2 Commits

Author SHA1 Message Date
f2280ff40a feat: add more
All checks were successful
lint-test-helm / lint-helm (pull_request) Successful in 12m40s
lint-test-helm / validate-kubeconform (pull_request) Successful in 14m29s
2026-04-21 21:13:37 -05:00
e104eae55e feat: convert many
Some checks failed
lint-test-helm / lint-helm (pull_request) Successful in 9m13s
lint-test-helm / validate-kubeconform (pull_request) Failing after 10m43s
2026-04-21 20:47:16 -05:00
298 changed files with 2203 additions and 1178 deletions


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
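Review bot: Both label values in `custom.selectorLabels` are emitted unquoted, so a release name that YAML reads as a number or boolean would render as a non-string label value and the manifest would be rejected. `app.kubernetes.io/instance: {{ .Release.Name | quote }}` and the same for `part-of` avoid that. The identical helper file is added to many other charts further down this page, so the point applies to each copy; a shared library chart would keep it in one place. Since `custom.labels` only forwards to `custom.selectorLabels`, a one-line comment in its header saying that extra labels belong in `custom.labels` and never in the selector helper would help later edits.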


@@ -5,8 +5,8 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}-tailscale
tailscale.com/proxy-class: no-metrics
{{- include "custom.labels" . | nindent 4 }}
tailscale.com/proxy-class: no-metrics
annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
spec:
@@ -25,4 +25,4 @@ spec:
service:
name: authentik-server
port:
number: 80
name: http


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -20,8 +20,6 @@ spec:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
- kind: Service
name: hubble-ui
port: 80
weight: 100


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -1,16 +1,15 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: synology-iscsi-config-secret
name: synology-iscsi-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: synology-iscsi-config-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: synology-iscsi-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: driver-config-file.yaml
remoteRef:


@@ -1,11 +1,10 @@
apiVersion: v1
kind: Namespace
metadata:
name: democratic-csi-synology-iscsi
name: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: democratic-csi-synology-iscsi
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Release.Namespace }}
{{- include "custom.labels" . | nindent 4 }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
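Review bot: With `metadata.name` now `{{ .Release.Namespace }}`, the `pod-security.kubernetes.io/enforce: privileged` label applies to whichever namespace the release is rendered into, not to one fixed name. If the chart is ever rendered into a namespace shared with other workloads, Pod Security enforcement is relaxed for all of them. I would add a comment above the three `pod-security.kubernetes.io/*` labels stating why this driver needs `privileged`, and quote the templated value: `name: {{ .Release.Namespace | quote }}`. The same pattern appears in the generic-device-plugin and gitea Namespace sections further down; for gitea it is worth confirming that `privileged` rather than `baseline` is really required.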


@@ -3,7 +3,7 @@ democratic-csi:
image:
registry: ghcr.io/democratic-csi/democratic-csi
tag: v1.9.5@@sha256:fc3b7d7ed3a616714139525075312758e23a5d425ffb539ad12c9bd20fb6001f
existingConfigSecret: synology-iscsi-config-secret
existingConfigSecret: synology-iscsi-config
config:
driver: synology-iscsi
resources:
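Review bot: The unchanged `tag:` line reads `v1.9.5@@sha256:…` with a doubled `@`, which is not a valid tag-plus-digest reference, assuming it is really in the file and not an artifact of how this page renders the line. The garage values elsewhere in this change pin as `v2.3.0@sha256:…` with a single `@`, so this line should follow the same form with one `@` before the existing digest. Rendering the chart and reading the final image string would confirm that the digest pin is actually in effect. The `democratic-csi:` mapping continues outside the hunk.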


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -5,7 +5,7 @@ description: Directus
keywords:
- directus
- content-management-system
home: https://docs.alexlebens.dev/applications/descheduler/
home: https://docs.alexlebens.dev/applications/directus/
sources:
- https://github.com/directus/directus
- https://github.com/directus/directus/pkgs/container/directus


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -5,13 +5,20 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-config
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: key
remoteRef:
key: /cl01tl/directus/key
property: key
- secretKey: secret
remoteRef:
key: /cl01tl/directus/key
property: secret
- secretKey: admin-email
remoteRef:
key: /cl01tl/directus/config
@@ -20,38 +27,6 @@ spec:
remoteRef:
key: /cl01tl/directus/config
property: admin-password
- secretKey: secret
remoteRef:
key: /cl01tl/directus/config
property: secret
- secretKey: key
remoteRef:
key: /cl01tl/directus/config
property: key
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
key: /authentik/oidc/directus
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
key: /authentik/oidc/directus
property: secret
---
apiVersion: external-secrets.io/v1
@@ -61,18 +36,67 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-metric-token
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: metric-token
remoteRef:
key: /cl01tl/directus/metrics
property: metric-token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-valkey-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-valkey-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: user
remoteRef:
key: /cl01tl/directus/valkey
property: user
- secretKey: password
remoteRef:
key: /cl01tl/directus/valkey
property: password
- secretKey: default
remoteRef:
key: /cl01tl/directus/valkey
property: password
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-oidc-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-oidc-authentik
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
key: /cl01tl/authentik/oidc/directus
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
key: /cl01tl/authentik/oidc/directus
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
@@ -81,12 +105,11 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-bucket-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
@@ -100,31 +123,3 @@ spec:
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_REGION
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-valkey-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-valkey-config
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: default
remoteRef:
key: /cl01tl/directus/valkey
property: password
- secretKey: user
remoteRef:
key: /cl01tl/directus/valkey
property: user
- secretKey: password
remoteRef:
key: /cl01tl/directus/valkey
property: password
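Review bot: The `directus-bucket-garage` ExternalSecret switches to the `openbao` store, but its visible `remoteRef.key` stays `/garage/home-infra/directus-assets`. In the same file the OIDC entries moved from `/authentik/oidc/directus` to `/cl01tl/authentik/oidc/directus`. If the OpenBao layout places everything under `/cl01tl/`, this key will not resolve and the Secret stops syncing. If the unprefixed path is intentional, a comment above that resource's `data:` list saying so would prevent a later "fix". Only the tail of that resource is inside the hunk, so its other keys cannot be checked from here.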


@@ -113,12 +113,12 @@ directus:
- name: AUTH_AUTHENTIK_CLIENT_ID
valueFrom:
secretKeyRef:
name: directus-oidc-secret
name: directus-oidc-authentik
key: OIDC_CLIENT_ID
- name: AUTH_AUTHENTIK_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: directus-oidc-secret
name: directus-oidc-authentik
key: OIDC_CLIENT_SECRET
- name: AUTH_AUTHENTIK_SCOPE
value: openid profile email


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -5,7 +5,7 @@ description: Excalidraw
keywords:
- excalidraw
- drawing
home: https://docs.alexlebens.dev/applications/eraser/
home: https://docs.alexlebens.dev/applications/excalidraw/
sources:
- https://github.com/excalidraw/excalidraw
- https://hub.docker.com/r/excalidraw/excalidraw


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -5,7 +5,7 @@ description: External DNS
keywords:
- external-dns
- dns
home: https://docs.alexlebens.dev/applications/eraser/
home: https://docs.alexlebens.dev/applications/external-dns/
sources:
- https://github.com/kubernetes-sigs/external-dns
- https://explore.ggcr.dev/?repo=registry.k8s.io%2Fexternal-dns%2Fexternal-dns


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -5,8 +5,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: external-device-names
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
endpoints:
# Unifi UDM
@@ -48,8 +47,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: iot-device-names
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
endpoints:
# Airgradient
@@ -82,6 +80,18 @@ spec:
recordType: A
targets:
- 10.230.0.100
# HD Homerun
- dnsName: dv01hr.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 10.232.1.72
# Pi KVM
- dnsName: dv02kv.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 10.232.1.71
---
apiVersion: externaldns.k8s.io/v1alpha1
@@ -91,8 +101,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: server-host-names
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
endpoints:
# Unifi Gateway
@@ -125,6 +134,18 @@ spec:
recordType: A
targets:
- 10.232.1.52
# Desktop
- dnsName: pd05wd.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 10.230.0.115
# Laptop
- dnsName: pl02mc.alexlebens.net
recordTTL: 180
recordType: A
targets:
- 10.230.0.105
---
apiVersion: externaldns.k8s.io/v1alpha1
@@ -134,8 +155,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: cluster-service-names
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
endpoints:
# Treafik Proxy
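Review bot: The added `dv02kv.alexlebens.net` (Pi KVM), `pd05wd.alexlebens.net` and `pl02mc.alexlebens.net` endpoints publish private addresses for a management device and two personal machines. Nothing in these hunks shows which provider or zone serves the DNSEndpoint objects. If only an internal resolver consumes them that is fine, but I would add a comment at the top of each `spec.endpoints` list, for example `# internal-only records: must not be served by a public DNS provider`. That way a second external-dns provider added later does not pick them up and expose internal naming and addressing. Each resource body starts and continues outside the hunks shown.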


@@ -5,12 +5,11 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: external-dns-unifi-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: api-key
remoteRef:


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -5,13 +5,12 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: external-secrets
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
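Review bot: The binding subject is now `name: {{ .Release.Name }}`, so the `system:auth-delegator` grant follows the release name instead of the fixed `external-secrets` account. Nothing visible ties the controller's actual ServiceAccount name to the release name. Installing under another name would presumably leave the grant on an account that does not exist, or on an unrelated account that happens to carry that name. Either keep the literal name or derive it from the same setting the subchart uses for its ServiceAccount, and quote the value: `name: {{ .Release.Name | quote }}`. The same templated name is used for `serviceAccountRef` in the ClusterSecretStore section that follows, where `role: external-secrets` stays literal.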


@@ -5,8 +5,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
provider:
vault:
@@ -26,8 +25,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
provider:
vault:
@@ -39,7 +37,7 @@ spec:
mountPath: kubernetes
role: external-secrets
serviceAccountRef:
name: external-secrets
namespace: {{ .Release.Name }}
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
audiences:
- openbao
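Review bot: Neither visible hunk shows a `conditions` block limiting which namespaces may use the `openbao` ClusterSecretStore, although every ExternalSecret changed on this page now points at it. Without such a restriction, any namespace that can create an ExternalSecret could read any path the `external-secrets` role is allowed to read, including another application's OIDC client secret. Both store specs are cut by the hunks, so this may already be handled outside the visible lines; if not, a namespace selector under `spec.conditions` would narrow it. The legacy `vault` store is also still defined here and could be dropped once nothing references it.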


@@ -0,0 +1,21 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
NFS names
*/}}
{{- define "custom.storageNfsName" -}}
foldergram-pictures-collections-nfs-storage
{{- end -}}


@@ -1,14 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: foldergram-pictures-collections-nfs-storage
name: {{ include "custom.storageNfsName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: foldergram-pictures-collections-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
spec:
volumeName: foldergram-pictures-collections-nfs-storage
volumeName: {{ include "custom.storageNfsName" . }}
storageClassName: nfs-client
accessModes:
- ReadWriteMany


@@ -1,12 +1,11 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: foldergram-pictures-collections-nfs-storage
name: {{ include "custom.storageNfsName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: foldergram-pictures-collections-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -1,54 +1,52 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: freshrss-install-secret
name: freshrss-install-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: freshrss-install-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: freshrss-install-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: ADMIN_EMAIL
remoteRef:
key: /cl01tl/freshrss/config
property: ADMIN_EMAIL
property: admin-email
- secretKey: ADMIN_PASSWORD
remoteRef:
key: /cl01tl/freshrss/config
property: ADMIN_PASSWORD
property: admin-password
- secretKey: ADMIN_API_PASSWORD
remoteRef:
key: /cl01tl/freshrss/config
property: ADMIN_API_PASSWORD
property: admin-api-password
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: freshrss-oidc-secret
name: freshrss-oidc-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: freshrss-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: freshrss-oidc-authentik
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
key: /authentik/oidc/freshrss
key: /cl01tl/authentik/oidc/freshrss
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
key: /authentik/oidc/freshrss
key: /cl01tl/authentik/oidc/freshrss
property: secret
- secretKey: OIDC_CLIENT_CRYPTO_KEY
remoteRef:
key: /authentik/oidc/freshrss
property: crypto-key
key: /cl01tl/freshrss/key
property: oidc-client-crypto-key


@@ -73,9 +73,9 @@ freshrss:
value: preferred_username
envFrom:
- secretRef:
name: freshrss-oidc-secret
name: freshrss-oidc-authentik
- secretRef:
name: freshrss-install-secret
name: freshrss-install-config
resources:
requests:
cpu: 1m


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -1,26 +1,25 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: garage-token-secret
name: garage-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: garage-token-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: garage-token
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: GARAGE_RPC_SECRET
remoteRef:
key: /cl01tl/garage/token
property: rpc
key: /cl01tl/garage/config
property: rpc-secret
- secretKey: GARAGE_ADMIN_TOKEN
remoteRef:
key: /cl01tl/garage/token
property: admin
key: /cl01tl/garage/config
property: admin-token
- secretKey: GARAGE_METRICS_TOKEN
remoteRef:
key: /cl01tl/garage/token
property: metric
key: /cl01tl/garage/config
property: metrics-token


@@ -6,8 +6,7 @@ metadata:
labels:
app.kubernetes.io/name: garage-main
app.kubernetes.io/service: garage-main
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
ports:
- name: admin
@@ -27,6 +26,6 @@ spec:
protocol: TCP
targetPort: 3902
selector:
app.kubernetes.io/instance: garage
app.kubernetes.io/name: garage
app.kubernetes.io/instance: garage
garage-type: server


@@ -24,7 +24,7 @@ garage:
tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
envFrom:
- secretRef:
name: garage-token-secret
name: garage-token
resources:
requests:
cpu: 10m
@@ -53,7 +53,7 @@ garage:
tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
envFrom:
- secretRef:
name: garage-token-secret
name: garage-token
resources:
requests:
cpu: 10m
@@ -82,7 +82,7 @@ garage:
tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
envFrom:
- secretRef:
name: garage-token-secret
name: garage-token
resources:
requests:
cpu: 10m
@@ -104,7 +104,7 @@ garage:
- name: API_ADMIN_KEY
valueFrom:
secretKeyRef:
name: garage-token-secret
name: garage-token
key: GARAGE_ADMIN_TOKEN
resources:
requests:
@@ -273,7 +273,7 @@ garage:
scrapeTimeout: 2m
path: /metrics
bearerTokenSecret:
name: garage-token-secret
name: garage-token
key: GARAGE_METRICS_TOKEN
route:
webui:


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -1,42 +1,40 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gatus-config-secret
name: gatus-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gatus-config-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: NTFY_TOKEN
remoteRef:
key: /ntfy/user/cl01tl
key: /cl01tl/ntfy/users/cl01tl
property: token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gatus-oidc-secret
name: gatus-oidc-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gatus-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: gatus-oidc-authentik
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
key: /authentik/oidc/gatus
key: /cl01tl/authentik/oidc/gatus
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
key: /authentik/oidc/gatus
key: /cl01tl/authentik/oidc/gatus
property: secret
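Review bot: The first ExternalSecret is renamed to `gatus-config`, but its `app.kubernetes.io/name: gatus-config-secret` label is left unchanged, unlike the second resource where the label was updated to `gatus-oidc-authentik`. The hunk header (42 old lines, 40 new) is consistent with that label being an untouched context line. It should read `app.kubernetes.io/name: gatus-config` so that label selectors and dashboards keyed on the name still find the resource.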


@@ -20,17 +20,17 @@ gatus:
NTFY_TOKEN:
valueFrom:
secretKeyRef:
name: gatus-config-secret
name: gatus-config
key: NTFY_TOKEN
OIDC_CLIENT_ID:
valueFrom:
secretKeyRef:
name: gatus-oidc-secret
name: gatus-oidc-authentik
key: OIDC_CLIENT_ID
OIDC_CLIENT_SECRET:
valueFrom:
secretKeyRef:
name: gatus-oidc-secret
name: gatus-oidc-authentik
key: OIDC_CLIENT_SECRET
POSTGRES_USER:
valueFrom:


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -1,11 +1,10 @@
apiVersion: v1
kind: Namespace
metadata:
name: generic-device-plugin
name: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: generic-device-plugin
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Release.Namespace }}
{{- include "custom.labels" . | nindent 4 }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -5,8 +5,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-custom-templates
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
data:
header.tmpl: |
<script defer src="https://rybbit.alexlebens.dev/api/script.js" data-site-id="b515c34a6dcc"></script>


@@ -1,64 +1,15 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gitea-admin-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-admin-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: username
remoteRef:
key: /cl01tl/gitea/auth/admin
property: username
- secretKey: password
remoteRef:
key: /cl01tl/gitea/auth/admin
property: password
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gitea-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
remoteRef:
key: /authentik/oidc/gitea
property: secret
- secretKey: key
remoteRef:
key: /authentik/oidc/gitea
property: client
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gitea-runner-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-runner-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: token
remoteRef:
@@ -69,80 +20,15 @@ spec:
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gitea-renovate-secret
name: gitea-meilisearch-key
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-renovate-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: gitea-meilisearch-key
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: RENOVATE_ENDPOINT
remoteRef:
key: /cl01tl/gitea/renovate
property: RENOVATE_ENDPOINT
- secretKey: RENOVATE_GIT_AUTHOR
remoteRef:
key: /cl01tl/gitea/renovate
property: RENOVATE_GIT_AUTHOR
- secretKey: RENOVATE_TOKEN
remoteRef:
key: /cl01tl/gitea/renovate
property: RENOVATE_TOKEN
- secretKey: RENOVATE_GIT_PRIVATE_KEY
remoteRef:
key: /cl01tl/gitea/renovate
property: id_rsa
- secretKey: RENOVATE_GITHUB_COM_TOKEN
remoteRef:
key: /github/gitea-cl01tl
property: token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gitea-renovate-ssh-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-renovate-ssh-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config
remoteRef:
key: /cl01tl/gitea/renovate
property: ssh_config
- secretKey: id_rsa
remoteRef:
key: /cl01tl/gitea/renovate
property: id_rsa
- secretKey: id_rsa.pub
remoteRef:
key: /cl01tl/gitea/renovate
property: id_rsa.pub
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gitea-meilisearch-master-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-meilisearch-master-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
target:
template:
mergePolicy: Merge
@@ -153,4 +39,27 @@ spec:
- secretKey: MEILI_MASTER_KEY
remoteRef:
key: /cl01tl/gitea/meilisearch
property: MEILI_MASTER_KEY
property: master-key
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gitea-oidc-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-oidc-authentik
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: secret
remoteRef:
key: /cl01tl/authentik/oidc/gitea
property: secret
- secretKey: key
remoteRef:
key: /cl01tl/authentik/oidc/gitea
property: client


@@ -5,8 +5,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
@@ -21,8 +20,6 @@ spec:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
- kind: Service
name: gitea-http
port: 3000
weight: 100


@@ -1,12 +1,11 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-tailscale
name: {{ .Release.Name }}-tailscale
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-tailscale
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Release.Name }}-tailscale
{{- include "custom.labels" . | nindent 4 }}
tailscale.com/proxy-class: no-metrics
annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
@@ -21,7 +20,7 @@ spec:
http:
paths:
- path: /
pathType: ImplementationSpecific
pathType: Prefix
backend:
service:
name: gitea-http


@@ -1,11 +1,10 @@
apiVersion: v1
kind: Namespace
metadata:
name: gitea
name: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Release.Namespace }}
{{- include "custom.labels" . | nindent 4 }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged


@@ -5,8 +5,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-themes-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
volumeMode: Filesystem
storageClassName: ceph-filesystem


@@ -5,8 +5,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
selector:
matchLabels:


@@ -5,8 +5,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: gitea-ssh
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
@@ -16,8 +15,6 @@ spec:
sectionName: ssh
rules:
- backendRefs:
- group: ''
kind: Service
- kind: Service
name: gitea-ssh
port: 22
weight: 100


@@ -59,7 +59,7 @@ gitea:
oauth:
- name: Authentik
provider: openidConnect
existingSecret: gitea-oidc-secret
existingSecret: gitea-oidc-authentik
autoDiscoverUrl: https://auth.alexlebens.dev/application/o/gitea/.well-known/openid-configuration
iconUrl: https://goauthentik.io/img/icon.png
scopes: "email profile"
@@ -137,7 +137,7 @@ gitea:
- name: GITEA__INDEXER__ISSUE_INDEXER_CONN_STR
valueFrom:
secretKeyRef:
name: gitea-meilisearch-master-key-secret
name: gitea-meilisearch-key
key: ISSUE_INDEXER_CONN_STR
valkey-cluster:
enabled: false
@@ -235,7 +235,7 @@ meilisearch:
MEILI_ENV: production
MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: true
auth:
existingMasterKeySecret: gitea-meilisearch-master-key-secret
existingMasterKeySecret: gitea-meilisearch-key
persistence:
enabled: true
storageClass: ceph-block


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
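Review bot: `custom.labels` and `custom.selectorLabels` are added verbatim here and in the other new helper files in this commit (the later `@@ -0,0 +1,14 @@`, `+1,21` and `+1,24` sections), so a later label change has to be repeated in every copy. A shared library chart would keep one definition; short of that, a comment in each copy such as `{{/* Keep in sync with custom.labels in the other charts */}}` documents the coupling. `custom.labels` currently renders exactly `custom.selectorLabels`, so any label that may change over time (a version, for example) belongs in `custom.labels` only, because selectors on existing workloads are immutable.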


@@ -1,98 +1,44 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: grafana-auth-secret
name: grafana-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-auth-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: grafana-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: admin-user
remoteRef:
key: /cl01tl/grafana/auth
key: /cl01tl/grafana/config
property: admin-user
- secretKey: admin-password
remoteRef:
key: /cl01tl/grafana/auth
key: /cl01tl/grafana/config
property: admin-password
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: grafana-oauth-secret
name: grafana-oidc-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-oauth-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: grafana-oidc-authentik
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: AUTH_CLIENT_ID
remoteRef:
key: /authentik/oidc/grafana
key: /cl01tl/authentik/oidc/grafana
property: client
- secretKey: AUTH_CLIENT_SECRET
remoteRef:
key: /authentik/oidc/grafana
key: /cl01tl/authentik/oidc/grafana
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: grafana-operator-postgresql-18-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-operator-postgresql-18-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: /digital-ocean/home-infra/postgres-backups
property: access
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /digital-ocean/home-infra/postgres-backups
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: grafana-operator-postgresql-18-cluster-backup-secret-garage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-operator-postgresql-18-cluster-backup-secret-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: /garage/home-infra/postgres-backups
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /garage/home-infra/postgres-backups
property: ACCESS_SECRET_KEY
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/postgres-backups
property: ACCESS_REGION
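Review bot: Both remaining ExternalSecrets switch `secretStoreRef` to the ClusterSecretStore `openbao`, and a cluster-scoped store lets any namespace that can create an ExternalSecret request any path the store's credentials can read, including the cross-application path `/cl01tl/authentik/oidc/grafana` used here. The store definition is not part of this section, so confirm that it limits its consumers (a `conditions` namespace list on the ClusterSecretStore) or that the backing policy is scoped per path. The same applies to the other ExternalSecret sections in this commit that move from `vault` to `openbao`. Separately, the two `grafana-operator-postgresql-18-cluster-backup-secret*` objects are deleted in this section; any backup configuration that still names them would lose its credentials.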


@@ -5,8 +5,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-ceph
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -24,8 +23,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-coredns
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -43,8 +41,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-etcd
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -62,8 +59,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -81,8 +77,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-loki
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -100,8 +95,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-node-full
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -119,8 +113,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-node-short
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -138,8 +131,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-pods
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -157,8 +149,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-argocd
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -176,8 +167,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-blocky
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -195,8 +185,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-cert-manager
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -214,8 +203,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-cloudnative-pg
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -233,8 +221,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-descheduler
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -252,8 +239,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-external-dns
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -271,8 +257,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-external-secrets
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -290,8 +275,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-gatus
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -309,8 +293,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-operator
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -328,8 +311,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-harbor
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -347,8 +329,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-speedtest-exporter
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -366,8 +347,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-spegel
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -385,8 +365,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-traefik
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -404,8 +383,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-tdarr
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -423,8 +401,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-unpoller
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -442,8 +419,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-version-checker-internal
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -461,8 +437,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-version-checker
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -480,8 +455,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-volsync
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -499,8 +473,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-s3
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -518,8 +491,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-authentik
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -537,8 +509,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-gitea
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -556,8 +527,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-ntfy
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -575,8 +545,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-openbao
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -594,8 +563,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-qbittorrent
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -613,8 +581,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-vault
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -632,8 +599,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-unpackerr
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -651,8 +617,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-airgradient
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -670,8 +635,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-server-power-consumption
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -689,8 +653,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-immich
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -708,8 +671,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-jellyfin
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -727,8 +689,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-navidrome
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -746,8 +707,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-radarr
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -765,8 +725,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-servarr
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -784,8 +743,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-dashboard-sonarr
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:


@@ -5,8 +5,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-datasource-prometheus
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
datasource:
name: Prometheus
@@ -33,8 +32,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-datasource-loki
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
datasource:
name: Loki


@@ -5,8 +5,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-folder-application
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -40,8 +39,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-folder-iot
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -75,8 +73,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-folder-platform
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -110,8 +107,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-folder-service
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:
@@ -145,8 +141,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-folder-system
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
instanceSelector:
matchLabels:


@@ -5,8 +5,7 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grafana-main
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
app: grafana-main
spec:
config:
@@ -66,22 +65,22 @@ spec:
- name: AUTH_CLIENT_ID
valueFrom:
secretKeyRef:
name: grafana-oauth-secret
name: grafana-oidc-authentik
key: AUTH_CLIENT_ID
- name: AUTH_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: grafana-oauth-secret
name: grafana-oidc-authentik
key: AUTH_CLIENT_SECRET
- name: ADMIN_USER
valueFrom:
secretKeyRef:
name: grafana-auth-secret
name: grafana-config
key: admin-user
- name: ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: grafana-auth-secret
name: grafana-config
key: admin-password
- name: DB_HOST
valueFrom:


@@ -0,0 +1,24 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
NFS names
*/}}
{{- define "custom.booksNfsName" -}}
grimmory-books-nfs-storage
{{- end -}}
{{- define "custom.booksImportNfsName" -}}
grimmory-books-import-nfs-storage
{{- end -}}


@@ -1,42 +1,21 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: grimmory-database-secret
name: grimmory-database-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grimmory-database-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: grimmory-database-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: password
remoteRef:
key: /cl01tl/grimmory/database
property: password
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: grimmory-data-replication-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grimmory-data-replication-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: psk.txt
remoteRef:
key: /cl01tl/grimmory/replication
property: psk.txt
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
@@ -45,12 +24,11 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grimmory-mariadb-cluster-backup-secret-external
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: access
remoteRef:
@@ -69,18 +47,17 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grimmory-mariadb-cluster-backup-secret-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: access
remoteRef:
key: /garage/home-infra/mariadb-backups
property: access
property: ACCESS_KEY_ID
- secretKey: secret
remoteRef:
key: /garage/home-infra/mariadb-backups
property: secret
property: ACCESS_SECRET_KEY


@@ -1,13 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
name: grimmory
annotations:
volsync.backube/privileged-movers: "true"
name: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grimmory
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
app.kubernetes.io/name: {{ .Release.Namespace }}
{{- include "custom.labels" . | nindent 4 }}
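Review bot: With the `pod-security.kubernetes.io/*` labels removed, this Namespace no longer states a Pod Security level and takes whatever the cluster's admission default is, which this chart does not show. Stating the intended level keeps the behaviour independent of cluster configuration, e.g. `pod-security.kubernetes.io/enforce: baseline` under `labels:`. The `volsync.backube/privileged-movers` annotation is dropped in the same change, so any VolSync replication still targeting this namespace would run its movers unprivileged; worth confirming that is intended.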


@@ -1,14 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: grimmory-books-nfs-storage
name: {{ include "custom.booksNfsName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grimmory-books-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
spec:
volumeName: grimmory-books-nfs-storage
volumeName: {{ include "custom.booksNfsName" . }}
storageClassName: nfs-client
accessModes:
- ReadWriteMany
@@ -20,14 +19,13 @@ spec:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: grimmory-books-import-nfs-storage
name: {{ include "custom.booksImportNfsName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grimmory-books-import-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.booksImportNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
spec:
volumeName: grimmory-books-import-nfs-storage
volumeName: {{ include "custom.booksImportNfsName" . }}
storageClassName: nfs-client
accessModes:
- ReadWriteMany


@@ -1,12 +1,11 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: grimmory-books-nfs-storage
name: {{ include "custom.booksNfsName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grimmory-books-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
@@ -26,12 +25,11 @@ spec:
apiVersion: v1
kind: PersistentVolume
metadata:
name: grimmory-books-import-nfs-storage
name: {{ include "custom.booksImportNfsName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: grimmory-books-import-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.booksImportNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
@@ -40,7 +38,7 @@ spec:
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Books Import
path: '/volume2/Storage/Books Import'
server: synologybond.alexlebens.net
mountOptions:
- vers=4
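Review bot: The two PersistentVolumes are tied to their claims only from the claim side (`volumeName` in the PVC template), so unless the PV specs carry a `claimRef` outside these hunks, a claim from another namespace that matches `storageClassName: nfs-client` and the access mode could bind to the NFS export first. Pre-binding from the PV side closes that gap: add `claimRef:` with `name: {{ include "custom.booksNfsName" . }}` and `namespace: {{ .Release.Namespace }}` to the first spec, and the `custom.booksImportNfsName` equivalent to the second. `metadata.namespace` has no effect on a PersistentVolume because the kind is cluster-scoped, and could be dropped. Both spec bodies continue outside the hunks.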


@@ -27,7 +27,7 @@ grimmory:
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: grimmory-database-secret
name: grimmory-database-config
key: password
- name: GRIMMORY_PORT
value: 6060
@@ -98,7 +98,7 @@ mariadb-cluster:
mariadb:
rootPasswordSecretKeyRef:
generate: false
name: grimmory-database-secret
name: grimmory-database-config
key: password
storage:
size: 5Gi
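Review bot: `DATABASE_PASSWORD` for the application and `rootPasswordSecretKeyRef` for MariaDB both read `password` from `grimmory-database-config`, so the application container holds the database root password. Whether the application also connects as root is not visible in these hunks, but a separate key for an application user with rights on its own schema only would limit what a compromise of the application exposes. Both mappings continue outside the hunks.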


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -5,12 +5,11 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: harbor-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: HARBOR_ADMIN_PASSWORD
remoteRef:
@@ -18,12 +17,12 @@ spec:
property: admin-password
- secretKey: secretKey
remoteRef:
key: /cl01tl/harbor/config
property: secretKey
key: /cl01tl/harbor/key
property: secret-key
- secretKey: CSRF_KEY
remoteRef:
key: /cl01tl/harbor/core
property: CSRF_KEY
key: /cl01tl/harbor/key
property: csrf-key
- secretKey: secret
remoteRef:
key: /cl01tl/harbor/core
@@ -39,24 +38,20 @@ spec:
- secretKey: JOBSERVICE_SECRET
remoteRef:
key: /cl01tl/harbor/jobservice
property: JOBSERVICE_SECRET
property: secret
- secretKey: REGISTRY_HTTP_SECRET
remoteRef:
key: /cl01tl/harbor/registry
property: REGISTRY_HTTP_SECRET
- secretKey: REGISTRY_REDIS_PASSWORD
remoteRef:
key: /cl01tl/harbor/registry
property: REGISTRY_REDIS_PASSWORD
property: http-secret
- secretKey: REGISTRY_HTPASSWD
remoteRef:
key: /cl01tl/harbor/registry
property: REGISTRY_HTPASSWD
property: ht-passwd
- secretKey: REGISTRY_CREDENTIAL_PASSWORD
remoteRef:
key: /cl01tl/harbor/registry
property: REGISTRY_CREDENTIAL_PASSWORD
property: credential-password
- secretKey: REGISTRY_PASSWD
remoteRef:
key: /cl01tl/harbor/registry
property: REGISTRY_CREDENTIAL_PASSWORD
property: credential-password
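Review bot: `REGISTRY_REDIS_PASSWORD` is no longer synced by this ExternalSecret (third hunk); if the registry's cache connection is authenticated, the password now has to come from somewhere else, and if it is not, network access to that cache should be limited to the Harbor pods. Also, `REGISTRY_HTPASSWD` (`ht-passwd`) and `REGISTRY_CREDENTIAL_PASSWORD`/`REGISTRY_PASSWD` (`credential-password`) are separate properties under `/cl01tl/harbor/registry`; presumably the htpasswd entry is derived from that password, so a rotation has to update both together. A comment above those entries, e.g. `# ht-passwd must be regenerated whenever credential-password changes`, would record that.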


@@ -0,0 +1,21 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
ServiceAccount name
*/}}
{{- define "custom.serviceAccountName" -}}
headlamp-admin
{{- end -}}


@@ -5,16 +5,15 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: cluster-admin-oidc
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
- apiGroup: rbac.authorization.k8s.io
kind: User
name: https://authentik.alexlebens.net/application/o/headlamp/#alexanderlebens@gmail.com
apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount
name: headlamp-admin
namespace: headlamp
name: {{ include "custom.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
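Review bot: The `ServiceAccount` subject of this `cluster-admin` binding now resolves to `{{ .Release.Namespace }}`, so the account named by `custom.serviceAccountName` gets full cluster control in whatever namespace the release is installed into, and every token issued for it carries that. If Headlamp users authenticate through OIDC (the `User` subject), consider dropping the ServiceAccount subject or binding it to a narrower ClusterRole. The `User` name embeds a personal identity in the template; reading it from a new chart value, e.g. `name: {{ .Values.adminUser | quote }}`, keeps it out of the manifest and quotes the `#` safely. `metadata.namespace` has no effect on a ClusterRoleBinding, which is cluster-scoped.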


@@ -1,38 +1,37 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: headlamp-oidc-secret
name: headlamp-oidc-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: headlamp-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: headlamp-oidc-authentik
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
key: /authentik/oidc/headlamp
key: /cl01tl/authentik/oidc/headlamp
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
key: /authentik/oidc/headlamp
key: /cl01tl/authentik/oidc/headlamp
property: secret
- secretKey: OIDC_ISSUER_URL
remoteRef:
key: /authentik/oidc/headlamp
key: /cl01tl/authentik/oidc/headlamp
property: issuer
- secretKey: OIDC_SCOPES
remoteRef:
key: /authentik/oidc/headlamp
key: /cl01tl/authentik/oidc/headlamp
property: scopes
- secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_IDP_ISSUER_URL
remoteRef:
key: /authentik/oidc/headlamp
property: validator-issuer-url
key: /cl01tl/authentik/oidc/headlamp
property: issuer
- secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_CLIENT_ID
remoteRef:
key: /authentik/oidc/headlamp
property: validator-client-id
key: /cl01tl/authentik/oidc/headlamp
property: client
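Review bot: `HEADLAMP_CONFIG_OIDC_VALIDATOR_IDP_ISSUER_URL` and `HEADLAMP_CONFIG_OIDC_VALIDATOR_CLIENT_ID` now read the same `issuer` and `client` properties as `OIDC_ISSUER_URL` and `OIDC_CLIENT_ID`, replacing the separate `validator-issuer-url` and `validator-client-id` properties. If the old validator values differed from the login values (not visible here), token validation will check against a different issuer or audience after this change, so compare the stored values before the old properties are deleted. A comment above the two validator entries, e.g. `# validator values intentionally mirror the login issuer and client`, would record that the reuse is deliberate.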


@@ -1,9 +1,8 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: headlamp-admin
name: {{ include "custom.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: headlamp-admin
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.serviceAccountName" . }}
{{- include "custom.labels" . | nindent 4 }}


@@ -10,7 +10,7 @@ headlamp:
create: false
externalSecret:
enabled: true
name: headlamp-oidc-secret
name: headlamp-oidc-authentik
watchPlugins: true
httpRoute:
enabled: true
@@ -27,11 +27,9 @@ headlamp:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
- kind: Service
name: headlamp
port: 80
weight: 100
resources:
requests:
cpu: 1m


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -1,42 +1,40 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: home-assistant-code-server-password-secret
name: home-assistant-code-server-password
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: home-assistant-code-server-password-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: home-assistant-code-server-password
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: PASSWORD
remoteRef:
key: /cl01tl/home-assistant/code-server/auth
property: PASSWORD
key: /cl01tl/home-assistant/code-server
property: password
- secretKey: SUDO_PASSWORD
remoteRef:
key: /cl01tl/home-assistant/code-server/auth
property: SUDO_PASSWORD
key: /cl01tl/home-assistant/code-server
property: sudo-password
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: home-assistant-token-secret
name: home-assistant-metric-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: home-assistant-token-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: home-assistant-metric-token
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: bearer-token
remoteRef:
key: /cl01tl/home-assistant/auth
key: /cl01tl/home-assistant/config
property: bearer-token


@@ -35,7 +35,7 @@ home-assistant:
value: /config
envFrom:
- secretRef:
name: home-assistant-code-server-password-secret
name: home-assistant-code-server-password
service:
main:
controller: main
@@ -63,7 +63,7 @@ home-assistant:
scrapeTimeout: 1m
path: /api/prometheus
bearerTokenSecret:
name: home-assistant-token-secret
name: home-assistant-metric-token
key: bearer-token
route:
main:


@@ -0,0 +1,21 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
CluserRole Name
*/}}
{{- define "custom.clusterRoleName" -}}
homepage
{{- end -}}
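Review bot: The comment heading the new `custom.clusterRoleName` helper reads `CluserRole Name`; it should read `ClusterRole name`. The helper returns the fixed string `homepage`, and the ClusterRole and ClusterRoleBinding templates use it for their cluster-scoped names, so two releases of this chart in one cluster would contend for the same RBAC objects. If that is intended, say so in the comment, for example `ClusterRole name (cluster-scoped, fixed; one release per cluster)`.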


@@ -1,16 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: homepage
name: {{ include "custom.clusterRoleName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: homepage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.clusterRoleName" . }}
{{- include "custom.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: homepage
name: {{ include "custom.clusterRoleName" . }}
subjects:
- kind: ServiceAccount
name: homepage
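Review bot: The ClusterRoleBinding keeps `namespace: {{ .Release.Namespace }}` under `metadata`, which has no effect on a cluster-scoped object and can be misread as limiting the grant to that namespace. Dropping the line makes the cluster-wide scope of the binding plain to anyone auditing RBAC; the same applies to the ClusterRole template and to the PersistentVolume templates further down. The ServiceAccount subject also still uses the literal `name: homepage` while `roleRef` now goes through the helper, and the subject entry appears to continue outside the hunk.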


@@ -1,12 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: homepage
name: {{ include "custom.clusterRoleName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: homepage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.clusterRoleName" . }}
{{- include "custom.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""


@@ -1,20 +1,19 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: homepage-keys-secret
name: homepage-secrets
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: homepage-keys-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: homepage-secrets
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: HOMEPAGE_VAR_GITEA_API_TOKEN
remoteRef:
key: /cl01tl/gitea/auth/homepage
key: /cl01tl/gitea/users/bot
property: token
- secretKey: HOMEPAGE_VAR_ARGOCD_API_TOKEN
remoteRef:
@@ -34,47 +33,47 @@ spec:
property: key
- secretKey: HOMEPAGE_VAR_SYNOLOGY_USER
remoteRef:
key: /synology/auth/cl01tl
key: /synology/users/remote_stats
property: user
- secretKey: HOMEPAGE_VAR_SYNOLOGY_PASSWORD
remoteRef:
key: /synology/auth/cl01tl
key: /synology/users/remote_stats
property: password
- secretKey: HOMEPAGE_VAR_UNIFI_API_KEY
remoteRef:
key: /unifi/auth/cl01tl
key: /unifi/users/cl01tl
property: api-key
- secretKey: HOMEPAGE_VAR_SONARR_KEY
remoteRef:
key: /cl01tl/sonarr4/key
key: /cl01tl/sonarr/key
property: key
- secretKey: HOMEPAGE_VAR_SONARR4K_KEY
remoteRef:
key: /cl01tl/sonarr4-4k/key
key: /cl01tl/sonarr-4k/key
property: key
- secretKey: HOMEPAGE_VAR_SONARRANIME_KEY
remoteRef:
key: /cl01tl/sonarr4-anime/key
key: /cl01tl/sonarr-anime/key
property: key
- secretKey: HOMEPAGE_VAR_RADARR_KEY
remoteRef:
key: /cl01tl/radarr5/key
key: /cl01tl/radarr/key
property: key
- secretKey: HOMEPAGE_VAR_RADARR4K_KEY
remoteRef:
key: /cl01tl/radarr5-4k/key
key: /cl01tl/radarr-4k/key
property: key
- secretKey: HOMEPAGE_VAR_RADARRANIME_KEY
remoteRef:
key: /cl01tl/radarr5-anime/key
key: /cl01tl/radarr-anime/key
property: key
- secretKey: HOMEPAGE_VAR_RADARRSTANDUP_KEY
remoteRef:
key: /cl01tl/radarr5-standup/key
key: /cl01tl/radarr-standup/key
property: key
- secretKey: HOMEPAGE_VAR_LIDARR_KEY
remoteRef:
key: /cl01tl/lidarr2/key
key: /cl01tl/lidarr/key
property: key
- secretKey: HOMEPAGE_VAR_PROWLARR_KEY
remoteRef:
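Review bot: `HOMEPAGE_VAR_GITEA_API_TOKEN` in the first hunk now comes from `/cl01tl/gitea/users/bot` rather than the dashboard-specific `/cl01tl/gitea/auth/homepage`, which reads as if the dashboard shares a general bot account's token. A status dashboard presumably needs read-only access, so if that token carries write scopes, a dedicated read-only token under its own key would keep the exposure small. The Synology entries in the second hunk already follow this pattern with a `remote_stats` user. If the bot token is in fact read-only, a one-line comment above the entry saying so would settle it. The last entry of the second hunk continues outside the hunk.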


@@ -22,7 +22,7 @@ homepage:
value: home.alexlebens.net
envFrom:
- secretRef:
name: homepage-keys-secret
name: homepage-secrets
resources:
requests:
cpu: 1m


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -1,18 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: immich-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: immich-config-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: immich.json
remoteRef:
key: /cl01tl/immich/config
property: immich.json


@@ -0,0 +1,18 @@
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: immich-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: immich-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: immich
objects: |
- objectName: immich.json
fileName: immich.json
secretPath: secret/data/cl01tl/immich/config
secretKey: immich.json
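Review bot: `baoAddress` points the CSI provider at `http://openbao-internal.openbao:8200`, so the provider's login and the returned `immich.json` cross the cluster network unencrypted unless the network layer encrypts pod traffic itself. Prefer an `https://` address with the store's CA made available to the provider. If another layer already protects this hop, add a comment above the parameter naming it. The address is also hard-coded in the template; moving it to a chart value would keep it out of every SecretProviderClass that gets added later.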


@@ -4,6 +4,8 @@ immich:
type: deployment
replicas: 1
strategy: Recreate
serviceAccount:
name: immich
containers:
main:
image:
@@ -86,6 +88,10 @@ immich:
gpu.intel.com/i915: 1
cpu: 10m
memory: 500Mi
serviceAccount:
immich:
enabled: true
staticToken: true
service:
main:
controller: main
@@ -135,9 +141,13 @@ immich:
value: /
persistence:
config:
enabled: true
type: secret
name: immich-config-secret
type: custom
volumeSpec:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: immich-config
advancedMounts:
main:
main:
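Review bot: `staticToken: true` on the new `immich` ServiceAccount (second hunk) asks the chart for a long-lived token Secret, if the option does what its name suggests, and nothing visible in this change consumes it. The CSI volume added in the third hunk references only `secretProviderClass: immich-config`. A non-expiring token for the account whose role can read `immich.json` is a standing credential in the namespace, so set `staticToken: false` or drop the key unless something needs it. If something does, name the consumer in a comment above the key.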


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -1,11 +1,10 @@
apiVersion: v1
kind: Namespace
metadata:
name: intel-device-plugin
name: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: intel-device-plugin
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ .Release.Namespace }}
{{- include "custom.labels" . | nindent 4 }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
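Review bot: The Namespace is now named from `.Release.Namespace` while still carrying `pod-security.kubernetes.io/enforce: privileged`, so the privileged Pod Security level follows whichever namespace the release is installed into instead of being pinned to `intel-device-plugin`. Installing the chart into a shared namespace would relabel that namespace as privileged for every workload in it. A comment above the three `pod-security.kubernetes.io/*` labels would make the requirement explicit, for example `# privileged PSA: install only into a namespace dedicated to the device plugin`.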


@@ -0,0 +1,24 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
NFS names
*/}}
{{- define "custom.storageNfsName" -}}
jellyfin-nfs-storage
{{- end -}}
{{- define "custom.storageYoutubeNfsName" -}}
jellyfin-youtube-nfs-storage
{{- end -}}


@@ -1,38 +1,36 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: jellyfin-exporter-secret
name: jellyfin-metric-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: jellyfin-exporter-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: jellyfin-metric-token
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: token
remoteRef:
key: /cl01tl/jellyfin/exporter
key: /cl01tl/jellyfin/metrics
property: token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: jellyfin-meilisearch-master-key-secret
name: jellyfin-meilisearch-key
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: jellyfin-meilisearch-master-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: jellyfin-meilisearch-key
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: MEILI_MASTER_KEY
remoteRef:
key: /cl01tl/jellyfin/meilisearch
property: MEILI_MASTER_KEY
property: master-key


@@ -1,14 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-nfs-storage
name: {{ include "custom.storageNfsName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: jellyfin-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
spec:
volumeName: jellyfin-nfs-storage
volumeName: {{ include "custom.storageNfsName" . }}
storageClassName: nfs-client
accessModes:
- ReadWriteMany
@@ -20,14 +19,13 @@ spec:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-youtube-nfs-storage
name: {{ include "custom.storageYoutubeNfsName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: jellyfin-youtube-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.storageYoutubeNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
spec:
volumeName: jellyfin-youtube-nfs-storage
volumeName: {{ include "custom.storageYoutubeNfsName" . }}
storageClassName: nfs-client
accessModes:
- ReadOnlyMany


@@ -1,12 +1,11 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: jellyfin-nfs-storage
name: {{ include "custom.storageNfsName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: jellyfin-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
@@ -26,12 +25,11 @@ spec:
apiVersion: v1
kind: PersistentVolume
metadata:
name: jellyfin-youtube-nfs-storage
name: {{ include "custom.storageYoutubeNfsName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: jellyfin-youtube-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.storageYoutubeNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client


@@ -48,7 +48,7 @@ jellyfin:
- name: TOKEN
valueFrom:
secretKeyRef:
name: jellyfin-exporter-secret
name: jellyfin-metric-token
key: token
service:
main:
@@ -133,7 +133,7 @@ meilisearch:
MEILI_ENV: production
MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: true
auth:
existingMasterKeySecret: jellyfin-meilisearch-master-key-secret
existingMasterKeySecret: jellyfin-meilisearch-key
persistence:
enabled: true
storageClass: ceph-block


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -1,26 +1,25 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: jellystat-secret
name: jellystat-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: jellystat-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: jellystat-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: secret-key
remoteRef:
key: /cl01tl/jellystat/auth
key: /cl01tl/jellystat/key
property: secret-key
- secretKey: user
remoteRef:
key: /cl01tl/jellystat/auth
key: /cl01tl/jellystat/config
property: user
- secretKey: password
remoteRef:
key: /cl01tl/jellystat/auth
key: /cl01tl/jellystat/cconfig
property: password
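Review bot: The `password` entry of the `jellystat-config` ExternalSecret reads from `/cl01tl/jellystat/cconfig`, while the `user` entry just above it reads from `/cl01tl/jellystat/config`; the doubled `c` looks like a typo. If no such path exists in the store, the ExternalSecret will presumably fail to sync and the `JS_PASSWORD` reference in the values file will have no `password` key to resolve. Change the line to `key: /cl01tl/jellystat/config`.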


@@ -15,17 +15,17 @@ jellystat:
- name: JWT_SECRET
valueFrom:
secretKeyRef:
name: jellystat-secret
name: jellystat-config
key: secret-key
- name: JS_USER
valueFrom:
secretKeyRef:
name: jellystat-secret
name: jellystat-config
key: user
- name: JS_PASSWORD
valueFrom:
secretKeyRef:
name: jellystat-secret
name: jellystat-config
key: password
- name: POSTGRES_USER
valueFrom:


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -1,48 +1,80 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: karakeep-key-secret
name: karakeep-key
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: karakeep-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: karakeep-key
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: key
remoteRef:
key: /cl01tl/karakeep/key
property: key
- secretKey: prometheus-token
remoteRef:
key: /cl01tl/karakeep/key
property: prometheus-token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: karakeep-oidc-secret
name: karakeep-metric-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: karakeep-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: karakeep-key-secret
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: prometheus-token
remoteRef:
key: /cl01tl/karakeep/metrics
property: token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: karakeep-meilisearch-key
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: karakeep-meilisearch-key
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: MEILI_MASTER_KEY
remoteRef:
key: /cl01tl/karakeep/meilisearch
property: master-key
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: karakeep-oidc-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: karakeep-oidc-authentik
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: AUTHENTIK_CLIENT_ID
remoteRef:
key: /authentik/oidc/karakeep
key: /cl01tl/authentik/oidc/karakeep
property: client
- secretKey: AUTHENTIK_CLIENT_SECRET
remoteRef:
key: /authentik/oidc/karakeep
key: /cl01tl/authentik/oidc/karakeep
property: secret
---
@@ -53,12 +85,11 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: karakeep-bucket-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
@@ -72,23 +103,11 @@ spec:
remoteRef:
key: /garage/home-infra/karakeep-assets
property: ACCESS_REGION
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: karakeep-meilisearch-master-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: karakeep-meilisearch-master-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: MEILI_MASTER_KEY
- secretKey: BUCKET
remoteRef:
key: /cl01tl/karakeep/meilisearch
property: MEILI_MASTER_KEY
key: /garage/home-infra/karakeep-assets
property: BUCKET
- secretKey: ENDPOINT
remoteRef:
key: /garage/config
property: ENDPOINT_LOCAL
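Review bot: The new `karakeep-metric-token` ExternalSecret in the first hunk is labelled `app.kubernetes.io/name: karakeep-key-secret`, a name that no longer belongs to any object in this file. Every other document here uses its own `metadata.name` for that label. Change it to `app.kubernetes.io/name: karakeep-metric-token` so that label selectors and audits of which secret a workload consumes resolve to the right object.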


@@ -19,22 +19,28 @@ karakeep:
- name: NEXTAUTH_SECRET
valueFrom:
secretKeyRef:
name: karakeep-key-secret
name: karakeep-key
key: key
- name: PROMETHEUS_AUTH_TOKEN
valueFrom:
secretKeyRef:
name: karakeep-key-secret
name: karakeep-metric-token
key: prometheus-token
- name: ASSET_STORE_S3_ENDPOINT
value: http://garage-main.garage:3900
valueFrom:
secretKeyRef:
name: karakeep-bucket-garage
key: ENDPOINT
- name: ASSET_STORE_S3_REGION
valueFrom:
secretKeyRef:
name: karakeep-bucket-garage
key: ACCESS_REGION
- name: ASSET_STORE_S3_BUCKET
value: karakeep-assets
valueFrom:
secretKeyRef:
name: karakeep-bucket-garage
key: BUCKET
- name: ASSET_STORE_S3_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
@@ -52,7 +58,7 @@ karakeep:
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: karakeep-meilisearch-master-key-secret
name: karakeep-meilisearch-key
key: MEILI_MASTER_KEY
- name: BROWSER_WEB_URL
value: http://karakeep.karakeep:9222
@@ -67,12 +73,12 @@ karakeep:
- name: OAUTH_CLIENT_ID
valueFrom:
secretKeyRef:
name: karakeep-oidc-secret
name: karakeep-oidc-authentik
key: AUTHENTIK_CLIENT_ID
- name: OAUTH_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: karakeep-oidc-secret
name: karakeep-oidc-authentik
key: AUTHENTIK_CLIENT_SECRET
- name: OLLAMA_BASE_URL
value: http://ollama-server-3.ollama:11434
@@ -126,7 +132,7 @@ karakeep:
authorization:
credentials:
key: prometheus-token
name: karakeep-key-secret
name: karakeep-metric-token
persistence:
data:
forceRename: karakeep
@@ -144,7 +150,7 @@ meilisearch:
MEILI_ENV: production
MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: true
auth:
existingMasterKeySecret: karakeep-meilisearch-master-key-secret
existingMasterKeySecret: karakeep-meilisearch-key
persistence:
enabled: true
storageClass: ceph-block


@@ -0,0 +1,21 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
NFS names
*/}}
{{- define "custom.storageNfsName" -}}
kiwix-nfs-storage
{{- end -}}


@@ -1,14 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kiwix-nfs-storage
name: {{ include "custom.storageNfsName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kiwix-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
spec:
volumeName: kiwix-nfs-storage
volumeName: {{ include "custom.storageNfsName" . }}
storageClassName: nfs-client
accessModes:
- ReadWriteMany


@@ -1,12 +1,11 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: kiwix-nfs-storage
name: {{ include "custom.storageNfsName" . }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kiwix-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
