15533704cd chore(deps): update dependency clidey/whodb to v0.107.0
All checks were successful
lint-test-helm / lint-helm (pull_request) Successful in 17s
lint-test-helm / validate-kubeconform (pull_request) Successful in 15s
2026-05-02 20:02:30 +00:00
43 changed files with 812 additions and 58 deletions


@@ -13,7 +13,7 @@ on:
jobs:
renovate:
runs-on: ubuntu-js
container: ghcr.io/renovatebot/renovate:43.160.6@sha256:ef4afabbfdbddce68c26c843d73f98f65e19e8aabd6c22bee7aa7af5f914a43c
container: ghcr.io/renovatebot/renovate:43.160.4@sha256:00185c0d63462acec8331cc9a94dcd74a763f2765fca0edcc3ff568af1dc8104
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6


@@ -8,7 +8,7 @@ actual:
main:
image:
repository: ghcr.io/actualbudget/actual
tag: 26.5.0@sha256:b733ae30c70a66dc4d03577526e53575a0c04eab4f3ab6ace30934776251058c
tag: 26.4.0@sha256:b0e732e2c41b3dc468a71548e88ef76d3f0c157fc43d15fa05d14ec1c5747e1e
env:
- name: ACTUAL_PORT
value: 5006


@@ -103,7 +103,7 @@ argo-cd:
enabled: true
image:
repository: haproxy
tag: 3.3.8-alpine@sha256:10690acb357180d5214c6fce59e2cefded6cc72b0f7e3febb323fea95b27e349
tag: 3.3.7-alpine@sha256:2afa53c856e4e9fcc7dfb35b807fcb189896d7e62b38d363f9bedea92bce7f9a
resources:
requests:
cpu: 5m


@@ -23,7 +23,7 @@ audiobookshelf:
apprise-api:
image:
repository: ghcr.io/caronc/apprise
tag: v1.4.1@sha256:25e0577915c2f06233ae1dce077f05c0fc9ba4f0ea89de5aee18a32b2ee9a75c
tag: v1.4.0@sha256:9d97a6b9b42cf6afdf3b5466dbed2a59cd42a4bb777ec6aa57b5f2ee623569eb
env:
- name: TZ
value: America/Chicago


@@ -134,7 +134,7 @@ blocky:
komodo IN CNAME traefik-cl01tl
languagetool IN CNAME traefik-cl01tl
lidarr IN CNAME traefik-cl01tl
loki IN CNAME traefik-cl01tl
mail IN CNAME traefik-cl01tl
medialyze IN CNAME traefik-cl01tl
music-grabber IN CNAME traefik-cl01tl
navidrome IN CNAME traefik-cl01tl
@@ -162,6 +162,7 @@ blocky:
sonarr-4k IN CNAME traefik-cl01tl
sonarr-anime IN CNAME traefik-cl01tl
sparkyfitness IN CNAME traefik-cl01tl
stalwart IN CNAME traefik-cl01tl
tdarr IN CNAME traefik-cl01tl
tubearchivist IN CNAME traefik-cl01tl
vault IN CNAME traefik-cl01tl


@@ -1,7 +1,7 @@
coredns:
image:
repository: coredns/coredns
tag: v1.14.3@sha256:b21d26b915e10acb5bc78715c1e8b6047ab2675389b2bcc18b3a6499d90e74c0
repository: registry.k8s.io/coredns/coredns
tag: v1.14.2@sha256:e7e6440cfd1e919280958f5b5a6ab2b184d385bba774c12ad2a9e1e4183f90d9
replicaCount: 3
resources:
limits:


@@ -42,4 +42,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
# renovate: datasource=github-releases depName=Freika/dawarich
appVersion: 1.7.3
appVersion: 1.7.2


@@ -8,7 +8,7 @@ dawarich:
main:
image:
repository: freikin/dawarich
tag: 1.7.3@sha256:519ea4152381a3f58ae42859f530f5a433073e3f48f196fac3533432642b72b2
tag: 1.7.2@sha256:642c225e9b8f041565e6129871e71eb51e42e95a6c576d0025beff2aa0bcd4a0
command:
- "web-entrypoint.sh"
args:
@@ -126,7 +126,7 @@ dawarich:
sidekiq:
image:
repository: freikin/dawarich
tag: 1.7.3@sha256:519ea4152381a3f58ae42859f530f5a433073e3f48f196fac3533432642b72b2
tag: 1.7.2@sha256:642c225e9b8f041565e6129871e71eb51e42e95a6c576d0025beff2aa0bcd4a0
command:
- "sidekiq-entrypoint.sh"
args:


@@ -1,5 +1,6 @@
eck-operator:
managedNamespaces:
- stalwart
- tubearchivist
installCRDs: true
replicaCount: 2


@@ -1,9 +1,9 @@
dependencies:
- name: element-web
repository: https://ananace.gitlab.io/charts
version: 1.4.36
version: 1.4.34
- name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts
version: 2.6.0
digest: sha256:36b3f340ee46f20961fdaac41724528c6c3d4b34bf26d97779da7e33087250a1
generated: "2026-05-03T00:56:23.054212477Z"
digest: sha256:e988be9f997351a8f658bf5151ec4fb04ae7d877389c9bf01b7331e1a58005ef
generated: "2026-04-24T21:06:15.882448748Z"


@@ -15,7 +15,7 @@ maintainers:
- name: alexlebens
dependencies:
- name: element-web
version: 1.4.36
version: 1.4.34
repository: https://ananace.gitlab.io/charts
- name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts


@@ -212,6 +212,12 @@ gatus:
- name: authentik
url: https://authentik.alexlebens.net
<<: *defaults
- name: roundcube
url: https://mail.alexlebens.net
<<: *defaults
- name: stalwart
url: https://stalwart.alexlebens.net
<<: *defaults
- name: ntfy
url: https://ntfy.alexlebens.net
<<: *defaults


@@ -28,4 +28,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/grimmory.png
# renovate: datasource=github-releases depName=grimmory-tools/grimmory
appVersion: v3.0.3
appVersion: v3.0.2


@@ -12,7 +12,7 @@ grimmory:
main:
image:
repository: ghcr.io/grimmory-tools/grimmory
tag: v3.0.3@sha256:a903a2b44c308bd1738b6f7cdb5a2e5a2a1ae23a092f30eb68581e2be1af50cd
tag: v3.0.2@sha256:4557a78321add7d70bef7c0b89c2617c8c023246ae39698bc2cbe636f8c97f9b
env:
- name: TZ
value: America/Chicago


@@ -487,6 +487,24 @@ homepage:
href: https://authentik.alexlebens.net
siteMonitor: http://authentik-server.authentik:80
statusStyle: dot
- Email Client:
icon: sh-roundcube.webp
description: Roundcube
href: https://mail.alexlebens.net
siteMonitor: http://roundcube.roundcube:80
statusStyle: dot
- Email Server:
icon: sh-stalwart.webp
description: Stalwart
href: https://stalwart.alexlebens.net
siteMonitor: http://stalwart.stalwart:80
statusStyle: dot
namespace: stalwart
app: stalwart
podSelector: >-
app.kubernetes.io/instance in (
stalwart
)
- Notifications:
icon: sh-ntfy.webp
description: ntfy


@@ -1,9 +1,9 @@
dependencies:
- name: loki
repository: oci://ghcr.io/grafana-community/helm-charts
version: 13.5.0
repository: https://grafana.github.io/helm-charts
version: 6.55.0
- name: alloy
repository: https://grafana.github.io/helm-charts
version: 1.8.0
digest: sha256:bef475f5b6770e4b582b4499e38417789b2bb59ce0ee93c0390daef780e5728d
generated: "2026-05-02T19:36:44.416322-05:00"
digest: sha256:e3c7508c21ed7737f692387ca79a0c001c3393edbedff7b05c60325469a4fb2b
generated: "2026-04-24T17:01:55.023153925Z"


@@ -9,14 +9,14 @@ home: https://docs.alexlebens.dev/applications/loki/
sources:
- https://github.com/grafana/loki
- https://github.com/grafana/alloy
- https://github.com/grafana-community/helm-charts/tree/main/charts/loki
- https://github.com/grafana/loki/tree/main/production/helm/loki
- https://github.com/grafana/alloy/tree/main/operations/helm/charts/alloy
maintainers:
- name: alexlebens
dependencies:
- name: loki
version: 13.5.0
repository: oci://ghcr.io/grafana-community/helm-charts
version: 6.55.0
repository: https://grafana.github.io/helm-charts
- name: alloy
version: 1.8.0
repository: https://grafana.github.io/helm-charts


@@ -1,5 +1,5 @@
loki:
deploymentMode: Monolithic
deploymentMode: SingleBinary
loki:
auth_enabled: false
limits_config:
@@ -31,6 +31,8 @@ loki:
pool_config:
remote_timeout: 10s
remote_timeout: 10s
enterprise:
enabled: false
gateway:
enabled: true
resources:
@@ -39,18 +41,6 @@ loki:
memory: 20Mi
basicAuth:
enabled: false
route:
main:
enabled: true
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
hostnames:
- loki.alexlebens.net
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
singleBinary:
replicas: 1
resources:
@@ -58,16 +48,14 @@ loki:
cpu: 100m
memory: 800Mi
persistence:
enabled: true
size: 150Gi
storageClass: synology-iscsi-delete
write:
enabled: false
replicas: 0
read:
enabled: false
replicas: 0
backend:
enabled: false
replicas: 0
alloy:
crds:


@@ -2,8 +2,7 @@ mariadb-operator:
crds:
enabled: false
ha:
enabled: false
replicas: 1
enabled: true
metrics:
enabled: true
pdb:


@@ -1,7 +1,7 @@
dependencies:
- name: matrix-synapse
repository: https://ananace.gitlab.io/charts
version: 3.12.26
version: 3.12.25
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
@@ -38,5 +38,5 @@ dependencies:
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.1.1
digest: sha256:4377d9ff96042ba996b879caf6108260d2eb9d20bccdb26ae7042d96d2772012
generated: "2026-05-03T01:00:09.899197368Z"
digest: sha256:fd3a3d94f4e206577c23fc00a4c0bde760cd812a38aff67f31a6366b69de5bc2
generated: "2026-05-02T01:48:21.626438015Z"


@@ -26,7 +26,7 @@ maintainers:
- name: alexlebens
dependencies:
- name: matrix-synapse
version: 3.12.26
version: 3.12.25
repository: https://ananace.gitlab.io/charts
- name: app-template
alias: matrix-hookshot


@@ -21,7 +21,7 @@ ollama:
main:
image:
repository: ollama/ollama
tag: 0.23.0@sha256:5600a652d1081050f398152127c584222546354491f27fe47ccbc6351bc870bd
tag: 0.22.1@sha256:3ca37ec2b9cb6341b62554074205c616778fe98abcf9e4fc50361b79a07407ae
env:
- name: OLLAMA_KEEP_ALIVE
value: 24h
@@ -55,7 +55,7 @@ ollama:
main:
image:
repository: ollama/ollama
tag: 0.23.0@sha256:5600a652d1081050f398152127c584222546354491f27fe47ccbc6351bc870bd
tag: 0.22.1@sha256:3ca37ec2b9cb6341b62554074205c616778fe98abcf9e4fc50361b79a07407ae
env:
- name: OLLAMA_KEEP_ALIVE
value: 24h
@@ -89,7 +89,7 @@ ollama:
main:
image:
repository: ollama/ollama
tag: 0.23.0@sha256:5600a652d1081050f398152127c584222546354491f27fe47ccbc6351bc870bd
tag: 0.22.1@sha256:3ca37ec2b9cb6341b62554074205c616778fe98abcf9e4fc50361b79a07407ae
env:
- name: OLLAMA_KEEP_ALIVE
value: 24h


@@ -168,7 +168,7 @@ qbittorrent:
apprise-api:
image:
repository: ghcr.io/caronc/apprise
tag: v1.4.1@sha256:25e0577915c2f06233ae1dce077f05c0fc9ba4f0ea89de5aee18a32b2ee9a75c
tag: v1.4.0@sha256:9d97a6b9b42cf6afdf3b5466dbed2a59cd42a4bb777ec6aa57b5f2ee623569eb
env:
- name: TZ
value: America/Chicago


@@ -0,0 +1,12 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
- name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts
version: 7.12.1
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.1.1
digest: sha256:6ea0ffea8d47e3c62657f35ce0dda5d5f67aa13c99107dee396787a6e0c3633c
generated: "2026-04-28T23:36:57.236521514Z"


@@ -0,0 +1,32 @@
apiVersion: v2
name: roundcube
version: 1.0.0
description: Roundcube
keywords:
- roundcube
- email-client
home: https://docs.alexlebens.dev/applications/rclone/
sources:
- https://github.com/roundcube/roundcubemail
- https://hub.docker.com/r/roundcube/roundcubemail
- https://hub.docker.com/_/nginx
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: roundcube
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
- name: postgres-cluster
alias: postgres-18-cluster
version: 7.12.1
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-data
version: 1.1.1
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/roundcube.png
# renovate: datasource=github-releases depName=roundcube/roundcubemail
appVersion: 1.6.15
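Review bot: The `home` URL in this new Chart.yaml points at `https://docs.alexlebens.dev/applications/rclone/`, which looks copied from another chart; it should presumably be the roundcube page, e.g. `home: https://docs.alexlebens.dev/applications/roundcube/` (path assumed from the pattern the stalwart chart uses). The `sources` list also names the postgres-cluster chart but not volsync-target, although `volsync-target` is declared under `dependencies`. Adding `- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target` keeps the origin of every dependency traceable from the chart metadata.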


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -0,0 +1,17 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: roundcube-key
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: roundcube-key
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: DES_KEY
remoteRef:
key: /cl01tl/roundcube/key
property: des-key


@@ -0,0 +1,236 @@
roundcube:
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
containers:
main:
image:
repository: roundcube/roundcubemail
tag: 1.6.15-fpm-alpine@sha256:0e07c1c66d5a1392f0c47cc79e85e0c60095108f715037d7d0aa3fd8cbe2e780
env:
- name: ROUNDCUBEMAIL_DB_TYPE
value: pgsql
- name: ROUNDCUBEMAIL_DB_HOST
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: host
- name: ROUNDCUBEMAIL_DB_NAME
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: dbname
- name: ROUNDCUBEMAIL_DB_USER
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: user
- name: ROUNDCUBEMAIL_DB_PASSWORD
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: password
- name: ROUNDCUBEMAIL_DES_KEY
valueFrom:
secretKeyRef:
name: roundcube-key
key: DES_KEY
- name: ROUNDCUBEMAIL_DEFAULT_HOST
value: stalwart.stalwart
- name: ROUNDCUBEMAIL_DEFAULT_PORT
value: 143
- name: ROUNDCUBEMAIL_SMTP_SERVER
value: stalwart.stalwart
- name: ROUNDCUBEMAIL_SMTP_PORT
value: 25
- name: ROUNDCUBEMAIL_SKIN
value: elastic
- name: ROUNDCUBEMAIL_PLUGINS
value: archive,zipdownload,newmail_notifier
resources:
requests:
cpu: 1m
memory: 40Mi
nginx:
image:
repository: nginx
tag: 1.30.0-alpine-slim@sha256:830b40ff1beb5e018e56aef2ed1f9fe87a7797e35a555b75fea5c9568e316b04
env:
- name: NGINX_HOST
value: mail.alexlebens.net
- name: NGINX_PHP_CGI
value: roundcube.roundcube:9000
cleandb:
type: cronjob
cronjob:
suspend: false
timeZone: America/Chicago
schedule: 30 4 * * *
backoffLimit: 3
parallelism: 1
containers:
backup:
image:
repository: roundcube/roundcubemail
tag: 1.6.15-fpm-alpine@sha256:0e07c1c66d5a1392f0c47cc79e85e0c60095108f715037d7d0aa3fd8cbe2e780
args:
- bin/cleandb.sh
env:
- name: ROUNDCUBEMAIL_DB_TYPE
value: pgsql
- name: ROUNDCUBEMAIL_DB_HOST
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: host
- name: ROUNDCUBEMAIL_DB_NAME
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: dbname
- name: ROUNDCUBEMAIL_DB_USER
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: user
- name: ROUNDCUBEMAIL_DB_PASSWORD
valueFrom:
secretKeyRef:
name: roundcube-postgresql-18-cluster-app
key: password
- name: ROUNDCUBEMAIL_DES_KEY
valueFrom:
secretKeyRef:
name: roundcube-key
key: DES_KEY
- name: ROUNDCUBEMAIL_DEFAULT_HOST
value: tls://stalwart.stalwart
- name: ROUNDCUBEMAIL_SMTP_SERVER
value: tls://stalwart.stalwart
- name: ROUNDCUBEMAIL_SKIN
value: elastic
- name: ROUNDCUBEMAIL_PLUGINS
value: archive,zipdownload,newmail_notifier
configMaps:
config:
enabled: true
data:
default.conf: |
server {
listen 80 default_server;
server_name _;
root /var/www/html;
location / {
try_files $uri /index.php$is_args$args;
}
location ~ \.php(/|$) {
try_files $uri =404;
fastcgi_pass roundcube:9000;
fastcgi_read_timeout 300;
proxy_read_timeout 300;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
internal;
}
client_max_body_size 6m;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
}
service:
main:
controller: main
ports:
mail:
port: 9000
targetPort: 9000
web:
port: 80
targetPort: 80
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- mail.alexlebens.net
rules:
- backendRefs:
- name: roundcube
port: 80
matches:
- path:
type: PathPrefix
value: /
persistence:
config:
enabled: true
type: configMap
name: roundcube-config
advancedMounts:
main:
nginx:
- path: /etc/nginx/conf.d/default.conf
readOnly: true
mountPropagation: None
subPath: default.conf
data:
forceRename: roundcube-data
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 5Gi
advancedMounts:
main:
main:
- path: /var/www/html
readOnly: false
nginx:
- path: /var/www/html
readOnly: false
temp:
type: emptyDir
advancedMounts:
main:
main:
- path: /tmp/roundcube-temp
readOnly: false
postgres-18-cluster:
mode: recovery
recovery:
method: objectStore
objectStore:
index: 1
backup:
objectStore:
- name: garage-local
index: 1
destinationBucket: postgres-backups
externalSecretCredentialPath: /garage/home-infra/postgres-backups
isWALArchiver: true
scheduledBackups:
- name: live-backup
suspend: false
immediate: true
schedule: "0 40 15 * * *"
backupName: garage-local
volsync-target-data:
pvcTarget: roundcube-data
local:
enabled: true
schedule: 12 11 * * *
remote:
enabled: true
schedule: 12 12 * * *
external:
enabled: true
schedule: 12 13 * * *
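Review bot: The `main` container reaches Stalwart without TLS (`ROUNDCUBEMAIL_DEFAULT_HOST: stalwart.stalwart` on port 143, `ROUNDCUBEMAIL_SMTP_SERVER: stalwart.stalwart` on port 25) while the `cleandb` cronjob in the same file uses `tls://stalwart.stalwart`, so each webmail login would carry the user's mailbox password unencrypted across the pod network. Use the `tls://` scheme in `main` as well (or `ssl://stalwart.stalwart` with 993/465, which the Stalwart service also publishes), and confirm the certificate Stalwart presents is valid for the in-cluster name. Separately, `service.main.ports.mail` publishes php-fpm's port 9000 on the Service and nginx reaches it through `fastcgi_pass roundcube:9000;`; FastCGI has no authentication of its own, and since `nginx` and `main` are containers of the same controller (presumably one pod), `fastcgi_pass 127.0.0.1:9000;` would let the 9000 port be dropped from the Service. The `nginx` mount of `/var/www/html` could also be `readOnly: true`, as nginx only serves files from it.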


@@ -10,7 +10,7 @@ searxng:
main:
image:
repository: searxng/searxng
tag: latest@sha256:b2211b2ad11fc9822ed8d94502a609a862d6587e13f052e18847559586c76b71
tag: latest@sha256:189189aa5ffe9275eaa276bace4732fa64197c1c03f9f01003fa02a0585a766a
env:
- name: SEARXNG_BASE_URL
value: http://searxng-api.searxng:8080
@@ -38,7 +38,7 @@ searxng:
main:
image:
repository: searxng/searxng
tag: latest@sha256:b2211b2ad11fc9822ed8d94502a609a862d6587e13f052e18847559586c76b71
tag: latest@sha256:189189aa5ffe9275eaa276bace4732fa64197c1c03f9f01003fa02a0585a766a
env:
- name: SEARXNG_BASE_URL
value: https://searxng.alexlebens.net/


@@ -0,0 +1,15 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
- name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts
version: 7.12.1
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.1.1
digest: sha256:dd614761622fa310ad50f400727fa6a6574071c2ac057294364409fdfe0ff545
generated: "2026-05-02T01:49:21.562586412Z"


@@ -0,0 +1,37 @@
apiVersion: v2
name: stalwart
version: 1.0.0
description: Stalwart
keywords:
- stalwart
- email
home: https://docs.alexlebens.dev/applications/stalwart/
sources:
- https://github.com/stalwartlabs/mail-server
- https://github.com/stalwartlabs/stalwart/pkgs/container/stalwart
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: stalwart
version: 4.6.2
repository: https://bjw-s-labs.github.io/helm-charts/
- name: postgres-cluster
alias: postgres-18-cluster
version: 7.12.1
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-config
version: 1.1.1
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/stalwart.png
# renovate: datasource=github-releases depName=stalwartlabs/mail-server
appVersion: v0.15.5


@@ -0,0 +1,14 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}


@@ -0,0 +1,29 @@
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
name: elasticsearch-stalwart
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: elasticsearch-stalwart
{{- include "custom.labels" . | nindent 4 }}
spec:
# renovate: datasource=docker depName=elasticsearch
version: 9.3.3
auth:
fileRealm:
- secretName: stalwart-elasticsearch-config
nodeSets:
- name: default
count: 2
config:
node.store.allow_mmap: false
volumeClaimTemplates:
- metadata:
name: elasticsearch-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: ceph-block


@@ -0,0 +1,25 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: stalwart-elasticsearch-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: stalwart-elasticsearch-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: username
remoteRef:
key: /cl01tl/stalwart/elasticsearch
property: username
- secretKey: password
remoteRef:
key: /cl01tl/stalwart/elasticsearch
property: password
- secretKey: roles
remoteRef:
key: /cl01tl/stalwart/elasticsearch
property: roles


@@ -0,0 +1,10 @@
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Namespace }}
{{- include "custom.labels" . | nindent 4 }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
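Review bot: All three Pod Security labels on this new namespace are set to `privileged`, which leaves Pod Security admission unenforced for the namespace that will hold the mail server and its search cluster. Nothing in the chart values visible on this page asks for host namespaces, privileged containers or extra capabilities, and the Elasticsearch node set already sets `node.store.allow_mmap: false`, which is the usual way to avoid the privileged sysctl init container. Consider `pod-security.kubernetes.io/enforce: baseline` with `audit` and `warn` at `restricted`, so violations surface before tightening further. If some component does need `privileged`, a comment naming it above the labels would record why.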


@@ -0,0 +1,169 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: elasticsearch
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: elasticsearch
{{- include "custom.labels" . | nindent 4 }}
spec:
groups:
- name: ElasticsearchExporter
rules:
- alert: ElasticsearchHeapUsageTooHigh
expr: (elasticsearch_jvm_memory_used_bytes{area="heap"} / elasticsearch_jvm_memory_max_bytes{area="heap"}) * 100 > 90 and elasticsearch_jvm_memory_max_bytes{area="heap"} > 0
for: 2m
labels:
severity: critical
annotations:
summary: Elasticsearch Heap Usage Too High (instance {{ `{{ $labels.instance }}` }})
description: "The heap usage is over 90%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchHeapUsageWarning
expr: (elasticsearch_jvm_memory_used_bytes{area="heap"} / elasticsearch_jvm_memory_max_bytes{area="heap"}) * 100 > 80 and elasticsearch_jvm_memory_max_bytes{area="heap"} > 0
for: 2m
labels:
severity: warning
annotations:
summary: Elasticsearch Heap Usage warning (instance {{ `{{ $labels.instance }}` }})
description: "The heap usage is over 80%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchDiskOutOfSpace
expr: elasticsearch_filesystem_data_available_bytes / elasticsearch_filesystem_data_size_bytes * 100 < 10 and elasticsearch_filesystem_data_size_bytes > 0
for: 0m
labels:
severity: critical
annotations:
summary: Elasticsearch disk out of space (instance {{ `{{ $labels.instance }}` }})
description: "The disk usage is over 90%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchDiskSpaceLow
expr: elasticsearch_filesystem_data_available_bytes / elasticsearch_filesystem_data_size_bytes * 100 < 20 and elasticsearch_filesystem_data_size_bytes > 0
for: 2m
labels:
severity: warning
annotations:
summary: Elasticsearch disk space low (instance {{ `{{ $labels.instance }}` }})
description: "The disk usage is over 80%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchClusterRed
expr: elasticsearch_cluster_health_status{color="red"} == 1
for: 0m
labels:
severity: critical
annotations:
summary: Elasticsearch Cluster Red (instance {{ `{{ $labels.instance }}` }})
description: "Elastic Cluster Red status\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchClusterYellow
expr: elasticsearch_cluster_health_status{color="yellow"} == 1
for: 0m
labels:
severity: warning
annotations:
summary: Elasticsearch Cluster Yellow (instance {{ `{{ $labels.instance }}` }})
description: "Elastic Cluster Yellow status\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# 1m delay allows a restart without triggering an alert.
- alert: ElasticsearchHealthyNodes
expr: elasticsearch_cluster_health_number_of_nodes < 3
for: 1m
labels:
severity: critical
annotations:
summary: Elasticsearch Healthy Nodes (instance {{ `{{ $labels.instance }}` }})
description: "Missing node in Elasticsearch cluster\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# 1m delay allows a restart without triggering an alert.
- alert: ElasticsearchHealthyDataNodes
expr: elasticsearch_cluster_health_number_of_data_nodes < 3
for: 1m
labels:
severity: critical
annotations:
summary: Elasticsearch Healthy Data Nodes (instance {{ `{{ $labels.instance }}` }})
description: "Missing data node in Elasticsearch cluster\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchRelocatingShards
expr: elasticsearch_cluster_health_relocating_shards > 0
for: 0m
labels:
severity: info
annotations:
summary: Elasticsearch relocating shards (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch is relocating shards\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchRelocatingShardsTooLong
expr: elasticsearch_cluster_health_relocating_shards > 0
for: 15m
labels:
severity: warning
annotations:
summary: Elasticsearch relocating shards too long (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has been relocating shards for 15min\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchInitializingShards
expr: elasticsearch_cluster_health_initializing_shards > 0
for: 0m
labels:
severity: info
annotations:
summary: Elasticsearch initializing shards (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch is initializing shards\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchInitializingShardsTooLong
expr: elasticsearch_cluster_health_initializing_shards > 0
for: 15m
labels:
severity: warning
annotations:
summary: Elasticsearch initializing shards too long (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has been initializing shards for 15 min\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchUnassignedShards
expr: elasticsearch_cluster_health_unassigned_shards > 0
for: 2m
labels:
severity: critical
annotations:
summary: Elasticsearch unassigned shards (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has unassigned shards\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchPendingTasks
expr: elasticsearch_cluster_health_number_of_pending_tasks > 0
for: 15m
labels:
severity: warning
annotations:
summary: Elasticsearch pending tasks (instance {{ `{{ $labels.instance }}` }})
description: "Elasticsearch has pending tasks. Cluster works slowly.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchNoNewDocuments
expr: increase(elasticsearch_indices_indexing_index_total{es_data_node="true"}[10m]) < 1
for: 0m
labels:
severity: warning
annotations:
summary: Elasticsearch no new documents (instance {{ `{{ $labels.instance }}` }})
description: "No new documents for 10 min!\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# Threshold of 10ms (0.01s) per indexing operation is a rough default. Adjust based on your document size and cluster performance.
- alert: ElasticsearchHighIndexingLatency
expr: rate(elasticsearch_indices_indexing_index_time_seconds_total[5m]) / rate(elasticsearch_indices_indexing_index_total[5m]) > 0.01 and rate(elasticsearch_indices_indexing_index_total[5m]) > 0
for: 10m
labels:
severity: warning
annotations:
summary: Elasticsearch High Indexing Latency (instance {{ `{{ $labels.instance }}` }})
description: "The indexing latency on Elasticsearch cluster is higher than the threshold (current value: {{ `{{ $value }}` }}s).\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# Threshold of 10000 ops/s is a rough default. Adjust based on your cluster capacity and expected workload.
- alert: ElasticsearchHighIndexingRate
expr: sum(rate(elasticsearch_indices_indexing_index_total[1m]))> 10000
for: 5m
labels:
severity: warning
annotations:
summary: Elasticsearch High Indexing Rate (instance {{ `{{ $labels.instance }}` }})
description: "The indexing rate on Elasticsearch cluster is higher than the threshold.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
# Threshold of 100 queries/s is very low for most production clusters. Adjust based on your expected query volume.
- alert: ElasticsearchHighQueryRate
expr: sum(rate(elasticsearch_indices_search_query_total[1m])) > 100
for: 5m
labels:
severity: warning
annotations:
summary: Elasticsearch High Query Rate (instance {{ `{{ $labels.instance }}` }})
description: "The query rate on Elasticsearch cluster is higher than the threshold.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: ElasticsearchHighQueryLatency
expr: rate(elasticsearch_indices_search_query_time_seconds[1m]) / rate(elasticsearch_indices_search_query_total[1m]) > 1 and rate(elasticsearch_indices_search_query_total[1m]) > 0
for: 5m
labels:
severity: warning
annotations:
summary: Elasticsearch High Query Latency (instance {{ `{{ $labels.instance }}` }})
description: "The query latency on Elasticsearch cluster is higher than the threshold (current value: {{ `{{ $value }}` }}s).\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
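Review bot: `ElasticsearchHealthyNodes` and `ElasticsearchHealthyDataNodes` fire at `< 3`, but the Elasticsearch resource added for this chart declares a single node set with `count: 2`, so both critical alerts would be firing permanently once the exporter is scraped. Align the thresholds with the cluster size, e.g. `expr: elasticsearch_cluster_health_number_of_nodes < 2` and `expr: elasticsearch_cluster_health_number_of_data_nodes < 2`, or template the value from the same setting as `count`. A critical alert that never clears trains responders to ignore the rule group, which also hides the disk-space and cluster-red alerts next to it. `ElasticsearchNoNewDocuments` with `for: 0m` is likely to be noisy too, since a mail search index can plausibly sit idle for ten minutes.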


@@ -0,0 +1,129 @@
stalwart:
controllers:
main:
forceRename: stalwart
type: deployment
replicas: 1
strategy: Recreate
containers:
main:
image:
repository: ghcr.io/stalwartlabs/stalwart
tag: v0.15.5@sha256:dcf575db2d53d9ef86d6ced8abe4ba491984659a0f8862cc6079ee7b41c3c568
resources:
requests:
cpu: 10m
memory: 100Mi
metrics:
type: deployment
replicas: 1
strategy: Recreate
containers:
main:
image:
repository: quay.io/prometheuscommunity/elasticsearch-exporter
tag: v1.10.0@sha256:a6a4d4403f670faf6a94b8c7f9adbca3ead91f26dd64e5ccf95fa69025dc6e58
args:
- '--es.uri=https://elasticsearch-stalwart-es-http.tubearchivist:9200'
- '--es.ssl-skip-verify'
resources:
requests:
cpu: 1m
memory: 10Mi
service:
main:
controller: main
forceRename: stalwart
ports:
http:
port: 80
targetPort: 8080
smtp:
port: 25
targetPort: 25
smtps:
port: 465
targetPort: 465
imap:
port: 143
targetPort: 143
imaps:
port: 993
targetPort: 993
metrics:
controller: metrics
ports:
metrics:
port: 9114
targetPort: 9114
serviceMonitor:
main:
selector:
matchLabels:
app.kubernetes.io/name: stalwart-metrics
app.kubernetes.io/instance: stalwart-metrics
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: metrics
interval: 30s
scrapeTimeout: 10s
path: /metrics
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- stalwart.alexlebens.net
rules:
- backendRefs:
- name: stalwart
port: 80
matches:
- path:
type: PathPrefix
value: /
persistence:
config:
forceRename: stalwart-config
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 10Gi
advancedMounts:
main:
main:
- path: /opt/stalwart
readOnly: false
postgres-18-cluster:
mode: recovery
recovery:
method: objectStore
objectStore:
index: 1
backup:
objectStore:
- name: garage-local
index: 1
destinationBucket: postgres-backups
externalSecretCredentialPath: /garage/home-infra/postgres-backups
isWALArchiver: true
scheduledBackups:
- name: live-backup
suspend: false
immediate: true
schedule: "0 5 16 * * *"
backupName: garage-local
volsync-target-config:
pvcTarget: stalwart-config
local:
enabled: true
schedule: 28 11 * * *
remote:
enabled: true
schedule: 28 12 * * *
external:
enabled: true
schedule: 28 13 * * *
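Review bot: The `metrics` controller runs the exporter with `--es.ssl-skip-verify` and points `--es.uri` at `elasticsearch-stalwart-es-http.tubearchivist`, although the `elasticsearch-stalwart` resource in this chart is created in the release namespace; the host looks copied from the tubearchivist chart and should presumably be `https://elasticsearch-stalwart-es-http.stalwart:9200`. With verification skipped the exporter accepts any certificate from whatever answers on that name, so prefer mounting the CA certificate that ECK publishes for the cluster and passing it with `--es.ca` instead of the skip flag. No credentials are passed to the exporter either, while the cluster configures a file realm from `stalwart-elasticsearch-config`, so scrapes may be rejected; verify whether a monitoring user needs to be injected from that secret.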


@@ -8,7 +8,7 @@ metadata:
{{- include "custom.labels" . | nindent 4 }}
spec:
# renovate: datasource=docker depName=elasticsearch
version: 9.3.4
version: 9.3.3
auth:
fileRealm:
- secretName: tubearchivist-elasticsearch-config


@@ -33,4 +33,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/vaultwarden.png
# renovate: datasource=github-releases depName=dani-garcia/vaultwarden
appVersion: 1.36.0
appVersion: 1.35.8


@@ -8,7 +8,7 @@ vaultwarden:
main:
image:
repository: ghcr.io/dani-garcia/vaultwarden
tag: 1.36.0@sha256:d626d04934cd1192ad8ced1adb975099fca78cec33ab467d2d3c923cde7f3b0c
tag: 1.35.8@sha256:c4f6056fe0c288a052a223cecd263a90d1dda1a0177bb5b054a363a6c7b211d9
env:
- name: DOMAIN
value: https://passwords.alexlebens.dev


@@ -111,7 +111,7 @@ customDNS:
komodo IN CNAME traefik-cl01tl
languagetool IN CNAME traefik-cl01tl
lidarr IN CNAME traefik-cl01tl
loki IN CNAME traefik-cl01tl
mail IN CNAME traefik-cl01tl
medialyze IN CNAME traefik-cl01tl
music-grabber IN CNAME traefik-cl01tl
navidrome IN CNAME traefik-cl01tl
@@ -140,6 +140,7 @@ customDNS:
sonarr-4k IN CNAME traefik-cl01tl
sonarr-anime IN CNAME traefik-cl01tl
sparkyfitness IN CNAME traefik-cl01tl
stalwart IN CNAME traefik-cl01tl
tdarr IN CNAME traefik-cl01tl
tubearchivist IN CNAME traefik-cl01tl
vault IN CNAME traefik-cl01tl


@@ -132,7 +132,7 @@ customDNS:
komodo IN CNAME traefik-cl01tl
languagetool IN CNAME traefik-cl01tl
lidarr IN CNAME traefik-cl01tl
loki IN CNAME traefik-cl01tl
mail IN CNAME traefik-cl01tl
medialyze IN CNAME traefik-cl01tl
music-grabber IN CNAME traefik-cl01tl
navidrome IN CNAME traefik-cl01tl
@@ -161,6 +161,7 @@ customDNS:
sonarr-4k IN CNAME traefik-cl01tl
sonarr-anime IN CNAME traefik-cl01tl
sparkyfitness IN CNAME traefik-cl01tl
stalwart IN CNAME traefik-cl01tl
tdarr IN CNAME traefik-cl01tl
tubearchivist IN CNAME traefik-cl01tl
vault IN CNAME traefik-cl01tl


@@ -90,10 +90,10 @@
{
"description": "Specific app grouping overrides",
"matchPackageNames": [
"/(^|/|-)(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|prowlarr|radarr|rook-ceph|rybbit|sonarr|sparkyfitness|tdarr|traefik)/",
"/(^|/|-)(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|prowlarr|radarr|rook-ceph|roundcube|rybbit|sonarr|sparkyfitness|stalwartlabs|tdarr|traefik)/",
"/^rook(-ceph|/rook|/ceph)/"
],
"groupName": "{{#if packageName}}{{{replace '^.*(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|prowlarr|radarr|rook-ceph|rybbit|sonarr|sparkyfitness|tdarr|traefik).*$' '$1' packageName}}}{{else}}{{{replace '^.*(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|prowlarr|radarr|rook-ceph|rybbit|sonarr|sparkyfitness|tdarr|traefik).*$' '$1' depName}}}{{/if}}",
"groupName": "{{#if packageName}}{{{replace '^.*(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|prowlarr|radarr|rook-ceph|roundcube|rybbit|sonarr|sparkyfitness|stalwartlabs|tdarr|traefik).*$' '$1' packageName}}}{{else}}{{{replace '^.*(argo-cd|bazarr|cilium|dawarich|element-web|home-assistant|immich|komodo|plex|postiz|prowlarr|radarr|rook-ceph|roundcube|rybbit|sonarr|sparkyfitness|stalwartlabs|tdarr|traefik).*$' '$1' depName}}}{{/if}}",
"groupSlug": "unified-{{{groupName}}}"
},
{