alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 4 Actions Activity

Compare commits

base: alexlebens:main
Branches Tags
alexlebens:main alexlebens:renovate/unified-backrest alexlebens:renovate/unified-gitea alexlebens:renovate/unified-talosctl alexlebens:renovate/unified-cilium alexlebens:manifests
..
compare: alexlebens:db241971ccdc44b6a1664bf57bd81f1c5ef9d354
Branches Tags
alexlebens:renovate/unified-backrest alexlebens:renovate/unified-gitea alexlebens:renovate/unified-talosctl alexlebens:renovate/unified-cilium alexlebens:main alexlebens:manifests

1 Commits
main ... db241971cc

Author SHA1 Message Date
Renovate Bot
db241971cc chore(deps): update ghcr.io/caronc/apprise docker tag to v1.4.1
Some checks are pending
renovate/stability-days Updates have not met minimum release age requirement
Details
lint-test-helm / lint-helm (pull_request) Successful in 55s
Details
lint-test-helm / validate-kubeconform (pull_request) Successful in 39s
Details
2026-05-03 01:24:03 +00:00
43 changed files with 813 additions and 56 deletions
Expand all files Collapse all files

2
.gitea/workflows/renovate.yaml
View File

@@ -13,7 +13,7 @@ on:
jobs:
renovate:
runs-on: ubuntu-js
container: ghcr.io/renovatebot/renovate:43.160.7@sha256:fe98b7377d30a9e928f16df9453c2108856a27bc37c9dc0b260ba26f46011acc
container: ghcr.io/renovatebot/renovate:43.160.4@sha256:00185c0d63462acec8331cc9a94dcd74a763f2765fca0edcc3ff568af1dc8104
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

2
clusters/cl01tl/helm/actual/Chart.yaml
View File

@@ -24,4 +24,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
# renovate: datasource=github-releases depName=actualbudget/actual
appVersion: 26.5.0
appVersion: 26.4.0

2
clusters/cl01tl/helm/actual/values.yaml
View File

@@ -8,7 +8,7 @@ actual:
main:
image:
repository: ghcr.io/actualbudget/actual
tag: 26.5.0@sha256:b733ae30c70a66dc4d03577526e53575a0c04eab4f3ab6ace30934776251058c
tag: 26.4.0@sha256:b0e732e2c41b3dc468a71548e88ef76d3f0c157fc43d15fa05d14ec1c5747e1e
env:
- name: ACTUAL_PORT
value: 5006

2
clusters/cl01tl/helm/argocd/values.yaml
View File

@@ -103,7 +103,7 @@ argo-cd:
enabled: true
image:
repository: haproxy
tag: 3.3.8-alpine@sha256:10690acb357180d5214c6fce59e2cefded6cc72b0f7e3febb323fea95b27e349
tag: 3.3.7-alpine@sha256:2afa53c856e4e9fcc7dfb35b807fcb189896d7e62b38d363f9bedea92bce7f9a
resources:
requests:
cpu: 5m

3
clusters/cl01tl/helm/blocky/values.yaml
View File

@@ -134,7 +134,7 @@ blocky:
komodo IN CNAME traefik-cl01tl
languagetool IN CNAME traefik-cl01tl
lidarr IN CNAME traefik-cl01tl
loki IN CNAME traefik-cl01tl
mail IN CNAME traefik-cl01tl
medialyze IN CNAME traefik-cl01tl
music-grabber IN CNAME traefik-cl01tl
navidrome IN CNAME traefik-cl01tl
@@ -162,6 +162,7 @@ blocky:
sonarr-4k IN CNAME traefik-cl01tl
sonarr-anime IN CNAME traefik-cl01tl
sparkyfitness IN CNAME traefik-cl01tl
stalwart IN CNAME traefik-cl01tl
tdarr IN CNAME traefik-cl01tl
tubearchivist IN CNAME traefik-cl01tl
vault IN CNAME traefik-cl01tl

4
clusters/cl01tl/helm/coredns/values.yaml
View File

@@ -1,7 +1,7 @@
coredns:
image:
repository: coredns/coredns
tag: 1.14.3@sha256:b21d26b915e10acb5bc78715c1e8b6047ab2675389b2bcc18b3a6499d90e74c0
repository: registry.k8s.io/coredns/coredns
tag: v1.14.2@sha256:e7e6440cfd1e919280958f5b5a6ab2b184d385bba774c12ad2a9e1e4183f90d9
replicaCount: 3
resources:
limits:

2
clusters/cl01tl/helm/dawarich/Chart.yaml
View File

@@ -42,4 +42,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
# renovate: datasource=github-releases depName=Freika/dawarich
appVersion: 1.7.5
appVersion: 1.7.3

4
clusters/cl01tl/helm/dawarich/values.yaml
View File

@@ -8,7 +8,7 @@ dawarich:
main:
image:
repository: freikin/dawarich
tag: 1.7.5@sha256:dceef4bf7bd5e6a842d61cdd2a82440a0db34f70dc766e02b0b3b212e13b4ba6
tag: 1.7.3@sha256:519ea4152381a3f58ae42859f530f5a433073e3f48f196fac3533432642b72b2
command:
- "web-entrypoint.sh"
args:
@@ -126,7 +126,7 @@ dawarich:
sidekiq:
image:
repository: freikin/dawarich
tag: 1.7.5@sha256:dceef4bf7bd5e6a842d61cdd2a82440a0db34f70dc766e02b0b3b212e13b4ba6
tag: 1.7.3@sha256:519ea4152381a3f58ae42859f530f5a433073e3f48f196fac3533432642b72b2
command:
- "sidekiq-entrypoint.sh"
args:

1
clusters/cl01tl/helm/elastic-operator/values.yaml
View File

@@ -1,5 +1,6 @@
eck-operator:
managedNamespaces:
- stalwart
- tubearchivist
installCRDs: true
replicaCount: 2

6
clusters/cl01tl/helm/gatus/values.yaml
View File

@@ -212,6 +212,12 @@ gatus:
- name: authentik
url: https://authentik.alexlebens.net
<<: *defaults
- name: roundcube
url: https://mail.alexlebens.net
<<: *defaults
- name: stalwart
url: https://stalwart.alexlebens.net
<<: *defaults
- name: ntfy
url: https://ntfy.alexlebens.net
<<: *defaults

18
clusters/cl01tl/helm/homepage/values.yaml
View File

@@ -487,6 +487,24 @@ homepage:
href: https://authentik.alexlebens.net
siteMonitor: http://authentik-server.authentik:80
statusStyle: dot
- Email Client:
icon: sh-roundcube.webp
description: Roundcube
href: https://mail.alexlebens.net
siteMonitor: http://roundcube.roundcube:80
statusStyle: dot
- Email Server:
icon: sh-stalwart.webp
description: Stalwart
href: https://stalwart.alexlebens.net
siteMonitor: http://stalwart.stalwart:80
statusStyle: dot
namespace: stalwart
app: stalwart
podSelector: >-
app.kubernetes.io/instance in (
stalwart
)
- Notifications:
icon: sh-ntfy.webp
description: ntfy

2
clusters/cl01tl/helm/medialyze/Chart.yaml
View File

@@ -24,4 +24,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://raw.githubusercontent.com/frederikemmer/MediaLyze/d8f69c0628bac7c047b90f91a66341648029c273/frontend/public/favicon.svg
# renovate: datasource=github-releases depName=frederikemmer/MediaLyze
appVersion: 0.10.0
appVersion: 0.9.0

2
clusters/cl01tl/helm/medialyze/values.yaml
View File

@@ -12,7 +12,7 @@ medialyze:
main:
image:
repository: ghcr.io/frederikemmer/medialyze
tag: 0.10.0@sha256:bd55c88662a31ea4d3203224d422b3eb6afe0c0089246222ba5b5f73a665fb2d
tag: 0.9.0@sha256:3d88b4f4a3e6cf2489a5236e5174d58d6274e99008ce2ddd4159d1389744473f
env:
- name: HOST_PORT
value: 8080

2
clusters/cl01tl/helm/ollama/Chart.yaml
View File

@@ -31,4 +31,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/ollama.png
# renovate: datasource=github-releases depName=ollama/ollama
appVersion: 0.23.0
appVersion: 0.22.1

6
clusters/cl01tl/helm/ollama/values.yaml
View File

@@ -21,7 +21,7 @@ ollama:
main:
image:
repository: ollama/ollama
tag: 0.23.0@sha256:5600a652d1081050f398152127c584222546354491f27fe47ccbc6351bc870bd
tag: 0.22.1@sha256:3ca37ec2b9cb6341b62554074205c616778fe98abcf9e4fc50361b79a07407ae
env:
- name: OLLAMA_KEEP_ALIVE
value: 24h
@@ -55,7 +55,7 @@ ollama:
main:
image:
repository: ollama/ollama
tag: 0.23.0@sha256:5600a652d1081050f398152127c584222546354491f27fe47ccbc6351bc870bd
tag: 0.22.1@sha256:3ca37ec2b9cb6341b62554074205c616778fe98abcf9e4fc50361b79a07407ae
env:
- name: OLLAMA_KEEP_ALIVE
value: 24h
@@ -89,7 +89,7 @@ ollama:
main:
image:
repository: ollama/ollama
tag: 0.23.0@sha256:5600a652d1081050f398152127c584222546354491f27fe47ccbc6351bc870bd
tag: 0.22.1@sha256:3ca37ec2b9cb6341b62554074205c616778fe98abcf9e4fc50361b79a07407ae
env:
- name: OLLAMA_KEEP_ALIVE
value: 24h

2
clusters/cl01tl/helm/radarr-4k/Chart.yaml
View File

@@ -33,4 +33,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr-4k.png
# renovate: datasource=github-releases depName=linuxserver/docker-radarr
appVersion: 6.1.1.10360-ls301
appVersion: 6.1.1.10360-ls300

2
clusters/cl01tl/helm/radarr-4k/values.yaml
View File

@@ -14,7 +14,7 @@ radarr-4k:
main:
image:
repository: ghcr.io/linuxserver/radarr
tag: 6.1.1.10360-ls301@sha256:659e5f20500948b1491f31dd85c6f99a43508ce3e46595793e1e15aa955bf6d7
tag: 6.1.1.10360-ls300@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d
env:
- name: TZ
value: America/Chicago

2
clusters/cl01tl/helm/radarr-anime/Chart.yaml
View File

@@ -33,4 +33,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr-anime.png
# renovate: datasource=github-releases depName=linuxserver/docker-radarr
appVersion: 6.1.1.10360-ls301
appVersion: 6.1.1.10360-ls300

2
clusters/cl01tl/helm/radarr-anime/values.yaml
View File

@@ -14,7 +14,7 @@ radarr-anime:
main:
image:
repository: ghcr.io/linuxserver/radarr
tag: 6.1.1.10360-ls301@sha256:659e5f20500948b1491f31dd85c6f99a43508ce3e46595793e1e15aa955bf6d7
tag: 6.1.1.10360-ls300@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d
env:
- name: TZ
value: America/Chicago

2
clusters/cl01tl/helm/radarr-standup/Chart.yaml
View File

@@ -33,4 +33,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr.png
# renovate: datasource=github-releases depName=linuxserver/docker-radarr
appVersion: 6.1.1.10360-ls301
appVersion: 6.1.1.10360-ls300

2
clusters/cl01tl/helm/radarr-standup/values.yaml
View File

@@ -14,7 +14,7 @@ radarr-standup:
main:
image:
repository: ghcr.io/linuxserver/radarr
tag: 6.1.1.10360-ls301@sha256:659e5f20500948b1491f31dd85c6f99a43508ce3e46595793e1e15aa955bf6d7
tag: 6.1.1.10360-ls300@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d
env:
- name: TZ
value: America/Chicago

2
clusters/cl01tl/helm/radarr/Chart.yaml
View File

@@ -33,4 +33,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/radarr.png
# renovate: datasource=github-releases depName=linuxserver/docker-radarr
appVersion: 6.1.1.10360-ls301
appVersion: 6.1.1.10360-ls300

2
clusters/cl01tl/helm/radarr/values.yaml
View File

@@ -14,7 +14,7 @@ radarr:
main:
image:
repository: ghcr.io/linuxserver/radarr
tag: 6.1.1.10360-ls301@sha256:659e5f20500948b1491f31dd85c6f99a43508ce3e46595793e1e15aa955bf6d7
tag: 6.1.1.10360-ls300@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d
env:
- name: TZ
value: America/Chicago

12
clusters/cl01tl/helm/roundcube/Chart.lock Normal file
View File

@@ -0,0 +1,12 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
- name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts
version: 7.12.1
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.1.1
digest: sha256:6ea0ffea8d47e3c62657f35ce0dda5d5f67aa13c99107dee396787a6e0c3633c
generated: "2026-04-28T23:36:57.236521514Z"

32
clusters/cl01tl/helm/roundcube/Chart.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v2
name: roundcube
version: 1.0.0
description: Roundcube
keywords:
- roundcube
- email-client
home: https://docs.alexlebens.dev/applications/rclone/
sources:
- https://github.com/roundcube/roundcubemail
- https://hub.docker.com/r/roundcube/roundcubemail
- https://hub.docker.com/_/nginx
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: roundcube
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
- name: postgres-cluster
alias: postgres-18-cluster
version: 7.12.1
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-data
version: 1.1.1
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/roundcube.png
# renovate: datasource=github-releases depName=roundcube/roundcubemail
appVersion: 1.6.15

14
clusters/cl01tl/helm/roundcube/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

17
clusters/cl01tl/helm/roundcube/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: roundcube-key
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: roundcube-key
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: DES_KEY
remoteRef:
key: /cl01tl/roundcube/key
property: des-key

236
clusters/cl01tl/helm/roundcube/values.yaml Normal file
View File

@@ -0,0 +1,236 @@
roundcube:
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
containers:
main:
image:
repository: roundcube/roundcubemail
tag: 1.6.15-fpm-alpine@sha256:0e07c1c66d5a1392f0c47cc79e85e0c60095108f715037d7d0aa3fd8cbe2e780
env:
- name: ROUNDCUBEMAIL_DB_TYPE
value: pgsql
- name: ROUNDCUBEMAIL_DB_HOST
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: host
- name: ROUNDCUBEMAIL_DB_NAME
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: dbname
- name: ROUNDCUBEMAIL_DB_USER
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: user
- name: ROUNDCUBEMAIL_DB_PASSWORD
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: password
- name: ROUNDCUBEMAIL_DES_KEY
valueFrom:
secretKeyRef:
name: roundcube-key
key: DES_KEY
- name: ROUNDCUBEMAIL_DEFAULT_HOST
value: stalwart.stalwart
- name: ROUNDCUBEMAIL_DEFAULT_PORT
value: 143
- name: ROUNDCUBEMAIL_SMTP_SERVER
value: stalwart.stalwart
- name: ROUNDCUBEMAIL_SMTP_PORT
value: 25
- name: ROUNDCUBEMAIL_SKIN
value: elastic
- name: ROUNDCUBEMAIL_PLUGINS
value: archive,zipdownload,newmail_notifier
resources:
requests:
cpu: 1m
memory: 40Mi
nginx:
image:
repository: nginx
tag: 1.30.0-alpine-slim@sha256:830b40ff1beb5e018e56aef2ed1f9fe87a7797e35a555b75fea5c9568e316b04
env:
- name: NGINX_HOST
value: mail.alexlebens.net
- name: NGINX_PHP_CGI
value: roundcube.roundcube:9000
cleandb:
type: cronjob
cronjob:
suspend: false
timeZone: America/Chicago
schedule: 30 4 * * *
backoffLimit: 3
parallelism: 1
containers:
backup:
image:
repository: roundcube/roundcubemail
tag: 1.6.15-fpm-alpine@sha256:0e07c1c66d5a1392f0c47cc79e85e0c60095108f715037d7d0aa3fd8cbe2e780
args:
- bin/cleandb.sh
env:
- name: ROUNDCUBEMAIL_DB_TYPE
value: pgsql
- name: ROUNDCUBEMAIL_DB_HOST
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: host
- name: ROUNDCUBEMAIL_DB_NAME
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: dbname
- name: ROUNDCUBEMAIL_DB_USER
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: user
- name: ROUNDCUBEMAIL_DB_PASSWORD
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: password
- name: ROUNDCUBEMAIL_DES_KEY
valueFrom:
secretKeyRef:
name: roundcube-key
key: DES_KEY
- name: ROUNDCUBEMAIL_DEFAULT_HOST
value: tls://stalwart.stalwart
- name: ROUNDCUBEMAIL_SMTP_SERVER
value: tls://stalwart.stalwart
- name: ROUNDCUBEMAIL_SKIN
value: elastic
- name: ROUNDCUBEMAIL_PLUGINS
value: archive,zipdownload,newmail_notifier
configMaps:
config:
enabled: true
data:
default.conf: |
server {
listen 80 default_server;
server_name _;
root /var/www/html;
location / {
try_files $uri /index.php$is_args$args;
}
location ~ \.php(/|$) {
try_files $uri =404;
fastcgi_pass roundcube:9000;
fastcgi_read_timeout 300;
proxy_read_timeout 300;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
internal;
}
client_max_body_size 6m;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
}
service:
main:
controller: main
ports:
mail:
port: 9000
targetPort: 9000
web:
port: 80
targetPort: 80
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- mail.alexlebens.net
rules:
- backendRefs:
- name: roundcube
port: 80
matches:
- path:
type: PathPrefix
value: /
persistence:
config:
enabled: true
type: configMap
name: roundcube-config
advancedMounts:
main:
nginx:
- path: /etc/nginx/conf.d/default.conf
readOnly: true
mountPropagation: None
subPath: default.conf
data:
forceRename: roundcube-data
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 5Gi
advancedMounts:
main:
main:
- path: /var/www/html
readOnly: false
nginx:
- path: /var/www/html
readOnly: false
temp:
type: emptyDir
advancedMounts:
main:
main:
- path: /tmp/roundcube-temp
readOnly: false
postgres-18-cluster:
mode: recovery
recovery:
method: objectStore
objectStore:
index: 1
backup:
objectStore:
- name: garage-local
index: 1
destinationBucket: postgres-backups
externalSecretCredentialPath: /garage/home-infra/postgres-backups
isWALArchiver: true
scheduledBackups:
- name: live-backup
suspend: false
immediate: true
schedule: "0 40 15 * * *"
backupName: garage-local
volsync-target-data:
pvcTarget: roundcube-data
local:
enabled: true
schedule: 12 11 * * *
remote:
enabled: true
schedule: 12 12 * * *
external:
enabled: true
schedule: 12 13 * * *

15
clusters/cl01tl/helm/stalwart/Chart.lock Normal file
View File

@@ -0,0 +1,15 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
- name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts
version: 7.12.1
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.1.1
digest: sha256:dd614761622fa310ad50f400727fa6a6574071c2ac057294364409fdfe0ff545
generated: "2026-05-02T01:49:21.562586412Z"

37
clusters/cl01tl/helm/stalwart/Chart.yaml Normal file
View File

@@ -0,0 +1,37 @@
apiVersion: v2
name: stalwart
version: 1.0.0
description: Stalwart
keywords:
- stalwart
- email
home: https://docs.alexlebens.dev/applications/stalwart/
sources:
- https://github.com/stalwartlabs/mail-server
- https://github.com/stalwartlabs/stalwart/pkgs/container/stalwart
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: stalwart
version: 4.6.2
repository: https://bjw-s-labs.github.io/helm-charts/
- name: postgres-cluster
alias: postgres-18-cluster
version: 7.12.1
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-config
version: 1.1.1
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/stalwart.png
# renovate: datasource=github-releases depName=stalwartlabs/mail-server
appVersion: v0.15.5

14
clusters/cl01tl/helm/stalwart/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

29
clusters/cl01tl/helm/stalwart/templates/elasticsearch.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
name: elasticsearch-stalwart
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: elasticsearch-stalwart
{{- include "custom.labels" . | nindent 4 }}
spec:
# renovate: datasource=docker depName=elasticsearch
version: 9.3.3
auth:
fileRealm:
- secretName: stalwart-elasticsearch-config
nodeSets:
- name: default
count: 2
config:
node.store.allow_mmap: false
volumeClaimTemplates:
- metadata:
name: elasticsearch-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: ceph-block

25
clusters/cl01tl/helm/stalwart/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: stalwart-elasticsearch-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: stalwart-elasticsearch-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: username
remoteRef:
key: /cl01tl/stalwart/elasticsearch
property: username
- secretKey: password
remoteRef:
key: /cl01tl/stalwart/elasticsearch
property: password
- secretKey: roles
remoteRef:
key: /cl01tl/stalwart/elasticsearch
property: roles

10
clusters/cl01tl/helm/stalwart/templates/namespace.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Namespace }}
{{- include "custom.labels" . | nindent 4 }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged

169
clusters/cl01tl/helm/stalwart/templates/prometheus-rule.yaml Normal file
View File

@@ -0,0 +1,169 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: elasticsearch
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: elasticsearch
{{- include "custom.labels" . | nindent 4 }}
spec:
groups:
- name: ElasticsearchExporter
rules:
- alert: ElasticsearchHeapUsageTooHigh
expr: (elasticsearch_jvm_memory_used_bytes{area="heap"} / elasticsearch_jvm_memory_max_bytes{area="heap"}) * 100 > 90 and elasticsearch_jvm_memory_max_bytes{area="heap"} > 0
for: 2m
labels:
severity: critical
annotations:
summary: Elasticsearch Heap Usage Too High (instance {{ `{{ $labels.instance }}` }})
description: "The heap usage is over 90%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchHeapUsageWarning
expr: (elasticsearch_jvm_memory_used_bytes{area="heap"} / elasticsearch_jvm_memory_max_bytes{area="heap"}) * 100 > 80 and elasticsearch_jvm_memory_max_bytes{area="heap"} > 0
for: 2m
labels:
severity: warning
annotations:
summary: Elasticsearch Heap Usage warning (instance {{ `{{ $labels.instance }}` }})
description: "The heap usage is over 80%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchDiskOutOfSpace
expr: elasticsearch_filesystem_data_available_bytes / elasticsearch_filesystem_data_size_bytes * 100 < 10 and elasticsearch_filesystem_data_size_bytes > 0
for: 0m
labels:
severity: critical
annotations:
summary: Elasticsearch disk out of space (instance {{ `{{ $labels.instance }}` }})
description: "The disk usage is over 90%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchDiskSpaceLow
expr: elasticsearch_filesystem_data_available_bytes / elasticsearch_filesystem_data_size_bytes * 100 < 20 and elasticsearch_filesystem_data_size_bytes > 0
for: 2m
labels:
severity: warning
annotations:
summary: Elasticsearch disk space low (instance {{ `{{ $labels.instance }}` }})
description: "The disk usage is over 80%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchClusterRed
expr: elasticsearch_cluster_health_status{color="red"} == 1
for: 0m
labels:
severity: critical
annotations:
summary: Elasticsearch Cluster Red (instance {{ `{{ $labels.instance }}` }})
description: "Elastic Cluster Red status\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchClusterYellow
expr: elasticsearch_cluster_health_status{color="yellow"} == 1
for: 0m
labels:
severity: warning
annotations:
summary: Elasticsearch Cluster Yellow (instance {{ `{{ $labels.instance }}` }})
description: "Elastic Cluster Yellow status\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# 1m delay allows a restart without triggering an alert.
- alert: ElasticsearchHealthyNodes
expr: elasticsearch_cluster_health_number_of_nodes < 3
for: 1m
labels:
severity: critical
annotations:
summary: Elasticsearch Healthy Nodes (instance {{ `{{ $labels.instance }}` }})
description: "Missing node in Elasticsearch cluster\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# 1m delay allows a restart without triggering an alert.
- alert: ElasticsearchHealthyDataNodes
expr: elasticsearch_cluster_health_number_of_data_nodes < 3
for: 1m
labels:
severity: critical
annotations:
summary: Elasticsearch Healthy Data Nodes (instance {{ `{{ $labels.instance }}` }})
description: "Missing data node in Elasticsearch cluster\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchRelocatingShards
expr: elasticsearch_cluster_health_relocating_shards > 0
for: 0m
labels:
severity: info
annotations:
summary: Elasticsearch relocating shards (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch is relocating shards\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchRelocatingShardsTooLong
expr: elasticsearch_cluster_health_relocating_shards > 0
for: 15m
labels:
severity: warning
annotations:
summary: Elasticsearch relocating shards too long (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has been relocating shards for 15min\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchInitializingShards
expr: elasticsearch_cluster_health_initializing_shards > 0
for: 0m
labels:
severity: info
annotations:
summary: Elasticsearch initializing shards (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch is initializing shards\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchInitializingShardsTooLong
expr: elasticsearch_cluster_health_initializing_shards > 0
for: 15m
labels:
severity: warning
annotations:
summary: Elasticsearch initializing shards too long (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has been initializing shards for 15 min\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchUnassignedShards
expr: elasticsearch_cluster_health_unassigned_shards > 0
for: 2m
labels:
severity: critical
annotations:
summary: Elasticsearch unassigned shards (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has unassigned shards\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchPendingTasks
expr: elasticsearch_cluster_health_number_of_pending_tasks > 0
for: 15m
labels:
severity: warning
annotations:
summary: Elasticsearch pending tasks (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has pending tasks. Cluster works slowly.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchNoNewDocuments
expr: increase(elasticsearch_indices_indexing_index_total{es_data_node="true"}[10m]) < 1
for: 0m
labels:
severity: warning
annotations:
summary: Elasticsearch no new documents (instance {{ `{{ $labels.instance }}` }})
description: "No new documents for 10 min!\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# Threshold of 10ms (0.01s) per indexing operation is a rough default. Adjust based on your document size and cluster performance.
- alert: ElasticsearchHighIndexingLatency
expr: rate(elasticsearch_indices_indexing_index_time_seconds_total[5m]) / rate(elasticsearch_indices_indexing_index_total[5m]) > 0.01 and rate(elasticsearch_indices_indexing_index_total[5m]) > 0
for: 10m
labels:
severity: warning
annotations:
summary: Elasticsearch High Indexing Latency (instance {{ `{{ $labels.instance }}` }})
description: "The indexing latency on Elasticsearch cluster is higher than the threshold (current value: {{ `{{ $value }}` }}s).\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# Threshold of 10000 ops/s is a rough default. Adjust based on your cluster capacity and expected workload.
- alert: ElasticsearchHighIndexingRate
expr: sum(rate(elasticsearch_indices_indexing_index_total[1m]))> 10000
for: 5m
labels:
severity: warning
annotations:
summary: Elasticsearch High Indexing Rate (instance {{ `{{ $labels.instance }}` }})
description: "The indexing rate on Elasticsearch cluster is higher than the threshold.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# Threshold of 100 queries/s is very low for most production clusters. Adjust based on your expected query volume.
- alert: ElasticsearchHighQueryRate
expr: sum(rate(elasticsearch_indices_search_query_total[1m])) > 100
for: 5m
labels:
severity: warning
annotations:
summary: Elasticsearch High Query Rate (instance {{ `{{ $labels.instance }}` }})
description: "The query rate on Elasticsearch cluster is higher than the threshold.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchHighQueryLatency
expr: rate(elasticsearch_indices_search_query_time_seconds[1m]) / rate(elasticsearch_indices_search_query_total[1m]) > 1 and rate(elasticsearch_indices_search_query_total[1m]) > 0
for: 5m
labels:
severity: warning
annotations:
summary: Elasticsearch High Query Latency (instance {{ `{{ $labels.instance }}` }})
description: "The query latency on Elasticsearch cluster is higher than the threshold (current value: {{ `{{ $value }}` }}s).\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"

129
clusters/cl01tl/helm/stalwart/values.yaml Normal file
View File

@@ -0,0 +1,129 @@
stalwart:
controllers:
main:
forceRename: stalwart
type: deployment
replicas: 1
strategy: Recreate
containers:
main:
image:
repository: ghcr.io/stalwartlabs/stalwart
tag: v0.15.5@sha256:dcf575db2d53d9ef86d6ced8abe4ba491984659a0f8862cc6079ee7b41c3c568
resources:
requests:
cpu: 10m
memory: 100Mi
metrics:
type: deployment
replicas: 1
strategy: Recreate
containers:
main:
image:
repository: quay.io/prometheuscommunity/elasticsearch-exporter
tag: v1.10.0@sha256:a6a4d4403f670faf6a94b8c7f9adbca3ead91f26dd64e5ccf95fa69025dc6e58
args:
- '--es.uri=https://elasticsearch-stalwart-es-http.tubearchivist:9200'
- '--es.ssl-skip-verify'
resources:
requests:
cpu: 1m
memory: 10Mi
service:
main:
controller: main
forceRename: stalwart
ports:
http:
port: 80
targetPort: 8080
smtp:
port: 25
targetPort: 25
smtps:
port: 465
targetPort: 465
imap:
port: 143
targetPort: 143
imaps:
port: 993
targetPort: 993
metrics:
controller: metrics
ports:
metrics:
port: 9114
targetPort: 9114
serviceMonitor:
main:
selector:
matchLabels:
app.kubernetes.io/name: stalwart-metrics
app.kubernetes.io/instance: stalwart-metrics
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: metrics
interval: 30s
scrapeTimeout: 10s
path: /metrics
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- stalwart.alexlebens.net
rules:
- backendRefs:
- name: stalwart
port: 80
matches:
- path:
type: PathPrefix
value: /
persistence:
config:
forceRename: stalwart-config
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 10Gi
advancedMounts:
main:
main:
- path: /opt/stalwart
readOnly: false
postgres-18-cluster:
mode: recovery
recovery:
method: objectStore
objectStore:
index: 1
backup:
objectStore:
- name: garage-local
index: 1
destinationBucket: postgres-backups
externalSecretCredentialPath: /garage/home-infra/postgres-backups
isWALArchiver: true
scheduledBackups:
- name: live-backup
suspend: false
immediate: true
schedule: "0 5 16 * * *"
backupName: garage-local
volsync-target-config:
pvcTarget: stalwart-config
local:
enabled: true
schedule: 28 11 * * *
remote:
enabled: true
schedule: 28 12 * * *
external:
enabled: true
schedule: 28 13 * * *

4
clusters/cl01tl/helm/tdarr/values.yaml
View File

@@ -12,7 +12,7 @@ tdarr:
main:
image:
repository: ghcr.io/haveagitgat/tdarr
tag: 2.71.01@sha256:e66fd4083cd6024bc3e2d66cc1f07f84eeb1a66f57e75ca9354015a4b776413a
tag: 2.70.01@sha256:4d48a46fb984b29e07cf4fd66cf7d3c8bd7c2c8dd662d09b4e20e11ae93e52fc
env:
- name: TZ
value: America/Chicago
@@ -68,7 +68,7 @@ tdarr:
main:
image:
repository: ghcr.io/haveagitgat/tdarr_node
tag: 2.71.01@sha256:fab0c179faac72727f5ca98ff33104596099feaef1faf72410159a51077b520b
tag: 2.70.01@sha256:60176a6ffc7584edde5420b7e1816f60227aa166f159b58a721d34564075c6e4
env:
- name: TZ
value: America/Chicago

2
clusters/cl01tl/helm/tubearchivist/templates/elasticsearch.yaml
View File

@@ -8,7 +8,7 @@ metadata:
{{- include "custom.labels" . | nindent 4 }}
spec:
# renovate: datasource=docker depName=elasticsearch
version: 9.3.4
version: 9.3.3
auth:
fileRealm:
- secretName: tubearchivist-elasticsearch-config

2
clusters/cl01tl/helm/vaultwarden/Chart.yaml
View File

@@ -33,4 +33,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/vaultwarden.png
# renovate: datasource=github-releases depName=dani-garcia/vaultwarden
appVersion: 1.36.0
appVersion: 1.35.8

2
clusters/cl01tl/helm/vaultwarden/values.yaml
View File

@@ -8,7 +8,7 @@ vaultwarden:
main:
image:
repository: ghcr.io/dani-garcia/vaultwarden
tag: 1.36.0@sha256:d626d04934cd1192ad8ced1adb975099fca78cec33ab467d2d3c923cde7f3b0c
tag: 1.35.8@sha256:c4f6056fe0c288a052a223cecd263a90d1dda1a0177bb5b054a363a6c7b211d9
env:
- name: DOMAIN
value: https://passwords.alexlebens.dev

3
hosts/ps08rp/blocky/config.yml
View File

@@ -111,7 +111,7 @@ customDNS:
komodo IN CNAME traefik-cl01tl
languagetool IN CNAME traefik-cl01tl
lidarr IN CNAME traefik-cl01tl
loki IN CNAME traefik-cl01tl
mail IN CNAME traefik-cl01tl
medialyze IN CNAME traefik-cl01tl
music-grabber IN CNAME traefik-cl01tl
navidrome IN CNAME traefik-cl01tl
@@ -140,6 +140,7 @@ customDNS:
sonarr-4k IN CNAME traefik-cl01tl
sonarr-anime IN CNAME traefik-cl01tl
sparkyfitness IN CNAME traefik-cl01tl
stalwart IN CNAME traefik-cl01tl
tdarr IN CNAME traefik-cl01tl
tubearchivist IN CNAME traefik-cl01tl
vault IN CNAME traefik-cl01tl

3
hosts/ps09rp/blocky/config.yml
View File

@@ -132,7 +132,7 @@ customDNS:
komodo IN CNAME traefik-cl01tl
languagetool IN CNAME traefik-cl01tl
lidarr IN CNAME traefik-cl01tl
loki IN CNAME traefik-cl01tl
mail IN CNAME traefik-cl01tl
medialyze IN CNAME traefik-cl01tl
music-grabber IN CNAME traefik-cl01tl
navidrome IN CNAME traefik-cl01tl
@@ -161,6 +161,7 @@ customDNS:
sonarr-4k IN CNAME traefik-cl01tl
sonarr-anime IN CNAME traefik-cl01tl
sparkyfitness IN CNAME traefik-cl01tl
stalwart IN CNAME traefik-cl01tl
tdarr IN CNAME traefik-cl01tl
tubearchivist IN CNAME traefik-cl01tl
vault IN CNAME traefik-cl01tl

40
renovate.json
View File

@@ -90,10 +90,10 @@
{
"description": "Specific app grouping overrides",
"matchPackageNames": [
"/(^|/|-)(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|prowlarr|radarr|rook-ceph|rybbit|sonarr|sparkyfitness|tdarr|traefik)/",
"/(^|/|-)(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|prowlarr|radarr|rook-ceph|roundcube|rybbit|sonarr|sparkyfitness|stalwartlabs|tdarr|traefik)/",
"/^rook(-ceph|/rook|/ceph)/"
],
"groupName": "{{#if packageName}}{{{replace '^.*(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|prowlarr|radarr|rook-ceph|rybbit|sonarr|sparkyfitness|tdarr|traefik).*$' '$1' packageName}}}{{else}}{{{replace '^.*(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|prowlarr|radarr|rook-ceph|rybbit|sonarr|sparkyfitness|tdarr|traefik).*$' '$1' depName}}}{{/if}}",
"groupName": "{{#if packageName}}{{{replace '^.*(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|prowlarr|radarr|rook-ceph|roundcube|rybbit|sonarr|sparkyfitness|stalwartlabs|tdarr|traefik).*$' '$1' packageName}}}{{else}}{{{replace '^.*(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|prowlarr|radarr|rook-ceph|roundcube|rybbit|sonarr|sparkyfitness|stalwartlabs|tdarr|traefik).*$' '$1' depName}}}{{/if}}",
"groupSlug": "unified-{{{groupName}}}"
},
{
@@ -159,39 +159,29 @@
"minimumReleaseAge": "3 days"
},
{
"description": "Automerge minor, specific packages, without release age",
"description": "Disable automerge for ghcr docker dependencies, unsupported release age",
"matchDatasources": [
"docker"
],
"matchPackageNames": [
"/^ghcr\\.io//"
],
"automerge": false
},
{
"description": "Automerge images, specific packages, without release age",
"matchUpdateTypes": [
"patch",
"minor"
],
"matchPackageNames": [
"/(^|/|-)(actual)/",
"/(^|/|-)(kube-prometheus-stack)/",
"/(^|/|-)(lidarr)/",
"/(^|/|-)(medialyze|MediaLyze)/",
"/(^|/|-)(ollama)/",
"/(^|/|-)(radarr)/",
"/(^|/|-)(renovate)/",
"/(^|/|-)(sonarr)/",
"/(^|/|-)(tdarr)/"
"ghcr.io/renovatebot/renovate",
"ghcr.io/prometheus-community/charts/kube-prometheus-stack"
],
"addLabels": [
"{{{datasource}}}",
"automerge"
],
"automerge": true
},
{
"description": "Disable minimum release age for ghcr and quay docker dependencies",
"matchDatasources": [
"docker"
],
"matchPackageNames": [
"/^ghcr\\.io//",
"/^quay\\.io//",
"/^harbor\\.alexlebens\\.net//"
],
"minimumReleaseAge": ""
}
]
}