
1 Commits

Author SHA1 Message Date
bdcdb56d0d Update ghcr.io/traefik/traefik Docker tag to v3.6.4
Some checks failed
lint-test-helm / lint-helm (pull_request) Failing after 14s
lint-test-docker / lint-docker-compose (pull_request) Successful in 42s
2025-12-07 18:28:03 +00:00
527 changed files with 12219 additions and 7097 deletions


@@ -36,20 +36,14 @@ jobs:
id: branch-exists id: branch-exists
if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request' if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request'
run: | run: |
if [ ${{ github.event_name == 'push' }} ]; then echo ">> Branch ${{ gitea.base_ref }} exists, will continue with linting"
echo ">> Action is from a push event, will continue with linting"
else
echo ">> Branch ${{ gitea.base_ref }} exists, will continue with linting"
fi
echo "----" echo "----"
echo "exists=true" >> $GITEA_OUTPUT echo "exists=true" >> $GITEA_OUTPUT
- name: Set up Node.js - name: Set up Node.js
if: steps.branch-exists.outputs.exists == 'true' if: steps.check-branch-exists.outputs.exists == 'true'
uses: actions/setup-node@v6 uses: actions/setup-node@v6
with: with:
node-version: '24' node-version: '24'
@@ -65,11 +59,11 @@ jobs:
if [ "${{ github.event_name }}" == "pull_request" ]; then if [ "${{ github.event_name }}" == "pull_request" ]; then
echo "" echo ""
echo ">> Checking for changes in a pull request ..." echo ">> Checking for changes in a pull request ..."
GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u) GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u | grep -E "hosts/[^/]+/[^/]+")
else else
echo "" echo ""
echo ">> Checking for changes from a push ..." echo ">> Checking for changes from a push ..."
GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u) GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep -E "hosts/[^/]+/[^/]+")
fi fi
if [ -n "${GIT_DIFF}" ]; then if [ -n "${GIT_DIFF}" ]; then
@@ -78,12 +72,8 @@ jobs:
echo "$GIT_DIFF" echo "$GIT_DIFF"
for path in $GIT_DIFF; do for path in $GIT_DIFF; do
if echo "$path" | grep -q -E "hosts/[^/]+/[^/]+"; then CHANGED_COMPOSE+=$(echo "$path")
echo "" CHANGED_COMPOSE+=$(echo " ")
echo ">> Adding path: $path"
CHANGED_COMPOSE+=$(echo "$path")
CHANGED_COMPOSE+=$(echo " ")
fi
done done
else else
@@ -104,16 +94,11 @@ jobs:
echo "$(echo "${CHANGED_COMPOSE}" | sort -u)" >> $GITEA_OUTPUT echo "$(echo "${CHANGED_COMPOSE}" | sort -u)" >> $GITEA_OUTPUT
echo "EOF" >> $GITEA_OUTPUT echo "EOF" >> $GITEA_OUTPUT
else else
echo ""
echo ">> Did not find any docker compose files to lint"
echo "----"
echo "changes-detected=false" >> $GITEA_OUTPUT echo "changes-detected=false" >> $GITEA_OUTPUT
fi fi
- name: Lint Docker Compose - name: Lint Docker Compose
if: steps.check-dir-changes.outputs.changes-detected == 'true' if: steps.check-branch-exists.outputs.exists == 'true'
env: env:
CHANGED_COMPOSE: ${{ steps.check-dir-changes.outputs.compose-dir }} CHANGED_COMPOSE: ${{ steps.check-dir-changes.outputs.compose-dir }}
run: | run: |
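Review bot: The two new `GIT_DIFF=$(... | sort -u | grep -E "hosts/[^/]+/[^/]+")` assignments end in a `grep` that exits 1 when no changed directory matches, so if the runner's shell runs with `-e` (not visible here) the step would abort before it reaches the `changes-detected=false` branch. Ending the substitution with `|| true`, as in `... | sort -u | grep -E "hosts/[^/]+/[^/]+" || true)`, keeps the empty-result path working. The `Lint Docker Compose` step is also now gated on `steps.check-branch-exists.outputs.exists` instead of `changes-detected`, so it appears to run with an empty `CHANGED_COMPOSE` when nothing under `hosts/` changed. That step's script continues outside the hunk, so confirm it handles an empty list.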


@@ -37,13 +37,7 @@ jobs:
id: branch-exists id: branch-exists
if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request' if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request'
run: | run: |
if [ ${{ github.event_name == 'push' }} ]; then echo ">> Branch ${{ gitea.base_ref }} exists, will continue with linting"
echo ">> Action is from a push event, will continue with linting"
else
echo ">> Branch ${{ gitea.base_ref }} exists, will continue with linting"
fi
echo "----" echo "----"
@@ -55,7 +49,6 @@ jobs:
with: with:
token: ${{ secrets.GITEA_TOKEN }} token: ${{ secrets.GITEA_TOKEN }}
version: v3.19.2 version: v3.19.2
cache: true
- name: Check Directories for Changes - name: Check Directories for Changes
id: check-dir-changes id: check-dir-changes
@@ -68,11 +61,12 @@ jobs:
if [ "${{ github.event_name }}" == "pull_request" ]; then if [ "${{ github.event_name }}" == "pull_request" ]; then
echo "" echo ""
echo ">> Checking for changes in a pull request ..." echo ">> Checking for changes in a pull request ..."
GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u) git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+"
GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
else else
echo "" echo ""
echo ">> Checking for changes from a push ..." echo ">> Checking for changes from a push ..."
GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u) GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
fi fi
if [ -n "${GIT_DIFF}" ]; then if [ -n "${GIT_DIFF}" ]; then
@@ -81,12 +75,8 @@ jobs:
echo "$GIT_DIFF" echo "$GIT_DIFF"
for path in $GIT_DIFF; do for path in $GIT_DIFF; do
if echo "$path" | grep -q -E "clusters/[^/]+/helm/[^/]+"; then CHANGED_CHARTS+=$(echo "$path" | awk -F '/' '{print $4}')
echo "" RENDER_DIR+=$(echo " ")
echo ">> Adding path: $path"
CHANGED_CHARTS+=$(echo "$path" | awk -F '/' '{print $4}')
CHANGED_CHARTS+=$(echo "\n")
fi
done done
else else
@@ -107,11 +97,6 @@ jobs:
echo "$(echo "${CHANGED_CHARTS}" | sort -u)" >> $GITEA_OUTPUT echo "$(echo "${CHANGED_CHARTS}" | sort -u)" >> $GITEA_OUTPUT
echo "EOF" >> $GITEA_OUTPUT echo "EOF" >> $GITEA_OUTPUT
else else
echo ""
echo ">> Did not find any helm charts files to lint"
echo "----"
echo "changes-detected=false" >> $GITEA_OUTPUT echo "changes-detected=false" >> $GITEA_OUTPUT
fi fi
@@ -125,14 +110,7 @@ jobs:
helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/$dir 2> /dev/null \ helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \ | tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \ | awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do | while read cmd; do echo "$cmd" | sh; done || true
if [[ "$cmd" == "*oci://*" ]]; then
echo ">> Ignoring OCI repo"
else
echo ">> Command: $cmd"
echo "$cmd" | sh;
fi
done || true
done done
if helm repo list | tail +2 | read -r; then if helm repo list | tail +2 | read -r; then
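Review bot: The collapsed loop `while read cmd; do echo "$cmd" | sh; done` executes text assembled from `helm dependency list` output, so the dependency name and repository fields of any changed chart are interpreted by a shell on the runner. This workflow handles `pull_request` events and the job references `secrets.GITEA_TOKEN`. Passing the fields as arguments avoids the second shell: replace the `awk` and `while` lines with `| while read -r name _ repo _; do helm repo add "$name" "$repo" || true; done`. The same loop is introduced in the four render-manifests workflow sections that follow. Separately, the chart loop now appends its separator to `RENDER_DIR` (`RENDER_DIR+=$(echo " ")`) instead of `CHANGED_CHARTS`, so chart names look to be concatenated with nothing between them; `CHANGED_CHARTS+=" "` is probably what was meant.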


@@ -38,13 +38,6 @@ jobs:
with: with:
token: ${{ secrets.GITEA_TOKEN }} token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743 version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Prepare Manifest Branch - name: Prepare Manifest Branch
id: prepare-manifest-branch id: prepare-manifest-branch
@@ -113,13 +106,7 @@ jobs:
helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \ helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \ | tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \ | awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do | while read cmd; do echo "$cmd" | sh; done || true
if [[ "$cmd" == "*oci://*" ]]; then
echo ">> Ignoring OCI repo"
else
echo "$cmd" | sh;
fi
done || true
done done
if helm repo list | tail +2 | read -r; then if helm repo list | tail +2 | read -r; then
@@ -174,10 +161,6 @@ jobs:
cd $chart_path cd $chart_path
echo ""
echo ">> Updating helm dependency ..."
helm dependency update --skip-refresh
echo "" echo ""
echo ">> Building helm dependency ..." echo ">> Building helm dependency ..."
helm dependency build --skip-refresh helm dependency build --skip-refresh
@@ -192,17 +175,17 @@ jobs:
"stack") "stack")
echo "" echo ""
echo ">> Special Rendering for stack into argocd namespace ..." echo ">> Special Rendering for stack into argocd namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute") TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run)
;; ;;
"cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds") "cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
echo "" echo ""
echo ">> Special Rendering for $chart_name into kube-system namespace ..." echo ">> Special Rendering for $chart_name into kube-system namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute") TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run)
;; ;;
*) *)
echo "" echo ""
echo ">> Standard Rendering for $chart_name ..." echo ">> Standard Rendering for $chart_name ..."
TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute") TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run)
;; ;;
esac esac
@@ -210,11 +193,6 @@ jobs:
echo ">> Formating rendered template ..." echo ">> Formating rendered template ..."
echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"' echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo "" echo ""
echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER" echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
ls $OUTPUT_FOLDER ls $OUTPUT_FOLDER
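Review bot: All three `helm template` calls drop `--api-versions "gateway.networking.k8s.io/v1/HTTPRoute"` together with `--dry-run=server`, so rendering now sees only Helm's built-in capability set. Any chart that gates a resource on `.Capabilities.APIVersions.Has` for the Gateway API would then silently render without it. `--api-versions` needs no cluster access, so it can stay after the kubeconfig step is removed, e.g. `helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --api-versions "gateway.networking.k8s.io/v1/HTTPRoute"`. The bare `--dry-run` appears redundant on `helm template` and could be dropped or written as `--dry-run=client`. The same edit is made in the three other render-manifests workflow sections below.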


@@ -1,9 +1,6 @@
name: render-manifests-dispatch name: render-manifests-dispatch
on: on:
schedule:
- cron: '0 3 * * *'
workflow_dispatch: workflow_dispatch:
env: env:
@@ -35,13 +32,6 @@ jobs:
with: with:
token: ${{ secrets.GITEA_TOKEN }} token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743 version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Prepare Manifest Branch - name: Prepare Manifest Branch
run: | run: |
@@ -101,13 +91,7 @@ jobs:
helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \ helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \ | tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \ | awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do | while read cmd; do echo "$cmd" | sh; done || true
if [[ "$cmd" == "*oci://*" ]]; then
echo ">> Ignoring OCI repo"
else
echo "$cmd" | sh;
fi
done || true
done done
if helm repo list | tail +2 | read -r; then if helm repo list | tail +2 | read -r; then
@@ -117,6 +101,24 @@ jobs:
echo "----" echo "----"
- name: Remove Changed Manifest Files
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MANIFEST_DIR}
echo ">> Remove manfiest files and rebuild from source ..."
for dir in ${RENDER_DIR}; do
chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
echo "$chart_path"
rm -rf $chart_path/*
done
echo "----"
- name: Render Helm Manifests - name: Render Helm Manifests
id: render-manifests id: render-manifests
if: steps.check-dir-changes.outputs.changes-detected == 'true' if: steps.check-dir-changes.outputs.changes-detected == 'true'
@@ -144,10 +146,6 @@ jobs:
cd $chart_path cd $chart_path
echo ""
echo ">> Updating helm dependency ..."
helm dependency update --skip-refresh
echo "" echo ""
echo ">> Building helm dependency ..." echo ">> Building helm dependency ..."
helm dependency build --skip-refresh helm dependency build --skip-refresh
@@ -162,17 +160,17 @@ jobs:
"stack") "stack")
echo "" echo ""
echo ">> Special Rendering for stack into argocd namespace ..." echo ">> Special Rendering for stack into argocd namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute") TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run)
;; ;;
"cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds") "cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
echo "" echo ""
echo ">> Special Rendering for $chart_name into kube-system namespace ..." echo ">> Special Rendering for $chart_name into kube-system namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute") TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run)
;; ;;
*) *)
echo "" echo ""
echo ">> Standard Rendering for $chart_name ..." echo ">> Standard Rendering for $chart_name ..."
TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute") TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run)
;; ;;
esac esac
@@ -180,11 +178,6 @@ jobs:
echo ">> Formating rendered template ..." echo ">> Formating rendered template ..."
echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"' echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo "" echo ""
echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER" echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
ls $OUTPUT_FOLDER ls $OUTPUT_FOLDER
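Review bot: The added `Remove Changed Manifest Files` step runs `rm -rf $chart_path/*` on a path built from unquoted `MANIFEST_DIR`, `CLUSTER` and `$dir`, and nothing stops the loop if `cd ${MANIFEST_DIR}` fails or one of the variables is empty. Guard the expansions so an unset value aborts instead of widening the delete: `cd "${MANIFEST_DIR:?}"`, `chart_path="${MANIFEST_DIR:?}/clusters/${CLUSTER:?}/manifests/${dir}"` and `rm -rf -- "${chart_path:?}"/*`. The step reads `steps.check-dir-changes.outputs.render-dir`, which is defined outside the visible hunks, so confirm `$dir` can only be a chart directory name. The echo also misspells "manifest" as "manfiest".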


@@ -39,13 +39,6 @@ jobs:
with: with:
token: ${{ secrets.GITEA_TOKEN }} token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743 version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Prepare Manifest Branch - name: Prepare Manifest Branch
run: | run: |
@@ -118,13 +111,7 @@ jobs:
helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \ helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \ | tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \ | awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do | while read cmd; do echo "$cmd" | sh; done || true
if [[ "$cmd" == "*oci://*" ]]; then
echo ">> Ignoring OCI repo"
else
echo "$cmd" | sh;
fi
done || true
done done
if helm repo list | tail +2 | read -r; then if helm repo list | tail +2 | read -r; then
@@ -179,10 +166,6 @@ jobs:
cd $chart_path cd $chart_path
echo ""
echo ">> Updating helm dependency ..."
helm dependency update --skip-refresh
echo "" echo ""
echo ">> Building helm dependency ..." echo ">> Building helm dependency ..."
helm dependency build --skip-refresh helm dependency build --skip-refresh
@@ -197,17 +180,17 @@ jobs:
"stack") "stack")
echo "" echo ""
echo ">> Special Rendering for stack into argocd namespace ..." echo ">> Special Rendering for stack into argocd namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute") TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run)
;; ;;
"cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds") "cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
echo "" echo ""
echo ">> Special Rendering for $chart_name into kube-system namespace ..." echo ">> Special Rendering for $chart_name into kube-system namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute") TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run)
;; ;;
*) *)
echo "" echo ""
echo ">> Standard Rendering for $chart_name ..." echo ">> Standard Rendering for $chart_name ..."
TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute") TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run)
;; ;;
esac esac
@@ -215,11 +198,6 @@ jobs:
echo ">> Formating rendered template ..." echo ">> Formating rendered template ..."
echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"' echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo "" echo ""
echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER" echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
ls $OUTPUT_FOLDER ls $OUTPUT_FOLDER


@@ -37,13 +37,6 @@ jobs:
with: with:
token: ${{ secrets.GITEA_TOKEN }} token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743 version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Prepare Manifest Branch - name: Prepare Manifest Branch
run: | run: |
@@ -116,13 +109,7 @@ jobs:
helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \ helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \ | tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \ | awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do | while read cmd; do echo "$cmd" | sh; done || true
if [[ "$cmd" == "*oci://*" ]]; then
echo ">> Ignoring OCI repo"
else
echo "$cmd" | sh;
fi
done || true
done done
if helm repo list | tail +2 | read -r; then if helm repo list | tail +2 | read -r; then
@@ -177,10 +164,6 @@ jobs:
cd $chart_path cd $chart_path
echo ""
echo ">> Updating helm dependency ..."
helm dependency update --skip-refresh
echo "" echo ""
echo ">> Building helm dependency ..." echo ">> Building helm dependency ..."
helm dependency build --skip-refresh helm dependency build --skip-refresh
@@ -195,17 +178,17 @@ jobs:
"stack") "stack")
echo "" echo ""
echo ">> Special Rendering for stack into argocd namespace ..." echo ">> Special Rendering for stack into argocd namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute") TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run)
;; ;;
"cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds") "cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
echo "" echo ""
echo ">> Special Rendering for $chart_name into kube-system namespace ..." echo ">> Special Rendering for $chart_name into kube-system namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute") TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run)
;; ;;
*) *)
echo "" echo ""
echo ">> Standard Rendering for $chart_name ..." echo ">> Standard Rendering for $chart_name ..."
TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute") TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run)
;; ;;
esac esac
@@ -213,11 +196,6 @@ jobs:
echo ">> Formating rendered template ..." echo ">> Formating rendered template ..."
echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"' echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo "" echo ""
echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER" echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
ls $OUTPUT_FOLDER ls $OUTPUT_FOLDER

1
.gitignore vendored

@@ -1,4 +1,3 @@
/**/archive/ /**/archive/
/**/charts/ /**/charts/
/**/manifests/ /**/manifests/
/**/tmpcharts*/


@@ -2,12 +2,6 @@
GitOps definied infrastrucutre for the alexlebens.net domain. GitOps definied infrastrucutre for the alexlebens.net domain.
## Stack-cl01tl
https://argocd.alexlebens.net/api/badge?name=stack-cl01tl&revision=true&showAppName=true
App-of-Apps Application for cl01tl
## License ## License
This project is licensed under the terms of the Apache 2.0 License license. This project is licensed under the terms of the Apache 2.0 License license.


@@ -2,8 +2,5 @@ dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: volsync-target digest: sha256:926b8da839684072fd79954aff0c9852c2ff3b618b0fa35177bdec8e2dff4986
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-12-05T17:02:01.15162583Z"
version: 0.7.0
digest: sha256:4840c828f8fbb695fa06fb959aad415acd12ff0d4930d136783488f16b9f875c
generated: "2025-12-27T13:29:28.243328-06:00"


@@ -17,10 +17,5 @@ dependencies:
alias: actual alias: actual
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: volsync-target
alias: volsync-target-data
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
# renovate: github=actualbudget/actual appVersion: 25.11.0
appVersion: 25.12.0


@@ -0,0 +1,55 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: actual-data-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: actual-data-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/actual/actual-data"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: S3_BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: access_key
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: secret_key
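Review bot: `RESTIC_PASSWORD` and the S3 key pair are read from cluster-wide Vault paths (`/cl01tl/volsync/restic/config`, `/digital-ocean/home-infra/volsync-backups`) rather than a path scoped to this application, so presumably every chart that carries a copy of this template receives the same restic password and bucket credential. If that is intended, say so at the top of the file, e.g. `# Uses the shared cl01tl volsync restic password and bucket key; rotating either affects every backup source`. Otherwise a per-application key limited to the `actual/` prefix would keep a compromise of this namespace from reaching other backups. The spec also sets no `refreshInterval`, so the operator default decides how quickly a rotated Vault value reaches the Secret.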


@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-actual
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-actual
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- actual.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: actual
port: 80
weight: 100


@@ -0,0 +1,25 @@
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: actual-data-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: actual-data-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: actual-data
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: actual-data-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot


@@ -9,7 +9,7 @@ actual:
main: main:
image: image:
repository: ghcr.io/actualbudget/actual repository: ghcr.io/actualbudget/actual
tag: 26.1.0 tag: 25.12.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
@@ -42,27 +42,6 @@ actual:
port: 80 port: 80
targetPort: 5006 targetPort: 5006
protocol: HTTP protocol: HTTP
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- actual.alexlebens.net
rules:
- backendRefs:
- group: ''
kind: Service
name: actual
port: 80
weight: 100
matches:
- path:
type: PathPrefix
value: /
persistence: persistence:
data: data:
forceRename: actual-data forceRename: actual-data
@@ -75,13 +54,3 @@ actual:
main: main:
- path: /data - path: /data
readOnly: false readOnly: false
volsync-target-data:
pvcTarget: actual-data
local:
enabled: true
schedule: 0 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 0 9 * * *


@@ -1,12 +1,12 @@
dependencies: dependencies:
- name: argo-workflows - name: argo-workflows
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
version: 0.46.2 version: 0.46.1
- name: argo-events - name: argo-events
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
version: 2.4.19 version: 2.4.19
- name: postgres-cluster - name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 7.4.5 version: 6.16.1
digest: sha256:2cbfdaeceeba1a5bdaa6fb2e9c4d51ea1310878d8c1c122dcfb0614fc2c52fb7 digest: sha256:1f98e04526d7b61fa9ee690c46542bcc2ae6b69bf7619e1107a1592386de9bf2
generated: "2025-12-27T19:44:54.020935317Z" generated: "2025-12-07T03:02:14.909953853Z"


@@ -18,15 +18,14 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: argo-workflows - name: argo-workflows
version: 0.46.2 version: 0.46.1
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
- name: argo-events - name: argo-events
version: 2.4.19 version: 2.4.19
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
- name: postgres-cluster - name: postgres-cluster
alias: postgres-18-cluster alias: postgres-17-cluster
version: 7.4.5 version: 6.16.1
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
# renovate: github=argoproj/argo-workflows appVersion: v3.6.7
appVersion: v3.7.6

View File

@@ -26,3 +26,70 @@ spec:
key: /authentik/oidc/argo-workflows key: /authentik/oidc/argo-workflows
metadataPolicy: None metadataPolicy: None
property: client property: client
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argo-workflows-postgresql-17-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argo-workflows-postgresql-17-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: access
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argo-workflows-postgresql-17-cluster-backup-secret-garage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argo-workflows-postgresql-17-cluster-backup-secret-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
- secretKey: ACCESS_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_REGION


@@ -1,10 +1,10 @@
apiVersion: gateway.networking.k8s.io/v1 apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute kind: HTTPRoute
metadata: metadata:
name: argo-workflows name: http-route-argo-workflows
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: argo-workflows app.kubernetes.io/name: http-route-argo-workflows
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:


@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: garage-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName


@@ -9,15 +9,15 @@ argo-workflows:
nodeStatusOffLoad: true nodeStatusOffLoad: true
archive: true archive: true
postgresql: postgresql:
host: argo-workflows-postgresql-18-cluster-rw host: argo-workflows-postgresql-17-cluster-rw
port: 5432 port: 5432
database: app database: app
tableName: app tableName: app
userNameSecret: userNameSecret:
name: argo-workflows-postgresql-18-cluster-app name: argo-workflows-postgresql-17-cluster-app
key: username key: username
passwordSecret: passwordSecret:
name: argo-workflows-postgresql-18-cluster-app name: argo-workflows-postgresql-17-cluster-app
key: password key: password
ssl: false ssl: false
sslMode: disable sslMode: disable
@@ -59,6 +59,20 @@ argo-workflows:
useStaticCredentials: true useStaticCredentials: true
artifactRepository: artifactRepository:
archiveLogs: false archiveLogs: false
s3: {}
# accessKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: accesskey
# secretKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: secretkey
# insecure: true
# bucket:
# endpoint:
# region:
# encryptionOptions:
# enableEncryption: true
argo-events: argo-events:
controller: controller:
resources: resources:
@@ -75,33 +89,53 @@ argo-events:
requests: requests:
cpu: 10m cpu: 10m
memory: 128Mi memory: 128Mi
postgres-18-cluster: postgres-17-cluster:
mode: recovery mode: recovery
cluster:
storage:
storageClass: local-path
walStorage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: true
recovery: recovery:
method: objectStore method: objectStore
objectStore: objectStore:
destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
endpointURL: http://garage-main.garage:3900
index: 1 index: 1
endpointCredentials: argo-workflows-postgresql-17-cluster-backup-secret-garage
backup: backup:
objectStore: objectStore:
- name: garage-local - name: external
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
index: 1 index: 1
destinationBucket: postgres-backups retentionPolicy: "30d"
externalSecretCredentialPath: /garage/home-infra/postgres-backups isWALArchiver: false
- name: garage-local
destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
index: 1
endpointURL: http://garage-main.garage:3900
endpointCredentials: argo-workflows-postgresql-17-cluster-backup-secret-garage
endpointCredentialsIncludeRegion: true
retentionPolicy: "3d"
isWALArchiver: true isWALArchiver: true
# - name: garage-remote # - name: garage-remote
# destinationPath: s3://postgres-backups/cl01tl/argo-workflows/argo-workflows-postgresql-17-cluster
# index: 1 # index: 1
# destinationBucket: postgres-backups # endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
# externalSecretCredentialPath: /garage/home-infra/postgres-backups # endpointCredentials: argo-workflows-postgresql-17-cluster-backup-secret-garage
# retentionPolicy: "90d" # endpointCredentialsIncludeRegion: true
# retentionPolicy: "30d"
# data: # data:
# compression: bzip2 # compression: bzip2
# - name: external
# index: 1
# endpointURL: https://nyc3.digitaloceanspaces.com
# destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# isWALArchiver: false
scheduledBackups: scheduledBackups:
- name: daily-backup
suspend: false
schedule: "0 0 0 * * *"
backupName: external
- name: live-backup - name: live-backup
suspend: false suspend: false
immediate: true immediate: true
@@ -109,11 +143,5 @@ postgres-18-cluster:
backupName: garage-local backupName: garage-local
# - name: weekly-backup # - name: weekly-backup
# suspend: true # suspend: true
# immediate: true
# schedule: "0 0 4 * * SAT" # schedule: "0 0 4 * * SAT"
# backupName: garage-remote # backupName: garage-remote
# - name: daily-backup
# suspend: true
# immediate: true
# schedule: "0 0 0 * * *"
# backupName: external
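Review bot: The `recovery.objectStore` and `garage-local` entries added in the third hunk point at `http://garage-main.garage:3900`, so base backups and the continuous WAL stream (`isWALArchiver: true`) cross the cluster network unencrypted. S3 request signing keeps the secret key itself off the wire, but the database contents are readable to anything that can observe pod-to-pod traffic. If Garage can serve TLS, switch both `endpointURL` values to `https://`; otherwise record the trade-off with a comment such as `# plaintext S3, in-cluster only; confirm access to the garage namespace is restricted`. The authentik values file later in this compare adds the same two `http://` endpoints, and there the backups hold the identity provider's database.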


@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: argo-cd - name: argo-cd
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
version: 9.2.4 version: 9.1.6
digest: sha256:ad9fc8f132ba717e9da4564ca1c90eab88c1d1ec251d015542b938f2bd5af7bd digest: sha256:488b8e826e7cc7179f154c1b7555e2cec78b69becb9f8cdbe4937b3546d87e5d
generated: "2026-01-03T23:01:53.96861459Z" generated: "2025-12-05T04:02:40.060511766Z"


@@ -15,8 +15,7 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: argo-cd - name: argo-cd
version: 9.2.4 version: 9.1.6
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
# renovate: github=argoproj/argo-cd appVersion: 3.0.0
appVersion: v3.2.1


@@ -50,39 +50,39 @@ spec:
metadataPolicy: None metadataPolicy: None
property: token property: token
--- # ---
apiVersion: external-secrets.io/v1 # apiVersion: external-secrets.io/v1
kind: ExternalSecret # kind: ExternalSecret
metadata: # metadata:
name: argocd-gitea-repo-infrastructure-secret # name: argocd-gitea-repo-infrastructure-secret
namespace: {{ .Release.Namespace }} # namespace: {{ .Release.Namespace }}
labels: # labels:
app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret # app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
app.kubernetes.io/instance: {{ .Release.Name }} # app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} # app.kubernetes.io/part-of: {{ .Release.Name }}
spec: # spec:
secretStoreRef: # secretStoreRef:
kind: ClusterSecretStore # kind: ClusterSecretStore
name: vault # name: vault
data: # data:
- secretKey: type # - secretKey: type
remoteRef: # remoteRef:
conversionStrategy: Default # conversionStrategy: Default
decodingStrategy: None # decodingStrategy: None
key: /cl01tl/argocd/credentials/repo/infrastructure # key: /cl01tl/argocd/credentials/repo/infrastructure
metadataPolicy: None # metadataPolicy: None
property: type # property: type
- secretKey: url # - secretKey: url
remoteRef: # remoteRef:
conversionStrategy: Default # conversionStrategy: Default
decodingStrategy: None # decodingStrategy: None
key: /cl01tl/argocd/credentials/repo/infrastructure # key: /cl01tl/argocd/credentials/repo/infrastructure
metadataPolicy: None # metadataPolicy: None
property: url # property: url
- secretKey: sshPrivateKey # - secretKey: sshPrivateKey
remoteRef: # remoteRef:
conversionStrategy: Default # conversionStrategy: Default
decodingStrategy: None # decodingStrategy: None
key: /cl01tl/argocd/credentials/repo/infrastructure # key: /cl01tl/argocd/credentials/repo/infrastructure
metadataPolicy: None # metadataPolicy: None
property: sshPrivateKey # property: sshPrivateKey
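Review bot: Commenting out the whole `argocd-gitea-repo-infrastructure-secret` document line by line leaves a block of dead YAML in a Helm template; delete it, or wrap it in a values-gated `{{- if ... }}` block if it is meant to come back. Helm still evaluates `{{ .Release.Namespace }}` and `{{ .Release.Name }}` inside `#` comments, so the block is inert only after rendering, not during it. Dropping the ExternalSecret from the release also means the Secret carrying `sshPrivateKey` is no longer managed here and, if the operator's default owner-based cleanup applies, will be deleted, so confirm no Argo CD repository still depends on that key. The hunk starts partway through the preceding ExternalSecret.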


@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-argocd
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-argocd
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- argocd.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: argocd-server
port: 80
weight: 100
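Review bot: The `parentRefs` entry names `traefik-gateway` without a `sectionName`, so the route attaches to every listener on that Gateway that admits it, which would include a plain-HTTP listener if one exists. For the Argo CD UI and API (the backend is `argocd-server` on port 80, and the values file sets `server.insecure: true`) that would mean login traffic can be served without TLS at the edge. Pin the route with `sectionName: <https-listener-name>` under the parentRef, taking the listener name from the Gateway definition, which is not visible here. The HTTPRoute templates added for audiobookshelf, authentik and backrest in this compare use the same parentRef and want the same line.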


@@ -25,10 +25,21 @@ argo-cd:
id: authentik id: authentik
params: params:
server.insecure: true server.insecure: true
controller.diff.server.side: true
rbac: rbac:
policy.csv: | policy.csv: |
g, ArgoCD Admins, role:admin g, ArgoCD Admins, role:admin
cmp:
create: true
plugins:
cdk8s:
init:
command: [cdk8s]
args: [import]
generate:
command: [cdk8s, synth]
args: [--stdout]
discover:
fileName: "*.go"
controller: controller:
replicas: 1 replicas: 1
metrics: metrics:
@@ -65,22 +76,34 @@ argo-cd:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
httproute: ingress:
enabled: true enabled: false
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- argocd.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
repoServer: repoServer:
replicas: 2 replicas: 2
extraContainers:
- name: cmp-cdk8s
command:
- /var/run/argocd/argocd-cmp-server
image: ghcr.io/akuity/cdk8s-cmp-typescript:1.0
securityContext:
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /home/argocd/cmp-server/config/plugin.yaml
subPath: cdk8s.yaml
name: argocd-cmp-cm
- mountPath: /tmp
name: cmp-tmp
volumes:
- name: argocd-cmp-cm
configMap:
name: argocd-cmp-cm
- name: cmp-tmp
emptyDir: {}
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
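Review bot: The `cmp-cdk8s` sidecar added under `repoServer.extraContainers` pulls `ghcr.io/akuity/cdk8s-cmp-typescript:1.0` by tag only and sets nothing beyond `runAsNonRoot`/`runAsUser` in its `securityContext`. This container runs `cdk8s import` and `cdk8s synth` on repository content inside the repo-server pod, so it is the place where code from a Git repo executes. Pin the image as `image: ghcr.io/akuity/cdk8s-cmp-typescript:1.0@sha256:<digest>` and add `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, plus `readOnlyRootFilesystem: true` if the plugin tolerates it (`/tmp` is already an `emptyDir`). The plugin's `discover.fileName` is `"*.go"` while the image is the TypeScript variant, which is worth confirming against the repositories it should match. The enclosing `repoServer` block continues past the hunk.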


@@ -2,11 +2,5 @@ dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: volsync-target digest: sha256:977ed15091e9ed30d647a626214701d22f3a8a5232a900e33f753cc7e090042f
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-12-05T17:02:13.674405673Z"
version: 0.7.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
digest: sha256:75ef1406c49929e118569581946d1baaf9e082a45e3482cb10b9b9ae464eadfb
generated: "2025-12-27T13:29:36.350679-06:00"


@@ -19,14 +19,5 @@ dependencies:
alias: audiobookshelf alias: audiobookshelf
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: volsync-target
alias: volsync-target-config
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-metadata
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
# renovate: github=advplyr/audiobookshelf appVersion: 2.21.0
appVersion: 2.31.0


@@ -19,3 +19,117 @@ spec:
key: /cl01tl/audiobookshelf/apprise key: /cl01tl/audiobookshelf/apprise
metadataPolicy: None metadataPolicy: None
property: ntfy-url property: ntfy-url
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: audiobookshelf-config-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-config-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-config"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: S3_BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: access_key
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: secret_key
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: audiobookshelf-metadata-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-metadata-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/audiobookshelf/audiobookshelf-metadata"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: S3_BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: access_key
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: secret_key
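Review bot: Both new ExternalSecrets read `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from the shared `/digital-ocean/home-infra/volsync-backups` entry and `RESTIC_PASSWORD` from the shared `/cl01tl/volsync/restic/config` entry, so this namespace ends up holding credentials that are not specific to audiobookshelf. If that key pair is valid for the whole bucket and the restic password is common to all repositories, a compromise of this one workload can read or delete every other application's backups; per-application keys or buckets and a per-repository password would contain that. With `mergePolicy: Merge` the helper key `BUCKET_ENDPOINT` is also written into the resulting Secret next to the rendered `RESTIC_REPOSITORY`, which deserves a comment such as `# BUCKET_ENDPOINT is only an input to RESTIC_REPOSITORY`. The two documents differ only in the `-config`/`-metadata` suffix and could be produced by one `range`.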


@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-audiobookshelf
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-audiobookshelf
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- audiobookshelf.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: audiobookshelf
port: 80
weight: 100


@@ -1,5 +1,24 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-nfs-storage-backup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-nfs-storage-backup
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata: metadata:
name: audiobookshelf-nfs-storage name: audiobookshelf-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}


@@ -0,0 +1,52 @@
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: audiobookshelf-config-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-config-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: audiobookshelf-config
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: audiobookshelf-config-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: audiobookshelf-metadata-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-metadata-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: audiobookshelf-metadata
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: audiobookshelf-metadata-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
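Review bot: Both ReplicationSources use `schedule: 0 4 * * *`, so the config and metadata snapshots and their restic uploads start in the same minute; offset one of them, for example `schedule: "5 4 * * *"` on the metadata source. The cron strings should also be quoted, `schedule: "0 4 * * *"`, because a plain scalar built from digits and `*` breaks easily when edited (a value starting with `*` is parsed as a YAML alias). With a once-a-day trigger `retain.hourly: 1` adds little over `daily: 3` and could be dropped or explained in a comment.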


@@ -0,0 +1,19 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: audiobookshelf-apprise
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-apprise
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
endpoints:
- port: apprise
interval: 30s
scrapeTimeout: 15s
path: /metrics
selector:
matchLabels:
app.kubernetes.io/name: audiobookshelf
app.kubernetes.io/instance: {{ .Release.Name }}


@@ -9,7 +9,7 @@ audiobookshelf:
main: main:
image: image:
repository: ghcr.io/advplyr/audiobookshelf repository: ghcr.io/advplyr/audiobookshelf
tag: 2.32.1 tag: 2.31.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
@@ -21,7 +21,7 @@ audiobookshelf:
apprise-api: apprise-api:
image: image:
repository: caronc/apprise repository: caronc/apprise
tag: 1.3.0 tag: 1.2.6
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
@@ -57,43 +57,8 @@ audiobookshelf:
port: 8000 port: 8000
targetPort: 8000 targetPort: 8000
protocol: HTTP protocol: HTTP
serviceMonitor:
main:
selector:
matchLabels:
app.kubernetes.io/name: audiobookshelf
app.kubernetes.io/instance: audiobookshelf
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: apprise
scheme: http
path: /metrics
interval: 30s
scrapeTimeout: 15s
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- audiobookshelf.alexlebens.net
rules:
- backendRefs:
- group: ''
kind: Service
name: audiobookshelf
port: 80
weight: 100
matches:
- path:
type: PathPrefix
value: /
persistence: persistence:
config: config:
forceRename: audiobookshelf-config
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 2Gi size: 2Gi
@@ -104,7 +69,6 @@ audiobookshelf:
- path: /config - path: /config
readOnly: false readOnly: false
metadata: metadata:
forceRename: audiobookshelf-metadata
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 10Gi size: 10Gi
@@ -114,6 +78,13 @@ audiobookshelf:
main: main:
- path: /metadata - path: /metadata
readOnly: false readOnly: false
backup:
existingClaim: audiobookshelf-nfs-storage-backup
advancedMounts:
main:
main:
- path: /metadata/backups
readOnly: false
audiobooks: audiobooks:
existingClaim: audiobookshelf-nfs-storage existingClaim: audiobookshelf-nfs-storage
advancedMounts: advancedMounts:
@@ -121,23 +92,3 @@ audiobookshelf:
main: main:
- path: /mnt/store/ - path: /mnt/store/
readOnly: false readOnly: false
volsync-target-config:
pvcTarget: audiobookshelf-config
local:
enabled: true
schedule: 2 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 2 9 * * *
volsync-target-metadata:
pvcTarget: audiobookshelf-metadata
local:
enabled: true
schedule: 4 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 4 9 * * *


@@ -1,15 +1,12 @@
dependencies: dependencies:
- name: authentik - name: authentik
repository: https://charts.goauthentik.io/ repository: https://charts.goauthentik.io/
version: 2025.10.3 version: 2025.10.2
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.4 version: 1.23.2
- name: postgres-cluster - name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 7.4.5 version: 6.16.1
- name: redis-replication digest: sha256:e6ea05d8bdb96164bc19da117078b5101f329ad5f1b461fa02f198bef45454f3
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-12-07T02:54:01.695741198Z"
version: 0.5.0
digest: sha256:d357b0a8f4351068d9ce7223ffd01a0921202cb2b41669421b8429bc3f7778eb
generated: "2025-12-27T19:45:06.478084011Z"


@@ -21,18 +21,15 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: authentik - name: authentik
version: 2025.10.3 version: 2025.10.2
repository: https://charts.goauthentik.io/ repository: https://charts.goauthentik.io/
- name: cloudflared - name: cloudflared
alias: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.4 version: 1.23.2
- name: postgres-cluster - name: postgres-cluster
alias: postgres-18-cluster alias: postgres-17-cluster
version: 7.4.5 version: 6.16.1
repository: oci://harbor.alexlebens.net/helm-charts
- name: redis-replication
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
# renovate: github=goauthentik/authentik appVersion: 2025.4.1
appVersion: 2025.10.2


@@ -19,3 +19,93 @@ spec:
key: /cl01tl/authentik/key key: /cl01tl/authentik/key
metadataPolicy: None metadataPolicy: None
property: key property: key
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/authentik
metadataPolicy: None
property: token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-postgresql-17-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: access
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-postgresql-17-cluster-backup-secret-garage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
- secretKey: ACCESS_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_REGION


@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-authentik
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- authentik.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: authentik-server
port: 80
weight: 100


@@ -0,0 +1,32 @@
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: RedisReplication
metadata:
name: redis-replication-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-authentik
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
clusterSize: 3
podSecurityContext:
runAsUser: 1000
fsGroup: 1000
kubernetesConfig:
image: quay.io/opstree/redis:v8.0.3
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 128Mi
storage:
volumeClaimTemplate:
spec:
storageClassName: ceph-block
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
redisExporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.48.0
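Review bot: The RedisReplication spec sets no `kubernetesConfig.redisSecret`, so as far as this manifest shows the three Redis pods accept unauthenticated connections from anything that can reach the Service. If authentik uses this instance for sessions or cache, add a password under `kubernetesConfig` as `redisSecret:` with `name: <secret-name>` and `key: <key>`, sourced from an ExternalSecret like the others in this chart, and point authentik's Redis settings at the same secret. Both images are referenced by tag only (`quay.io/opstree/redis:v8.0.3`, `quay.io/opstree/redis-exporter:v1.48.0`); pinning them by digest would make the deployed content reproducible.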


@@ -0,0 +1,19 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: redis-replication-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-authentik
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
redis-operator: "true"
env: production
spec:
selector:
matchLabels:
redis_setup_type: replication
endpoints:
- port: redis-exporter
interval: 30s
scrapeTimeout: 10s


@@ -9,22 +9,22 @@ authentik:
- name: AUTHENTIK_POSTGRESQL__HOST - name: AUTHENTIK_POSTGRESQL__HOST
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: authentik-postgresql-18-cluster-app name: authentik-postgresql-17-cluster-app
key: host key: host
- name: AUTHENTIK_POSTGRESQL__NAME - name: AUTHENTIK_POSTGRESQL__NAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: authentik-postgresql-18-cluster-app name: authentik-postgresql-17-cluster-app
key: dbname key: dbname
- name: AUTHENTIK_POSTGRESQL__USER - name: AUTHENTIK_POSTGRESQL__USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: authentik-postgresql-18-cluster-app name: authentik-postgresql-17-cluster-app
key: user key: user
- name: AUTHENTIK_POSTGRESQL__PASSWORD - name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: authentik-postgresql-18-cluster-app name: authentik-postgresql-17-cluster-app
key: password key: password
authentik: authentik:
redis: redis:
@@ -36,23 +36,8 @@ authentik:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
route: ingress:
main: enabled: false
enabled: true
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
hostnames:
- authentik.alexlebens.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
httpsRedirect: false
matches:
- path:
type: PathPrefix
value: /
worker: worker:
name: worker name: worker
replicas: 1 replicas: 1
@@ -63,53 +48,61 @@ authentik:
enabled: false enabled: false
redis: redis:
enabled: false enabled: false
postgres-18-cluster: cloudflared:
existingSecretName: authentik-cloudflared-secret
postgres-17-cluster:
mode: recovery mode: recovery
cluster:
storage:
storageClass: local-path
walStorage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: true
recovery: recovery:
method: objectStore method: objectStore
objectStore: objectStore:
destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
endpointURL: http://garage-main.garage:3900
index: 1 index: 1
endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
backup: backup:
objectStore: objectStore:
- name: garage-local - name: external
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-17-cluster
index: 1 index: 1
destinationBucket: postgres-backups retentionPolicy: "30d"
externalSecretCredentialPath: /garage/home-infra/postgres-backups isWALArchiver: false
- name: garage-local
destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
index: 1
endpointURL: http://garage-main.garage:3900
endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
endpointCredentialsIncludeRegion: true
retentionPolicy: "3d"
isWALArchiver: true isWALArchiver: true
# - name: garage-remote # - name: garage-remote
# destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster
# index: 1 # index: 1
# destinationBucket: postgres-backups # endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
# externalSecretCredentialPath: /garage/home-infra/postgres-backups # endpointCredentials: authentik-postgresql-17-cluster-backup-secret-garage
# retentionPolicy: "90d" # retentionPolicy: "30d"
# data: # data:
# compression: bzip2 # compression: bzip2
# - name: external # jobs: 2
# index: 1
# endpointURL: https://nyc3.digitaloceanspaces.com
# destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# isWALArchiver: false
scheduledBackups: scheduledBackups:
- name: daily-backup
suspend: false
schedule: "0 0 0 * * *"
backupName: external
- name: live-backup - name: live-backup
suspend: false suspend: false
immediate: true immediate: true
schedule: "0 0 0 * * *" schedule: "0 0 0 * * *"
backupName: garage-local backupName: garage-local
# - name: weekly-backup # - name: weekly-backup
# suspend: true # suspend: false
# immediate: true
# schedule: "0 0 4 * * SAT" # schedule: "0 0 4 * * SAT"
# backupName: garage-remote # backupName: garage-remote
# - name: daily-backup
# suspend: true
# immediate: true
# schedule: "0 0 0 * * *"
# backupName: external
redis-replication:
existingSecret:
enabled: false
redisReplication:
clusterSize: 3
redisSentinel:
enabled: true
clusterSize: 3
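Review bot: In the `postgres-17-cluster` block, `recovery.objectStore` and the `garage-local` backup target share `destinationPath: s3://postgres-backups/cl01tl/authentik/authentik-postgresql-17-cluster` and both use `index: 1`, with `isWALArchiver: true` on the backup side. Depending on how the chart turns `index` into the server name, a cluster bootstrapped with `mode: recovery` would archive WAL into the same location it restored from. If this is a CloudNativePG cluster, as the `-cluster-app` secret naming suggests, the operator normally refuses a non-empty archive, and otherwise two timelines end up in one backup set. Give the backup side the next index (`index: 2`) or add a comment stating that the chart already separates the two. The argo-workflows values file earlier in this compare has the same pairing.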


@@ -2,11 +2,5 @@ dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: volsync-target digest: sha256:6e6f20320a485b57288a6febae1b7623076059c370f88b7fbe92460fc4047db3
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-12-05T17:02:26.599646463Z"
version: 0.7.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
digest: sha256:26680d49c76f150932d55fac070325d5ed89e635e713f37e1796f0d55775af9e
generated: "2025-12-27T13:29:41.313658-06:00"


@@ -17,14 +17,5 @@ dependencies:
alias: backrest alias: backrest
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: volsync-target
alias: volsync-target-config
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-data
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
# renovate: github=garethgeorge/backrest
appVersion: v1.10.1 appVersion: v1.10.1


@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-backrest
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-backrest
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- backrest.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: backrest
port: 80
weight: 100


@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: garage-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName


@@ -33,30 +33,8 @@ backrest:
port: 80 port: 80
targetPort: 9898 targetPort: 9898
protocol: TCP protocol: TCP
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- backrest.alexlebens.net
rules:
- backendRefs:
- group: ''
kind: Service
name: backrest
port: 80
weight: 100
matches:
- path:
type: PathPrefix
value: /
persistence: persistence:
data: data:
forceRename: backrest-data
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 10Gi size: 10Gi
@@ -67,7 +45,6 @@ backrest:
- path: /data - path: /data
readOnly: false readOnly: false
config: config:
forceRename: backrest-config
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 1Gi size: 1Gi
@@ -105,23 +82,3 @@ backrest:
main: main:
- path: /mnt/share - path: /mnt/share
readOnly: true readOnly: true
volsync-target-data:
pvcTarget: backrest-data
local:
enabled: true
schedule: 6 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 6 9 * * *
volsync-target-config:
pvcTarget: backrest-config
local:
enabled: true
schedule: 8 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 8 9 * * *


@@ -2,8 +2,5 @@ dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: volsync-target digest: sha256:54c88d51b4067dec5b22623957970b64092bf3f417fabb58277f6bc3e01eca20
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-12-05T17:02:40.843820962Z"
version: 0.7.0
digest: sha256:9d9d5e30903d7967baaf5c274e9adc8403cce32d91bdd3d1780acffb249f312d
generated: "2025-12-27T13:29:43.329783-06:00"


@@ -19,10 +19,5 @@ dependencies:
alias: bazarr alias: bazarr
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: volsync-target
alias: volsync-target-config
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
# renovate: github=linuxserver/bazarr appVersion: 1.5.2
appVersion: 1.5.3


@@ -0,0 +1,55 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: bazarr-config-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bazarr-config-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/bazarr/bazarr-config"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: S3_BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: access_key
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: secret_key
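Review bot: The last two entries read `property: access_key` and `property: secret_key` from `/digital-ocean/home-infra/volsync-backups`, while the booklore ExternalSecrets added later in this comparison read `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from the same Vault path. Unless the Vault entry carries both sets of property names, one of the two charts will fail to sync, its backup Secret will not be created, and the restic ReplicationSource that references it cannot run. The region and endpoint lookups differ in the same way (`/cl01tl/volsync/restic/config` with `S3_BUCKET_ENDPOINT` here, `/volsync/restic/digital-ocean` with `BUCKET_ENDPOINT` there). Aligning the names, for example `property: AWS_ACCESS_KEY_ID` and `property: AWS_SECRET_ACCESS_KEY` if those are the ones stored, would remove the ambiguity.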


@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-bazarr
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-bazarr
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- bazarr.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: bazarr
port: 80
weight: 100


@@ -0,0 +1,30 @@
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: bazarr-config-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bazarr-config-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: bazarr-config
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: bazarr-config-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
moverSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot


@@ -15,7 +15,7 @@ bazarr:
main: main:
image: image:
repository: ghcr.io/linuxserver/bazarr repository: ghcr.io/linuxserver/bazarr
tag: 1.5.4@sha256:f00df1c88545a23d3d22ca10f5ae5b7ee9359db1d28756b7f8a43cec624042fd tag: 1.5.3@sha256:ec11e988e8e13411c994a4d9f43ed9b97409aa92c1da54d9f23926c3da7c2032
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
@@ -36,27 +36,6 @@ bazarr:
port: 80 port: 80
targetPort: 6767 targetPort: 6767
protocol: HTTP protocol: HTTP
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- bazarr.alexlebens.net
rules:
- backendRefs:
- group: ''
kind: Service
name: bazarr
port: 80
weight: 100
matches:
- path:
type: PathPrefix
value: /
persistence: persistence:
config: config:
forceRename: bazarr-config forceRename: bazarr-config
@@ -76,18 +55,3 @@ bazarr:
main: main:
- path: /mnt/store - path: /mnt/store
readOnly: false readOnly: false
volsync-target-config:
pvcTarget: bazarr-config
moverSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
local:
enabled: true
schedule: 10 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 10 9 * * *


@@ -2,8 +2,5 @@ dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: redis-replication digest: sha256:b8516161886b87344848ad2b3bdafbd66da61ca8ffc5e9a5ebed462f205c9912
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-12-05T17:02:59.562863413Z"
version: 0.5.0
digest: sha256:a7840240d52d7c66aa2e542132e32907dd0c48d3051eb15190a209215cbd4dce
generated: "2025-12-15T20:06:31.995318697Z"


@@ -17,9 +17,5 @@ dependencies:
alias: blocky alias: blocky
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: redis-replication
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
# renovate: github=0xerr0r/blocky appVersion: v0.25
appVersion: v0.28.2


@@ -0,0 +1,32 @@
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: RedisReplication
metadata:
name: redis-replication-blocky
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-blocky
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
clusterSize: 3
podSecurityContext:
runAsUser: 1000
fsGroup: 1000
kubernetesConfig:
image: quay.io/opstree/redis:v8.0.3
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 128Mi
storage:
volumeClaimTemplate:
spec:
storageClassName: ceph-block
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
redisExporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.48.0
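Review bot: `kubernetesConfig` sets no `redisSecret`, so the three Redis pods accept unauthenticated connections, and any workload that can reach the Service can read and write the resolver's shared cache. Adding `redisSecret: {name: <secret-name>, key: <password-key>}` under `kubernetesConfig`, backed by an ExternalSecret like the other charts use, closes that; a NetworkPolicy limiting ingress to the blocky pods would be a useful second layer. Both images are referenced by mutable tag (`redis:v8.0.3`, `redis-exporter:v1.48.0`), whereas the bazarr values in this comparison pin `tag@sha256:`; pinning these by digest would keep the deployed image the one that was reviewed.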


@@ -0,0 +1,40 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: blocky
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: blocky
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: blocky
app.kubernetes.io/instance: {{ .Release.Name }}
endpoints:
- port: metrics
interval: 30s
scrapeTimeout: 10s
path: /metrics
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: redis-replication-blocky
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-blocky
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
redis-operator: "true"
env: production
spec:
selector:
matchLabels:
redis_setup_type: replication
endpoints:
- port: redis-exporter
interval: 30s
scrapeTimeout: 10s
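Review bot: The second ServiceMonitor selects only on `redis_setup_type: replication`, which is not specific to this release, so it would match every replication-type Redis Service in the namespace. The first ServiceMonitor in the file narrows by `app.kubernetes.io/name` and `app.kubernetes.io/instance`; the Redis one should likewise add a label that carries the resource name, so that a second Redis in the namespace is not scraped under this monitor's identity. The `redis-operator: "true"` and `env: production` labels are unexplained, and a short comment saying which Prometheus selector they satisfy would help.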


@@ -96,9 +96,11 @@ blocky:
cl01tl-endpoint IN A 10.232.1.22 cl01tl-endpoint IN A 10.232.1.22
cl01tl-endpoint IN A 10.232.1.23 cl01tl-endpoint IN A 10.232.1.23
cl01tl-gateway IN A 10.232.1.200
traefik-cl01tl IN A 10.232.1.21 traefik-cl01tl IN A 10.232.1.21
blocky IN A 10.232.1.22 blocky IN A 10.232.1.22
cilium-cl01tl IN A 10.232.1.23 plex-lb IN A 10.232.1.23
;; Application Names ;; Application Names
actual IN CNAME traefik-cl01tl actual IN CNAME traefik-cl01tl
@@ -113,7 +115,6 @@ blocky:
ceph IN CNAME traefik-cl01tl ceph IN CNAME traefik-cl01tl
code-server IN CNAME traefik-cl01tl code-server IN CNAME traefik-cl01tl
ephemera IN CNAME traefik-cl01tl ephemera IN CNAME traefik-cl01tl
feishin IN CNAME traefik-cl01tl
garage-s3 IN CNAME traefik-cl01tl garage-s3 IN CNAME traefik-cl01tl
garage-webui IN CNAME traefik-cl01tl garage-webui IN CNAME traefik-cl01tl
gatus IN CNAME traefik-cl01tl gatus IN CNAME traefik-cl01tl
@@ -124,23 +125,25 @@ blocky:
home IN CNAME traefik-cl01tl home IN CNAME traefik-cl01tl
home-assistant IN CNAME traefik-cl01tl home-assistant IN CNAME traefik-cl01tl
home-assistant-code-server IN CNAME traefik-cl01tl home-assistant-code-server IN CNAME traefik-cl01tl
hubble IN CNAME traefik-cl01tl hubble IN CNAME cl01tl-gateway
huntarr IN CNAME traefik-cl01tl huntarr IN CNAME traefik-cl01tl
immich IN CNAME traefik-cl01tl immich IN CNAME traefik-cl01tl
jellyfin IN CNAME traefik-cl01tl jellyfin IN CNAME traefik-cl01tl
jellystat IN CNAME traefik-cl01tl jellystat IN CNAME traefik-cl01tl
kiwix IN CNAME traefik-cl01tl kiwix IN CNAME traefik-cl01tl
komodo IN CNAME traefik-cl01tl komodo IN CNAME traefik-cl01tl
kronic IN CNAME traefik-cl01tl
lidarr IN CNAME traefik-cl01tl lidarr IN CNAME traefik-cl01tl
lidatube IN CNAME traefik-cl01tl lidatube IN CNAME traefik-cl01tl
listenarr IN CNAME traefik-cl01tl listenarr IN CNAME traefik-cl01tl
mail IN CNAME traefik-cl01tl mail IN CNAME traefik-cl01tl
navidrome IN CNAME traefik-cl01tl n8n IN CNAME traefik-cl01tl
ntfy IN CNAME traefik-cl01tl ntfy IN CNAME traefik-cl01tl
objects IN CNAME traefik-cl01tl objects IN CNAME traefik-cl01tl
ollama IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl
omni-tools IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl
overseerr IN CNAME traefik-cl01tl overseerr IN CNAME traefik-cl01tl
pgadmin IN CNAME traefik-cl01tl
photoview IN CNAME traefik-cl01tl photoview IN CNAME traefik-cl01tl
plex IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl
postiz IN CNAME traefik-cl01tl postiz IN CNAME traefik-cl01tl
@@ -153,7 +156,6 @@ blocky:
radarr-anime IN CNAME traefik-cl01tl radarr-anime IN CNAME traefik-cl01tl
radarr-standup IN CNAME traefik-cl01tl radarr-standup IN CNAME traefik-cl01tl
searxng IN CNAME traefik-cl01tl searxng IN CNAME traefik-cl01tl
seerr IN CNAME traefik-cl01tl
slskd IN CNAME traefik-cl01tl slskd IN CNAME traefik-cl01tl
sonarr IN CNAME traefik-cl01tl sonarr IN CNAME traefik-cl01tl
sonarr-4k IN CNAME traefik-cl01tl sonarr-4k IN CNAME traefik-cl01tl
@@ -165,7 +167,6 @@ blocky:
vault IN CNAME traefik-cl01tl vault IN CNAME traefik-cl01tl
whodb IN CNAME traefik-cl01tl whodb IN CNAME traefik-cl01tl
yamtrack IN CNAME traefik-cl01tl yamtrack IN CNAME traefik-cl01tl
yubal-playlist IN CNAME traefik-cl01tl
blocking: blocking:
denylists: denylists:
@@ -288,19 +289,6 @@ blocky:
port: 4000 port: 4000
targetPort: 4000 targetPort: 4000
protocol: TCP protocol: TCP
serviceMonitor:
main:
selector:
matchLabels:
app.kubernetes.io/name: blocky
app.kubernetes.io/instance: blocky
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: metrics
scheme: http
path: /metrics
interval: 30s
scrapeTimeout: 10s
persistence: persistence:
config: config:
enabled: true enabled: true
@@ -313,10 +301,3 @@ blocky:
readOnly: true readOnly: true
mountPropagation: None mountPropagation: None
subPath: config.yml subPath: config.yml
redis-replication:
existingSecret:
enabled: false
redisReplication:
clusterSize: 1
redisSentinel:
enabled: false


@@ -4,12 +4,6 @@ dependencies:
version: 4.5.0 version: 4.5.0
- name: mariadb-cluster - name: mariadb-cluster
repository: https://helm.mariadb.com/mariadb-operator repository: https://helm.mariadb.com/mariadb-operator
version: 25.10.3 version: 25.10.2
- name: volsync-target digest: sha256:58d978bd46c61285b06acc6d9a40404d8059f2df7b953dea13c528b35350d0a8
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-12-05T17:03:15.7199669Z"
version: 0.7.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
digest: sha256:805832fd8df9e1e4435dd2b10c877e0248ca5b3855d4c2faba4ff09c23afb898
generated: "2025-12-27T13:29:47.00956-06:00"


@@ -18,16 +18,7 @@ dependencies:
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: mariadb-cluster - name: mariadb-cluster
version: 25.10.3 version: 25.10.2
repository: https://helm.mariadb.com/mariadb-operator repository: https://helm.mariadb.com/mariadb-operator
- name: volsync-target
alias: volsync-target-config
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-data
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png
# renovate: github=booklore-app/BookLore appVersion: v.1.10.0
appVersion: v1.13.2


@@ -43,6 +43,234 @@ spec:
metadataPolicy: None metadataPolicy: None
property: psk.txt property: psk.txt
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-config-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-config-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-config"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/digital-ocean
metadataPolicy: None
property: BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/digital-ocean
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-data-backup-secret-local
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-secret-local
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/garage-local
metadataPolicy: None
property: BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/garage-local
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-data-backup-secret-remote
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-secret-remote
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/garage-remote
metadataPolicy: None
property: BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/garage-remote
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/volsync-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: booklore-data-backup-secret-external
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-secret-external
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/booklore/booklore-data"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/digital-ocean
metadataPolicy: None
property: BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /volsync/restic/digital-ocean
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
--- ---
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
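Review bot: All four ExternalSecrets added here copy a bucket access key and a restic password from shared-looking Vault paths (`/digital-ocean/home-infra/volsync-backups`, `/garage/home-infra/volsync-backups`, `/volsync/restic/*`) into the application namespace. If those entries are the same ones every other chart reads, which the path names suggest but the page does not show, then a compromise of this one namespace exposes the backup repositories of all applications. An access key scoped to the `booklore/` prefix and a per-application restic password would contain that; at minimum, a comment should state that the credentials are shared. The four documents differ only in name and Vault path, so a `range` over a small list in values would keep them from drifting apart. The document that follows the last `---` continues outside this hunk.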


@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-booklore
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-booklore
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- booklore.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: booklore
port: 80
weight: 100


@@ -8,6 +8,3 @@ metadata:
app.kubernetes.io/name: booklore app.kubernetes.io/name: booklore
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged


@@ -15,3 +15,115 @@ spec:
keySecret: booklore-data-replication-secret keySecret: booklore-data-replication-secret
address: volsync-rsync-tls-dst-booklore-data-replication-destination address: volsync-rsync-tls-dst-booklore-data-replication-destination
copyMethod: Snapshot copyMethod: Snapshot
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: booklore-config-backup-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-config-backup-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: booklore-config
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: booklore-config-backup-secret
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
cacheCapacity: 10Gi
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: booklore-data-backup-source-local
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-source-local
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: booklore-data
trigger:
schedule: 0 2 * * *
restic:
pruneIntervalDays: 7
repository: booklore-data-backup-secret-local
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
cacheCapacity: 10Gi
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: booklore-data-backup-source-remote
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-source-remote
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: booklore-data
trigger:
schedule: 0 3 * * *
restic:
pruneIntervalDays: 7
repository: booklore-data-backup-secret-remote
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
cacheCapacity: 10Gi
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: booklore-data-backup-source-external
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-backup-source-external
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: booklore-data
trigger:
schedule: 0 4 * * *
restic:
pruneIntervalDays: 7
repository: booklore-data-backup-secret-external
retain:
hourly: 1
daily: 3
weekly: 2
monthly: 2
yearly: 4
copyMethod: Snapshot
storageClassName: ceph-block
volumeSnapshotClassName: ceph-blockpool-snapshot
cacheCapacity: 10Gi
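Review bot: None of the four restic ReplicationSources added here sets `moverSecurityContext`, while the bazarr source in this comparison sets `runAsUser`, `runAsGroup`, `fsGroup` and `fsGroupChangePolicy`. If the booklore volumes are owned by a non-default uid (not visible here), the mover may be unable to read some files and the snapshot would be incomplete without the schedule itself failing. Adding the same four-key `moverSecurityContext` block under each `restic:` with the uid and gid the application runs as would make the mover's identity explicit. `booklore-config-backup-source` and `booklore-data-backup-source-external` also share the `0 4 * * *` schedule, so two snapshot-and-upload jobs start at the same minute; staggering them would be kinder to the storage backend.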


@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: garage-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName


@@ -9,7 +9,7 @@ booklore:
main: main:
image: image:
repository: ghcr.io/booklore-app/booklore repository: ghcr.io/booklore-app/booklore
tag: v1.16.4 tag: v1.13.2
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
@@ -39,30 +39,8 @@ booklore:
port: 80 port: 80
targetPort: 6060 targetPort: 6060
protocol: HTTP protocol: HTTP
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- booklore.alexlebens.net
rules:
- backendRefs:
- group: ''
kind: Service
name: booklore
port: 80
weight: 100
matches:
- path:
type: PathPrefix
value: /
persistence: persistence:
config: config:
forceRename: booklore-config
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 5Gi size: 5Gi
@@ -73,7 +51,6 @@ booklore:
- path: /app/data - path: /app/data
readOnly: false readOnly: false
data: data:
forceRename: booklore-data
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 10Gi size: 10Gi
@@ -108,21 +85,6 @@ mariadb-cluster:
replicas: 3 replicas: 3
galera: galera:
enabled: true enabled: true
bootstrapFrom:
s3:
bucket: mariadb-backups-b230a2f5aecf080a4b372c08
prefix: cl01tl/booklore
endpoint: nyc3.digitaloceanspaces.com
region: us-east-1
accessKeyIdSecretKeyRef:
name: booklore-mariadb-cluster-backup-secret-external
key: access
secretAccessKeySecretKeyRef:
name: booklore-mariadb-cluster-backup-secret-external
key: secret
tls:
enabled: true
backupContentType: Physical
databases: databases:
- name: booklore - name: booklore
characterSet: utf8 characterSet: utf8
@@ -157,8 +119,7 @@ mariadb-cluster:
suspend: false suspend: false
immediate: true immediate: true
compression: gzip compression: gzip
maxRetention: 2160h maxRetention: 720h
successfulJobsHistoryLimit: 1
storage: storage:
s3: s3:
bucket: mariadb-backups-b230a2f5aecf080a4b372c08 bucket: mariadb-backups-b230a2f5aecf080a4b372c08
@@ -173,28 +134,6 @@ mariadb-cluster:
key: secret key: secret
tls: tls:
enabled: true enabled: true
- name: backup-remote
schedule:
cron: "0 0 * * 0"
suspend: false
immediate: true
compression: gzip
maxRetention: 2160h
successfulJobsHistoryLimit: 1
storage:
s3:
bucket: mariadb-backups
prefix: cl01tl/booklore
endpoint: garage-ps10rp.boreal-beaufort.ts.net:3900
region: us-east-1
accessKeyIdSecretKeyRef:
name: booklore-mariadb-cluster-backup-secret-garage
key: access
secretAccessKeySecretKeyRef:
name: booklore-mariadb-cluster-backup-secret-garage
key: secret
tls:
enabled: true
- name: backup-garage - name: backup-garage
schedule: schedule:
cron: "0 0 * * *" cron: "0 0 * * *"
@@ -202,7 +141,6 @@ mariadb-cluster:
immediate: true immediate: true
compression: gzip compression: gzip
maxRetention: 360h maxRetention: 360h
successfulJobsHistoryLimit: 1
storage: storage:
s3: s3:
bucket: mariadb-backups bucket: mariadb-backups
@@ -215,30 +153,3 @@ mariadb-cluster:
secretAccessKeySecretKeyRef: secretAccessKeySecretKeyRef:
name: booklore-mariadb-cluster-backup-secret-garage name: booklore-mariadb-cluster-backup-secret-garage
key: secret key: secret
volsync-target-config:
pvcTarget: booklore-config
local:
enabled: true
schedule: 12 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 12 9 * * *
volsync-target-data:
pvcTarget: booklore-data
local:
enabled: true
schedule: 14 8 * * *
restic:
cacheCapacity: 10Gi
remote:
enabled: true
schedule: 14 10 * * *
restic:
cacheCapacity: 10Gi
external:
enabled: true
schedule: 14 9 * * *
restic:
cacheCapacity: 10Gi
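Review bot: In the first hunk the application image is referenced as `tag: v1.13.2` with no digest, whereas the bazarr values in this comparison use the `tag@sha256:` form. A tag can be re-pointed upstream, and with `pullPolicy: IfNotPresent` different nodes may end up running different content under the same tag. Writing it as `tag: v1.13.2@sha256:<digest of the reviewed image>` pins what is deployed and still lets Renovate propose updates. The `mariadb-cluster` backup entries in the later hunks begin outside the visible context, so their TLS settings could not be checked from here.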


@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: cert-manager - name: cert-manager
repository: https://charts.jetstack.io repository: https://charts.jetstack.io
version: v1.19.2 version: v1.19.1
digest: sha256:b02bda9b9f2fc886af11d017a27a5761513defee603f9e3aa1d7add2749b925c digest: sha256:0b1238a5552bc6d457d4b1a2a1f387a3e7f2c19f820ecb64e14d20481a1ed1ce
generated: "2025-12-10T15:01:57.196895547Z" generated: "2025-12-01T20:25:17.762628-06:00"


@@ -14,8 +14,7 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: cert-manager - name: cert-manager
version: v1.19.2 version: v1.19.1
repository: https://charts.jetstack.io repository: https://charts.jetstack.io
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/cert-manager.png icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/cert-manager.png
# renovate: github=cert-manager/cert-manager appVersion: v1.17.2
appVersion: v1.19.2


@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: cilium - name: cilium
repository: https://helm.cilium.io/ repository: https://helm.cilium.io/
version: 1.18.5 version: 1.18.4
digest: sha256:b997853961dca1ed43d32b58b17e6e592581eb555db0b1457b168251cf3aaa45 digest: sha256:e38eb92ee87c9a52b0f45a2451142ade02bac7d484b246d32379eacce3800bc8
generated: "2025-12-17T16:05:05.870297681Z" generated: "2025-12-02T17:17:49.043599-06:00"


@@ -15,8 +15,7 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: cilium - name: cilium
version: 1.18.5 version: 1.18.4
repository: https://helm.cilium.io/ repository: https://helm.cilium.io/
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png
# renovate: github=cilium/cilium appVersion: 1.17.3
appVersion: 1.18.4


@@ -1,19 +0,0 @@
# apiVersion: "cilium.io/v2alpha1"
# kind: CiliumL2AnnouncementPolicy
# metadata:
# name: general-l2-policy
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: general-l2-policy
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# nodeSelector:
# matchExpressions:
# - key: kubernetes.io/hostname
# operator: Exists
# interfaces:
# - end0
# - enp6s0
# externalIPs: true
# loadBalancerIPs: true


@@ -1,7 +1,7 @@
# apiVersion: gateway.networking.k8s.io/v1 # apiVersion: gateway.networking.k8s.io/v1
# kind: Gateway # kind: Gateway
# metadata: # metadata:
# name: cilium-tls-gateway # name: tls-gateway
# namespace: {{ .Release.Namespace }} # namespace: {{ .Release.Namespace }}
# labels: # labels:
# app.kubernetes.io/name: tls-gateway # app.kubernetes.io/name: tls-gateway


@@ -1,10 +1,10 @@
apiVersion: gateway.networking.k8s.io/v1 apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute kind: HTTPRoute
metadata: metadata:
name: hubble name: http-route-hubble
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: hubble app.kubernetes.io/name: http-route-hubble
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:


@@ -55,12 +55,9 @@ cilium:
metrics: metrics:
serviceMonitor: serviceMonitor:
enabled: true enabled: true
tls:
auto:
method: cronJob
relay: relay:
enabled: true enabled: true
prometheus: metrics:
serviceMonitor: serviceMonitor:
enabled: true enabled: true
ui: ui:
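Review bot: Under `relay:` the new side uses `metrics:` as the parent of `serviceMonitor`, but as far as I know the Cilium chart reads the relay's monitor from `relay.prometheus.serviceMonitor`; Helm ignores an unknown key silently, so the relay would lose its ServiceMonitor with no error. The line should stay `prometheus:`. The new side also drops `tls.auto.method: cronJob`, which leaves Hubble certificate generation on the chart default; if that default only renews on a Helm upgrade, the certificates can expire between upgrades, so the chosen method should be stated explicitly. The enclosing `hubble:` block starts outside this hunk.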


@@ -1,9 +1,9 @@
dependencies: dependencies:
- name: cloudnative-pg - name: cloudnative-pg
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
version: 0.27.0 version: 0.26.1
- name: plugin-barman-cloud - name: plugin-barman-cloud
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
version: 0.4.0 version: 0.3.1
digest: sha256:5e2a32fa5ed8b180ae5e556d65c67eeb3dcf38e2974b0d668eff4ee3c83258ce digest: sha256:b38e5104d77ab1737a27a2542eda958e82038443940f07b7c2cbe3b0a477e1e6
generated: "2025-12-30T21:01:48.755246408Z" generated: "2025-12-01T20:25:20.341325-06:00"


@@ -16,11 +16,10 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: cloudnative-pg - name: cloudnative-pg
version: 0.27.0 version: 0.26.1
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
- name: plugin-barman-cloud - name: plugin-barman-cloud
version: 0.4.0 version: 0.3.1
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
icon: https://avatars.githubusercontent.com/u/100373852?s=200&v=4 icon: https://avatars.githubusercontent.com/u/100373852?s=200&v=4
# renovate: github=cloudnative-pg/cloudnative-pg appVersion: 1.26.0
appVersion: 1.28.0


@@ -7,10 +7,10 @@ plugin-barman-cloud:
image: image:
registry: ghcr.io registry: ghcr.io
repository: cloudnative-pg/plugin-barman-cloud repository: cloudnative-pg/plugin-barman-cloud
tag: v0.10.0 tag: v0.9.0
sidecarImage: sidecarImage:
registry: ghcr.io registry: ghcr.io
repository: cloudnative-pg/plugin-barman-cloud-sidecar repository: cloudnative-pg/plugin-barman-cloud-sidecar
tag: v0.10.0 tag: v0.9.0
crds: crds:
create: true create: true


@@ -4,9 +4,6 @@ dependencies:
version: 4.5.0 version: 4.5.0
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.4 version: 1.23.2
- name: volsync-target digest: sha256:3cf78630cd7670e1157a87fc7ccbeca248ef4ced8a3170e69140ea3e1b0ff564
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-12-07T02:54:11.675097664Z"
version: 0.7.0
digest: sha256:1deedc65dece8540fd850648bf533da244f9ac8ba48f2133f1f6cac083f5953d
generated: "2025-12-27T13:29:58.860038-06:00"


@@ -21,12 +21,8 @@ dependencies:
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: cloudflared - name: cloudflared
alias: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.4 version: 1.23.2
- name: volsync-target
alias: volsync-target-config
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
# renovate: github=coder/code-server appVersion: 4.100.2
appVersion: 4.106.3


@@ -26,3 +26,26 @@ spec:
key: /cl01tl/code-server/auth key: /cl01tl/code-server/auth
metadataPolicy: None metadataPolicy: None
property: SUDO_PASSWORD property: SUDO_PASSWORD
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: code-server-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: code-server-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/codeserver
metadataPolicy: None
property: token


@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-code-server
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-code-server
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- code-server.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: code-server
port: 8443
weight: 100
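Review bot: The `parentRefs` entry names `traefik-gateway` without a `sectionName`, so the route attaches to every listener on that Gateway that admits it, including a plain-HTTP listener if one is defined. code-server serves an interactive shell and editor, so bind the route to the TLS listener only by adding `sectionName: <https-listener-name>` under the parentRef (placeholder; the Gateway's listener names are not on this page). The single rule also carries no filter, so access control rests entirely on code-server's own login; confirm that is intended for a host published as `code-server.alexlebens.net`.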


@@ -0,0 +1,17 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: code-server-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: code-server-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi


@@ -9,7 +9,7 @@ code-server:
main: main:
image: image:
repository: ghcr.io/linuxserver/code-server repository: ghcr.io/linuxserver/code-server
tag: 4.107.0@sha256:e2ebedc28ab9e2ebe08093cf7e78515f97822956ff7cbac3d86fb0bd9e4b6bca tag: 4.106.3@sha256:aab9520fe923b2d93dccc2c806f3dc60649c2f4a2847fcd40c942227d0f1ae8f
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
@@ -35,51 +35,13 @@ code-server:
port: 8443 port: 8443
targetPort: 8443 targetPort: 8443
protocol: HTTP protocol: HTTP
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- code-server.alexlebens.net
rules:
- backendRefs:
- group: ''
kind: Service
name: code-server
port: 8443
weight: 100
matches:
- path:
type: PathPrefix
value: /
persistence: persistence:
config: config:
forceRename: code-server-config existingClaim: code-server-nfs-storage
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 2Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
- path: /config - path: /config
readOnly: false readOnly: false
volsync-target-config: cloudflared:
pvcTarget: code-server-config existingSecretName: code-server-cloudflared-secret
moverSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
local:
enabled: true
schedule: 16 8 * * *
remote:
enabled: false
external:
enabled: true
schedule: 16 9 * * *
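Review bot: The new side points `/config` at `existingClaim: code-server-nfs-storage` and drops the whole `volsync-target-config` block, so nothing in these values schedules a backup of the workspace volume any more. If backups are handled elsewhere, say so in a comment next to `existingClaim`; otherwise keep a backup schedule for the claim. The first hunk also moves the image to `4.106.3@sha256:…`, an older release than the one it replaces. The digest pin is good practice, but confirm the rollback is deliberate, since it gives up whatever fixes 4.107.0 carried. The `code-server:` mapping starts outside both hunks.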


@@ -18,5 +18,4 @@ dependencies:
version: 1.45.0 version: 1.45.0
repository: https://coredns.github.io/helm repository: https://coredns.github.io/helm
icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/coredns.png icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/coredns.png
# renovate: github=coredns/coredns appVersion: v1.12.1
appVersion: v1.13.2


@@ -1,7 +1,7 @@
coredns: coredns:
image: image:
repository: registry.k8s.io/coredns/coredns repository: registry.k8s.io/coredns/coredns
tag: v1.13.2 tag: v1.13.1
replicaCount: 3 replicaCount: 3
resources: resources:
requests: requests:


@@ -17,5 +17,4 @@ dependencies:
repository: https://democratic-csi.github.io/charts/ repository: https://democratic-csi.github.io/charts/
version: 0.15.0 version: 0.15.0
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
# renovate: github=democratic-csi/democratic-csi
appVersion: v1.9.4 appVersion: v1.9.4


@@ -17,5 +17,4 @@ dependencies:
version: 0.34.0 version: 0.34.0
repository: https://kubernetes-sigs.github.io/descheduler/ repository: https://kubernetes-sigs.github.io/descheduler/
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
# renovate: github=kubernetes-sigs/descheduler appVersion: 0.33.0
appVersion: 0.34.0


@@ -4,12 +4,9 @@ dependencies:
version: 4.5.0 version: 4.5.0
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.4 version: 1.23.2
- name: postgres-cluster - name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 7.4.5 version: 6.16.1
- name: redis-replication digest: sha256:73ab37385c3d0ec2db83a3640bc03b08ddd06fd015e1b7138e49bc8c3be9382e
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-12-07T02:54:20.639142398Z"
version: 0.5.0
digest: sha256:dcfd66bcdcc888dee6ee427265ac1ca32dd542571e84fbd5adc65a76ec5a6955
generated: "2025-12-27T19:45:16.762640684Z"


@@ -22,15 +22,12 @@ dependencies:
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: cloudflared - name: cloudflared
alias: cloudflared-directus
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.4 version: 1.23.2
- name: postgres-cluster - name: postgres-cluster
alias: postgres-18-cluster alias: postgres-17-cluster
version: 7.4.5 version: 6.16.1
repository: oci://harbor.alexlebens.net/helm-charts
- name: redis-replication
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
# renovate: github=directus/directus appVersion: 11.7.2
appVersion: 11.14.0


@@ -41,36 +41,6 @@ spec:
metadataPolicy: None metadataPolicy: None
property: key property: key
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/directus
metadataPolicy: None
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/directus
metadataPolicy: None
property: secret
--- ---
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
@@ -123,3 +93,153 @@ spec:
key: /cl01tl/directus/redis key: /cl01tl/directus/redis
metadataPolicy: None metadataPolicy: None
property: password property: password
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/directus
metadataPolicy: None
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/directus
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/directus
metadataPolicy: None
property: token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-postgresql-17-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: access
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/postgres-backups
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-postgresql-17-cluster-backup-secret-weekly
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret-weekly
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-postgresql-17-cluster-backup-secret-garage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-postgresql-17-cluster-backup-secret-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
- secretKey: ACCESS_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/postgres-backups
metadataPolicy: None
property: ACCESS_REGION
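Review bot: `directus-postgresql-17-cluster-backup-secret-weekly` and `directus-postgresql-17-cluster-backup-secret-garage` both read `/garage/home-infra/postgres-backups`, and the third backup secret reads `/digital-ocean/home-infra/postgres-backups`; none of these Vault paths is specific to directus. If the same keys are materialised in every application's namespace, anyone who can read Secrets in one namespace can read or delete the other clusters' backups in the shared bucket. A per-application key and bucket would contain that. Drop the `-weekly` secret if nothing references it, since it duplicates `-garage` minus `ACCESS_REGION`. None of the added ExternalSecrets sets `refreshInterval`, so how quickly a rotated key reaches the cluster is left to the operator default.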


@@ -0,0 +1,35 @@
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: RedisReplication
metadata:
name: redis-replication-directus
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-directus
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
clusterSize: 3
podSecurityContext:
runAsUser: 1000
fsGroup: 1000
kubernetesConfig:
image: quay.io/opstree/redis:v8.2.1
imagePullPolicy: IfNotPresent
redisSecret:
name: directus-redis-config
key: password
resources:
requests:
cpu: 50m
memory: 128Mi
storage:
volumeClaimTemplate:
spec:
storageClassName: ceph-block
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
redisExporter:
enabled: true
image: quay.io/opstree/redis-exporter:v1.76.0
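Review bot: Both images are referenced by mutable tag (`quay.io/opstree/redis:v8.2.1`, `quay.io/opstree/redis-exporter:v1.76.0`) with `imagePullPolicy: IfNotPresent`, so nodes can end up running different content under the same tag and a re-pushed tag is picked up silently. Pin them by digest the way the code-server values in this same change do, e.g. `image: quay.io/opstree/redis:v8.2.1@sha256:<digest>` (placeholder). The same applies to `quay.io/opstree/redis-sentinel:v7.0.15` in the RedisSentinel manifest that follows, which is also a major version behind the Redis image it monitors; confirm that pairing is supported. `podSecurityContext` sets only `runAsUser` and `fsGroup`; adding `runAsNonRoot: true` would enforce the non-root intent rather than imply it.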


@@ -0,0 +1,30 @@
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: RedisSentinel
metadata:
name: redis-sentinel-directus
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-sentinel-directus
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
clusterSize: 3
podSecurityContext:
runAsUser: 1000
fsGroup: 1000
redisSentinelConfig:
redisReplicationName: redis-replication-directus
redisReplicationPassword:
secretKeyRef:
name: directus-redis-config
key: password
kubernetesConfig:
image: quay.io/opstree/redis-sentinel:v7.0.15
imagePullPolicy: IfNotPresent
redisSecret:
name: directus-redis-config
key: password
resources:
requests:
cpu: 10m
memory: 128Mi


@@ -0,0 +1,43 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: directus
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: directus
app.kubernetes.io/instance: {{ .Release.Name }}
endpoints:
- port: http
interval: 30s
scrapeTimeout: 15s
path: /metrics
bearerTokenSecret:
name: directus-metric-token
key: metric-token
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: redis-replication-directus
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: redis-replication-directus
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
redis-operator: "true"
env: production
spec:
selector:
matchLabels:
redis_setup_type: replication
endpoints:
- port: redis-exporter
interval: 30s
scrapeTimeout: 10s
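Review bot: The second ServiceMonitor, `redis-replication-directus`, selects on `redis_setup_type: replication` alone, so it will scrape every Redis replication Service in the namespace rather than only this release's. Add a label that identifies this instance to `matchLabels` (whichever label the operator stamps with the RedisReplication name; it is not shown on this page). On the first monitor, `bearerTokenSecret` is marked deprecated in the prometheus-operator API in favour of `authorization`. With no `scheme` set, the metric token is sent over plain HTTP, which deserves a comment if that is intended.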


@@ -9,7 +9,7 @@ directus:
main: main:
image: image:
repository: directus/directus repository: directus/directus
tag: 11.14.0 tag: 11.13.4
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: PUBLIC_URL - name: PUBLIC_URL
@@ -41,27 +41,27 @@ directus:
- name: DB_HOST - name: DB_HOST
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: directus-postgresql-18-cluster-app name: directus-postgresql-17-cluster-app
key: host key: host
- name: DB_DATABASE - name: DB_DATABASE
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: directus-postgresql-18-cluster-app name: directus-postgresql-17-cluster-app
key: dbname key: dbname
- name: DB_PORT - name: DB_PORT
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: directus-postgresql-18-cluster-app name: directus-postgresql-17-cluster-app
key: port key: port
- name: DB_USER - name: DB_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: directus-postgresql-18-cluster-app name: directus-postgresql-17-cluster-app
key: user key: user
- name: DB_PASSWORD - name: DB_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: directus-postgresql-18-cluster-app name: directus-postgresql-17-cluster-app
key: password key: password
- name: SYNCHRONIZATION_STORE - name: SYNCHRONIZATION_STORE
value: redis value: redis
@@ -153,70 +153,62 @@ directus:
port: 80 port: 80
targetPort: 8055 targetPort: 8055
protocol: TCP protocol: TCP
serviceMonitor: cloudflared-directus:
main: name: cloudflared-directus
selector: existingSecretName: directus-cloudflared-secret
matchLabels: postgres-17-cluster:
app.kubernetes.io/name: directus
app.kubernetes.io/instance: directus
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: http
interval: 30s
scrapeTimeout: 15s
path: /metrics
bearerTokenSecret:
name: directus-metric-token
key: metric-token
postgres-18-cluster:
mode: recovery mode: recovery
cluster:
storage:
storageClass: local-path
walStorage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: true
recovery: recovery:
method: objectStore method: objectStore
objectStore: objectStore:
destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-17-cluster
endpointURL: http://garage-main.garage:3900
index: 1 index: 1
endpointCredentials: directus-postgresql-17-cluster-backup-secret-garage
backup: backup:
objectStore: objectStore:
- name: garage-local - name: external
destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/directus/directus-postgresql-17-cluster
index: 1 index: 1
destinationBucket: postgres-backups retentionPolicy: "30d"
externalSecretCredentialPath: /garage/home-infra/postgres-backups isWALArchiver: false
- name: garage-local
destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-17-cluster
index: 1
endpointURL: http://garage-main.garage:3900
endpointCredentials: directus-postgresql-17-cluster-backup-secret-garage
endpointCredentialsIncludeRegion: true
retentionPolicy: "3d"
isWALArchiver: true isWALArchiver: true
# - name: garage-remote # - name: garage-remote
# destinationPath: s3://postgres-backups/cl01tl/directus/directus-postgresql-17-cluster
# index: 1 # index: 1
# destinationBucket: postgres-backups # endpointURL: https://garage-ps10rp.boreal-beaufort.ts.net:3900
# externalSecretCredentialPath: /garage/home-infra/postgres-backups # endpointCredentials: directus-postgresql-17-cluster-backup-secret-garage
# retentionPolicy: "90d" # retentionPolicy: "30d"
# data: # data:
# compression: bzip2 # compression: bzip2
# - name: external # jobs: 2
# index: 1
# endpointURL: https://nyc3.digitaloceanspaces.com
# destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# isWALArchiver: false
scheduledBackups: scheduledBackups:
- name: daily-backup
suspend: false
schedule: "0 0 0 * * *"
backupName: external
- name: live-backup - name: live-backup
suspend: false suspend: false
immediate: true immediate: true
schedule: "0 0 0 * * *" schedule: "0 0 0 * * *"
backupName: garage-local backupName: garage-local
# - name: weekly-backup # - name: weekly-backup
# suspend: true # suspend: false
# immediate: true
# schedule: "0 0 4 * * SAT" # schedule: "0 0 4 * * SAT"
# backupName: garage-remote # backupName: garage-remote
# - name: daily-backup
# suspend: true
# immediate: true
# schedule: "0 0 0 * * *"
# backupName: external
redis-replication:
existingSecret:
enabled: true
name: directus-redis-config
key: password
redisReplication:
clusterSize: 3
redisSentinel:
enabled: true
clusterSize: 3
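Review bot: The recovery source and the `garage-local` backup target both use `endpointURL: http://garage-main.garage:3900`, so base backups and the WAL stream (`isWALArchiver: true`) cross the cluster network unencrypted. Nothing in the hunk shows the backups being encrypted before upload either. Use an HTTPS endpoint if Garage exposes one, or add a comment next to `endpointURL` stating that in-cluster plaintext is accepted and why. The `postgres-17-cluster:` mapping continues beyond what the hunk shows.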


@@ -18,5 +18,4 @@ dependencies:
version: 3.2.0 version: 3.2.0
repository: https://helm.elastic.co repository: https://helm.elastic.co
icon: https://helm.elastic.co/icons/eck.png icon: https://helm.elastic.co/icons/eck.png
# renovate: github=elastic/cloud-on-k8s appVersion: 1.26.0
appVersion: v3.2.0


@@ -4,6 +4,6 @@ dependencies:
version: 1.4.26 version: 1.4.26
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.4 version: 1.23.2
digest: sha256:640ff55a95ff9fd12716bc76106d13189867832f905eaa393b5f67553bd8c961 digest: sha256:f9196cbede894c6da6ecedd9ae05d3f1fd0e20304eca8ca38c18334a923b2235
generated: "2025-12-17T19:05:53.062353-06:00" generated: "2025-12-07T02:54:29.895481505Z"


@@ -20,8 +20,8 @@ dependencies:
version: 1.4.26 version: 1.4.26
repository: https://ananace.gitlab.io/charts repository: https://ananace.gitlab.io/charts
- name: cloudflared - name: cloudflared
alias: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.1.4 version: 1.23.2
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
# renovate: github=element-hq/element-web appVersion: v1.11.100
appVersion: v1.12.6


@@ -0,0 +1,21 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: element-web-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: element-web-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/element
metadataPolicy: None
property: token


@@ -2,7 +2,7 @@ element-web:
replicaCount: 1 replicaCount: 1
image: image:
repository: vectorim/element-web repository: vectorim/element-web
tag: v1.12.7 tag: v1.12.6
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
defaultServer: defaultServer:
url: https://matrix.alexlebens.dev url: https://matrix.alexlebens.dev
@@ -24,3 +24,5 @@ element-web:
requests: requests:
cpu: 10m cpu: 10m
memory: 128Mi memory: 128Mi
cloudflared:
existingSecretName: element-web-cloudflared-secret


@@ -2,8 +2,5 @@ dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: volsync-target digest: sha256:b08b2d3923734ba8844754727803a4b4e1de2ad418c3f755ccd64927266c1b5c
repository: oci://harbor.alexlebens.net/helm-charts generated: "2025-12-05T17:04:04.30013278Z"
version: 0.7.0
digest: sha256:3b32ded75846bcee3e9fb892663173485da0dcd351ccc3a0337432f5d2da2e66
generated: "2025-12-27T13:30:15.119299-06:00"


@@ -19,10 +19,5 @@ dependencies:
alias: ephemera alias: ephemera
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0 version: 4.5.0
- name: volsync-target
alias: volsync-target-config
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ephemera.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ephemera.png
# renovate: github=OrwellianEpilogue/ephemera
appVersion: 1.3.1 appVersion: 1.3.1


@@ -42,3 +42,60 @@ spec:
key: /cl01tl/ephemera/config key: /cl01tl/ephemera/config
metadataPolicy: None metadataPolicy: None
property: ntfy-url property: ntfy-url
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: ephemera-config-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: ephemera-config-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/ephemera/ephemera-config"
data:
- secretKey: BUCKET_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: S3_BUCKET_ENDPOINT
- secretKey: RESTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: RESTIC_PASSWORD
- secretKey: AWS_DEFAULT_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/volsync/restic/config
metadataPolicy: None
property: AWS_DEFAULT_REGION
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: access_key
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/volsync-backups
metadataPolicy: None
property: secret_key
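Review bot: `RESTIC_PASSWORD` and the bucket endpoint come from `/cl01tl/volsync/restic/config`, and the S3 keys from `/digital-ocean/home-infra/volsync-backups`; neither path is specific to ephemera. If other applications read the same entries, the Secret in any one namespace is enough to decrypt and overwrite every application's restic repository. A per-application restic password, and where the provider allows it a key limited to this repository, would keep the exposure to `ephemera/ephemera-config`. The document that this hunk appends to starts outside the hunk.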
