authentik/Chart.lock
View File

@@ -1,12 +0,0 @@
dependencies:
- name: authentik
repository: https://charts.goauthentik.io/
version: 2025.10.2
- name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.23.0
- name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts
version: 6.16.0
digest: sha256:ad51c94c1125890ef60d179205d14c55eb9fdbc2702e3455e233042a48d00146
generated: "2025-12-01T20:25:07.016724-06:00"

35
clusters/cl01tl/helm/authentik/Chart.yaml
View File

@@ -1,35 +0,0 @@
apiVersion: v2
name: authentik
version: 1.0.0
description: Authentik
keywords:
- authentik
- sso
- oidc
- ldap
- idp
- authentication
home: https://wiki.alexlebens.dev/s/45ca5171-581f-41d2-b6fb-2b0915029a2d
sources:
- https://github.com/goauthentik/authentik
- https://github.com/cloudflare/cloudflared
- https://github.com/cloudnative-pg/cloudnative-pg
- https://github.com/goauthentik/helm
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
maintainers:
- name: alexlebens
dependencies:
- name: authentik
version: 2025.10.2
repository: https://charts.goauthentik.io/
- name: cloudflared
alias: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.23.0
- name: postgres-cluster
alias: postgres-17-cluster
version: 6.16.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
appVersion: 2025.4.1

111
clusters/cl01tl/helm/authentik/templates/external-secret.yaml
View File

@@ -1,111 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/authentik/key
metadataPolicy: None
property: key
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/authentik
metadataPolicy: None
property: token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-postgresql-17-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: access
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-postgresql-17-cluster-backup-secret-garage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
- secretKey: ACCESS_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_REGION

28
clusters/cl01tl/helm/authentik/templates/http-route.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-authentik
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- authentik.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: authentik-server
port: 80
weight: 100

29
clusters/cl01tl/helm/authentik/templates/ingress.yaml
View File

@@ -1,29 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: authentik-tailscale
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-tailscale
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
tailscale.com/proxy-class: no-metrics
annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
spec:
ingressClassName: tailscale
tls:
- hosts:
- auth-cl01tl
secretName: auth-cl01tl
rules:
- host: auth-cl01tl
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: authentik-server
port:
number: 80

32
clusters/cl01tl/helm/authentik/templates/redis-replication.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: RedisReplication
metadata:
name: redis-replication-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-authentik
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
clusterSize: 3
podSecurityContext:
runAsUser: 1000
fsGroup: 1000
kubernetesConfig:
image: quay.io/opstree/redis:v8.0.3
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 128Mi
storage:
volumeClaimTemplate:
spec:
storageClassName: ceph-block
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
redisExporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.48.0

19
clusters/cl01tl/helm/authentik/templates/service-monitor.yaml
View File

@@ -1,19 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: redis-replication-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-authentik
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
redis-operator: "true"
env: production
spec:
selector:
matchLabels:
redis_setup_type: replication
endpoints:
- port: redis-exporter
interval: 30s
scrapeTimeout: 10s

108
clusters/cl01tl/helm/authentik/values.yaml
View File

@@ -1,108 +0,0 @@
authentik:
global:
env:
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-key-secret
key: key
- name: AUTHENTIK_POSTGRESQL__HOST
valueFrom:
secretKeyRef:
name: authentik-postgresql-17-cluster-app
key: host
- name: AUTHENTIK_POSTGRESQL__NAME
valueFrom:
secretKeyRef:
name: authentik-postgresql-17-cluster-app
key: dbname
- name: AUTHENTIK_POSTGRESQL__USER
valueFrom:
secretKeyRef:
name: authentik-postgresql-17-cluster-app
key: user
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-postgresql-17-cluster-app
key: password
authentik:
redis:
host: redis-replication-authentik-master
server:
name: server
replicas: 1
metrics:
enabled: true
serviceMonitor:
enabled: true
ingress:
enabled: false
worker:
name: worker
replicas: 1
prometheus:
rules:
enabled: true
postgresql:
enabled: false
redis:
enabled: false
cloudflared:
existingSecretName: authentik-cloudflared-secret
postgres-17-cluster:
mode: recovery
cluster:
storage:
storageClass: local-path
walStorage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: true
recovery:
method: objectStore
objectStore:
destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
endpointURL: http://garage-main.garage:3900
index: 1
endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
backup:
objectStore:
- name: external
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-17-cluster
index: 1
retentionPolicy: "30d"
isWALArchiver: false
- name: garage-local
destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
index: 1
endpointURL: http://garage-main.garage:3900
endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
endpointCredentialsIncludeRegion: true
retentionPolicy: "3d"
isWALArchiver: true
# - name: garage-remote
# destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
# index: 1
# endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
# endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
# retentionPolicy: "30d"
# data:
# compression: bzip2
# jobs: 2
scheduledBackups:
- name: daily-backup
suspend: false
schedule: "0 0 0 * * *"
backupName: external
- name: live-backup
suspend: false
immediate: true
schedule: "0 0 0 * * *"
backupName: garage-local
# - name: weekly-backup
# suspend: false
# schedule: "0 0 4 * * SAT"
# backupName: garage-remote

6
clusters/cl01tl/helm/backrest/Chart.lock
View File

@@ -1,6 +0,0 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.4.0
digest: sha256:aa797b99d6d8b7aafe142811938408b7f234df6d429a7e076196337cc63876cb
generated: "2025-12-01T20:25:09.888407-06:00"

21
clusters/cl01tl/helm/backrest/Chart.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: v2
name: backrest
version: 1.0.0
description: backrest
keywords:
- backrest
- backup
home: https://wiki.alexlebens.dev/
sources:
- https://github.com/garethgeorge/backrest
- https://hub.docker.com/r/garethgeorge/backrest
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: backrest
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.4.0
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
appVersion: v1.10.1

28
clusters/cl01tl/helm/backrest/templates/http-route.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-backrest
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-backrest
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- backrest.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: backrest
port: 80
weight: 100

36
clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
View File

@@ -1,36 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: backrest-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: backrest-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: backrest-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: backrest-nfs-share
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: backrest-nfs-share
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: backrest-nfs-share
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

48
clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
View File

@@ -1,48 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: backrest-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: backrest-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: backrest-nfs-share
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: backrest-nfs-share
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Share
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac

14
clusters/cl01tl/helm/backrest/templates/service.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: garage-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName

84
clusters/cl01tl/helm/backrest/values.yaml
View File

@@ -1,84 +0,0 @@
backrest:
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
containers:
main:
image:
repository: garethgeorge/backrest
tag: v1.10.1
pullPolicy: IfNotPresent
env:
- name: TZ
value: America/Chicago
- name: BACKREST_DATA
value: /data
- name: BACKREST_CONFIG
value: /config/config.json
- name: XDG_CACHE_HOME
value: /cache
- name: TMPDIR
value: /tmp
resources:
requests:
cpu: 10m
memory: 256Mi
service:
main:
controller: main
ports:
http:
port: 80
targetPort: 9898
protocol: TCP
persistence:
data:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 10Gi
retain: true
advancedMounts:
main:
main:
- path: /data
readOnly: false
config:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 1Gi
retain: true
advancedMounts:
main:
main:
- path: /config
readOnly: false
cache:
type: emptyDir
advancedMounts:
main:
main:
- path: /cache
readOnly: false
tmp:
type: emptyDir
advancedMounts:
main:
main:
- path: /tmp
readOnly: false
storage:
existingClaim: backrest-nfs-storage
advancedMounts:
main:
main:
- path: /mnt/storage
readOnly: true
share:
existingClaim: backrest-nfs-share
advancedMounts:
main:
main:
- path: /mnt/share
readOnly: true

6
clusters/cl01tl/helm/bazarr/Chart.lock
View File

@@ -1,6 +0,0 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.4.0
digest: sha256:c6f6d1f2fb9fedf54094920737a6f0bd1a2ab89f0a4122966ca98f6c9d3f11fa
generated: "2025-11-30T21:05:22.694344-06:00"

23
clusters/cl01tl/helm/bazarr/Chart.yaml
View File

@@ -1,23 +0,0 @@
apiVersion: v2
name: bazarr
version: 1.0.0
description: Bazarr
keywords:
- bazarr
- servarr
- subtitles
home: https://wiki.alexlebens.dev/s/92784d53-1d43-42fd-b509-f42c73454226
sources:
- https://github.com/morpheus65535/bazarr
- https://github.com/linuxserver/docker-bazarr
- https://github.com/linuxserver/docker-bazarr/pkgs/container/bazarr
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: bazarr
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.4.0
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
appVersion: 1.5.2

55
clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
View File

@@ -1,55 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: bazarr-config-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bazarr-config-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/bazarr/bazarr-config"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: S3_BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: access_key
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: secret_key

28
clusters/cl01tl/helm/bazarr/templates/http-route.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-bazarr
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-bazarr
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- bazarr.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: bazarr
port: 80
weight: 100

17
clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: bazarr-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bazarr-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: bazarr-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

23
clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
View File

@@ -1,23 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: bazarr-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bazarr-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac

30
clusters/cl01tl/helm/bazarr/templates/replication-source.yaml
View File

@@ -1,30 +0,0 @@
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: bazarr-config-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bazarr-config-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: bazarr-config
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: bazarr-config-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
moverSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot

57
clusters/cl01tl/helm/bazarr/values.yaml
View File

@@ -1,57 +0,0 @@
bazarr:
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
pod:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
containers:
main:
image:
repository: ghcr.io/linuxserver/bazarr
tag: 1.5.3@sha256:2be164c02c0bb311b6c32e57d3d0ddc2813d524e89ab51a3408c1bf6fafecda5
pullPolicy: IfNotPresent
env:
- name: TZ
value: US/Central
- name: PUID
value: 1000
- name: PGID
value: 1000
resources:
requests:
cpu: 10m
memory: 256Mi
service:
main:
controller: main
ports:
http:
port: 80
targetPort: 6767
protocol: HTTP
persistence:
config:
forceRename: bazarr-config
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 5Gi
retain: true
advancedMounts:
main:
main:
- path: /config
readOnly: false
media:
existingClaim: bazarr-nfs-storage
advancedMounts:
main:
main:
- path: /mnt/store
readOnly: false

6
clusters/cl01tl/helm/blocky/Chart.lock
View File

@@ -1,6 +0,0 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.4.0
digest: sha256:0009729bcf7f1941401b767fd4ae952b7a8d44f80053090b4a9224de912a14ef
generated: "2025-12-01T20:25:13.511406-06:00"

21
clusters/cl01tl/helm/blocky/Chart.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: v2
name: blocky
version: 1.0.0
description: Blocky
keywords:
- blocky
- dns
home: https://wiki.alexlebens.dev/s/cf70113d-20bc-48ad-afb8-1e22ed3fd62a
sources:
- https://github.com/0xERR0R/blocky
- https://hub.docker.com/r/spx01/blocky
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: blocky
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.4.0
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
appVersion: v0.25

32
clusters/cl01tl/helm/blocky/templates/redis-replication.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: RedisReplication
metadata:
name: redis-replication-blocky
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-blocky
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
clusterSize: 3
podSecurityContext:
runAsUser: 1000
fsGroup: 1000
kubernetesConfig:
image: quay.io/opstree/redis:v8.0.3
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 128Mi
storage:
volumeClaimTemplate:
spec:
storageClassName: ceph-block
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
redisExporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.48.0

40
clusters/cl01tl/helm/blocky/templates/service-monitor.yaml
View File

@@ -1,40 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: blocky
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: blocky
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: blocky
app.kubernetes.io/instance: {{ .Release.Name }}
endpoints:
- port: metrics
interval: 30s
scrapeTimeout: 10s
path: /metrics
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: redis-replication-blocky
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-blocky
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
redis-operator: "true"
env: production
spec:
selector:
matchLabels:
redis_setup_type: replication
endpoints:
- port: redis-exporter
interval: 30s
scrapeTimeout: 10s

303
clusters/cl01tl/helm/blocky/values.yaml
View File

@@ -1,303 +0,0 @@
blocky:
controllers:
main:
type: deployment
replicas: 3
strategy: RollingUpdate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/0xerr0r/blocky
tag: v0.28.2@sha256:5f84a54e4ee950c4ab21db905b7497476ece2f4e1a376d23ab8c4855cabddcba
pullPolicy: IfNotPresent
env:
- name: TZ
value: US/Central
resources:
requests:
cpu: 10m
memory: 128Mi
configMaps:
config:
enabled: true
data:
config.yml: |
upstreams:
init:
strategy: fast
groups:
default:
- tcp-tls:1.1.1.1:853
- tcp-tls:1.0.0.1:853
strategy: parallel_best
timeout: 2s
connectIPVersion: v4
customDNS:
filterUnmappedTypes: false
zone: |
$ORIGIN alexlebens.net.
$TTL 86400
;; Name Server
IN NS patryk.ns.cloudflare.com.
IN NS veda.ns.cloudflare.com.
IN NS dns1.
IN NS dns2.
IN NS dns3.
dns1 IN A 10.232.1.22
dns2 IN A 10.232.1.51
dns3 IN A 10.232.1.52
;; Computer Names
nw01un IN A 192.168.1.1 ; Unifi Gateway
ps08rp IN A 10.232.1.51 ; DNS
ps09rp IN A 10.232.1.52 ; DNS
ps02sn IN A 10.232.1.61 ; Synology Web
ps02sn-bond IN A 10.232.1.64 ; Synology Bond for Storage
pd05wd IN A 10.230.0.115 ; Desktop
pl02mc IN A 10.230.0.105 ; Laptop
dv01hr IN A 10.232.1.72 ; HD Homerun
dv02kv IN A 10.232.1.71 ; Pi KVM
it01ag IN A 10.232.1.83 ; Airgradient
it02ph IN A 10.232.1.85 ; Phillips Hue
it03tb IN A 10.232.1.81 ; TubesZB ZigBee
it04tb IN A 10.232.1.82 ; TubesZB Z-Wave
it05sp IN A 10.230.0.100 ; Shelly Plug
;; Common Names
synology IN CNAME ps02sn
synologybond IN CNAME ps02sn-bond
unifi IN CNAME nw01un
airgradient IN CNAME it01ag
hdhr IN CNAME dv01hr
pikvm IN CNAME dv02kv
;; Service Names
cl01tl IN A 10.232.1.11
cl01tl IN A 10.232.1.12
cl01tl IN A 10.232.1.13
cl01tl-api IN A 10.232.1.11
cl01tl-api IN A 10.232.1.12
cl01tl-api IN A 10.232.1.13
cl01tl-endpoint IN A 10.232.1.21
cl01tl-endpoint IN A 10.232.1.22
cl01tl-endpoint IN A 10.232.1.23
cl01tl-gateway IN A 10.232.1.200
traefik-cl01tl IN A 10.232.1.21
blocky IN A 10.232.1.22
plex-lb IN A 10.232.1.23
;; Application Names
actual IN CNAME traefik-cl01tl
alertmanager IN CNAME traefik-cl01tl
argo-workflows IN CNAME traefik-cl01tl
argocd IN CNAME traefik-cl01tl
audiobookshelf IN CNAME traefik-cl01tl
authentik IN CNAME traefik-cl01tl
backrest IN CNAME traefik-cl01tl
bazarr IN CNAME traefik-cl01tl
booklore IN CNAME traefik-cl01tl
ceph IN CNAME traefik-cl01tl
code-server IN CNAME traefik-cl01tl
ephemera IN CNAME traefik-cl01tl
garage-s3 IN CNAME traefik-cl01tl
garage-webui IN CNAME traefik-cl01tl
gatus IN CNAME traefik-cl01tl
gitea IN CNAME traefik-cl01tl
grafana IN CNAME traefik-cl01tl
harbor IN CNAME traefik-cl01tl
headlamp IN CNAME traefik-cl01tl
home IN CNAME traefik-cl01tl
home-assistant IN CNAME traefik-cl01tl
home-assistant-code-server IN CNAME traefik-cl01tl
hubble IN CNAME cl01tl-gateway
huntarr IN CNAME traefik-cl01tl
immich IN CNAME traefik-cl01tl
jellyfin IN CNAME traefik-cl01tl
jellystat IN CNAME traefik-cl01tl
kiwix IN CNAME traefik-cl01tl
komodo IN CNAME traefik-cl01tl
kronic IN CNAME traefik-cl01tl
lidarr IN CNAME traefik-cl01tl
lidatube IN CNAME traefik-cl01tl
listenarr IN CNAME traefik-cl01tl
mail IN CNAME traefik-cl01tl
n8n IN CNAME traefik-cl01tl
ntfy IN CNAME traefik-cl01tl
objects IN CNAME traefik-cl01tl
ollama IN CNAME traefik-cl01tl
omni-tools IN CNAME traefik-cl01tl
overseerr IN CNAME traefik-cl01tl
pgadmin IN CNAME traefik-cl01tl
photoview IN CNAME traefik-cl01tl
plex IN CNAME traefik-cl01tl
postiz IN CNAME traefik-cl01tl
prometheus IN CNAME traefik-cl01tl
prowlarr IN CNAME traefik-cl01tl
qbittorrent IN CNAME traefik-cl01tl
qui IN CNAME traefik-cl01tl
radarr IN CNAME traefik-cl01tl
radarr-4k IN CNAME traefik-cl01tl
radarr-anime IN CNAME traefik-cl01tl
radarr-standup IN CNAME traefik-cl01tl
searxng IN CNAME traefik-cl01tl
slskd IN CNAME traefik-cl01tl
sonarr IN CNAME traefik-cl01tl
sonarr-4k IN CNAME traefik-cl01tl
sonarr-anime IN CNAME traefik-cl01tl
stalwart IN CNAME traefik-cl01tl
tautulli IN CNAME traefik-cl01tl
tdarr IN CNAME traefik-cl01tl
tubearchivist IN CNAME traefik-cl01tl
vault IN CNAME traefik-cl01tl
whodb IN CNAME traefik-cl01tl
yamtrack IN CNAME traefik-cl01tl
blocking:
denylists:
sus:
- https://v.firebog.net/hosts/static/w3kbl.txt
ads:
- https://v.firebog.net/hosts/AdguardDNS.txt
- https://v.firebog.net/hosts/Admiral.txt
- https://v.firebog.net/hosts/Easylist.txt
- https://adaway.org/hosts.txt
priv:
- https://v.firebog.net/hosts/Easyprivacy.txt
- https://v.firebog.net/hosts/Prigent-Ads.txt
mal:
- https://v.firebog.net/hosts/Prigent-Crypto.txt
- https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
pro:
- https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro.plus.txt
allowlists:
sus:
- |
*.alexlebens.net
*.alexlebens.dev
*.boreal-beaufort.ts.net
ads:
- |
*.alexlebens.net
*.alexlebens.dev
*.boreal-beaufort.ts.net
priv:
- |
*.alexlebens.net
*.alexlebens.dev
*.boreal-beaufort.ts.net
mal:
- |
*.alexlebens.net
*.alexlebens.dev
*.boreal-beaufort.ts.net
pro:
- |
*.alexlebens.net
*.alexlebens.dev
*.boreal-beaufort.ts.net
clientGroupsBlock:
default:
- sus
- ads
- priv
- mal
- pro
blockType: zeroIp
blockTTL: 1m
loading:
refreshPeriod: 24h
downloads:
timeout: 60s
attempts: 5
cooldown: 10s
concurrency: 16
strategy: fast
maxErrorsPerSource: 5
caching:
minTime: 5m
maxTime: 30m
maxItemsCount: 0
prefetching: true
prefetchExpires: 2h
prefetchThreshold: 5
prefetchMaxItemsCount: 0
cacheTimeNegative: 30m
redis:
address: redis-replication-blocky-master.blocky:6379
required: true
prometheus:
enable: true
path: /metrics
queryLog:
type: console
logRetentionDays: 7
creationAttempts: 1
creationCooldown: 2s
flushInterval: 30s
minTlsServeVersion: 1.3
ports:
dns: 53
http: 4000
log:
level: info
format: text
timestamp: true
privacy: false
service:
dns-external:
controller: main
type: LoadBalancer
annotations:
tailscale.com/expose: "true"
ports:
tcp:
port: 53
targetPort: 53
protocol: TCP
udp:
port: 53
targetPort: 53
protocol: UDP
metrics:
controller: main
ports:
metrics:
port: 4000
targetPort: 4000
protocol: TCP
persistence:
config:
enabled: true
type: configMap
name: blocky
advancedMounts:
main:
main:
- path: /app/config.yml
readOnly: true
mountPropagation: None
subPath: config.yml

9
clusters/cl01tl/helm/booklore/Chart.lock
View File

@@ -1,9 +0,0 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.4.0
- name: mariadb-cluster
repository: https://helm.mariadb.com/mariadb-operator
version: 25.10.2
digest: sha256:264725306c1d1f38140293c0820abdc7e8aa4f39764b4d91e20200705ce2ec91
generated: "2025-11-30T21:05:24.649316-06:00"

24
clusters/cl01tl/helm/booklore/Chart.yaml
View File

@@ -1,24 +0,0 @@
apiVersion: v2
name: booklore
version: 1.0.0
description: booklore
keywords:
- booklore
- books
home: https://wiki.alexlebens.dev/
sources:
- https://github.com/booklore-app/BookLore
- https://github.com/booklore-app/booklore/pkgs/container/booklore
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: booklore
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.4.0
- name: mariadb-cluster
version: 25.10.2
repository: https://helm.mariadb.com/mariadb-operator
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png
appVersion: v.1.10.0

332
clusters/cl01tl/helm/booklore/templates/external-secret.yaml
View File

@@ -1,332 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-database-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-database-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/booklore/database
metadataPolicy: None
property: password
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-data-replication-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-replication-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: psk.txt
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/booklore/replication
metadataPolicy: None
property: psk.txt
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-config-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-config-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-config"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/digital-ocean
metadataPolicy: None
property: BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/digital-ocean
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-data-backup-secret-local
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-secret-local
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/garage-local
metadataPolicy: None
property: BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/garage-local
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-data-backup-secret-remote
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-secret-remote
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/garage-remote
metadataPolicy: None
property: BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/garage-remote
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-data-backup-secret-external
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-secret-external
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/digital-ocean
metadataPolicy: None
property: BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/digital-ocean
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-mariadb-cluster-backup-secret-external
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-mariadb-cluster-backup-secret-external
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: access
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/mariadb-backups
metadataPolicy: None
property: access
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/mariadb-backups
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-mariadb-cluster-backup-secret-garage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-mariadb-cluster-backup-secret-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: access
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/mariadb-backups
metadataPolicy: None
property: access
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/mariadb-backups
metadataPolicy: None
property: secret

28
clusters/cl01tl/helm/booklore/templates/http-route.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-booklore
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-booklore
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- booklore.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: booklore
port: 80
weight: 100

10
clusters/cl01tl/helm/booklore/templates/namespace.yaml
View File

@@ -1,10 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: booklore
annotations:
volsync.backube/privileged-movers: "true"
labels:
app.kubernetes.io/name: booklore
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}

36
clusters/cl01tl/helm/booklore/templates/persistent-volume-claim.yaml
View File

@@ -1,36 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: booklore-books-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-books-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: booklore-books-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: booklore-books-import-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-books-import-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: booklore-books-import-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

48
clusters/cl01tl/helm/booklore/templates/persistent-volume.yaml
View File

@@ -1,48 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: booklore-books-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-books-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Books
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: booklore-books-import-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-books-import-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Books Import
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac

15
clusters/cl01tl/helm/booklore/templates/replication-destination.yaml
View File

@@ -1,15 +0,0 @@
apiVersion: volsync.backube/v1alpha1
kind: ReplicationDestination
metadata:
name: booklore-data-replication-destination
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-replication-destination
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
rsyncTLS:
copyMethod: Direct
accessModes: ["ReadWriteMany"]
destinationPVC: booklore-books-nfs-storage
keySecret: booklore-data-replication-secret

129
clusters/cl01tl/helm/booklore/templates/replication-source.yaml
View File

@@ -1,129 +0,0 @@
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: booklore-data-replication-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-replication-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: booklore-data
trigger:
schedule: "0 0 * * *"
rsyncTLS:
keySecret: booklore-data-replication-secret
address: volsync-rsync-tls-dst-booklore-data-replication-destination
copyMethod: Snapshot
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: booklore-config-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-config-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: booklore-config
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: booklore-config-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
cacheCapacity: 10Gi
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: booklore-data-backup-source-local
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-source-local
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: booklore-data
trigger:
schedule: 0 2 * * *
restic:
pruneIntervalDays: 7
repository: booklore-data-backup-secret-local
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
cacheCapacity: 10Gi
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: booklore-data-backup-source-remote
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-source-remote
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: booklore-data
trigger:
schedule: 0 3 * * *
restic:
pruneIntervalDays: 7
repository: booklore-data-backup-secret-remote
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
cacheCapacity: 10Gi
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: booklore-data-backup-source-external
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-source-external
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: booklore-data
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: booklore-data-backup-secret-external
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
cacheCapacity: 10Gi

14
clusters/cl01tl/helm/booklore/templates/service.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: garage-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName

155
clusters/cl01tl/helm/booklore/values.yaml
View File

@@ -1,155 +0,0 @@
booklore:
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/booklore-app/booklore
tag: v1.12.0
pullPolicy: IfNotPresent
env:
- name: TZ
value: America/Chicago
- name: DATABASE_URL
value: jdbc:mariadb://booklore-mariadb-cluster-primary.booklore:3306/booklore
- name: DATABASE_USERNAME
value: booklore
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: booklore-database-secret
key: password
- name: BOOKLORE_PORT
value: 6060
- name: SWAGGER_ENABLED
value: false
resources:
requests:
cpu: 50m
memory: 128Mi
service:
main:
controller: main
ports:
http:
port: 80
targetPort: 6060
protocol: HTTP
persistence:
config:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 5Gi
retain: true
advancedMounts:
main:
main:
- path: /app/data
readOnly: false
data:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 10Gi
retain: true
advancedMounts:
main:
main:
- path: /data
readOnly: false
books-import:
type: emptyDir
advancedMounts:
main:
main:
- path: /bookdrop
readOnly: false
ingest:
existingClaim: booklore-books-import-nfs-storage
advancedMounts:
main:
main:
- path: /bookdrop/ingest
readOnly: false
mariadb-cluster:
mariadb:
rootPasswordSecretKeyRef:
generate: false
name: booklore-database-secret
key: password
storage:
size: 5Gi
replicas: 3
galera:
enabled: true
databases:
- name: booklore
characterSet: utf8
collate: utf8_general_ci
cleanupPolicy: Delete
requeueInterval: 10h
users:
- name: booklore
passwordSecretKeyRef:
name: booklore-database-secret
key: password
host: '%'
cleanupPolicy: Delete
requeueInterval: 10h
retryInterval: 30s
grants:
- name: booklore
privileges:
- "ALL PRIVILEGES"
database: "booklore"
table: "*"
username: booklore
grantOption: true
host: '%'
cleanupPolicy: Delete
requeueInterval: 10h
retryInterval: 30s
physicalBackups:
- name: backup-external
schedule:
cron: "0 0 * * 0"
suspend: false
immediate: true
compression: gzip
maxRetention: 720h
storage:
s3:
bucket: mariadb-backups-b230a2f5aecf080a4b372c08
prefix: cl01tl/booklore
endpoint: nyc3.digitaloceanspaces.com
region: us-east-1
accessKeyIdSecretKeyRef:
name: booklore-mariadb-cluster-backup-secret-external
key: access
secretAccessKeySecretKeyRef:
name: booklore-mariadb-cluster-backup-secret-external
key: secret
tls:
enabled: true
- name: backup-garage
schedule:
cron: "0 0 * * *"
suspend: false
immediate: true
compression: gzip
maxRetention: 360h
storage:
s3:
bucket: mariadb-backups
prefix: cl01tl/booklore
endpoint: garage-main.garage:3900
region: us-east-1
accessKeyIdSecretKeyRef:
name: booklore-mariadb-cluster-backup-secret-garage
key: access
secretAccessKeySecretKeyRef:
name: booklore-mariadb-cluster-backup-secret-garage
key: secret

6
clusters/cl01tl/helm/cert-manager/Chart.lock
View File

@@ -1,6 +0,0 @@
dependencies:
- name: cert-manager
repository: https://charts.jetstack.io
version: v1.19.1
digest: sha256:0b1238a5552bc6d457d4b1a2a1f387a3e7f2c19f820ecb64e14d20481a1ed1ce
generated: "2025-12-01T20:25:17.762628-06:00"

20
clusters/cl01tl/helm/cert-manager/Chart.yaml
View File

@@ -1,20 +0,0 @@
apiVersion: v2
name: cert-manager
version: 1.0.0
description: Cert Manager
keywords:
- cert-manager
- certificates
- kubernetes
home: https://wiki.alexlebens.dev/s/368fe718-eedb-40e0-a5a7-fad03cdc6b09
sources:
- https://github.com/cert-manager/cert-manager
- https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager
maintainers:
- name: alexlebens
dependencies:
- name: cert-manager
version: v1.19.1
repository: https://charts.jetstack.io
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/cert-manager.png
appVersion: v1.17.2

21
clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-issuer
spec:
acme:
email: alexanderlebens@gmail.com
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-issuer-account-key
solvers:
- selector:
dnsZones:
- "alexlebens.net"
- "*.alexlebens.net"
dns01:
cloudflare:
email: alexanderlebens@gmail.com
apiTokenSecretRef:
name: cloudflare-api-token
key: api-token

21
clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: cloudflare-api-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: cloudflare-api-token
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: api-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/alexlebens.net/clusterissuer
metadataPolicy: None
property: token

15
clusters/cl01tl/helm/cert-manager/values.yaml
View File

@@ -1,15 +0,0 @@
cert-manager:
crds:
enabled: true
keep: true
replicaCount: 2
extraArgs:
- --enable-gateway-api
prometheus:
enabled: true
servicemonitor:
enabled: true
honorLabels: true
cainjector:
enabled: true
replicaCount: 2

9
clusters/cl01tl/helm/cloudnative-pg/Chart.lock
View File

@@ -1,9 +0,0 @@
dependencies:
- name: cloudnative-pg
repository: https://cloudnative-pg.io/charts/
version: 0.26.1
- name: plugin-barman-cloud
repository: https://cloudnative-pg.io/charts/
version: 0.3.1
digest: sha256:b38e5104d77ab1737a27a2542eda958e82038443940f07b7c2cbe3b0a477e1e6
generated: "2025-12-01T20:25:20.341325-06:00"

25
clusters/cl01tl/helm/cloudnative-pg/Chart.yaml
View File

@@ -1,25 +0,0 @@
apiVersion: v2
name: cloudnative-pg
version: 1.0.0
description: Cloudnative PG
keywords:
- cloudnative-pg
- operator
- postgresql
- kubernetes
home: https://wiki.alexlebens.dev/s/9fb10833-0278-4e64-a34c-d348d833839f
sources:
- https://github.com/cloudnative-pg/cloudnative-pg
- https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
- https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud
maintainers:
- name: alexlebens
dependencies:
- name: cloudnative-pg
version: 0.26.1
repository: https://cloudnative-pg.io/charts/
- name: plugin-barman-cloud
version: 0.3.1
repository: https://cloudnative-pg.io/charts/
icon: https://avatars.githubusercontent.com/u/100373852?s=200&v=4
appVersion: 1.26.0

16
clusters/cl01tl/helm/cloudnative-pg/values.yaml
View File

@@ -1,16 +0,0 @@
cloudnative-pg:
replicaCount: 2
monitoring:
podMonitorEnabled: true
plugin-barman-cloud:
replicaCount: 1
image:
registry: ghcr.io
repository: cloudnative-pg/plugin-barman-cloud
tag: v0.9.0
sidecarImage:
registry: ghcr.io
repository: cloudnative-pg/plugin-barman-cloud-sidecar
tag: v0.9.0
crds:
create: true

9
clusters/cl01tl/helm/code-server/Chart.lock
View File

@@ -1,9 +0,0 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.4.0
- name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.23.0
digest: sha256:99eb4f940077dc916f5425d196232fcd363223fa7b7b5d3889f5965aa59e26f5
generated: "2025-11-30T21:05:26.699161-06:00"

28
clusters/cl01tl/helm/code-server/Chart.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: v2
name: code-server
version: 1.0.0
description: Code Server
keywords:
- code-server
- code
- ide
home: https://wiki.alexlebens.dev/s/233f96bb-db70-47e4-8b22-a8efcbb0f93d
sources:
- https://github.com/coder/code-server
- https://github.com/cloudflare/cloudflared
- https://hub.docker.com/r/linuxserver/code-server
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: code-server
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.4.0
- name: cloudflared
alias: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.23.0
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
appVersion: 4.100.2

51
clusters/cl01tl/helm/code-server/templates/external-secret.yaml
View File

@@ -1,51 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: codeserver-password-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: codeserver-password-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/code-server/auth
metadataPolicy: None
property: PASSWORD
- secretKey: SUDO_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/code-server/auth
metadataPolicy: None
property: SUDO_PASSWORD
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: code-server-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: code-server-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/codeserver
metadataPolicy: None
property: token

28
clusters/cl01tl/helm/code-server/templates/http-route.yaml
View File

@@ -1,28 +0,0 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-code-server
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-code-server
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- code-server.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: code-server
port: 8443
weight: 100

17
clusters/cl01tl/helm/code-server/templates/persistent-volume-claim.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: code-server-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: code-server-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi

47
clusters/cl01tl/helm/code-server/values.yaml
View File

@@ -1,47 +0,0 @@
code-server:
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/linuxserver/code-server
tag: 4.106.2@sha256:a98afdbcb59559f11e5e8df284062e55da1076b2e470e13db4aae133ea82bad0
pullPolicy: IfNotPresent
env:
- name: TZ
value: US/Central
- name: PUID
value: 1000
- name: PGID
value: 1000
- name: DEFAULT_WORKSPACE
value: /config
envFrom:
- secretRef:
name: codeserver-password-secret
resources:
requests:
cpu: 10m
memory: 128Mi
service:
main:
controller: main
ports:
http:
port: 8443
targetPort: 8443
protocol: HTTP
persistence:
config:
existingClaim: code-server-nfs-storage
advancedMounts:
main:
main:
- path: /config
readOnly: false
cloudflared:
existingSecretName: code-server-cloudflared-secret

6
clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.lock
View File

@@ -1,6 +0,0 @@
dependencies:
- name: democratic-csi
repository: https://democratic-csi.github.io/charts/
version: 0.15.0
digest: sha256:6fe3d8ad7b990b07ed80a31c75a0a49db8da497c46a956c632615a2093d29d58
generated: "2025-12-01T20:25:24.972076-06:00"

20
clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.yaml
View File

@@ -1,20 +0,0 @@
apiVersion: v2
name: democratic-csi-synology-iscsi
version: 1.0.0
description: Democratic CSI
keywords:
- democratic-csi-synology-iscsi
- iscsi
- kubernetes
home: https://wiki.alexlebens.dev/s/0cc6ba65-024b-4489-952a-fc0f647fd099
sources:
- https://github.com/democratic-csi/democratic-csi
- https://github.com/democratic-csi/charts/tree/master/stable/democratic-csi
maintainers:
- name: alexlebens
dependencies:
- name: democratic-csi
repository: https://democratic-csi.github.io/charts/
version: 0.15.0
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
appVersion: v1.9.4

21
clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: synology-iscsi-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: synology-iscsi-config-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: driver-config-file.yaml
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/democratic-csi-synology-iscsi/config
metadataPolicy: None
property: driver-config-file.yaml

11
clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: democratic-csi-synology-iscsi
labels:
app.kubernetes.io/name: democratic-csi-synology-iscsi
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged

37
clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
View File

@@ -1,37 +0,0 @@
democratic-csi:
driver:
existingConfigSecret: synology-iscsi-config-secret
config:
driver: synology-iscsi
csiDriver:
name: "org.democratic-csi.iscsi-synology"
controller:
enabled: true
rbac:
enabled: true
replicaCount: 2
storageClasses:
- name: synology-iscsi-delete
defaultClass: false
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true
parameters:
fsType: ext4
- name: synology-iscsi-retain
defaultClass: false
reclaimPolicy: Retain
volumeBindingMode: Immediate
allowVolumeExpansion: true
parameters:
fsType: ext4
node:
hostPID: true
driver:
extraEnv:
- name: ISCSIADM_HOST_STRATEGY
value: nsenter
- name: ISCSIADM_HOST_PATH
value: /usr/local/sbin/iscsiadm
iscsiDirHostPath: /var/iscsi
iscsiDirHostPathType: ""

6
clusters/cl01tl/helm/descheduler/Chart.lock
View File

@@ -1,6 +0,0 @@
dependencies:
- name: descheduler
repository: https://kubernetes-sigs.github.io/descheduler/
version: 0.34.0
digest: sha256:1020c1fc8c179744f308e9b79f010dcaf59a05019f7d007157974be97063e12b
generated: "2025-12-01T20:25:26.970808-06:00"

20
clusters/cl01tl/helm/descheduler/Chart.yaml
View File

@@ -1,20 +0,0 @@
apiVersion: v2
name: descheduler
version: 1.0.0
description: Descheduler
keywords:
- descheduler
- kube-scheduler
- kubernetes
home: https://wiki.alexlebens.dev/s/0c38b7e4-4573-487c-82b0-4eeeb00e1276
sources:
- https://github.com/kubernetes-sigs/descheduler
- https://github.com/kubernetes-sigs/descheduler/tree/master/charts/descheduler
maintainers:
- name: alexlebens
dependencies:
- name: descheduler
version: 0.34.0
repository: https://kubernetes-sigs.github.io/descheduler/
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
appVersion: 0.33.0

70
clusters/cl01tl/helm/descheduler/values.yaml
View File

@@ -1,70 +0,0 @@
descheduler:
kind: Deployment
resources:
requests:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
deschedulingInterval: 5m
replicas: 1
leaderElection:
enabled: false
command:
- "/bin/descheduler"
cmdOptions:
v: 3
deschedulerPolicyAPIVersion: "descheduler/v1alpha2"
deschedulerPolicy:
profiles:
- name: default
pluginConfig:
- name: DefaultEvictor
args:
ignorePvcPods: true
evictLocalStoragePods: false
evictDaemonSetPods: false
- name: RemoveDuplicates
- name: RemovePodsViolatingNodeAffinity
args:
nodeAffinityType:
- requiredDuringSchedulingIgnoredDuringExecution
- name: RemovePodsViolatingNodeTaints
- name: RemovePodsViolatingInterPodAntiAffinity
- name: RemovePodsViolatingTopologySpreadConstraint
- name: LowNodeUtilization
args:
thresholds:
cpu: 20
memory: 20
pods: 20
targetThresholds:
cpu: 60
memory: 60
pods: 60
plugins:
balance:
enabled:
- RemoveDuplicates
- RemovePodsViolatingTopologySpreadConstraint
- LowNodeUtilization
deschedule:
enabled:
- RemovePodsViolatingNodeTaints
- RemovePodsViolatingNodeAffinity
- RemovePodsViolatingInterPodAntiAffinity
rbac:
create: true
serviceAccount:
create: true
service:
enabled: true
serviceMonitor:
enabled: true

Some files were not shown because too many files have changed in this diff Show More