alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests Actions Activity

Compare commits

base: alexlebens:main
Branches Tags
alexlebens:main alexlebens:manifests
..
compare: alexlebens:fe207aab32e89f77e2576a93ce52554d415b9caa
Branches Tags
alexlebens:manifests alexlebens:main

1 Commits
main ... fe207aab32

Author SHA1 Message Date
Renovate Bot
fe207aab32 Update Helm release tailscale-operator to v1.92.4
All checks were successful
renovate/stability-days Updates have met minimum release age requirement
Details
lint-test-helm / lint-helm (pull_request) Successful in 23s
Details
2025-12-19 22:03:05 +00:00
52 changed files with 387 additions and 1127 deletions
Expand all files Collapse all files

14
clusters/cl01tl/helm/backrest/templates/service.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: garage-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName

1
clusters/cl01tl/helm/blocky/values.yaml
View File

@@ -129,6 +129,7 @@ blocky:
huntarr IN CNAME traefik-cl01tl
immich IN CNAME traefik-cl01tl
jellyfin IN CNAME traefik-cl01tl
jellyfin-vue IN CNAME traefik-cl01tl
jellystat IN CNAME traefik-cl01tl
kiwix IN CNAME traefik-cl01tl
komodo IN CNAME traefik-cl01tl

14
clusters/cl01tl/helm/booklore/templates/service.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: garage-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName

2
clusters/cl01tl/helm/booklore/values.yaml
View File

@@ -9,7 +9,7 @@ booklore:
main:
image:
repository: ghcr.io/booklore-app/booklore
tag: v1.15.0
tag: v1.14.1
pullPolicy: IfNotPresent
env:
- name: TZ

2
clusters/cl01tl/helm/coredns/values.yaml
View File

@@ -1,7 +1,7 @@
coredns:
image:
repository: registry.k8s.io/coredns/coredns
tag: v1.13.2
tag: v1.13.1
replicaCount: 3
resources:
requests:

6
clusters/cl01tl/helm/external-secrets/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies:
- name: external-secrets
repository: https://charts.external-secrets.io
version: 1.2.0
digest: sha256:6e713c4b50c14d9daf1758d9f169d10a8c7274d2c42490846817b6fb1a3ce558
generated: "2025-12-20T01:04:35.136580598Z"
version: 1.1.1
digest: sha256:d346563864c95c4ca3fe5f04f6b292e417069d171f5866b5af0fe84277481493
generated: "2025-12-06T18:01:23.564488208Z"

2
clusters/cl01tl/helm/external-secrets/Chart.yaml
View File

@@ -12,7 +12,7 @@ sources:
- https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
dependencies:
- name: external-secrets
version: 1.2.0
version: 1.1.1
repository: https://charts.external-secrets.io
icon: https://avatars.githubusercontent.com/u/68335991?s=48&v=4
appVersion: v1.1.1

3
clusters/cl01tl/helm/gatus/values.yaml
View File

@@ -122,6 +122,9 @@ gatus:
- name: jellyfin
url: https://jellyfin.alexlebens.net
<<: *defaults
- name: jellyfin-vue
url: https://jellyfin-vue.alexlebens.net
<<: *defaults
- name: overseerr
url: https://overseerr.alexlebens.net
<<: *defaults

6
clusters/cl01tl/helm/headlamp/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies:
- name: headlamp
repository: https://kubernetes-sigs.github.io/headlamp/
version: 0.39.0
digest: sha256:870e456773199684c150585c12c2e18b3f0895ee8cc73481a53b23c8e94560b1
generated: "2025-12-20T00:03:40.10414707Z"
version: 0.38.0
digest: sha256:3f4c6bb308a1e5e757368ea9eee902d5ade7d33881c0f6c8402d6ed41641e260
generated: "2025-12-01T19:55:48.64361-06:00"

2
clusters/cl01tl/helm/headlamp/Chart.yaml
View File

@@ -14,7 +14,7 @@ maintainers:
- name: alexlebens
dependencies:
- name: headlamp
version: 0.39.0
version: 0.38.0
repository: https://kubernetes-sigs.github.io/headlamp/
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/headlamp.png
appVersion: 0.38.0

2
clusters/cl01tl/helm/home-assistant/values.yaml
View File

@@ -9,7 +9,7 @@ home-assistant:
main:
image:
repository: ghcr.io/home-assistant/home-assistant
tag: 2025.12.4
tag: 2025.12.3
pullPolicy: IfNotPresent
env:
- name: TZ

46
clusters/cl01tl/helm/homepage/templates/service.yaml Normal file
View File

@@ -0,0 +1,46 @@
apiVersion: v1
kind: Service
metadata:
name: gitea-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: gitea-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName
---
apiVersion: v1
kind: Service
metadata:
name: home-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: home-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: home-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName
---
apiVersion: v1
kind: Service
metadata:
name: garage-ui-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ui-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: garage-ui-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName

6
clusters/cl01tl/helm/homepage/values.yaml
View File

@@ -141,6 +141,12 @@ homepage:
href: https://jellyfin.alexlebens.net
siteMonitor: http://jellyfin.jellyfin:80
statusStyle: dot
- Jellyfin (Alt):
icon: sh-jellyfin.webp
description: Media server (Alternate UI)
href: https://jellyfin-vue.alexlebens.net
siteMonitor: http://jellyfin-vue.jellyfin:80
statusStyle: dot
- Media Requests:
icon: sh-overseerr.webp
description: Overseerr

2
clusters/cl01tl/helm/immich/values.yaml
View File

@@ -9,7 +9,7 @@ immich:
main:
image:
repository: ghcr.io/immich-app/immich-server
tag: v2.4.1
tag: v2.3.1
pullPolicy: IfNotPresent
env:
- name: TZ

30
clusters/cl01tl/helm/jellyfin/templates/http-route.yaml
View File

@@ -26,3 +26,33 @@ spec:
name: jellyfin
port: 80
weight: 100
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: http-route-jellyfin-vue
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: http-route-jellyfin-vue
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- jellyfin-vue.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: jellyfin-vue
port: 80
weight: 100

23
clusters/cl01tl/helm/jellyfin/values.yaml
View File

@@ -25,6 +25,22 @@ jellyfin:
gpu.intel.com/i915: 1
cpu: 1
memory: 2Gi
vue:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/jellyfin/jellyfin-vue
tag: unstable@sha256:e73edd4dfc2e4028e83a0638cf6cf207a8edbdb4ec8d1231f7efef08658a6fd7
pullPolicy: IfNotPresent
env:
- name: DEFAULT_SERVERS
value: https://jellyfin.alexlebens.net
- name: DISABLE_SERVER_SELECTION
value: true
service:
main:
forceRename: jellyfin
@@ -34,6 +50,13 @@ jellyfin:
port: 80
targetPort: 8096
protocol: HTTP
vue:
controller: vue
ports:
http:
port: 80
targetPort: 80
protocol: HTTP
persistence:
config:
forceRename: jellyfin-config

14
clusters/cl01tl/helm/komodo/templates/service.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: komodo-periphery-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: komodo-periphery-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: komodo-periphery-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName

6
clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
View File

@@ -1,12 +1,12 @@
dependencies:
- name: kube-prometheus-stack
repository: oci://ghcr.io/prometheus-community/charts
version: 80.6.0
version: 80.4.2
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0
- name: redis-replication
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.5.0
digest: sha256:6f046a936f1d732a44113eb0b7e54330a4261042179f37f4c94fccc9f20ee511
generated: "2025-12-20T01:04:57.413744271Z"
digest: sha256:e167d9dd4f23c5c590d3e44c89e8f76860a1cc5c8acd4b7939fcd3a8cd7d24b4
generated: "2025-12-17T16:26:22.948236914Z"

2
clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
View File

@@ -20,7 +20,7 @@ maintainers:
- name: alexlebens
dependencies:
- name: kube-prometheus-stack
version: 80.6.0
version: 80.4.2
repository: oci://ghcr.io/prometheus-community/charts
- name: app-template
alias: ntfy-alertmanager

30
clusters/cl01tl/helm/kube-prometheus-stack/templates/service.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: v1
kind: Service
metadata:
name: node-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: node-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: node-exporter-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName
---
apiVersion: v1
kind: Service
metadata:
name: garage-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: garage-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName

30
clusters/cl01tl/helm/ollama/templates/service.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: v1
kind: Service
metadata:
name: ollama-pd05wd
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: ollama-pd05wd
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: ollama-pd05wd.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName
---
apiVersion: v1
kind: Service
metadata:
name: stable-diffusion-pd05wd
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: stable-diffusion-pd05wd
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: stable-diffusion-pd05wd.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName

62
clusters/cl01tl/helm/qbittorrent/templates/config-map.yaml
View File

@@ -9,57 +9,19 @@ metadata:
app.kubernetes.io/part-of: {{ .Release.Name }}
data:
update.sh: |
if ! command -v curl 2>&1 >/dev/null
then
echo "curl could not be found, installing";
apk add curl;
fi;
if ! command -v jq 2>&1 >/dev/null
then
echo "jq could not be found, installing";
apk add jq;
fi;
API_ENDPOINT="http://localhost:8080/api/v2";
MAX_RETRIES=5
SUCCESS=false
echo " "
echo ">> Running Update Port Script ..."
echo " "
echo ">> Verifying required commands ..."
echo " "
for i in $(seq 1 "$MAX_RETRIES"); do
if apk update 2>&1 >/dev/null; then
echo ">> Attempt $i: Repositories are reachable"
SUCCESS=true
break
else
echo ">> Attempt $i: Connection failed, retrying in 5 seconds ..."
sleep 5
fi
done
if [ "$SUCCESS" = false ]; then
echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ..."
exit 1
fi
if ! command -v curl 2>&1 >/dev/null; then
echo ">> Command curl could not be found, installing";
apk add --no-cache -q curl;
if [ $? -eq 0 ]; then
echo ">> Installation successful"
else
echo ">> Installation failed with exit code $?"
exit 1
fi
fi;
if ! command -v jq 2>&1 >/dev/null; then
echo " "
echo ">> Command jq could not be found, installing";
apk add --no-cache -q jq;
if [ $? -eq 0 ]; then
echo " "
echo ">> Installation successful"
else
echo " "
echo ">> Installation failed with exit code $?"
exit 1
fi
fi;
# echo " ";
# echo ">> Authentication ...";

2
clusters/cl01tl/helm/qbittorrent/values.yaml
View File

@@ -198,7 +198,7 @@ qbittorrent:
qui:
image:
repository: ghcr.io/autobrr/qui
tag: v1.11.0
tag: v1.10.0
pullPolicy: IfNotPresent
env:
- name: QUI__METRICS_ENABLED

2
clusters/cl01tl/helm/shelly-plug/values.yaml
View File

@@ -36,7 +36,7 @@ shelly-plug:
main:
image:
repository: php
tag: 8.5.1-apache-bookworm
tag: 8.5.0-apache-bookworm
pullPolicy: IfNotPresent
env:
- name: SHELLY_HOSTNAME

2
clusters/cl01tl/helm/sonarr-4k/values.yaml
View File

@@ -13,7 +13,7 @@ sonarr-4k:
main:
image:
repository: ghcr.io/linuxserver/sonarr
tag: 4.0.16@sha256:8b9f2138ec50fc9e521960868f79d2ad0d529bc610aef19031ea8ff80b54c5e0
tag: 4.0.16@sha256:60e5edcac39172294ad22d55d1b08c2c0a9fe658cad2f2c4d742ae017d7874de
pullPolicy: IfNotPresent
env:
- name: TZ

2
clusters/cl01tl/helm/sonarr-anime/values.yaml
View File

@@ -13,7 +13,7 @@ sonarr-anime:
main:
image:
repository: ghcr.io/linuxserver/sonarr
tag: 4.0.16@sha256:8b9f2138ec50fc9e521960868f79d2ad0d529bc610aef19031ea8ff80b54c5e0
tag: 4.0.16@sha256:60e5edcac39172294ad22d55d1b08c2c0a9fe658cad2f2c4d742ae017d7874de
pullPolicy: IfNotPresent
env:
- name: TZ

2
clusters/cl01tl/helm/sonarr/values.yaml
View File

@@ -13,7 +13,7 @@ sonarr:
main:
image:
repository: ghcr.io/linuxserver/sonarr
tag: 4.0.16@sha256:8b9f2138ec50fc9e521960868f79d2ad0d529bc610aef19031ea8ff80b54c5e0
tag: 4.0.16@sha256:60e5edcac39172294ad22d55d1b08c2c0a9fe658cad2f2c4d742ae017d7874de
pullPolicy: IfNotPresent
env:
- name: TZ

2
clusters/cl01tl/helm/tailscale-operator/Chart.lock
View File

@@ -3,4 +3,4 @@ dependencies:
repository: https://pkgs.tailscale.com/helmcharts
version: 1.92.4
digest: sha256:e883577bd0b7f676ce3ec97468321c5956b476e4c9f81c4e99b261a3a0b90641
generated: "2025-12-20T00:12:07.547753923Z"
generated: "2025-12-19T22:03:01.496082477Z"

112
clusters/cl01tl/helm/tailscale-operator/templates/service.yaml
View File

@@ -12,115 +12,3 @@ metadata:
spec:
externalName: placeholder
type: ExternalName
---
apiVersion: v1
kind: Service
metadata:
name: garage-ui-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-ui-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: garage-ui-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName
---
apiVersion: v1
kind: Service
metadata:
name: gitea-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: gitea-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName
---
apiVersion: v1
kind: Service
metadata:
name: home-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: home-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: home-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName
---
apiVersion: v1
kind: Service
metadata:
name: komodo-periphery-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: komodo-periphery-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: komodo-periphery-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName
---
apiVersion: v1
kind: Service
metadata:
name: node-ps10rp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: node-ps10rp
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: node-exporter-ps10rp.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName
---
apiVersion: v1
kind: Service
metadata:
name: ollama-pd05wd
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: ollama-pd05wd
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: ollama-pd05wd.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName
---
apiVersion: v1
kind: Service
metadata:
name: stable-diffusion-pd05wd
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: stable-diffusion-pd05wd
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
tailscale.com/tailnet-fqdn: stable-diffusion-pd05wd.boreal-beaufort.ts.net
spec:
externalName: placeholder
type: ExternalName

102
clusters/cl01tl/helm/talos/templates/config.yaml
View File

@@ -1,102 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: talos-prune-script
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-prune-script
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
data:
prune.sh: |
DATE_RANGE=$(date -d @$(( $(date +%s) - $DATE_RANGE_SECONDS )) +%Y-%m-%dT%H:%M:%SZ);
FILE_MATCH="${BUCKET}/cl01tl/etcd/cl01tl-${DATE_RANGE}.snap.age";
ERROR=false;
echo " ";
echo ">> Running S3 prune for Talos backup repository ${TARGET} ...";
echo " ";
echo ">> Configured Date Range is $(date -u -d @${DATE_RANGE_SECONDS} +"%j days, %H hours, %M minutes")";
echo ">> Backups prior to '$DATE_RANGE' will be removed";
FILES=$(s3cmd ls --no-check-certificate ${BUCKET}/cl01tl/etcd/ |
awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}');
if [ $? -ne 0 ]; then
ERROR=true;
echo " ";
echo ">> Detected error, will send message to ntfy";
elif [ -n "${FILES}" ]; then
echo " ";
echo ">> Backups to be removed:";
echo "$FILES"
echo " ";
echo ">> Deleting ...";
$FILES | while read file; do
s3cmd del --no-check-certificate -v "$file";
if [ $? -ne 0 ]; then
ERROR=true;
echo ">> Detected error, will send message to ntfy";
fi;
done;
else
echo " ";
echo ">> No backups to remove";
fi;
if [ "$ERROR" = "true" ]; then
MAX_RETRIES=5;
SUCCESS=false;
echo " ";
echo ">> Sending message to ntfy using curl ...";
echo " ";
echo ">> Verifying required commands ...";
for i in $(seq 1 "$MAX_RETRIES"); do
if apk update 2>&1 >/dev/null; then
echo ">> Attempt $i: Repositories are reachable";
SUCCESS=true;
break;
else
echo ">> Attempt $i: Connection failed, retrying in 5 seconds ...";
sleep 5;
fi;
done;
if [ "$SUCCESS" = false ]; then
echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ...";
exit 1;
fi
if ! command -v curl 2>&1 >/dev/null; then
echo ">> Command curl could not be found, installing";
apk add --no-cache -q curl;
if [ $? -eq 0 ]; then
echo ">> Installation successful";
else
echo ">> Installation failed with exit code $?";
exit 1;
fi;
fi;
echo " ";
echo ">> Sending to NTFY ...";
HTTP_STATUS=$(curl \
--silent \
--write-out '%{http_code}' \
-H "Authorization: Bearer ${NTFY_TOKEN}" \
-H "X-Priority: 5" \
-H "X-Tags: warning" \
-H "X-Title: Talos Backup Failed for ${TARGET}" \
-d "$MESSAGE" \
${NTFY_ENDPOINT}/${NTFY_TOPIC}
);
echo ">> HTTP Status Code: $HTTP_STATUS";
fi;
echo " ";
echo ">> Completed S3 prune for Talos backup repository ${TARGET}";

145
clusters/cl01tl/helm/talos/templates/external-secret.yaml
View File

@@ -1,114 +1,14 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: talos-etcd-backup-local-secret
name: talos-etcd-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-etcd-backup-local-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/talos-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/talos-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
- secretKey: .s3cfg
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/talos-backups
metadataPolicy: None
property: s3cfg-local
- secretKey: BUCKET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/talos-backups
metadataPolicy: None
property: BUCKET
- secretKey: AGE_X25519_PUBLIC_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/talos/etcd-backup
metadataPolicy: None
property: AGE_X25519_PUBLIC_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: talos-etcd-backup-remote-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-etcd-backup-remote-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/talos-backups
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/talos-backups
metadataPolicy: None
property: ACCESS_SECRET_KEY
- secretKey: .s3cfg
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/talos-backups
metadataPolicy: None
property: s3cfg-remote
- secretKey: BUCKET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/talos-backups
metadataPolicy: None
property: BUCKET
- secretKey: AGE_X25519_PUBLIC_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/talos/etcd-backup
metadataPolicy: None
property: AGE_X25519_PUBLIC_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: talos-etcd-backup-external-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-etcd-backup-external-secret
app.kubernetes.io/name: talos-etcd-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
annotations:
kubernetes.io/service-account.name: talos-backup-secrets
spec:
secretStoreRef:
kind: ClusterSecretStore
@@ -150,43 +50,6 @@ spec:
metadataPolicy: None
property: AGE_X25519_PUBLIC_KEY
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: talos-backup-ntfy-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-backup-ntfy-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: NTFY_TOKEN
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /ntfy/user/cl01tl
metadataPolicy: None
property: token
- secretKey: NTFY_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /ntfy/user/cl01tl
metadataPolicy: None
property: endpoint
- secretKey: NTFY_TOPIC
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/talos/etcd-backup
metadataPolicy: None
property: NTFY_TOPIC
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret

356
clusters/cl01tl/helm/talos/values.yaml
View File

@@ -1,6 +1,6 @@
etcd-backup:
controllers:
local:
main:
type: cronjob
pod:
nodeSelector:
@@ -20,7 +20,7 @@ etcd-backup:
backoffLimit: 3
parallelism: 1
containers:
backup:
main:
image:
repository: ghcr.io/siderolabs/talos-backup
tag: v0.1.0-beta.3@sha256:05c86663b251a407551dc948097e32e163a345818117eb52c573b0447bd0c7a7
@@ -42,184 +42,12 @@ etcd-backup:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: talos-etcd-backup-local-secret
name: talos-etcd-backup-secret
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: talos-etcd-backup-local-secret
key: AWS_SECRET_ACCESS_KEY
- name: AWS_REGION
value: us-east-1
- name: CUSTOM_S3_ENDPOINT
value: http://garage-main.garage:3900
- name: BUCKET
value: talos-backups
- name: S3_PREFIX
value: "cl01tl/etcd"
- name: CLUSTER_NAME
value: "cl01tl"
- name: AGE_X25519_PUBLIC_KEY
valueFrom:
secretKeyRef:
name: talos-etcd-backup-local-secret
key: AGE_X25519_PUBLIC_KEY
- name: USE_PATH_STYLE
value: "false"
s3-prune:
image:
repository: d3fk/s3cmd
tag: latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f
pullPolicy: IfNotPresent
command:
- /bin/sh
args:
- -ec
- /scripts/prune.sh
envFrom:
- secretRef:
name: talos-etcd-backup-local-secret
- secretRef:
name: talos-backup-ntfy-secret
env:
- name: TARGET
value: Local
- name: DATE_RANGE_SECONDS
value: "2419200"
remote:
type: cronjob
pod:
nodeSelector:
node-role.kubernetes.io/control-plane: ""
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
cronjob:
suspend: true
concurrencyPolicy: Forbid
timeZone: US/Central
schedule: "0 3 * * *"
startingDeadlineSeconds: 90
successfulJobsHistory: 1
failedJobsHistory: 1
backoffLimit: 3
parallelism: 1
containers:
backup:
image:
repository: ghcr.io/siderolabs/talos-backup
tag: v0.1.0-beta.3@sha256:05c86663b251a407551dc948097e32e163a345818117eb52c573b0447bd0c7a7
pullPolicy: IfNotPresent
command:
- /talos-backup
workingDir: /tmp
securityContext:
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
env:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: talos-etcd-backup-remote-secret
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: talos-etcd-backup-remote-secret
key: AWS_SECRET_ACCESS_KEY
- name: AWS_REGION
value: us-east-1
- name: CUSTOM_S3_ENDPOINT
value: https://garage-ps10rp.boreal-beaufort.ts.net:3900
- name: BUCKET
value: talos-backups
- name: S3_PREFIX
value: "cl01tl/etcd"
- name: CLUSTER_NAME
value: "cl01tl"
- name: AGE_X25519_PUBLIC_KEY
valueFrom:
secretKeyRef:
name: talos-etcd-backup-remote-secret
key: AGE_X25519_PUBLIC_KEY
- name: USE_PATH_STYLE
value: "false"
s3-prune:
image:
repository: d3fk/s3cmd
tag: latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f
pullPolicy: IfNotPresent
command:
- /bin/sh
args:
- -ec
- /scripts/prune.sh
envFrom:
- secretRef:
name: talos-etcd-backup-remote-secret
- secretRef:
name: talos-backup-ntfy-secret
env:
- name: TARGET
value: Remote
- name: DATE_RANGE_SECONDS
value: "2419200"
external:
type: cronjob
pod:
nodeSelector:
node-role.kubernetes.io/control-plane: ""
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
cronjob:
suspend: false
concurrencyPolicy: Forbid
timeZone: US/Central
schedule: "0 4 * * *"
startingDeadlineSeconds: 90
successfulJobsHistory: 1
failedJobsHistory: 1
backoffLimit: 3
parallelism: 1
containers:
backup:
image:
repository: ghcr.io/siderolabs/talos-backup
tag: v0.1.0-beta.3-5-g07d09ec@sha256:96054af026b6255ec14d198f2f10ad6c813b335a2e21a76804365c053dd4ba7b
pullPolicy: IfNotPresent
command:
- /talos-backup
workingDir: /tmp
securityContext:
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
env:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: talos-etcd-backup-external-secret
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: talos-etcd-backup-external-secret
name: talos-etcd-backup-secret
key: AWS_SECRET_ACCESS_KEY
- name: AWS_REGION
value: nyc3
@@ -234,10 +62,14 @@ etcd-backup:
- name: AGE_X25519_PUBLIC_KEY
valueFrom:
secretKeyRef:
name: talos-etcd-backup-external-secret
name: talos-etcd-backup-secret
key: AGE_X25519_PUBLIC_KEY
- name: USE_PATH_STYLE
value: "false"
resources:
requests:
cpu: 100m
memory: 128Mi
s3-prune:
image:
repository: d3fk/s3cmd
@@ -247,137 +79,69 @@ etcd-backup:
- /bin/sh
args:
- -ec
- /scripts/prune.sh
envFrom:
- secretRef:
name: talos-etcd-backup-external-secret
- secretRef:
name: talos-backup-ntfy-secret
- |
export DATE_RANGE=$(date -d @$(( $(date +%s) - 1209600 )) +%Y-%m-%dT%H:%M:%SZ);
export FILE_MATCH="$BUCKET/cl01tl/etcd/cl01tl-$DATE_RANGE.snap.age"
echo ">> Running S3 prune for Talos backup repository"
echo ">> Backups prior to '$DATE_RANGE' will be removed"
echo ">> Backups to be removed:"
s3cmd ls ${BUCKET}/cl01tl/etcd/ |
awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}'
echo ">> Deleting ..."
s3cmd ls ${BUCKET}/cl01tl/etcd/ |
awk -v file_match="$FILE_MATCH" '$4 < file_match {print $4}' |
while read file; do
s3cmd del "$file";
done;
echo ">> Completed S3 prune for Talos backup repository"
env:
- name: TARGET
value: External
- name: DATE_RANGE_SECONDS
value: "1209600"
- name: BUCKET
valueFrom:
secretKeyRef:
name: talos-etcd-backup-secret
key: BUCKET
resources:
requests:
cpu: 100m
memory: 128Mi
persistence:
tmp:
type: emptyDir
medium: Memory
advancedMounts:
main:
main:
- path: /tmp
readOnly: false
talos:
type: emptyDir
medium: Memory
advancedMounts:
main:
main:
- path: /.talos
readOnly: false
secret:
enabled: true
type: secret
name: talos-backup-secrets
advancedMounts:
local:
backup:
main:
main:
- path: /var/run/secrets/talos.dev
readOnly: true
mountPropagation: None
remote:
backup:
- path: /var/run/secrets/talos.dev
readOnly: true
mountPropagation: None
external:
backup:
- path: /var/run/secrets/talos.dev
readOnly: true
mountPropagation: None
prune-script:
enabled: true
type: configMap
name: talos-prune-script
defaultMode: 0755
advancedMounts:
local:
s3-prune:
- path: /scripts/prune.sh
subPath: prune.sh
remote:
s3-prune:
- path: /scripts/prune.sh
subPath: prune.sh
external:
s3-prune:
- path: /scripts/prune.sh
subPath: prune.sh
s3cmd-config-local:
s3cmd-config:
enabled: true
type: secret
name: talos-etcd-backup-local-secret
name: talos-etcd-backup-secret
advancedMounts:
local:
main:
s3-prune:
- path: /root/.s3cfg
readOnly: true
mountPropagation: None
subPath: .s3cfg
s3cmd-config-remote:
enabled: true
type: secret
name: talos-etcd-backup-remote-secret
advancedMounts:
remote:
s3-prune:
- path: /root/.s3cfg
readOnly: true
mountPropagation: None
subPath: .s3cfg
s3cmd-config-external:
enabled: true
type: secret
name: talos-etcd-backup-external-secret
advancedMounts:
external:
s3-prune:
- path: /root/.s3cfg
readOnly: true
mountPropagation: None
subPath: .s3cfg
tmp-local:
type: emptyDir
medium: Memory
advancedMounts:
local:
backup:
- path: /tmp
readOnly: false
tmp-remote:
type: emptyDir
medium: Memory
advancedMounts:
remote:
backup:
- path: /tmp
readOnly: false
tmp-external:
type: emptyDir
medium: Memory
advancedMounts:
external:
backup:
- path: /tmp
readOnly: false
talos-local:
type: emptyDir
medium: Memory
advancedMounts:
local:
backup:
- path: /.talos
readOnly: false
talos-remote:
type: emptyDir
medium: Memory
advancedMounts:
remote:
backup:
- path: /.talos
readOnly: false
talos-external:
type: emptyDir
medium: Memory
advancedMounts:
external:
backup:
- path: /.talos
readOnly: false
etcd-defrag:
global:
fullnameOverride: etcd-defrag
@@ -415,6 +179,10 @@ etcd-defrag:
env:
- name: TALOSCONFIG
value: /tmp/.talos/config
resources:
requests:
cpu: 100m
memory: 128Mi
defrag-2:
type: cronjob
pod:
@@ -448,6 +216,10 @@ etcd-defrag:
env:
- name: TALOSCONFIG
value: /tmp/.talos/config
resources:
requests:
cpu: 100m
memory: 128Mi
defrag-3:
type: cronjob
pod:
@@ -481,6 +253,10 @@ etcd-defrag:
env:
- name: TALOSCONFIG
value: /tmp/.talos/config
resources:
requests:
cpu: 100m
memory: 128Mi
persistence:
talos-config-1:
enabled: true

8
clusters/cl01tl/helm/traefik/Chart.lock
View File

@@ -1,9 +1,9 @@
dependencies:
- name: traefik
repository: https://traefik.github.io/charts
version: 38.0.1
version: 37.4.0
- name: traefik-crds
repository: https://traefik.github.io/charts
version: 1.13.0
digest: sha256:0caf1c25f7bca77f070a3ba490f0d0370f7583370dfeeb2a726023ff567c208e
generated: "2025-12-19T18:45:42.696331-06:00"
version: 1.12.0
digest: sha256:68267043bdc2c60346e196e1c1d0cef62884bb3dc2ff26ff4a273ccf27edf738
generated: "2025-12-14T21:03:44.140099-06:00"

4
clusters/cl01tl/helm/traefik/Chart.yaml
View File

@@ -15,10 +15,10 @@ maintainers:
- name: alexlebens
dependencies:
- name: traefik
version: 38.0.1
version: 37.4.0
repository: https://traefik.github.io/charts
- name: traefik-crds
version: 1.13.0
version: 1.12.0
repository: https://traefik.github.io/charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/webp/traefik.webp
appVersion: v3.6.4

20
clusters/cl01tl/helm/traefik/values.yaml
View File

@@ -1,8 +1,13 @@
traefik:
crds:
enabled: true
deleteOnUninstall: false
deployment:
kind: DaemonSet
ingressClass:
enabled: false
kubernetesGateway:
enabled: true
gateway:
enabled: true
annotations:
@@ -90,18 +95,6 @@ traefik:
expose:
default: true
exposedPort: 443
http:
# -- See
# -- [upstream documentation](https://doc.traefik.io/traefik/security/request-path/#encoded-character-filtering)
# -- [relevant issue] https://github.com/traefik/traefik/issues/12399
encodedCharacters:
allowEncodedSlash: true
allowEncodedBackSlash: true
allowEncodedNullCharacter: true
allowEncodedSemicolon: true
allowEncodedPercent: true
allowEncodedQuestionMark: true
allowEncodedHash: true
forwardedHeaders:
trustedIPs:
- 10.0.0.0/8
@@ -150,7 +143,6 @@ traefik:
traefik-crds:
enabled: true
traefik: true
gatewayAPI: false
gatewayAPIExperimental: true
gatewayAPI: true
hub: false
deleteOnUninstall: false

2
clusters/cl01tl/helm/vault/Chart.lock
View File

@@ -9,4 +9,4 @@ dependencies:
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.5.0
digest: sha256:01077322d1f106f1bb2834f2bc74f548084910af901a71e2892e05d3fb0d8c68
generated: "2025-12-19T22:52:58.599824-06:00"
generated: "2025-12-05T17:15:08.381024587Z"

153
clusters/cl01tl/helm/vault/templates/config-map.yaml
View File

@@ -1,153 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: vault-snapshot-script
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-snapshot-script
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
data:
snapshot.sh: |
DATE=$(date +"%Y%m%d-%H-%M")
MAX_RETRIES=5
SUCCESS=false
echo " "
echo ">> Running Vault Snapshot Script ..."
echo " "
echo ">> Verifying required commands ..."
echo " "
for i in $(seq 1 "$MAX_RETRIES"); do
if apk update 2>&1 >/dev/null; then
echo ">> Attempt $i: Repositories are reachable";
SUCCESS=true;
break;
else
echo ">> Attempt $i: Connection failed, retrying in 5 seconds ...";
sleep 5;
fi;
done;
if [ "$SUCCESS" = false ]; then
echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ...";
exit 1;
fi
echo " "
if ! command -v jq 2>&1 >/dev/null; then
echo ">> Command jq could not be found, installing";
apk add --no-cache -q jq;
if [ $? -eq 0 ]; then
echo ">> Installation successful";
else
echo ">> Installation failed with exit code $?";
exit 1;
fi;
fi;
echo " ";
echo ">> Fetching Vault token ...";
export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
echo " ";
echo ">> Taking Vault snapsot ...";
vault operator raft snapshot save /opt/backup/vault-snapshot-$DATE.snap
echo " ";
echo ">> Setting ownership of Vault snapsot ...";
chown 100:1000 /opt/backup/vault-snapshot-$DATE.snap
echo " ";
echo ">> Completed Vault snapshot";
---
apiVersion: v1
kind: ConfigMap
metadata:
name: vault-backup-script
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-backup-script
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
data:
backup.sh: |
echo " ";
echo ">> Running S3 backup for Vault snapshot";
OUTPUT=$(s3cmd sync --no-check-certificate -v /opt/backup/* "${BUCKET}/cl01tl/cl01tl-vault-snapshots/" 2>&1)
STATUS=$?
if [ $STATUS -ne 0 ]; then
if echo "$OUTPUT" | grep -q "403 Forbidden"; then
MESSAGE="403 Authentication Error: Your keys are wrong or you don't have permission"
elif echo "$OUTPUT" | grep -q "404 Not Found"; then
MESSAGE="404 Error: The bucket or folder does not exist"
elif echo "$OUTPUT" | grep -q "Connection refused"; then
MESSAGE="Network Error: Cannot reach the S3 endpoint"
else
MESSAGE="Unknown Error"
echo " ";
echo ">> Unknown Error, output:"
echo " "
echo "$OUTPUT"
fi
MAX_RETRIES=5
SUCCESS=false
echo " "
echo ">> Sending message to ntfy using curl ..."
echo " "
echo ">> Verifying required commands ..."
for i in $(seq 1 "$MAX_RETRIES"); do
if apk update 2>&1 >/dev/null; then
echo ">> Attempt $i: Repositories are reachable";
SUCCESS=true;
break;
else
echo ">> Attempt $i: Connection failed, retrying in 5 seconds ...";
sleep 5;
fi;
done;
if [ "$SUCCESS" = false ]; then
echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ...";
exit 1;
fi
if ! command -v curl 2>&1 >/dev/null; then
echo ">> Command curl could not be found, installing";
apk add --no-cache -q curl;
if [ $? -eq 0 ]; then
echo ">> Installation successful";
else
echo ">> Installation failed with exit code $?";
exit 1;
fi;
fi;
echo " "
echo ">> Sending to NTFY ..."
echo ">> Message: $MESSAGE"
HTTP_STATUS=$(curl \
--silent \
--write-out '%{http_code}' \
-H "Authorization: Bearer ${NTFY_TOKEN}" \
-H "X-Priority: 5" \
-H "X-Tags: warning" \
-H "X-Title: Vault Backup Failed for ${TARGET}" \
-d "$MESSAGE" \
${NTFY_ENDPOINT}/${NTFY_TOPIC}
)
echo ">> HTTP Status Code: $HTTP_STATUS"
else
echo " ";
echo ">> S3 Sync succeeded"
fi

101
clusters/cl01tl/helm/vault/templates/external-secret.yaml
View File

@@ -31,70 +31,10 @@ spec:
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: vault-s3cmd-local-config
name: vault-s3cmd-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-s3cmd-local-config
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: .s3cfg
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/vault-backups
metadataPolicy: None
property: s3cfg-local
- secretKey: BUCKET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/vault-backups
metadataPolicy: None
property: BUCKET
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: vault-s3cmd-remote-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-s3cmd-remote-config
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: .s3cfg
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/vault-backups
metadataPolicy: None
property: s3cfg-remote
- secretKey: BUCKET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/vault-backups
metadataPolicy: None
property: BUCKET
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: vault-s3cmd-external-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-s3cmd-external-config
app.kubernetes.io/name: vault-s3cmd-config
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
@@ -117,43 +57,6 @@ spec:
metadataPolicy: None
property: BUCKET
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: vault-backup-ntfy-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-backup-ntfy-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: NTFY_TOKEN
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /ntfy/user/cl01tl
metadataPolicy: None
property: token
- secretKey: NTFY_ENDPOINT
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /ntfy/user/cl01tl
metadataPolicy: None
property: endpoint
- secretKey: NTFY_TOPIC
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/vault/snapshot
metadataPolicy: None
property: NTFY_TOPIC
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret

8
clusters/cl01tl/helm/vault/templates/persistent-volume-claim.yaml
View File

@@ -1,17 +1,17 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vault-storage-backup
name: vault-nfs-storage-backup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-storage-backup
app.kubernetes.io/name: vault-nfs-storage-backup
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: ceph-filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteMany
- ReadWriteOnce
resources:
requests:
storage: 1Gi

154
clusters/cl01tl/helm/vault/values.yaml
View File

@@ -32,12 +32,12 @@ vault:
livenessProbe:
enabled: false
volumes:
- name: vault-storage-backup
- name: vault-nfs-storage-backup
persistentVolumeClaim:
claimName: vault-storage-backup
claimName: vault-nfs-storage-backup
volumeMounts:
- mountPath: /opt/backups/
name: vault-storage-backup
name: vault-nfs-storage-backup
readOnly: false
affinity: |
podAntiAffinity:
@@ -176,15 +176,26 @@ snapshot:
- /bin/ash
args:
- -ec
- /scripts/snapshot.sh
- |
apk add --no-cache jq;
echo ">> Running Vault snapshot"
export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
echo ">> Completed Vault snapshot"
envFrom:
- secretRef:
name: vault-snapshot-agent-token
env:
- name: VAULT_ADDR
value: http://vault-active.vault.svc.cluster.local:8200
resources:
requests:
cpu: 10m
memory: 64Mi
containers:
s3-backup-local:
s3-backup:
image:
repository: d3fk/s3cmd
tag: latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f
@@ -193,136 +204,43 @@ snapshot:
- /bin/sh
args:
- -ec
- /scripts/backup.sh
envFrom:
- secretRef:
name: vault-backup-ntfy-secret
- |
echo ">> Running S3 backup for Vault snapshot"
s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/vault-snapshot-s3.snap ${BUCKET}/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
rm -f /opt/backup/vault-snapshot-s3.snap;
echo ">> Completed S3 backup for Vault snapshot"
env:
- name: BUCKET
valueFrom:
secretKeyRef:
name: vault-s3cmd-local-config
name: vault-s3cmd-config
key: BUCKET
- name: TARGET
value: Local
s3-backup-remote:
image:
repository: d3fk/s3cmd
tag: latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f
pullPolicy: IfNotPresent
command:
- /bin/sh
args:
- -ec
- /scripts/backup.sh
envFrom:
- secretRef:
name: vault-backup-ntfy-secret
env:
- name: BUCKET
valueFrom:
secretKeyRef:
name: vault-s3cmd-remote-config
key: BUCKET
- name: TARGET
value: Remote
s3-backup-external:
image:
repository: d3fk/s3cmd
tag: latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f
pullPolicy: IfNotPresent
command:
- /bin/sh
args:
- -ec
- /scripts/backup.sh
envFrom:
- secretRef:
name: vault-backup-ntfy-secret
env:
- name: BUCKET
valueFrom:
secretKeyRef:
name: vault-s3cmd-external-config
key: BUCKET
- name: TARGET
value: External
resources:
requests:
cpu: 100m
memory: 128Mi
persistence:
snapshot-script:
enabled: true
type: configMap
name: vault-snapshot-script
defaultMode: 0755
config:
existingClaim: vault-nfs-storage-backup
advancedMounts:
snapshot:
snapshot:
- path: /scripts/snapshot.sh
subPath: snapshot.sh
backup-script:
enabled: true
type: configMap
name: vault-backup-script
defaultMode: 0755
advancedMounts:
snapshot:
s3-backup-local:
- path: /scripts/backup.sh
subPath: backup.sh
s3-backup-remote:
- path: /scripts/backup.sh
subPath: backup.sh
s3-backup-external:
- path: /scripts/backup.sh
subPath: backup.sh
s3cmd-local-config:
- path: /opt/backup
readOnly: false
s3-backup:
- path: /opt/backup
readOnly: false
s3cmd-config:
enabled: true
type: secret
name: vault-s3cmd-local-config
name: vault-s3cmd-config
advancedMounts:
snapshot:
s3-backup-local:
s3-backup:
- path: /root/.s3cfg
readOnly: true
mountPropagation: None
subPath: .s3cfg
s3cmd-remote-config:
enabled: true
type: secret
name: vault-s3cmd-remote-config
advancedMounts:
snapshot:
s3-backup-remote:
- path: /root/.s3cfg
readOnly: true
mountPropagation: None
subPath: .s3cfg
s3cmd-external-config:
enabled: true
type: secret
name: vault-s3cmd-external-config
advancedMounts:
snapshot:
s3-backup-external:
- path: /root/.s3cfg
readOnly: true
mountPropagation: None
subPath: .s3cfg
backup:
existingClaim: vault-storage-backup
advancedMounts:
snapshot:
snapshot:
- path: /opt/backup
readOnly: false
s3-backup-local:
- path: /opt/backup
readOnly: false
s3-backup-remote:
- path: /opt/backup
readOnly: false
s3-backup-external:
- path: /opt/backup
readOnly: false
unseal:
global:
fullnameOverride: vault-unseal

2
clusters/cl01tl/helm/whodb/values.yaml
View File

@@ -8,7 +8,7 @@ whodb:
main:
image:
repository: clidey/whodb
tag: 0.86.0
tag: 0.85.0
pullPolicy: IfNotPresent
env:
- name: WHODB_OLLAMA_HOST

2
hosts/ps08rp/blocky/compose.yaml
View File

@@ -1,7 +1,7 @@
---
services:
tailscale-blocky:
image: ghcr.io/tailscale/tailscale:v1.92.4
image: ghcr.io/tailscale/tailscale:v1.92.3
container_name: tailscale-blocky
cap_add:
- net_admin

1
hosts/ps08rp/blocky/config.yml
View File

@@ -105,6 +105,7 @@ customDNS:
huntarr IN CNAME traefik-cl01tl
immich IN CNAME traefik-cl01tl
jellyfin IN CNAME traefik-cl01tl
jellyfin-vue IN CNAME traefik-cl01tl
jellystat IN CNAME traefik-cl01tl
kiwix IN CNAME traefik-cl01tl
komodo IN CNAME traefik-cl01tl

2
hosts/ps09rp/blocky/compose.yaml
View File

@@ -1,7 +1,7 @@
---
services:
tailscale-blocky:
image: ghcr.io/tailscale/tailscale:v1.92.4
image: ghcr.io/tailscale/tailscale:v1.92.3
container_name: tailscale-blocky
cap_add:
- net_admin

1
hosts/ps09rp/blocky/config.yml
View File

@@ -105,6 +105,7 @@ customDNS:
huntarr IN CNAME traefik-cl01tl
immich IN CNAME traefik-cl01tl
jellyfin IN CNAME traefik-cl01tl
jellyfin-vue IN CNAME traefik-cl01tl
jellystat IN CNAME traefik-cl01tl
kiwix IN CNAME traefik-cl01tl
komodo IN CNAME traefik-cl01tl

2
hosts/ps10rp/blocky/compose.yaml
View File

@@ -1,7 +1,7 @@
---
services:
tailscale-blocky:
image: ghcr.io/tailscale/tailscale:v1.92.4
image: ghcr.io/tailscale/tailscale:v1.92.3
container_name: tailscale-blocky
cap_add:
- net_admin

4
hosts/ps10rp/garage/compose.yaml
View File

@@ -1,6 +1,6 @@
services:
tailscale-garage:
image: ghcr.io/tailscale/tailscale:v1.92.4
image: ghcr.io/tailscale/tailscale:v1.92.3
container_name: tailscale-garage
cap_add:
- net_admin
@@ -20,7 +20,7 @@ services:
- /dev/net/tun:/dev/net/tun
tailscale-garage-ui:
image: ghcr.io/tailscale/tailscale:v1.92.4
image: ghcr.io/tailscale/tailscale:v1.92.3
container_name: tailscale-garage-ui
cap_add:
- net_admin

2
hosts/ps10rp/gitea/compose.yaml
View File

@@ -1,6 +1,6 @@
services:
tailscale-gitea:
image: ghcr.io/tailscale/tailscale:v1.92.4
image: ghcr.io/tailscale/tailscale:v1.92.3
container_name: tailscale-gitea
cap_add:
- net_admin

2
hosts/ps10rp/homepage/compose.yaml
View File

@@ -1,7 +1,7 @@
---
services:
tailscale-homepage:
image: ghcr.io/tailscale/tailscale:v1.92.4
image: ghcr.io/tailscale/tailscale:v1.92.3
container_name: tailscale-homepage
cap_add:
- net_admin

2
hosts/ps10rp/node-exporter/compose.yaml
View File

@@ -1,7 +1,7 @@
---
services:
tailscale-node-exporter:
image: ghcr.io/tailscale/tailscale:v1.92.4
image: ghcr.io/tailscale/tailscale:v1.92.3
container_name: tailscale-node-exporter
cap_add:
- net_admin

2
hosts/ps10rp/tailscale-subnet/compose.yaml
View File

@@ -1,7 +1,7 @@
---
services:
tailscale:
image: ghcr.io/tailscale/tailscale:v1.92.4
image: ghcr.io/tailscale/tailscale:v1.92.3
container_name: tailscale-subnet
cap_add:
- net_admin

2
hosts/ps10rp/traefik/compose.yaml
View File

@@ -1,7 +1,7 @@
---
services:
tailscale-traefik:
image: ghcr.io/tailscale/tailscale:v1.92.4
image: ghcr.io/tailscale/tailscale:v1.92.3
container_name: tailscale-traefik
cap_add:
- net_admin