alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 5 Actions Activity

Compare commits

base: alexlebens:renovate/unified-cilium
Branches Tags
alexlebens:main alexlebens:renovate/unified-clickhouseclickhouse-server alexlebens:renovate/unified-sahara101movie-roulette alexlebens:renovate/unified-dock.mau.devmautrixwhatsapp alexlebens:renovate/unified-clideywhodb alexlebens:renovate/unified-cilium alexlebens:manifests
..
compare: alexlebens:c5804f311bf3f31affcff08feb0e21c1b8ee7d59
Branches Tags
alexlebens:renovate/unified-clickhouseclickhouse-server alexlebens:renovate/unified-sahara101movie-roulette alexlebens:renovate/unified-dock.mau.devmautrixwhatsapp alexlebens:renovate/unified-clideywhodb alexlebens:renovate/unified-cilium alexlebens:main alexlebens:manifests

1 Commits
renovate/u ... c5804f311b

Author SHA1 Message Date
Renovate Bot
c5804f311b chore(deps): update dependency clidey/whodb to v0.98.0
All checks were successful
lint-test-helm / lint-helm (pull_request) Successful in 29s
Details
render-manifests-automerge / render-manifests-automerge (pull_request) Has been skipped
Details
render-manifests-merge / render-manifests-merge (pull_request) Successful in 43s
Details
2026-03-09 14:06:20 +00:00
304 changed files with 4138 additions and 4408 deletions
Expand all files Collapse all files

87
.gitea/workflows/lint-test-docker.yaml
View File

@@ -14,21 +14,21 @@ on:
- 'hosts/**' - 'hosts/**'
env: env:
BASE_BRANCH: "origin/${{ github.base_ref }}" BASE_BRANCH: "origin/${{ gitea.base_ref }}"
jobs: jobs:
lint-docker-compose: lint-docker-compose:
runs-on: ubuntu-js runs-on: ubuntu-js
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 uses: actions/checkout@v6
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Check Branch Exists - name: Check Branch Exists
id: check-branch-exists id: check-branch-exists
if: github.event_name == 'pull_request' if: github.event_name == 'pull_request'
uses: GuillaumeFalourd/branch-exists@650358876c774d6ccbd581b5553eb636dab79a97 # v1.2 uses: GuillaumeFalourd/branch-exists@v1.1
with: with:
branch: "${{ github.base_ref }}" branch: "${{ github.base_ref }}"
@@ -36,22 +36,21 @@ jobs:
id: branch-exists id: branch-exists
if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request' if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request'
run: | run: |
if [ "${{ github.event_name }}" == "push" ]; then if [ ${{ github.event_name == 'push' }} ]; then
echo ">> Action is from a push event, will continue with linting" echo ">> Action is from a push event, will continue with linting"
else else
echo ">> Branch ${{ github.base_ref }} exists, will continue with linting" echo ">> Branch ${{ gitea.base_ref }} exists, will continue with linting"
fi fi
echo ""
echo "----" echo "----"
echo "exists=true" >> $GITHUB_OUTPUT echo "exists=true" >> $GITEA_OUTPUT
- name: Set Up Node.js - name: Set up Node.js
if: steps.branch-exists.outputs.exists == 'true' if: steps.branch-exists.outputs.exists == 'true'
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 uses: actions/setup-node@v6
with: with:
node-version: '24' node-version: '24'
@@ -59,48 +58,58 @@ jobs:
id: check-dir-changes id: check-dir-changes
if: steps.branch-exists.outputs.exists == 'true' if: steps.branch-exists.outputs.exists == 'true'
run: | run: |
CHANGED_COMPOSE=()
echo ">> Target branch for diff is: ${BASE_BRANCH}" echo ">> Target branch for diff is: ${BASE_BRANCH}"
if [ "${{ github.event_name }}" == "pull_request" ]; then if [ "${{ github.event_name }}" == "pull_request" ]; then
DIFF_TARGET="${BASE_BRANCH}"
echo "" echo ""
echo ">> Checking for changes in a pull request ..." echo ">> Checking for changes in a pull request ..."
GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u)
else else
DIFF_TARGET="${{ github.event.before }}..HEAD"
echo "" echo ""
echo ">> Checking for changes from a push ..." echo ">> Checking for changes from a push ..."
GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u)
fi fi
CHANGED_COMPOSE=$(git diff --name-only "${DIFF_TARGET}" | grep -E "^hosts/[^/]+/[^/]+/" | cut -d/ -f1,2,3 | sort -u || true) if [ -n "${GIT_DIFF}" ]; then
echo ""
echo ">> Changes detected:"
echo "$GIT_DIFF"
for path in $GIT_DIFF; do
if echo "$path" | grep -q -E "hosts/[^/]+/[^/]+"; then
echo ""
echo ">> Adding path: $path"
CHANGED_COMPOSE+=$(echo "$path")
CHANGED_COMPOSE+=$(echo " ")
fi
done
else
echo ""
echo ">> No changes detected"
fi
if [ -n "${CHANGED_COMPOSE}" ]; then if [ -n "${CHANGED_COMPOSE}" ]; then
echo "" echo ""
echo ">> Compose to Lint:" echo ">> Compose to Lint:"
echo "" echo "$(echo "${CHANGED_COMPOSE}" | sort -u)"
echo "${CHANGED_COMPOSE}"
CHANGED_COMPOSE_CSV=$(echo "$CHANGED_COMPOSE" | paste -sd ',' -)
echo ""
echo "----" echo "----"
echo "changes-detected=true" >> $GITHUB_OUTPUT echo "changes-detected=true" >> $GITEA_OUTPUT
echo "compose-dir-csv=${CHANGED_COMPOSE_CSV}" >> $GITHUB_OUTPUT echo "compose-dir<<EOF" >> $GITEA_OUTPUT
echo "compose-dir<<EOF" >> $GITHUB_OUTPUT echo "$(echo "${CHANGED_COMPOSE}" | sort -u)" >> $GITEA_OUTPUT
echo "${CHANGED_COMPOSE}" >> $GITHUB_OUTPUT echo "EOF" >> $GITEA_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
else else
echo "" echo ""
echo ">> Did not find any docker compose files to lint" echo ">> Did not find any docker compose files to lint"
echo ""
echo "----" echo "----"
echo "changes-detected=false" >> $GITHUB_OUTPUT echo "changes-detected=false" >> $GITEA_OUTPUT
fi fi
- name: Lint Docker Compose - name: Lint Docker Compose
@@ -108,27 +117,25 @@ jobs:
env: env:
CHANGED_COMPOSE: ${{ steps.check-dir-changes.outputs.compose-dir }} CHANGED_COMPOSE: ${{ steps.check-dir-changes.outputs.compose-dir }}
run: | run: |
echo ">> Running dclint on changed compose files ..." echo ">> Running dclint on changed compose files:"
echo "$CHANGED_COMPOSE"
for COMPOSE in $CHANGED_COMPOSE; do
echo ">> Linting ${COMPOSE} ..."
npx dclint ${COMPOSE}
for compose in $CHANGED_COMPOSE; do
echo ">> Linting $compose ..."
npx dclint $compose
done done
echo ""
echo "----"
- name: ntfy Failed - name: ntfy Failed
uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master uses: niniyas/ntfy-action@master
if: failure() if: failure()
with: with:
url: '${{ secrets.NTFY_URL }}' url: '${{ secrets.NTFY_URL }}'
topic: '${{ secrets.NTFY_TOPIC }}' topic: '${{ secrets.NTFY_TOPIC }}'
title: 'Docker Compose Test Failure' title: 'Test Failure - Infrastructure'
priority: 3 priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}' headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed tags: action,failed
details: "Docker linting for compose dirs: ${{ steps.check-dir-changes.outputs.compose-dir-csv }}" details: 'Docker linting on Pull Request for Infrastructure has failed!'
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png' icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "View Logs", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]' actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-docker-pull.yaml", "clear": true}]'
image: true

311
.gitea/workflows/lint-test-helm.yaml
View File

@@ -15,113 +15,104 @@ on:
env: env:
CLUSTER: cl01tl CLUSTER: cl01tl
BASE_BRANCH: "origin/${{ github.base_ref }}" BASE_BRANCH: "origin/${{ gitea.base_ref }}"
# renovate: datasource=github-releases depName=yannh/kubeconform
KUBECONFORM_VERSION: "v0.6.7"
jobs: jobs:
lint-helm: lint-helm:
runs-on: ubuntu-js runs-on: ubuntu-js
outputs:
chart-dir: ${{ steps.check-dir-changes.outputs.chart-dir }}
chart-dir-csv: ${{ steps.check-dir-changes.outputs.chart-dir-csv }}
changes-detected: ${{ steps.check-dir-changes.outputs.changes-detected }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 uses: actions/checkout@v6
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Check Branch Exists - name: Check Branch Exists
id: check-branch-exists id: check-branch-exists
if: github.event_name == 'pull_request' if: github.event_name == 'pull_request'
uses: GuillaumeFalourd/branch-exists@650358876c774d6ccbd581b5553eb636dab79a97 # v1.2 uses: GuillaumeFalourd/branch-exists@v1.1
with: with:
branch: ${{ github.base_ref }} branch: ${{ gitea.base_ref }}
- name: Report Branch Exists - name: Report Branch Exists
id: branch-exists id: branch-exists
if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request' if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request'
run: | run: |
if [ "${{ github.event_name }}" == "push" ]; then if [ ${{ github.event_name == 'push' }} ]; then
echo ">> Action is from a push event, will continue with linting" echo ">> Action is from a push event, will continue with linting"
else else
echo ">> Branch ${{ github.base_ref }} exists, will continue with linting" echo ">> Branch ${{ gitea.base_ref }} exists, will continue with linting"
fi fi
echo ""
echo "----" echo "----"
echo "exists=true" >> $GITHUB_OUTPUT echo "exists=true" >> $GITEA_OUTPUT
- name: Set Up Helm - name: Set up Helm
if: steps.branch-exists.outputs.exists == 'true' if: steps.branch-exists.outputs.exists == 'true'
uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5 uses: azure/setup-helm@v4
with: with:
token: ${{ secrets.GITEA_TOKEN }} token: ${{ secrets.GITEA_TOKEN }}
# renovate: datasource=github-releases depName=helm/helm version: v3.19.2
version: v4.1.3
cache: true cache: true
- name: Cache Helm Dependencies
if: steps.branch-exists.outputs.exists == 'true'
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: |
~/.cache/helm
~/.config/helm
key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
restore-keys: |
helm-cache-${{ runner.os }}-
- name: Check Directories for Changes - name: Check Directories for Changes
id: check-dir-changes id: check-dir-changes
if: steps.branch-exists.outputs.exists == 'true' if: steps.branch-exists.outputs.exists == 'true'
run: | run: |
CHANGED_CHARTS=()
echo ">> Target branch for diff is: ${BASE_BRANCH}" echo ">> Target branch for diff is: ${BASE_BRANCH}"
if [ "${{ github.event_name }}" == "pull_request" ]; then if [ "${{ github.event_name }}" == "pull_request" ]; then
DIFF_TARGET="${BASE_BRANCH}"
echo "" echo ""
echo ">> Checking for changes in a pull request ..." echo ">> Checking for changes in a pull request ..."
GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u)
else else
DIFF_TARGET="${{ github.event.before }}..HEAD"
echo "" echo ""
echo ">> Checking for changes from a push ..." echo ">> Checking for changes from a push ..."
GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u)
fi fi
CHANGED_CHARTS=$(git diff --name-only "${DIFF_TARGET}" | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true) if [ -n "${GIT_DIFF}" ]; then
echo ""
echo ">> Changes detected:"
echo "$GIT_DIFF"
for path in $GIT_DIFF; do
if echo "$path" | grep -q -E "clusters/[^/]+/helm/[^/]+"; then
echo ""
echo ">> Adding path: $path"
CHANGED_CHARTS+=$(echo "$path" | awk -F '/' '{print $4}')
CHANGED_CHARTS+=$(echo "\n")
fi
done
else
echo ""
echo ">> No changes detected"
fi
if [ -n "${CHANGED_CHARTS}" ]; then if [ -n "${CHANGED_CHARTS}" ]; then
echo "" echo ""
echo ">> Chart to Lint:" echo ">> Chart to Lint:"
echo "" echo "$(echo "${CHANGED_CHARTS}" | sort -u)"
echo "${CHANGED_CHARTS}"
CHANGED_CHARTS_CSV=$(echo "$CHANGED_CHARTS" | paste -sd ',' -)
echo ""
echo "----" echo "----"
echo "changes-detected=true" >> $GITHUB_OUTPUT echo "changes-detected=true" >> $GITEA_OUTPUT
echo "chart-dir-csv=${CHANGED_CHARTS_CSV}" >> $GITHUB_OUTPUT echo "chart-dir<<EOF" >> $GITEA_OUTPUT
echo "chart-dir<<EOF" >> $GITHUB_OUTPUT echo "$(echo "${CHANGED_CHARTS}" | sort -u)" >> $GITEA_OUTPUT
echo "${CHANGED_CHARTS}" >> $GITHUB_OUTPUT echo "EOF" >> $GITEA_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
else else
echo "" echo ""
echo ">> Did not find any helm charts files to lint" echo ">> Did not find any helm charts files to lint"
echo ""
echo "----" echo "----"
echo "changes-detected=false" >> $GITHUB_OUTPUT echo "changes-detected=false" >> $GITEA_OUTPUT
fi fi
- name: Add Repositories - name: Add Repositories
@@ -130,238 +121,68 @@ jobs:
CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }} CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }}
run: | run: |
echo ">> Adding repositories for chart dependencies ..." echo ">> Adding repositories for chart dependencies ..."
echo "" for dir in ${CHANGED_CHARTS}; do
helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/$dir 2> /dev/null \
for DIR in ${CHANGED_CHARTS}; do | tail +2 | head -n -1 \
helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \ | awk '{ print "helm repo add " $1 " " $3 }' \
| tail -n +2 \ | while read cmd; do
| awk 'NF > 0 { print $1, $3 }' \ if [[ "$cmd" == "*oci://*" ]]; then
| while read -r REPO_NAME REPO_URL; do echo ">> Ignoring OCI repo"
if [[ "${REPO_URL}" == oci://* ]]; then else
echo ">> Ignoring OCI repo: ${REPO_URL}" echo ">> Command: $cmd"
echo "$cmd" | sh;
elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
helm repo add "${REPO_NAME}" "${REPO_URL}"
fi fi
done || true done || true
done done
if helm repo list > /dev/null 2>&1; then if helm repo list | tail +2 | read -r; then
echo "" echo ""
echo ">> Update repository cache ..." echo ">> Update repository cache ..."
helm repo update helm repo update
fi fi
echo ""
echo "----" echo "----"
- name: Lint Helm Chart - name: Lint Helm Chart
id: lint
if: steps.check-dir-changes.outputs.changes-detected == 'true' if: steps.check-dir-changes.outputs.changes-detected == 'true'
env: env:
CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }} CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }}
run: | run: |
EXIT_CODE=0
FAILED_CHARTS=""
echo ">> Running linting on changed charts ..." echo ">> Running linting on changed charts ..."
for DIR in ${CHANGED_CHARTS}; do for dir in ${CHANGED_CHARTS}; do
CHART_PATH="clusters/${CLUSTER}/helm/${DIR}" chart_path=clusters/${CLUSTER}/helm/$dir
CHART_NAME=$(basename "${CHART_PATH}") chart_name=$(basename "$chart_path")
if [ -f "${CHART_PATH}/Chart.yaml" ]; then if [ -f "$chart_path/Chart.yaml" ]; then
echo "" cd $chart_path
echo ">> Building helm dependency for ${CHART_NAME} ..."
helm dependency build "${CHART_PATH}" --skip-refresh
echo "" echo ""
echo ">> Linting helm chart ${CHART_NAME} ..." echo ">> Building helm dependency ..."
helm dependency build --skip-refresh
if ! helm lint "${CHART_PATH}" --namespace "default"; then echo ""
EXIT_CODE=1 echo ">> Linting helm ..."
helm lint --namespace "$chart_name"
if [ -z "${FAILED_CHARTS}" ]; then
FAILED_CHARTS="${DIR}"
else
FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
fi
fi
else else
echo "" echo ""
echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..." echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
echo ""
fi fi
done done
echo ""
echo "----"
echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
exit $EXIT_CODE
- name: ntfy Failed - name: ntfy Failed
uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master uses: niniyas/ntfy-action@master
if: failure() if: failure()
with: with:
url: '${{ secrets.NTFY_URL }}' url: '${{ secrets.NTFY_URL }}'
topic: '${{ secrets.NTFY_TOPIC }}' topic: '${{ secrets.NTFY_TOPIC }}'
title: 'Helm Test Failure' title: 'Test Failure - Infrastructure'
priority: 3 priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}' headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed tags: action,failed
details: "Helm linting for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.lint.outputs.failed-charts }}" details: 'Helm linting on Pull Request for Infrastructure has failed!'
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png' icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]' actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-helm-pull.yaml", "clear": true}]'
image: true
validate-kubeconform:
needs: lint-helm
runs-on: ubuntu-js
if: |
needs.lint-helm.result == 'success' &&
needs.lint-helm.outputs.changes-detected == 'true' &&
github.event_name == 'pull_request'
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0
- name: Install Kubeconform
run: |
echo ">> Downloading Kubeconform ${{ env.KUBECONFORM_VERSION }} ..."
wget -q https://github.com/yannh/kubeconform/releases/download/${{ env.KUBECONFORM_VERSION }}/kubeconform-linux-amd64.tar.gz
echo ""
echo ">> Extracting Kubeconform ..."
tar xf kubeconform-linux-amd64.tar.gz
echo ""
echo ">> Installing Kubeconform ..."
sudo mv kubeconform /usr/local/bin/
echo ""
echo ">> Verifying installation ..."
kubeconform -v
echo ""
echo "----"
- name: Set Up Helm
uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
with:
token: ${{ secrets.GITEA_TOKEN }}
# renovate: datasource=github-releases depName=helm/helm
version: v4.1.3
cache: true
- name: Cache Helm Dependencies
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: |
~/.cache/helm
~/.config/helm
key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
restore-keys: |
helm-cache-${{ runner.os }}-
- name: Add Repositories
env:
CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
run: |
echo ">> Adding repositories for chart dependencies ..."
echo ""
for DIR in ${CHANGED_CHARTS}; do
helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \
| tail -n +2 \
| awk 'NF > 0 { print $1, $3 }' \
| while read -r REPO_NAME REPO_URL; do
if [[ "${REPO_URL}" == oci://* ]]; then
echo ">> Ignoring OCI repo: ${REPO_URL}"
elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
helm repo add "${REPO_NAME}" "${REPO_URL}"
fi
done || true
done
if helm repo list > /dev/null 2>&1; then
echo ""
echo ">> Update repository cache ..."
helm repo update
fi
echo ""
echo "----"
- name: Validate Rendered Templates
id: validate
env:
CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
run: |
SCHEMA_LOCATIONS="-schema-location default -schema-location https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
EXIT_CODE=0
FAILED_CHARTS=""
for DIR in ${CHANGED_CHARTS}; do
CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
echo ""
echo ">> Validating: ${DIR}"
helm dependency build "${CHART_PATH}" --skip-refresh
if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute" | \
kubeconform \
${SCHEMA_LOCATIONS} \
-ignore-missing-schemas \
-strict \
-summary; then
EXIT_CODE=1
if [ -z "${FAILED_CHARTS}" ]; then
FAILED_CHARTS="${DIR}"
else
FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
fi
fi
done
echo ""
echo "----"
echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
exit $EXIT_CODE
- name: ntfy Failed
uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
if: failure()
with:
url: '${{ secrets.NTFY_URL }}'
topic: '${{ secrets.NTFY_TOPIC }}'
title: 'Kubeconform Test Failure'
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: "Kubeconform for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.validate.outputs.failed-charts }}"
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
image: true image: true

440
.gitea/workflows/render-manifests-automerge.yaml Normal file
View File

@@ -0,0 +1,440 @@
name: render-manifests-automerge
on:
pull_request:
branches:
- main
paths:
- 'clusters/cl01tl/helm/**'
types:
- closed
env:
CLUSTER: cl01tl
BASE_BRANCH: manifests
BRANCH_NAME_BASE: auto/update-manifests-automerge
MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
jobs:
render-manifests-automerge:
runs-on: ubuntu-js
if: ${{ (github.event.pull_request.merged == true) && (contains(github.event.pull_request.labels.*.name, 'automerge')) }}
steps:
- name: Checkout Main
uses: actions/checkout@v6
with:
path: infrastructure
fetch-depth: 0
- name: Checkout Manifests
uses: actions/checkout@v6
with:
ref: manifests
path: infrastructure-manifests
- name: Set up Helm
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Prepare Manifest Branch
id: prepare-manifest-branch
run: |
cd ${MANIFEST_DIR}
BRANCH_NAME="${BRANCH_NAME_BASE}-$(date +%Y%m%d%H%M%S)"
echo ">> Configure git to use gitea-bot as user ..."
git config user.name "gitea-bot"
git config user.email "gitea-bot@alexlebens.net"
echo ">> Creating branch ..."
git checkout -b $BRANCH_NAME
echo "----"
echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITEA_OUTPUT
- name: Check which Directories have Changes
id: check-dir-changes
run: |
cd ${MAIN_DIR}
RENDER_DIR=()
echo ">> Checking for changes from HEAD^..HEAD ..."
GIT_DIFF=$(git diff --name-only HEAD^..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
if [ -n "${GIT_DIFF}" ]; then
echo ">> Changes detected:"
echo "$GIT_DIFF"
for path in $GIT_DIFF; do
RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
RENDER_DIR+=$(echo " ")
done
else
echo ">> No changes detected"
fi
if [ -n "${RENDER_DIR}" ]; then
echo ">> Directories to Render:"
echo "$(echo "${RENDER_DIR}" | sort -u)"
echo "----"
echo "changes-detected=true" >> $GITEA_OUTPUT
echo "render-dir<<EOF" >> $GITEA_OUTPUT
echo "$(echo "${RENDER_DIR}" | sort -u)" >> $GITEA_OUTPUT
echo "EOF" >> $GITEA_OUTPUT
else
echo "changes-detected=false" >> $GITEA_OUTPUT
fi
- name: Add Repositories
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ">> Adding repositories for chart dependencies ..."
for dir in ${RENDER_DIR}; do
helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do
if [[ "$cmd" == "*oci://*" ]]; then
echo ">> Ignoring OCI repo"
else
echo "$cmd" | sh;
fi
done || true
done
if helm repo list | tail +2 | read -r; then
echo ">> Update repository cache ..."
helm repo update
fi
echo "----"
- name: Remove Changed Manifest Files
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MANIFEST_DIR}
echo ">> Remove manfiest files and rebuild from source ..."
for dir in ${RENDER_DIR}; do
chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
echo "$chart_path"
rm -rf $chart_path/*
done
echo "----"
- name: Render Helm Manifests
id: render-manifests
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ">> Rendering Manifests ..."
for dir in ${RENDER_DIR}; do
chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
chart_name=$(basename "$chart_path")
echo ""
echo ""
echo ">> Rendering chart: $chart_name"
echo ">> Chart path $chart_path"
if [ -f "$chart_path/Chart.yaml" ]; then
OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
TEMPLATE=""
mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
cd $chart_path
echo ""
echo ">> Updating helm dependency ..."
helm dependency update --skip-refresh
echo ""
echo ">> Building helm dependency ..."
helm dependency build --skip-refresh
echo ""
echo ">> Linting helm ..."
helm lint --namespace "$chart_name"
echo ""
echo ">> Rendering templates ..."
case "$chart_name" in
"stack")
echo ""
echo ">> Special Rendering for stack into argocd namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
"cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
echo ""
echo ">> Special Rendering for $chart_name into kube-system namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
*)
echo ""
echo ">> Standard Rendering for $chart_name ..."
TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
esac
echo ""
echo ">> Formating rendered template ..."
echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo ""
echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
ls $OUTPUT_FOLDER
echo ""
else
echo ""
echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
echo ""
fi
done
echo "----"
- name: Check for Changes
id: check-changes
if: steps.check-dir-changes.outputs.changes-detected == 'true'
run: |
cd ${MANIFEST_DIR}
GIT_CHANGES=$(git status --porcelain)
if [ -n "$GIT_CHANGES" ]; then
echo ">> Changes detected"
git status --porcelain
echo "changes-detected=true" >> $GITEA_OUTPUT
else
echo ">> No changes detected, skipping PR creation"
fi
echo "----"
- name: Commit and Push Changes
id: commit-push
if: steps.check-changes.outputs.changes-detected == 'true'
env:
BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
run: |
cd ${MANIFEST_DIR}
echo ">> Commiting changes to ${BRANCH_NAME} ..."
git add .
git commit -m "chore: Update manifests after automerge"
REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
echo ">> Pushing changes to $REPO_URL ..."
git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
echo "----"
echo "push=true" >> $GITEA_OUTPUT
- name: Create Pull Request
id: create-pull-request
if: steps.commit-push.outputs.push == 'true'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
PAYLOAD=$( jq -n \
--arg head "${BRANCH_NAME}" \
--arg base "${BASE_BRANCH}" \
--arg title "Automated Manifest Update - Automerge" \
--arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow. This is expected to be automerged." \
'{head: $head, base: $base, title: $title, body: $body}' )
echo ">> Creating PR from branch ${BRANCH_NAME} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
echo ">> With Payload of:"
echo "$PAYLOAD"
HTTP_STATUS=$(
curl -X POST \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
--data "$PAYLOAD" \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "201" ]; then
echo ">> Pull Request created successfully!"
PR_URL=$(cat response_body.json | jq -r .html_url)
echo ">> Pull Request URL: $PR_URL"
echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
PR_NUMBER=$(cat response_body.json | jq -r .number)
echo ">> Pull Request Number: $PR_NUMBER"
echo "pull-request-number=${PR_NUMBER}" >> $GITEA_OUTPUT
echo "pull-request-operation=created" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "422" ]; then
echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
elif [ "$HTTP_STATUS" == "409" ]; then
echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
else
echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
exit 1
fi
echo "----"
- name: Merge Changes
id: merge-changes
if: steps.commit-push.outputs.push == 'true'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_NUMBER}/merge"
PAYLOAD=$( jq -n \
--arg Do "merge" \
'{Do: $Do}' )
echo ">> Merging PR with ID: ${PR_NUMBER}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
echo ">> With Payload of:"
echo "$PAYLOAD"
HTTP_STATUS=$(
curl -X POST \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
--data "$PAYLOAD" \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "200" ]; then
echo ">> Pull Request merged successfully!"
echo "pull-request-operation=merged" >> $GITEA_OUTPUT
else
echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
echo "pull-request-operation=failed" >> $GITEA_OUTPUT
exit 1
fi
echo "----"
- name: Cleanup Branch
if: failure()
env:
BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
run: |
cd ${MANIFEST_DIR}
echo ">> Removing branch: ${BRANCH_NAME}"
git push origin --delete ${BRANCH_NAME}
echo "----"
- name: ntfy Merged
uses: niniyas/ntfy-action@master
if: steps.merge-changes.outputs.pull-request-operation == 'merged'
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render PR Merged - Infrastructure"
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed
details: "Automerge Manifest rendering for Infrastructure!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render Failure - Infrastructure"
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: "Automerge Manifest rendering for Infrastructure has failed!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests-automerge.yaml", "clear": true}]'
image: true

390
.gitea/workflows/render-manifests-dispatch.yaml Normal file
View File

@@ -0,0 +1,390 @@
name: render-manifests-dispatch
on:
schedule:
- cron: '0 3 * * *'
workflow_dispatch:
env:
CLUSTER: cl01tl
BASE_BRANCH: manifests
BRANCH_NAME: auto/update-manifests
ASSIGNEE: alexlebens
MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
jobs:
render-manifests-dispatch:
runs-on: ubuntu-js
steps:
- name: Checkout Main
uses: actions/checkout@v6
with:
path: infrastructure
fetch-depth: 0
- name: Checkout Manifests
uses: actions/checkout@v6
with:
ref: manifests
path: infrastructure-manifests
- name: Set up Helm
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Prepare Manifest Branch
run: |
cd ${MANIFEST_DIR}
echo ">> Configure git to use gitea-bot as user ..."
git config user.name "gitea-bot"
git config user.email "gitea-bot@alexlebens.net"
echo ">> Checking if PR branch exists ..."
if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
git fetch origin "${BRANCH_NAME}"
git checkout "${BRANCH_NAME}"
git pull --rebase
else
echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
git checkout -b $BRANCH_NAME
fi
echo "----"
- name: Check which Directories have Changes
id: check-dir-changes
run: |
cd ${MAIN_DIR}
RENDER_DIR=()
echo ">> Triggered on dispatch, will check all paths ..."
RENDER_DIR+=$(ls clusters/cl01tl/helm/)
if [ -n "${RENDER_DIR}" ]; then
echo ">> Directories to Render:"
echo "$(echo "${RENDER_DIR}" | sort -u)"
echo "----"
echo "changes-detected=true" >> $GITEA_OUTPUT
echo "render-dir<<EOF" >> $GITEA_OUTPUT
echo "$(echo "${RENDER_DIR}" | sort -u)" >> $GITEA_OUTPUT
echo "EOF" >> $GITEA_OUTPUT
else
echo "changes-detected=false" >> $GITEA_OUTPUT
fi
- name: Add Repositories
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ">> Adding repositories for chart dependencies ..."
for dir in ${RENDER_DIR}; do
helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do
if [[ "$cmd" == "*oci://*" ]]; then
echo ">> Ignoring OCI repo"
else
echo "$cmd" | sh;
fi
done || true
done
if helm repo list | tail +2 | read -r; then
echo ">> Update repository cache ..."
helm repo update
fi
echo "----"
- name: Render Helm Manifests
id: render-manifests
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ">> Rendering Manifests ..."
for dir in ${RENDER_DIR}; do
chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
chart_name=$(basename "$chart_path")
echo ""
echo ""
echo ">> Rendering chart: $chart_name"
echo ">> Chart path $chart_path"
if [ -f "$chart_path/Chart.yaml" ]; then
OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
TEMPLATE=""
mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
cd $chart_path
echo ""
echo ">> Updating helm dependency ..."
helm dependency update --skip-refresh
echo ""
echo ">> Building helm dependency ..."
helm dependency build --skip-refresh
echo ""
echo ">> Linting helm ..."
helm lint --namespace "$chart_name"
echo ""
echo ">> Rendering templates ..."
case "$chart_name" in
"stack")
echo ""
echo ">> Special Rendering for stack into argocd namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
"cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
echo ""
echo ">> Special Rendering for $chart_name into kube-system namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
*)
echo ""
echo ">> Standard Rendering for $chart_name ..."
TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
esac
echo ""
echo ">> Formating rendered template ..."
echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo ""
echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
ls $OUTPUT_FOLDER
echo ""
else
echo ""
echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
echo ""
fi
done
echo "----"
- name: Check for Changes
id: check-changes
if: steps.check-dir-changes.outputs.changes-detected == 'true'
run: |
cd ${MANIFEST_DIR}
GIT_CHANGES=$(git status --porcelain)
if [ -n "$GIT_CHANGES" ]; then
echo ">> Changes detected"
git status --porcelain
echo "changes-detected=true" >> $GITEA_OUTPUT
else
echo ">> No changes detected, skipping PR creation"
fi
echo "----"
- name: Commit and Push Changes
id: commit-push
if: steps.check-changes.outputs.changes-detected == 'true'
run: |
cd ${MANIFEST_DIR}
echo ">> Commiting changes to ${BRANCH_NAME} ..."
git add .
git commit -m "chore: Update manifests after change"
REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
echo ">> Pushing changes to $REPO_URL ..."
git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
echo "----"
echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
echo "push=true" >> $GITEA_OUTPUT
- name: Check for Pull Request
id: check-for-pull-requst
if: steps.commit-push.outputs.push == 'true'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
HTTP_STATUS=$(
curl -X GET \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
echo ">> Pull Request has been found open, will update"
PR_INDEX=$(cat response_body.json | jq -r .[0].number)
echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
echo "pull-request-index=true" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
echo ">> Pull Request found, but was closed"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
else
echo ">> Pull Request not found"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
fi
echo "----"
- name: Create Pull Request
id: create-pull-request
if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
PAYLOAD=$( jq -n \
--arg head "${HEAD_BRANCH}" \
--arg base "${BASE_BRANCH}" \
--arg assignee "${ASSIGNEE}" \
--arg title "Automated Manifest Update" \
--arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
'{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
echo ">> With Payload of:"
echo "$PAYLOAD"
HTTP_STATUS=$(
curl -X POST \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
--data "$PAYLOAD" \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "201" ]; then
echo ">> Pull Request created successfully!"
PR_URL=$(cat response_body.json | jq -r .html_url)
echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
PR_ID=$(cat response_body.json | jq -r .id)
echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
echo "pull-request-operation=created" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "422" ]; then
echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
elif [ "$HTTP_STATUS" == "409" ]; then
echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
else
echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
exit 1
fi
echo "----"
- name: ntfy Created
uses: niniyas/ntfy-action@master
if: steps.create-pull-request.outputs.pull-request-operation == 'created'
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render PR Created - Infrastructure"
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed
details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render Failure - Infrastructure"
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: "Manifest rendering for Infrastructure has failed!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
image: true

425
.gitea/workflows/render-manifests-merge.yaml Normal file
View File

@@ -0,0 +1,425 @@
name: render-manifests-merge
on:
pull_request:
branches:
- main
paths:
- 'clusters/cl01tl/helm/**'
types:
- closed
env:
CLUSTER: cl01tl
BASE_BRANCH: manifests
BRANCH_NAME: auto/update-manifests
ASSIGNEE: alexlebens
MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
jobs:
render-manifests-merge:
runs-on: ubuntu-js
if: ${{ (github.event.pull_request.merged == true) && !(contains(github.event.pull_request.labels.*.name, 'automerge')) }}
steps:
- name: Checkout Main
uses: actions/checkout@v6
with:
path: infrastructure
fetch-depth: 0
- name: Checkout Manifests
uses: actions/checkout@v6
with:
ref: manifests
path: infrastructure-manifests
- name: Set up Helm
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Prepare Manifest Branch
run: |
cd ${MANIFEST_DIR}
echo ">> Configure git to use gitea-bot as user ..."
git config user.name "gitea-bot"
git config user.email "gitea-bot@alexlebens.net"
echo ">> Checking if PR branch exists ..."
if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
git fetch origin "${BRANCH_NAME}"
git checkout "${BRANCH_NAME}"
git pull --rebase
else
echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
git checkout -b $BRANCH_NAME
fi
echo "----"
- name: Check which Directories have Changes
id: check-dir-changes
run: |
cd ${MAIN_DIR}
RENDER_DIR=()
echo ">> Checking for changes from HEAD^..HEAD ..."
GIT_DIFF=$(git diff --name-only HEAD^..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
if [ -n "${GIT_DIFF}" ]; then
echo ">> Changes detected:"
echo "$GIT_DIFF"
for path in $GIT_DIFF; do
RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
RENDER_DIR+=$(echo " ")
done
else
echo ">> No changes detected"
fi
if [ -n "${RENDER_DIR}" ]; then
echo ">> Directories to Render:"
echo "$(echo "${RENDER_DIR}" | sort -u)"
echo "----"
echo "changes-detected=true" >> $GITEA_OUTPUT
echo "render-dir<<EOF" >> $GITEA_OUTPUT
echo "$(echo "${RENDER_DIR}" | sort -u)" >> $GITEA_OUTPUT
echo "EOF" >> $GITEA_OUTPUT
else
echo "changes-detected=false" >> $GITEA_OUTPUT
fi
- name: Add Repositories
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ">> Adding repositories for chart dependencies ..."
for dir in ${RENDER_DIR}; do
helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do
if [[ "$cmd" == "*oci://*" ]]; then
echo ">> Ignoring OCI repo"
else
echo "$cmd" | sh;
fi
done || true
done
if helm repo list | tail +2 | read -r; then
echo ">> Update repository cache ..."
helm repo update
fi
echo "----"
- name: Remove Changed Manifest Files
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MANIFEST_DIR}
echo ">> Remove manfiest files and rebuild from source ..."
for dir in ${RENDER_DIR}; do
chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
echo "$chart_path"
rm -rf $chart_path/*
done
echo "----"
- name: Render Helm Manifests
id: render-manifests
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ">> Rendering Manifests ..."
for dir in ${RENDER_DIR}; do
chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
chart_name=$(basename "$chart_path")
echo ""
echo ""
echo ">> Rendering chart: $chart_name"
echo ">> Chart path $chart_path"
if [ -f "$chart_path/Chart.yaml" ]; then
OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
TEMPLATE=""
mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
cd $chart_path
echo ""
echo ">> Updating helm dependency ..."
helm dependency update --skip-refresh
echo ""
echo ">> Building helm dependency ..."
helm dependency build --skip-refresh
echo ""
echo ">> Linting helm ..."
helm lint --namespace "$chart_name"
echo ""
echo ">> Rendering templates ..."
case "$chart_name" in
"stack")
echo ""
echo ">> Special Rendering for stack into argocd namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
"cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
echo ""
echo ">> Special Rendering for $chart_name into kube-system namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
*)
echo ""
echo ">> Standard Rendering for $chart_name ..."
TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
esac
echo ""
echo ">> Formating rendered template ..."
echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo ""
echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
ls $OUTPUT_FOLDER
echo ""
else
echo ""
echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
echo ""
fi
done
echo "----"
- name: Check for Changes
id: check-changes
if: steps.check-dir-changes.outputs.changes-detected == 'true'
run: |
cd ${MANIFEST_DIR}
GIT_CHANGES=$(git status --porcelain)
if [ -n "$GIT_CHANGES" ]; then
echo ">> Changes detected"
git status --porcelain
echo "changes-detected=true" >> $GITEA_OUTPUT
else
echo ">> No changes detected, skipping PR creation"
fi
echo "----"
- name: Commit and Push Changes
id: commit-push
if: steps.check-changes.outputs.changes-detected == 'true'
run: |
cd ${MANIFEST_DIR}
echo ">> Commiting changes to ${BRANCH_NAME} ..."
git add .
git commit -m "chore: Update manifests after change"
REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
echo ">> Pushing changes to $REPO_URL ..."
git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
echo "----"
echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
echo "push=true" >> $GITEA_OUTPUT
- name: Check for Pull Request
id: check-for-pull-requst
if: steps.commit-push.outputs.push == 'true'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
HTTP_STATUS=$(
curl -X GET \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
echo ">> Pull Request has been found open, will update"
PR_INDEX=$(cat response_body.json | jq -r .[0].number)
echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
echo "pull-request-index=true" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
echo ">> Pull Request found, but was closed"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
else
echo ">> Pull Request not found"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
fi
echo "----"
- name: Create Pull Request
id: create-pull-request
if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
PAYLOAD=$( jq -n \
--arg head "${HEAD_BRANCH}" \
--arg base "${BASE_BRANCH}" \
--arg assignee "${ASSIGNEE}" \
--arg title "Automated Manifest Update" \
--arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
'{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
echo ">> With Payload of:"
echo "$PAYLOAD"
HTTP_STATUS=$(
curl -X POST \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
--data "$PAYLOAD" \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "201" ]; then
echo ">> Pull Request created successfully!"
PR_URL=$(cat response_body.json | jq -r .html_url)
echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
PR_ID=$(cat response_body.json | jq -r .id)
echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
echo "pull-request-operation=created" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "422" ]; then
echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
elif [ "$HTTP_STATUS" == "409" ]; then
echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
else
echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
exit 1
fi
echo "----"
- name: ntfy Created
uses: niniyas/ntfy-action@master
if: steps.create-pull-request.outputs.pull-request-operation == 'created'
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render PR Created - Infrastructure"
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed
details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render Failure - Infrastructure"
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: "Manifest rendering for Infrastructure has failed!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
image: true

423
.gitea/workflows/render-manifests-push.yaml Normal file
View File

@@ -0,0 +1,423 @@
name: render-manifests-push
on:
push:
branches:
- main
paths:
- 'clusters/cl01tl/helm/**'
env:
CLUSTER: cl01tl
BASE_BRANCH: manifests
BRANCH_NAME: auto/update-manifests
ASSIGNEE: alexlebens
MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
jobs:
render-manifests-push:
runs-on: ubuntu-js
if: gitea.event.commits[0].author.username != 'renovate-bot'
steps:
- name: Checkout Main
uses: actions/checkout@v6
with:
path: infrastructure
fetch-depth: 0
- name: Checkout Manifests
uses: actions/checkout@v6
with:
ref: manifests
path: infrastructure-manifests
- name: Set up Helm
uses: azure/setup-helm@v4
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Prepare Manifest Branch
run: |
cd ${MANIFEST_DIR}
echo ">> Configure git to use gitea-bot as user ..."
git config user.name "gitea-bot"
git config user.email "gitea-bot@alexlebens.net"
echo ">> Checking if PR branch exists ..."
if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
git fetch origin "${BRANCH_NAME}"
git checkout "${BRANCH_NAME}"
git pull --rebase
else
echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
git checkout -b $BRANCH_NAME
fi
echo "----"
- name: Check which Directories have Changes
id: check-dir-changes
run: |
cd ${MAIN_DIR}
RENDER_DIR=()
echo ">> Checking for changes ..."
GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
if [ -n "${GIT_DIFF}" ]; then
echo ">> Changes detected:"
echo "$GIT_DIFF"
for path in $GIT_DIFF; do
RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
RENDER_DIR+=$(echo " ")
done
else
echo ">> No changes detected"
fi
if [ -n "${RENDER_DIR}" ]; then
echo ">> Directories to Render:"
echo "$(echo "${RENDER_DIR}" | sort -u)"
echo "----"
echo "changes-detected=true" >> $GITEA_OUTPUT
echo "render-dir<<EOF" >> $GITEA_OUTPUT
echo "$(echo "${RENDER_DIR}" | sort -u)" >> $GITEA_OUTPUT
echo "EOF" >> $GITEA_OUTPUT
else
echo "changes-detected=false" >> $GITEA_OUTPUT
fi
- name: Add Repositories
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ">> Adding repositories for chart dependencies ..."
for dir in ${RENDER_DIR}; do
helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
| tail +2 | head -n -1 \
| awk '{ print "helm repo add " $1 " " $3 }' \
| while read cmd; do
if [[ "$cmd" == "*oci://*" ]]; then
echo ">> Ignoring OCI repo"
else
echo "$cmd" | sh;
fi
done || true
done
if helm repo list | tail +2 | read -r; then
echo ">> Update repository cache ..."
helm repo update
fi
echo "----"
- name: Remove Changed Manifest Files
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MANIFEST_DIR}
echo ">> Remove manfiest files and rebuild from source ..."
for dir in ${RENDER_DIR}; do
chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
echo "$chart_path"
rm -rf $chart_path/*
done
echo "----"
- name: Render Helm Manifests
id: render-manifests
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd ${MAIN_DIR}
echo ">> Rendering Manifests ..."
for dir in ${RENDER_DIR}; do
chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
chart_name=$(basename "$chart_path")
echo ""
echo ""
echo ">> Rendering chart: $chart_name"
echo ">> Chart path $chart_path"
if [ -f "$chart_path/Chart.yaml" ]; then
OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
TEMPLATE=""
mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
cd $chart_path
echo ""
echo ">> Updating helm dependency ..."
helm dependency update --skip-refresh
echo ""
echo ">> Building helm dependency ..."
helm dependency build --skip-refresh
echo ""
echo ">> Linting helm ..."
helm lint --namespace "$chart_name"
echo ""
echo ">> Rendering templates ..."
case "$chart_name" in
"stack")
echo ""
echo ">> Special Rendering for stack into argocd namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
"cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
echo ""
echo ">> Special Rendering for $chart_name into kube-system namespace ..."
TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
*)
echo ""
echo ">> Standard Rendering for $chart_name ..."
TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
;;
esac
echo ""
echo ">> Formating rendered template ..."
echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo ""
echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
ls $OUTPUT_FOLDER
echo ""
else
echo ""
echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
echo ""
fi
done
echo "----"
- name: Check for Changes
id: check-changes
if: steps.check-dir-changes.outputs.changes-detected == 'true'
run: |
cd ${MANIFEST_DIR}
GIT_CHANGES=$(git status --porcelain)
if [ -n "$GIT_CHANGES" ]; then
echo ">> Changes detected"
git status --porcelain
echo "changes-detected=true" >> $GITEA_OUTPUT
else
echo ">> No changes detected, skipping PR creation"
fi
echo "----"
- name: Commit and Push Changes
id: commit-push
if: steps.check-changes.outputs.changes-detected == 'true'
run: |
cd ${MANIFEST_DIR}
echo ">> Commiting changes to ${BRANCH_NAME} ..."
git add .
git commit -m "chore: Update manifests after change"
REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
echo ">> Pushing changes to $REPO_URL ..."
git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
echo "----"
echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
echo "push=true" >> $GITEA_OUTPUT
- name: Check for Pull Request
id: check-for-pull-requst
if: steps.commit-push.outputs.push == 'true'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
HTTP_STATUS=$(
curl -X GET \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
echo ">> Pull Request has been found open, will update"
PR_INDEX=$(cat response_body.json | jq -r .[0].number)
echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
echo "pull-request-index=true" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
echo ">> Pull Request found, but was closed"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
else
echo ">> Pull Request not found"
echo "pull-request-exists=false" >> $GITEA_OUTPUT
fi
echo "----"
- name: Create Pull Request
id: create-pull-request
if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
run: |
cd ${MANIFEST_DIR}
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
PAYLOAD=$( jq -n \
--arg head "${HEAD_BRANCH}" \
--arg base "${BASE_BRANCH}" \
--arg assignee "${ASSIGNEE}" \
--arg title "Automated Manifest Update" \
--arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
'{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
echo ">> With Payload of:"
echo "$PAYLOAD"
HTTP_STATUS=$(
curl -X POST \
--silent \
--write-out '%{http_code}' \
--output response_body.json \
--dump-header response_headers.txt \
--data "$PAYLOAD" \
-H "Authorization: token ${GITEA_TOKEN}" \
-H "Content-Type: application/json" \
"$API_ENDPOINT" 2> response_errors.txt
)
echo ">> HTTP Status Code: $HTTP_STATUS"
echo ">> Response Output ..."
echo "----"
cat response_body.json
echo "----"
cat response_headers.txt
echo "----"
cat response_errors.txt
echo "----"
if [ "$HTTP_STATUS" == "201" ]; then
echo ">> Pull Request created successfully!"
PR_URL=$(cat response_body.json | jq -r .html_url)
echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
PR_ID=$(cat response_body.json | jq -r .id)
echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
echo "pull-request-operation=created" >> $GITEA_OUTPUT
elif [ "$HTTP_STATUS" == "422" ]; then
echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
elif [ "$HTTP_STATUS" == "409" ]; then
echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
else
echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
exit 1
fi
echo "----"
- name: ntfy Created
uses: niniyas/ntfy-action@master
if: steps.create-pull-request.outputs.pull-request-operation == 'created'
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render PR Created - Infrastructure"
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed
details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
- name: ntfy Failed
uses: niniyas/ntfy-action@master
if: failure()
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render Failure - Infrastructure"
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: "Manifest rendering for Infrastructure has failed!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
image: true

624
.gitea/workflows/render-manifests.yaml
View File

@@ -1,624 +0,0 @@
name: render-manifests
on:
schedule:
- cron: '0 15 * * *'
workflow_dispatch:
pull_request:
branches:
- main
paths:
- 'clusters/cl01tl/helm/**'
types:
- closed
env:
CLUSTER: cl01tl
BASE_BRANCH: manifests
BRANCH_NAME_BASE: auto/update-manifests
ASSIGNEE: alexlebens
MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
jobs:
render-manifests:
runs-on: ubuntu-js
if: >-
github.event_name == 'schedule' ||
github.event_name == 'workflow_dispatch' ||
(github.event_name == 'pull_request' && github.event.pull_request.merged == true)
steps:
- name: Checkout Main
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
path: infrastructure
fetch-depth: 0
- name: Checkout Manifests
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: manifests
path: infrastructure-manifests
- name: Set Up Helm
uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
with:
token: ${{ secrets.GITEA_TOKEN }}
version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
- name: Cache Helm Dependencies
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: |
~/.cache/helm
~/.config/helm
key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
restore-keys: |
helm-cache-${{ runner.os }}-
- name: Determine Workflow Mode
id: mode
run: |
IS_AUTOMERGE="false"
RENDER_ALL="false"
DIFF_TARGET=""
if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
echo ">> Mode: Dispatch/Schedule (Render All)"
RENDER_ALL="true"
elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
if [[ "${{ contains(github.event.pull_request.labels.*.name, 'automerge') }}" == "true" ]]; then
echo ">> Mode: PR Merged (Automerge)"
IS_AUTOMERGE="true"
else
echo ">> Mode: PR Merged (Standard)"
fi
DIFF_TARGET="HEAD^..HEAD"
fi
echo ""
echo "----"
echo "is-automerge=${IS_AUTOMERGE}" >> "$GITHUB_OUTPUT"
echo "render-all=${RENDER_ALL}" >> "$GITHUB_OUTPUT"
echo "diff-target=${DIFF_TARGET}" >> "$GITHUB_OUTPUT"
- name: Prepare Manifest Branch
id: prepare-manifest-branch
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }}
run: |
cd "${MANIFEST_DIR}"
echo ">> Configure git to use gitea-bot as user ..."
git config user.name "gitea-bot"
git config user.email "gitea-bot@alexlebens.net"
if [[ "$IS_AUTOMERGE" == "true" ]]; then
BRANCH_NAME="${BRANCH_NAME_BASE}-automerge-${PR_NUMBER}"
echo ""
echo ">> Creating branch ${BRANCH_NAME} ..."
git checkout -B "$BRANCH_NAME"
else
echo ""
echo ">> Checking if PR branch exists ..."
BRANCH_NAME="${BRANCH_NAME_BASE}"
if git ls-remote --exit-code --heads origin "${BRANCH_NAME}" > /dev/null 2>&1; then
echo ""
echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
git fetch origin "${BRANCH_NAME}"
git checkout "${BRANCH_NAME}"
git pull --rebase
else
echo ""
echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
git checkout -b "${BRANCH_NAME}"
fi
fi
echo ""
echo "----"
echo "branch-name=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
- name: Check Which Directories Have Changes
id: check-dir-changes
env:
RENDER_ALL: ${{ steps.mode.outputs.render-all }}
DIFF_TARGET: ${{ steps.mode.outputs.diff-target }}
run: |
cd "${MAIN_DIR}"
if [[ "$RENDER_ALL" == "true" ]]; then
echo ">> Triggered on dispatch, will check all paths ..."
RENDER_DIR=$(find "clusters/${CLUSTER}/helm" -mindepth 1 -maxdepth 1 -type d -exec basename {} \; | sort -u)
else
echo ">> Checking for changes from ${DIFF_TARGET} ..."
RENDER_DIR=$(git diff --name-only "${DIFF_TARGET}" | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true)
fi
if [ -n "${RENDER_DIR}" ]; then
echo ""
echo ">> Directories to Render:"
echo ""
echo "${RENDER_DIR}"
echo ""
echo "----"
echo "changes-detected=true" >> "$GITHUB_OUTPUT"
echo "render-dir<<EOF" >> "$GITHUB_OUTPUT"
echo "${RENDER_DIR}" >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
else
echo ""
echo ">> No chart changes detected"
echo ""
echo "----"
echo "changes-detected=false" >> "$GITHUB_OUTPUT"
fi
- name: Add Repositories
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd "${MAIN_DIR}"
echo ">> Adding repositories for chart dependencies ..."
echo ""
for DIR in ${RENDER_DIR}; do
helm dependency list --max-col-width 120 "${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}" 2> /dev/null \
| tail -n +2 \
| awk 'NF > 0 { print $1, $3 }' \
| while read -r REPO_NAME REPO_URL; do
if [[ "${REPO_URL}" == oci://* ]]; then
echo ">> Ignoring OCI repo: ${REPO_URL}"
elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
helm repo add "${REPO_NAME}" "${REPO_URL}"
fi
done || true
done
if helm repo list > /dev/null 2>&1; then
echo ""
echo ">> Update repository cache ..."
helm repo update
fi
echo ""
echo "----"
- name: Remove Changed Manifest Files
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd "${MANIFEST_DIR}"
echo ">> Remove manifest files and rebuild from source ..."
echo ""
for DIR in ${RENDER_DIR}; do
CHART_PATH="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${DIR}"
echo "${CHART_PATH}"
rm -rf "${CHART_PATH}"/*
done
echo ""
echo "----"
- name: Render Helm Manifests
id: render-manifests
if: steps.check-dir-changes.outputs.changes-detected == 'true'
env:
RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
run: |
cd "${MAIN_DIR}"
echo ">> Rendering Manifests ..."
render_chart() {
local DIR="$1"
local CHART_PATH="${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}"
local CHART_NAME=$(basename "${CHART_PATH}")
echo ""
echo ">> Rendering chart: ${CHART_NAME}"
if [ -f "${CHART_PATH}/Chart.yaml" ]; then
local OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${CHART_NAME}/"
mkdir -p "${OUTPUT_FOLDER}"
cd "${CHART_PATH}"
helm dependency update --skip-refresh > /dev/null
helm lint --namespace "${CHART_NAME}" --quiet
local NAMESPACE="${CHART_NAME}"
case "${CHART_NAME}" in
"stack")
NAMESPACE="argocd"
echo ">> Special Rendering into 'argocd' namespace ..."
;;
"cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
NAMESPACE="kube-system"
echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
;;
*)
echo ">> Standard Rendering ..."
esac
echo ">> Formating rendered template ..."
local TEMPLATE
TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
# Format and split rendered template
echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
# Strip comments again to ensure formatting correctness
for file in "$OUTPUT_FOLDER"/*; do
yq -i '... comments=""' $file
done
echo ">> Manifests for ${CHART_NAME} rendered successfully to $OUTPUT_FOLDER:"
echo ""
ls $OUTPUT_FOLDER
echo ""
else
echo ""
echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
fi
}
export -f render_chart
export MAIN_DIR CLUSTER MANIFEST_DIR
# Run rendering in parallel
for DIR in ${RENDER_DIR}; do
echo "${DIR}"
done | xargs -P 4 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
echo ""
echo "----"
- name: Check for Changes
id: check-changes
if: steps.check-dir-changes.outputs.changes-detected == 'true'
run: |
cd "${MANIFEST_DIR}"
GIT_CHANGES=$(git status --porcelain)
if [ -n "${GIT_CHANGES}" ]; then
echo ">> Changes detected"
git status --porcelain
CHANGED_CHARTS=$(echo "$GIT_CHANGES" | grep -oE "clusters/${CLUSTER}/manifests/[^/]+" | awk -F '/' '{print $4}' | sort -u | paste -sd ',' -)
echo ""
echo "----"
echo "changes-detected=true" >> "$GITHUB_OUTPUT"
echo "changed-charts-csv=${CHANGED_CHARTS}" >> "$GITHUB_OUTPUT"
else
echo ">> No changes detected, skipping PR creation"
echo ""
echo "----"
fi
- name: Commit and Push Changes
id: commit-push
if: steps.check-changes.outputs.changes-detected == 'true'
env:
BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.branch-name }}
IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }}
run: |
cd "${MANIFEST_DIR}"
MSG="chore: Update manifests after change"
if [[ "$IS_AUTOMERGE" == "true" ]]; then
MSG="chore: Update manifests after automerge"
fi
echo ">> Commiting changes to ${BRANCH_NAME} ..."
git add .
git commit -m "${MSG}"
REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
echo ""
echo ">> Pushing changes to ${REPO_URL} ..."
git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@${REPO_URL#*://}" "${BRANCH_NAME}"
echo ""
echo "----"
echo "push=true" >> "$GITHUB_OUTPUT"
echo "head-branch=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
- name: Check for Pull Request
id: check-for-pull-request
if: steps.commit-push.outputs.push == 'true' && steps.mode.outputs.is-automerge == 'false'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.head-branch }}
run: |
cd "${MANIFEST_DIR}"
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
echo ">> With Endpoint of:"
echo "$API_ENDPOINT"
HTTP_STATUS=$(curl -X GET -s -w '%{http_code}' -o response_body.json -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
echo ""
echo ">> Pull Request has been found open, will update"
echo ""
echo "----"
echo "pull-request-exists=$(cat response_body.json | jq -r .[0].number)" >> "$GITHUB_OUTPUT"
else
echo ""
echo ">> Pull Request not found"
echo ""
echo "----"
echo "pull-request-exists=false" >> "$GITHUB_OUTPUT"
fi
- name: Create Pull Request
id: create-pull-request
if: steps.commit-push.outputs.push == 'true' && (steps.mode.outputs.is-automerge == 'true' || steps.check-for-pull-request.outputs.pull-request-exists == 'false')
env:
IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }}
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
HEAD_BRANCH: ${{ steps.commit-push.outputs.head-branch }}
CHARTS: ${{ steps.check-changes.outputs.changed-charts-csv }}
EVENT_NAME: ${{ github.event_name }}
ACTOR: ${{ github.actor }}
SHA: ${{ github.sha }}
REF: ${{ github.ref_name }}
run: |
cd "${MANIFEST_DIR}"
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
BODY=$(printf "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.\n\n### Details\n- **Trigger**: \`%s\` by \`@%s\`\n- **Commit**: \`%s\` (on \`%s\`)\n- **Charts Updated**: \`%s\`" "${EVENT_NAME}" "${ACTOR}" "${SHA:0:7}" "${REF}" "${CHARTS}")
if [[ "$IS_AUTOMERGE" == "true" ]]; then
TITLE="Automated Manifest Update - Automerge"
BODY=$(printf "%s\n\n_This PR is expected to be automerged._" "${BODY}")
else
TITLE="Automated Manifest Update"
fi
PAYLOAD=$(jq -n --arg head "${HEAD_BRANCH}" --arg base "${BASE_BRANCH}" --arg assignee "${ASSIGNEE}" --arg title "${TITLE}" --arg body "${BODY}" '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}')
HTTP_STATUS=$(curl -X POST -s -w '%{http_code}' -o response_body.json --data "$PAYLOAD" -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
if [ "$HTTP_STATUS" == "201" ]; then
echo ">> Pull Request created successfully!"
echo ""
echo "----"
echo "pull-request-id=$(jq -r .id response_body.json)" >> "$GITHUB_OUTPUT"
echo "pull-request-number=$(jq -r .number response_body.json)" >> "$GITHUB_OUTPUT"
echo "pull-request-operation=created" >> "$GITHUB_OUTPUT"
elif [[ "$HTTP_STATUS" == "422" || "$HTTP_STATUS" == "409" ]]; then
echo ""
echo ">> Failed to create PR (Already exists)"
echo ""
echo "----"
else
echo ""
echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
echo ""
echo "----"
exit 1
fi
- name: Update Pull Request
id: update-pull-request
if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-request.outputs.pull-request-exists != 'false' && steps.mode.outputs.is-automerge == 'false'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
PR_NUMBER: ${{ steps.check-for-pull-request.outputs.pull-request-exists }}
CHARTS: ${{ steps.check-changes.outputs.changed-charts-csv }}
EVENT_NAME: ${{ github.event_name }}
ACTOR: ${{ github.actor }}
SHA: ${{ github.sha }}
REF: ${{ github.ref_name }}
run: |
cd "${MANIFEST_DIR}"
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_NUMBER}"
EXISTING_BODY=$(jq -r '.[0].body' response_body.json)
NEW_DETAILS=$(printf "### Update Details (%s)\n- **Trigger**: \`%s\` by \`@%s\`\n- **Commit**: \`%s\` (on \`%s\`)\n- **Charts Updated**: \`%s\`" "$(date -u +'%Y-%m-%d %H:%M UTC')" "${EVENT_NAME}" "${ACTOR}" "${SHA:0:7}" "${REF}" "${CHARTS}")
UPDATED_BODY=$(printf "%s\n\n%s" "${EXISTING_BODY}" "${NEW_DETAILS}")
PAYLOAD=$(jq -n --arg body "${UPDATED_BODY}" '{body: $body}')
HTTP_STATUS=$(curl -X PATCH -s -w '%{http_code}' -o update_response.json --data "$PAYLOAD" -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
if [ "$HTTP_STATUS" == "201" ] || [ "$HTTP_STATUS" == "200" ]; then
echo ">> Pull Request updated successfully!"
echo ""
echo "----"
echo "pull-request-operation=updated" >> "$GITHUB_OUTPUT"
else
echo ">> Failed to update PR, HTTP status code: $HTTP_STATUS"; exit 1
echo ""
echo "----"
fi
- name: Merge Changes
id: merge-changes
if: steps.commit-push.outputs.push == 'true' && steps.mode.outputs.is-automerge == 'true'
env:
GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
GITEA_URL: ${{ secrets.REPO_URL }}
PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
run: |
cd "${MANIFEST_DIR}"
API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_NUMBER}/merge"
PAYLOAD=$(jq -n --arg Do "merge" '{Do: $Do}')
HTTP_STATUS=$(curl -X POST -s -w '%{http_code}' -o response_body.json --data "$PAYLOAD" -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
if [ "$HTTP_STATUS" == "200" ]; then
echo ">> Pull Request merged successfully!"
echo ""
echo "----"
echo "pull-request-operation=merged" >> "$GITHUB_OUTPUT"
else
echo ">> Failed to merge PR, HTTP status code: $HTTP_STATUS"; exit 1
echo ""
echo "----"
fi
- name: Cleanup Branch
if: failure() && steps.mode.outputs.is-automerge == 'true'
env:
BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.branch-name }}
run: |
cd "${MANIFEST_DIR}"
echo ">> Removing branch: ${BRANCH_NAME}"
git push origin --delete "${BRANCH_NAME}" || true
echo ""
echo "----"
- name: ntfy Created
uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
if: steps.create-pull-request.outputs.pull-request-operation == 'created' && steps.mode.outputs.is-automerge == 'false'
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render - Open PR"
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed
details: "Created renderd manifests for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
- name: ntfy Updated
uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-request.outputs.pull-request-exists != 'false' && steps.mode.outputs.is-automerge == 'false'
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render - PR Updated"
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed
details: "Updated rendered manifests PR for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
- name: ntfy Merged
uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
if: steps.merge-changes.outputs.pull-request-operation == 'merged'
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render - Automerged"
priority: 3
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,successfully,completed
details: "Automerged manifest rendering for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
- name: ntfy Failed
uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
if: failure()
with:
url: "${{ secrets.NTFY_URL }}"
topic: "${{ secrets.NTFY_TOPIC }}"
title: "Manifest Render Failure"
priority: 4
headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
tags: action,failed
details: "Manifest rendering for Infrastructure has failed!"
icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
actions: '[{"action": "view", "label": "View Logs", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'

6
.gitea/workflows/renovate.yaml
View File

@@ -13,10 +13,10 @@ on:
jobs: jobs:
renovate: renovate:
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: ghcr.io/renovatebot/renovate:43.95.0@sha256:47096353b25eec6ac930f81bbe36686b70e6a40c82b426d53e967b1b57acd6c5 container: ghcr.io/renovatebot/renovate:43
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 uses: actions/checkout@v6
- name: Renovate - name: Renovate
run: renovate run: renovate
@@ -25,7 +25,7 @@ jobs:
RENOVATE_ENDPOINT: ${{ vars.INSTANCE_URL }} RENOVATE_ENDPOINT: ${{ vars.INSTANCE_URL }}
RENOVATE_REPOSITORIES: alexlebens/infrastructure RENOVATE_REPOSITORIES: alexlebens/infrastructure
RENOVATE_GIT_AUTHOR: Renovate Bot <renovate-bot@alexlebens.net> RENOVATE_GIT_AUTHOR: Renovate Bot <renovate-bot@alexlebens.net>
LOG_LEVEL: debug LOG_LEVEL: info
RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }} RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
RENOVATE_GIT_PRIVATE_KEY: ${{ secrets.RENOVATE_GIT_PRIVATE_KEY }} RENOVATE_GIT_PRIVATE_KEY: ${{ secrets.RENOVATE_GIT_PRIVATE_KEY }}
RENOVATE_GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }} RENOVATE_GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}

6
.pre-commit-config.yaml
View File

@@ -1,6 +1,6 @@
repos: repos:
- repo: https://github.com/pre-commit/pre-commit-hooks - repo: https://github.com/pre-commit/pre-commit-hooks
rev: v6.0.0 rev: v2.3.0
hooks: hooks:
- id: end-of-file-fixer - id: end-of-file-fixer
- id: trailing-whitespace - id: trailing-whitespace
@@ -9,9 +9,7 @@ repos:
exclude: '^.*\/templates\/.*$' exclude: '^.*\/templates\/.*$'
args: args:
- --multi - --multi
- id: check-merge-conflict
- id: check-json
- repo: https://github.com/IamTheFij/docker-pre-commit - repo: https://github.com/IamTheFij/docker-pre-commit
rev: v3.0.1 rev: v2.0.0
hooks: hooks:
- id: docker-compose-check - id: docker-compose-check

3
clusters/cl01tl/helm/actual/Chart.yaml
View File

@@ -5,12 +5,11 @@ description: Actual
keywords: keywords:
- actual - actual
- budget - budget
home: https://docs.alexlebens.dev/applications/actual/ home: https://wiki.alexlebens.dev/s/86192f45-94b7-45de-872c-6ef3fec7df5e
sources: sources:
- https://github.com/actualbudget/actual - https://github.com/actualbudget/actual
- https://github.com/actualbudget/actual/pkgs/container/actual - https://github.com/actualbudget/actual/pkgs/container/actual
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:

21
clusters/cl01tl/helm/actual/values.yaml
View File

@@ -4,18 +4,20 @@ actual:
type: deployment type: deployment
replicas: 1 replicas: 1
strategy: Recreate strategy: Recreate
revisionHistoryLimit: 3
containers: containers:
main: main:
image: image:
repository: ghcr.io/actualbudget/actual repository: ghcr.io/actualbudget/actual
tag: 26.3.0@sha256:eb8bc26f53025e07e464594c12d77c52c4b95840c8dadd9b95c4f0c4660f8ad2 tag: 26.3.0
pullPolicy: IfNotPresent
env: env:
- name: ACTUAL_PORT - name: TZ
value: 5006 value: US/Central
resources: resources:
requests: requests:
cpu: 10m cpu: 10m
memory: 50Mi memory: 128Mi
probes: probes:
liveness: liveness:
enabled: true enabled: true
@@ -52,8 +54,11 @@ actual:
- actual.alexlebens.net - actual.alexlebens.net
rules: rules:
- backendRefs: - backendRefs:
- name: actual - group: ''
kind: Service
name: actual
port: 80 port: 80
weight: 100
matches: matches:
- path: - path:
type: PathPrefix type: PathPrefix
@@ -64,6 +69,7 @@ actual:
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 2Gi size: 2Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
@@ -75,8 +81,7 @@ volsync-target-data:
enabled: true enabled: true
schedule: 0 8 * * * schedule: 0 8 * * *
remote: remote:
enabled: true enabled: false
schedule: 0 9 * * *
external: external:
enabled: true enabled: true
schedule: 0 10 * * * schedule: 0 9 * * *

10
clusters/cl01tl/helm/argo-workflows/Chart.lock
View File

@@ -1,12 +1,12 @@
dependencies: dependencies:
- name: argo-workflows - name: argo-workflows
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
version: 1.0.6 version: 0.47.4
- name: argo-events - name: argo-events
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
version: 2.4.21 version: 2.4.20
- name: postgres-cluster - name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 7.10.0 version: 7.8.0
digest: sha256:5635bfe609d8a901df257ef3e6cb469396a21bdd4c6f96e7e33f84036019c52b digest: sha256:772ba83a6e0fa6a7e3633ff1fff0f8221b45a1f36ec890489cfa383330d99f81
generated: "2026-03-24T16:59:01.228848139Z" generated: "2026-02-27T18:14:32.22595048Z"

14
clusters/cl01tl/helm/argo-workflows/Chart.yaml
View File

@@ -7,26 +7,26 @@ keywords:
- argo-events - argo-events
- workflows - workflows
- events - events
home: https://docs.alexlebens.dev/applications/argo-workflows/ home: https://wiki.alexlebens.dev/s/a268508f-d81d-4b4b-8bd5-9058edaea635
sources: sources:
- https://github.com/argoproj/argo-workflows - https://github.com/argoproj/argo-workflows
- https://github.com/argoproj/argo-events - https://github.com/argoproj/argo-events
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-workflows - https://github.com/cloudnative-pg/cloudnative-pg
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-events - https://github.com/argoproj/argo-helm/tree/main/charts
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: argo-workflows - name: argo-workflows
version: 1.0.6 version: 0.47.4
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
- name: argo-events - name: argo-events
version: 2.4.21 version: 2.4.20
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
- name: postgres-cluster - name: postgres-cluster
alias: postgres-18-cluster alias: postgres-18-cluster
version: 7.10.0 version: 7.8.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
# renovate: datasource=github-releases depName=argoproj/argo-workflows # renovate: datasource=github-releases depName=argoproj/argo-workflows
appVersion: v4.0.3 appVersion: v4.0.1

6
clusters/cl01tl/helm/argo-workflows/templates/external-secret.yaml
View File

@@ -14,9 +14,15 @@ spec:
data: data:
- secretKey: secret - secretKey: secret
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argo-workflows key: /authentik/oidc/argo-workflows
metadataPolicy: None
property: secret property: secret
- secretKey: client - secretKey: client
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argo-workflows key: /authentik/oidc/argo-workflows
metadataPolicy: None
property: client property: client

28
clusters/cl01tl/helm/argo-workflows/templates/http-route.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: argo-workflows
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argo-workflows
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- argo-workflows.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- group: ''
kind: Service
name: argo-workflows-server
port: 2746
weight: 100

80
clusters/cl01tl/helm/argo-workflows/values.yaml
View File

@@ -1,16 +1,13 @@
argo-workflows: argo-workflows:
crds:
install: true
keep: true
full: true
upgradeJob:
image:
repository: registry.k8s.io/kubectl
tag: v1.35.3
controller: controller:
metricsConfig: metricsConfig:
enabled: true enabled: true
persistence: persistence:
connectionPool:
maxIdleConns: 100
maxOpenConns: 0
nodeStatusOffLoad: true
archive: true
postgresql: postgresql:
host: argo-workflows-postgresql-18-cluster-rw host: argo-workflows-postgresql-18-cluster-rw
port: 5432 port: 5432
@@ -25,34 +22,24 @@ argo-workflows:
ssl: false ssl: false
sslMode: disable sslMode: disable
workflowWorkers: 2 workflowWorkers: 2
workflowTTLWorkers: 2 workflowTTLWorkers: 1
podCleanupWorkers: 2 podCleanupWorkers: 1
cronWorkflowWorkers: 2 cronWorkflowWorkers: 1
resources: resources:
requests: requests:
cpu: 1m cpu: 10m
memory: 20Mi memory: 128Mi
serviceMonitor: serviceMonitor:
enabled: true enabled: true
name: workflow-controller
workflowNamespaces: workflowNamespaces:
- argocd
- argo-workflows - argo-workflows
server: server:
authModes: authModes:
- sso - sso
httproute: ingress:
enabled: true enabled: false
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- argo-workflows.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
sso: sso:
enabled: true enabled: true
issuer: https://authentik.alexlebens.net/application/o/argo-workflows/ issuer: https://authentik.alexlebens.net/application/o/argo-workflows/
@@ -69,15 +56,15 @@ argo-workflows:
- openid - openid
- email - email
- profile - profile
useStaticCredentials: true
artifactRepository:
archiveLogs: false
argo-events: argo-events:
crds:
install: true
keep: true
controller: controller:
resources: resources:
requests: requests:
cpu: 1m cpu: 10m
memory: 32Mi memory: 128Mi
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
@@ -86,8 +73,8 @@ argo-events:
enabled: true enabled: true
resources: resources:
requests: requests:
cpu: 1m cpu: 10m
memory: 20Mi memory: 128Mi
postgres-18-cluster: postgres-18-cluster:
mode: recovery mode: recovery
recovery: recovery:
@@ -101,9 +88,32 @@ postgres-18-cluster:
destinationBucket: postgres-backups destinationBucket: postgres-backups
externalSecretCredentialPath: /garage/home-infra/postgres-backups externalSecretCredentialPath: /garage/home-infra/postgres-backups
isWALArchiver: true isWALArchiver: true
# - name: garage-remote
# index: 1
# destinationBucket: postgres-backups
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# retentionPolicy: "90d"
# data:
# compression: bzip2
# - name: external
# index: 1
# endpointURL: https://nyc3.digitaloceanspaces.com
# destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# isWALArchiver: false
scheduledBackups: scheduledBackups:
- name: live-backup - name: live-backup
suspend: false suspend: false
immediate: true immediate: true
schedule: "0 0 14 * * *" schedule: "0 0 0 * * *"
backupName: garage-local backupName: garage-local
# - name: weekly-backup
# suspend: true
# immediate: true
# schedule: "0 0 4 * * SAT"
# backupName: garage-remote
# - name: daily-backup
# suspend: true
# immediate: true
# schedule: "0 0 0 * * *"
# backupName: external

6
clusters/cl01tl/helm/argocd/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: argo-cd - name: argo-cd
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
version: 9.4.16 version: 9.4.8
digest: sha256:f9ecc47369d4401df61c17f55cc59c9b2d4543f57cf122653abb1a27a4f7bf35 digest: sha256:19ff12a044b26302cd4b5ea8d8df3ec4ccfcecdd5ee7018e799e8fda2561c553
generated: "2026-03-26T21:01:52.678525211Z" generated: "2026-03-08T20:26:40.586416093Z"

8
clusters/cl01tl/helm/argocd/Chart.yaml
View File

@@ -4,8 +4,10 @@ version: 1.0.0
description: Argo CD description: Argo CD
keywords: keywords:
- argo-cd - argo-cd
- delivery
- deployment - deployment
home: https://docs.alexlebens.dev/applications/argo-cd/ - gitops
home: https://wiki.alexlebens.dev/s/8a75cf26-b9df-437e-9cc5-2ef47e871a5f
sources: sources:
- https://github.com/argoproj/argo-cd - https://github.com/argoproj/argo-cd
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
@@ -13,8 +15,8 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: argo-cd - name: argo-cd
version: 9.4.16 version: 9.4.8
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
# renovate: datasource=github-releases depName=argoproj/argo-cd # renovate: datasource=github-releases depName=argoproj/argo-cd
appVersion: v3.3.5 appVersion: v3.3.2

18
clusters/cl01tl/helm/argocd/templates/external-secret.yaml
View File

@@ -14,11 +14,17 @@ spec:
data: data:
- secretKey: secret - secretKey: secret
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd key: /authentik/oidc/argocd
metadataPolicy: None
property: secret property: secret
- secretKey: client - secretKey: client
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd key: /authentik/oidc/argocd
metadataPolicy: None
property: client property: client
--- ---
@@ -38,7 +44,10 @@ spec:
data: data:
- secretKey: ntfy-token - secretKey: ntfy-token
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /ntfy/user/cl01tl key: /ntfy/user/cl01tl
metadataPolicy: None
property: token property: token
--- ---
@@ -58,13 +67,22 @@ spec:
data: data:
- secretKey: type - secretKey: type
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/argocd/credentials/repo/infrastructure key: /cl01tl/argocd/credentials/repo/infrastructure
metadataPolicy: None
property: type property: type
- secretKey: url - secretKey: url
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/argocd/credentials/repo/infrastructure key: /cl01tl/argocd/credentials/repo/infrastructure
metadataPolicy: None
property: url property: url
- secretKey: sshPrivateKey - secretKey: sshPrivateKey
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/argocd/credentials/repo/infrastructure key: /cl01tl/argocd/credentials/repo/infrastructure
metadataPolicy: None
property: sshPrivateKey property: sshPrivateKey

148
clusters/cl01tl/helm/argocd/values.yaml
View File

@@ -1,11 +1,12 @@
argo-cd: argo-cd:
crds: crds:
install: true install: true
keep: true
configs: configs:
cm: cm:
admin.enabled: true admin.enabled: true
accounts.homepage: apiKey accounts.homepage: apiKey
timeout.reconciliation: 100s
timeout.reconciliation.jitter: 60s
url: https://argocd.alexlebens.net url: https://argocd.alexlebens.net
statusbadge.url: https://argocd.alexlebens.net/ statusbadge.url: https://argocd.alexlebens.net/
statusbadge.enabled: true statusbadge.enabled: true
@@ -32,53 +33,12 @@ argo-cd:
g, homepage, role:readonly g, homepage, role:readonly
controller: controller:
replicas: 1 replicas: 1
resources:
requests:
cpu: 100m
memory: 1Gi
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 60
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
rules:
enabled: true
spec:
- alert: ArgoAppMissing
expr: |
absent(argocd_app_info) == 1
for: 15m
labels:
severity: critical
annotations:
summary: "[Argo CD] No reported applications"
description: >
Argo CD has not reported any applications data for the past 15 minutes which
means that it must be down or not functioning properly. This needs to be
resolved for this cloud to continue to maintain state.
- alert: ArgoAppNotSynced
expr: |
argocd_app_info{sync_status!="Synced"} == 1
for: 12h
labels:
severity: warning
annotations:
summary: "[{{`{{$labels.name}}`}}] Application not synchronized"
description: >
The application [{{`{{$labels.name}}`}} has not been synchronized for over
12 hours which means that the state of this cloud has drifted away from the
state inside Git.
dex: dex:
enabled: true enabled: true
resources:
requests:
cpu: 1m
memory: 64Mi
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
@@ -89,57 +49,20 @@ argo-cd:
enabled: true enabled: true
redis-ha: redis-ha:
enabled: true enabled: true
image:
repository: redis
tag: 8.6.2-alpine@sha256:81b6f81d6a6c5b9019231a2e8eb10085e3a139a34f833dcc965a8a959b040b72
persistentVolume:
enabled: true
redis:
resources:
requests:
cpu: 1000m
memory: 50Mi
haproxy:
enabled: true
image:
repository: haproxy
tag: 3.3.6-alpine@sha256:744be2dca649a44d490a4c565d36968d19482dd387f1bdd44c168f4322bc6b1e
resources:
requests:
cpu: 5m
memory: 90Mi
metrics:
enabled: true
serviceMonitor:
enabled: true
exporter:
enabled: true
image: ghcr.io/oliver006/redis_exporter
tag: v1.82.0@sha256:6a97d4dd743b533e1f950c677b87d880e44df363c61af3f406fc9e53ed65ee03
serviceMonitor:
enabled: true
prometheusRule:
enabled: true
interval: 30s
rules:
- alert: RedisPodDown
expr: |
redis_up{job="{{ include "redis-ha.fullname" . }}"} == 0
for: 5m
labels:
severity: critical
annotations:
description: Redis pod {{ "{{ $labels.pod }}" }} is down
summary: Redis pod {{ "{{ $labels.pod }}" }} is down
auth: false auth: false
redisSecretInit: redisSecretInit:
enabled: false enabled: false
server: server:
replicas: 2 replicas: 2
resources: extensions:
requests: enabled: true
cpu: 20m extensionList:
memory: 80Mi - name: extension-trivy
env:
- name: EXTENSION_URL
value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy.tar
- name: EXTENSION_CHECKSUM_URL
value: https://github.com/mziyabo/argocd-trivy-extension/releases/download/v0.2.0/extension-trivy_checksums.txt
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
@@ -153,56 +76,31 @@ argo-cd:
namespace: traefik namespace: traefik
hostnames: hostnames:
- argocd.alexlebens.net - argocd.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
repoServer: repoServer:
replicas: 2 replicas: 2
resources:
requests:
cpu: 1m
memory: 50Mi
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 60
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
livenessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 60
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
applicationSet: applicationSet:
replicas: 2 replicas: 2
resources:
requests:
cpu: 10m
memory: 50Mi
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 60
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
livenessProbe: livenessProbe:
enabled: true enabled: true
failureThreshold: 3 readinessProbe:
initialDelaySeconds: 60 enabled: true
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
notifications: notifications:
argocdUrl: https://argocd.alexlebens.net enabled: true
context:
argocdUrl: https://argocd.alexlebens.net
secret: secret:
create: false create: false
name: argocd-notifications-secret name: argocd-notifications-secret
@@ -216,10 +114,6 @@ argo-cd:
headers: headers:
- name: Authorization - name: Authorization
value: Bearer $ntfy-token value: Bearer $ntfy-token
resources:
requests:
cpu: 2m
memory: 50Mi
livenessProbe: livenessProbe:
enabled: true enabled: true
readinessProbe: readinessProbe:

7
clusters/cl01tl/helm/audiobookshelf/Chart.yaml
View File

@@ -7,14 +7,11 @@ keywords:
- books - books
- podcasts - podcasts
- audiobooks - audiobooks
home: https://docs.alexlebens.dev/applications/audiobookshelf/ home: https://wiki.alexlebens.dev/s/d4d6719f-cd1c-4b6e-b78e-2d2d7a5097d7
sources: sources:
- https://github.com/advplyr/audiobookshelf - https://github.com/advplyr/audiobookshelf
- https://github.com/caronc/apprise
- https://github.com/advplyr/audiobookshelf/pkgs/container/audiobookshelf - https://github.com/advplyr/audiobookshelf/pkgs/container/audiobookshelf
- https://github.com/caronc/apprise-api/pkgs/container/apprise
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -32,4 +29,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
# renovate: datasource=github-releases depName=advplyr/audiobookshelf # renovate: datasource=github-releases depName=advplyr/audiobookshelf
appVersion: 2.33.1 appVersion: 2.32.1

3
clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
View File

@@ -14,5 +14,8 @@ spec:
data: data:
- secretKey: ntfy-url - secretKey: ntfy-url
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/audiobookshelf/apprise key: /cl01tl/audiobookshelf/apprise
metadataPolicy: None
property: ntfy-url property: ntfy-url

44
clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
View File

@@ -1,52 +1,14 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: audiobookshelf-books-nfs-storage name: audiobookshelf-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: audiobookshelf-books-nfs-storage app.kubernetes.io/name: audiobookshelf-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
volumeName: audiobookshelf-books-nfs-storage volumeName: audiobookshelf-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-audiobooks-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: audiobookshelf-audiobooks-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-podcasts-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: audiobookshelf-podcasts-nfs-storage
storageClassName: nfs-client storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany

56
clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
metadata: metadata:
name: audiobookshelf-books-nfs-storage name: audiobookshelf-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: audiobookshelf-books-nfs-storage app.kubernetes.io/name: audiobookshelf-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
@@ -15,57 +15,7 @@ spec:
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
nfs: nfs:
path: /volume2/Storage/Books path: /volume2/Storage
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: audiobookshelf-audiobooks-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Audiobooks
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: audiobookshelf-podcasts-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Podcasts
server: synologybond.alexlebens.net server: synologybond.alexlebens.net
mountOptions: mountOptions:
- vers=4 - vers=4

60
clusters/cl01tl/helm/audiobookshelf/values.yaml
View File

@@ -4,29 +4,28 @@ audiobookshelf:
type: deployment type: deployment
replicas: 1 replicas: 1
strategy: Recreate strategy: Recreate
pod: revisionHistoryLimit: 3
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
containers: containers:
main: main:
image: image:
repository: ghcr.io/advplyr/audiobookshelf repository: ghcr.io/advplyr/audiobookshelf
tag: 2.33.1@sha256:a4a5841bba093d81e5f4ad1eaedb4da3fda6dbb2528c552349da50ad1f7ae708 tag: 2.32.1
pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
value: America/Chicago value: US/Central
resources: resources:
requests: requests:
cpu: 1m cpu: 10m
memory: 200Mi memory: 128Mi
apprise-api: apprise-api:
image: image:
repository: ghcr.io/caronc/apprise repository: caronc/apprise
tag: v1.3.3@sha256:4bfeac268ba87b8e08e308c9aa0182fe99e9501ec464027afc333d1634e65977 tag: v1.3.2
pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
value: America/Chicago value: US/Central
- name: PGID - name: PGID
value: "1000" value: "1000"
- name: PUID - name: PUID
@@ -42,6 +41,10 @@ audiobookshelf:
secretKeyRef: secretKeyRef:
name: audiobookshelf-apprise-config name: audiobookshelf-apprise-config
key: ntfy-url key: ntfy-url
resources:
requests:
cpu: 10m
memory: 128Mi
service: service:
main: main:
controller: main controller: main
@@ -79,8 +82,11 @@ audiobookshelf:
- audiobookshelf.alexlebens.net - audiobookshelf.alexlebens.net
rules: rules:
- backendRefs: - backendRefs:
- name: audiobookshelf - group: ''
kind: Service
name: audiobookshelf
port: 80 port: 80
weight: 100
matches: matches:
- path: - path:
type: PathPrefix type: PathPrefix
@@ -91,6 +97,7 @@ audiobookshelf:
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 2Gi size: 2Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
@@ -101,31 +108,18 @@ audiobookshelf:
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 10Gi size: 10Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
- path: /metadata - path: /metadata
readOnly: false readOnly: false
books:
existingClaim: audiobookshelf-books-nfs-storage
advancedMounts:
main:
main:
- path: /mnt/store/Books
readOnly: false
audiobooks: audiobooks:
existingClaim: audiobookshelf-audiobooks-nfs-storage existingClaim: audiobookshelf-nfs-storage
advancedMounts: advancedMounts:
main: main:
main: main:
- path: /mnt/store/Audiobooks - path: /mnt/store/
readOnly: false
podcasts:
existingClaim: audiobookshelf-podcasts-nfs-storage
advancedMounts:
main:
main:
- path: /mnt/store/Podcasts
readOnly: false readOnly: false
volsync-target-config: volsync-target-config:
pvcTarget: audiobookshelf-config pvcTarget: audiobookshelf-config
@@ -133,19 +127,17 @@ volsync-target-config:
enabled: true enabled: true
schedule: 2 8 * * * schedule: 2 8 * * *
remote: remote:
enabled: true enabled: false
schedule: 2 9 * * *
external: external:
enabled: true enabled: true
schedule: 2 10 * * * schedule: 2 9 * * *
volsync-target-metadata: volsync-target-metadata:
pvcTarget: audiobookshelf-metadata pvcTarget: audiobookshelf-metadata
local: local:
enabled: true enabled: true
schedule: 4 8 * * * schedule: 4 8 * * *
remote: remote:
enabled: true enabled: false
schedule: 4 9 * * *
external: external:
enabled: true enabled: true
schedule: 4 10 * * * schedule: 4 9 * * *

10
clusters/cl01tl/helm/authentik/Chart.lock
View File

@@ -4,12 +4,12 @@ dependencies:
version: 2026.2.1 version: 2026.2.1
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.4.0 version: 2.3.0
- name: postgres-cluster - name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 7.10.0 version: 7.8.0
- name: valkey - name: valkey
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0 version: 0.3.0
digest: sha256:8c353c5dad4c3d04d518c1445497f0d1cb64261a4201ae17a2c0874454b807a7 digest: sha256:750757130cded0cd2cc9b64ffdba961b55252587b653151f8ecb1031839fb9c9
generated: "2026-03-15T20:04:35.99407071Z" generated: "2026-03-06T06:33:03.42982917Z"

13
clusters/cl01tl/helm/authentik/Chart.yaml
View File

@@ -6,14 +6,17 @@ keywords:
- authentik - authentik
- sso - sso
- oidc - oidc
- ldap
- idp
- authentication - authentication
home: https://docs.alexlebens.dev/applications/authentik/ home: https://wiki.alexlebens.dev/s/45ca5171-581f-41d2-b6fb-2b0915029a2d
sources: sources:
- https://github.com/goauthentik/authentik - https://github.com/goauthentik/authentik
- https://github.com/cloudflare/cloudflared
- https://github.com/cloudnative-pg/cloudnative-pg
- https://github.com/goauthentik/helm - https://github.com/goauthentik/helm
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -22,14 +25,14 @@ dependencies:
repository: https://charts.goauthentik.io/ repository: https://charts.goauthentik.io/
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.4.0 version: 2.3.0
- name: postgres-cluster - name: postgres-cluster
alias: postgres-18-cluster alias: postgres-18-cluster
version: 7.10.0 version: 7.8.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey - name: valkey
alias: valkey alias: valkey
version: 0.4.0 version: 0.3.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
# renovate: datasource=github-releases depName=goauthentik/authentik # renovate: datasource=github-releases depName=goauthentik/authentik

3
clusters/cl01tl/helm/authentik/templates/external-secret.yaml
View File

@@ -14,5 +14,8 @@ spec:
data: data:
- secretKey: key - secretKey: key
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/authentik/key key: /cl01tl/authentik/key
metadataPolicy: None
property: key property: key

69
clusters/cl01tl/helm/authentik/values.yaml
View File

@@ -30,23 +30,8 @@ authentik:
redis: redis:
host: authentik-valkey host: authentik-valkey
server: server:
replicas: 2 name: server
resources: replicas: 1
requests:
cpu: 20m
memory: 700Mi
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 15
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 15
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
@@ -54,6 +39,8 @@ authentik:
route: route:
main: main:
enabled: true enabled: true
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
hostnames: hostnames:
- authentik.alexlebens.net - authentik.alexlebens.net
parentRefs: parentRefs:
@@ -61,26 +48,27 @@ authentik:
kind: Gateway kind: Gateway
name: traefik-gateway name: traefik-gateway
namespace: traefik namespace: traefik
httpsRedirect: false
matches:
- path:
type: PathPrefix
value: /
worker: worker:
name: worker name: worker
replicas: 2 replicas: 1
resources:
requests:
cpu: 80m
memory: 650Mi
metrics:
enabled: true
serviceMonitor:
enabled: true
prometheus: prometheus:
rules: rules:
enabled: true enabled: true
postgresql:
enabled: false
redis:
enabled: false
postgres-18-cluster: postgres-18-cluster:
mode: recovery mode: recovery
recovery: recovery:
method: objectStore method: objectStore
objectStore: objectStore:
index: 2 index: 1
backup: backup:
objectStore: objectStore:
- name: garage-local - name: garage-local
@@ -88,9 +76,32 @@ postgres-18-cluster:
destinationBucket: postgres-backups destinationBucket: postgres-backups
externalSecretCredentialPath: /garage/home-infra/postgres-backups externalSecretCredentialPath: /garage/home-infra/postgres-backups
isWALArchiver: true isWALArchiver: true
# - name: garage-remote
# index: 1
# destinationBucket: postgres-backups
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# retentionPolicy: "90d"
# data:
# compression: bzip2
# - name: external
# index: 1
# endpointURL: https://nyc3.digitaloceanspaces.com
# destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# isWALArchiver: false
scheduledBackups: scheduledBackups:
- name: live-backup - name: live-backup
suspend: false suspend: true
immediate: true immediate: true
schedule: "0 5 14 * * *" schedule: "0 0 0 * * *"
backupName: garage-local backupName: garage-local
# - name: weekly-backup
# suspend: true
# immediate: true
# schedule: "0 0 4 * * SAT"
# backupName: garage-remote
# - name: daily-backup
# suspend: true
# immediate: true
# schedule: "0 0 0 * * *"
# backupName: external

7
clusters/cl01tl/helm/backrest/Chart.yaml
View File

@@ -5,12 +5,11 @@ description: backrest
keywords: keywords:
- backrest - backrest
- backup - backup
home: https://docs.alexlebens.dev/applications/backrest/ home: https://wiki.alexlebens.dev/
sources: sources:
- https://github.com/garethgeorge/backrest - https://github.com/garethgeorge/backrest
- https://github.com/garethgeorge/backrest/pkgs/container/backrest - https://hub.docker.com/r/garethgeorge/backrest
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -28,4 +27,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
# renovate: datasource=github-releases depName=garethgeorge/backrest # renovate: datasource=github-releases depName=garethgeorge/backrest
appVersion: v1.12.1 appVersion: v1.12.0

39
clusters/cl01tl/helm/backrest/values.yaml
View File

@@ -7,8 +7,9 @@ backrest:
containers: containers:
main: main:
image: image:
repository: ghcr.io/garethgeorge/backrest repository: garethgeorge/backrest
tag: v1.12.1@sha256:f4d34bd6fa985d13bdb6c01c5d8727e07708899afa9567d800808357d77b9fb0 tag: v1.12.0
pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
value: America/Chicago value: America/Chicago
@@ -22,8 +23,8 @@ backrest:
value: /tmp value: /tmp
resources: resources:
requests: requests:
cpu: 1m cpu: 10m
memory: 30Mi memory: 256Mi
service: service:
main: main:
controller: main controller: main
@@ -32,19 +33,6 @@ backrest:
port: 80 port: 80
targetPort: 9898 targetPort: 9898
protocol: TCP protocol: TCP
serviceMonitor:
main:
selector:
matchLabels:
app.kubernetes.io/name: backrest
app.kubernetes.io/instance: backrest
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: http
scheme: http
path: /metrics
interval: 300s
scrapeTimeout: 15s
route: route:
main: main:
kind: HTTPRoute kind: HTTPRoute
@@ -57,8 +45,11 @@ backrest:
- backrest.alexlebens.net - backrest.alexlebens.net
rules: rules:
- backendRefs: - backendRefs:
- name: backrest - group: ''
kind: Service
name: backrest
port: 80 port: 80
weight: 100
matches: matches:
- path: - path:
type: PathPrefix type: PathPrefix
@@ -69,6 +60,7 @@ backrest:
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 10Gi size: 10Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
@@ -79,6 +71,7 @@ backrest:
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 1Gi size: 1Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
@@ -118,19 +111,17 @@ volsync-target-data:
enabled: true enabled: true
schedule: 6 8 * * * schedule: 6 8 * * *
remote: remote:
enabled: true enabled: false
schedule: 6 9 * * *
external: external:
enabled: true enabled: true
schedule: 6 10 * * * schedule: 6 9 * * *
volsync-target-config: volsync-target-config:
pvcTarget: backrest-config pvcTarget: backrest-config
local: local:
enabled: true enabled: true
schedule: 8 8 * * * schedule: 8 8 * * *
remote: remote:
enabled: true enabled: false
schedule: 8 9 * * *
external: external:
enabled: true enabled: true
schedule: 8 10 * * * schedule: 8 9 * * *

4
clusters/cl01tl/helm/bazarr/Chart.yaml
View File

@@ -4,14 +4,14 @@ version: 1.0.0
description: Bazarr description: Bazarr
keywords: keywords:
- bazarr - bazarr
- servarr
- subtitles - subtitles
home: https://docs.alexlebens.dev/applications/bazarr/ home: https://wiki.alexlebens.dev/s/92784d53-1d43-42fd-b509-f42c73454226
sources: sources:
- https://github.com/morpheus65535/bazarr - https://github.com/morpheus65535/bazarr
- https://github.com/linuxserver/docker-bazarr - https://github.com/linuxserver/docker-bazarr
- https://github.com/linuxserver/docker-bazarr/pkgs/container/bazarr - https://github.com/linuxserver/docker-bazarr/pkgs/container/bazarr
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:

23
clusters/cl01tl/helm/bazarr/values.yaml
View File

@@ -4,6 +4,7 @@ bazarr:
type: deployment type: deployment
replicas: 1 replicas: 1
strategy: Recreate strategy: Recreate
revisionHistoryLimit: 3
pod: pod:
securityContext: securityContext:
runAsUser: 1000 runAsUser: 1000
@@ -14,20 +15,19 @@ bazarr:
main: main:
image: image:
repository: ghcr.io/linuxserver/bazarr repository: ghcr.io/linuxserver/bazarr
tag: v1.5.6-ls342@sha256:9a631194c0dee21c85b5bff59e23610e1ae2f54594e922973949d271102e585e tag: 1.5.6@sha256:94eee5e3e14430b7b144d4556be73963a7daf6f1bddc25586627f426465482ce
pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
value: America/Chicago value: US/Central
- name: PUID - name: PUID
value: 1000 value: 1000
- name: PGID - name: PGID
value: 1000 value: 1000
resources: resources:
limits:
cpu: 100m
requests: requests:
cpu: 1m cpu: 10m
memory: 250Mi memory: 256Mi
service: service:
main: main:
controller: main controller: main
@@ -48,8 +48,11 @@ bazarr:
- bazarr.alexlebens.net - bazarr.alexlebens.net
rules: rules:
- backendRefs: - backendRefs:
- name: bazarr - group: ''
kind: Service
name: bazarr
port: 80 port: 80
weight: 100
matches: matches:
- path: - path:
type: PathPrefix type: PathPrefix
@@ -60,6 +63,7 @@ bazarr:
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 5Gi size: 5Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
@@ -83,8 +87,7 @@ volsync-target-config:
enabled: true enabled: true
schedule: 10 8 * * * schedule: 10 8 * * *
remote: remote:
enabled: true enabled: false
schedule: 10 9 * * *
external: external:
enabled: true enabled: true
schedule: 10 10 * * * schedule: 10 9 * * *

6
clusters/cl01tl/helm/blocky/Chart.lock
View File

@@ -4,6 +4,6 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: valkey - name: valkey
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0 version: 0.3.0
digest: sha256:a5b0099261d772b24a302a106d106cfa82ac07fa14564141e00cf107d708e859 digest: sha256:e1300ab60ad8d986a42144940a64196aa282566e8049975a0981e4e6fc93e206
generated: "2026-03-09T23:06:16.853255429Z" generated: "2026-03-06T06:33:20.716599953Z"

7
clusters/cl01tl/helm/blocky/Chart.yaml
View File

@@ -5,12 +5,11 @@ description: Blocky
keywords: keywords:
- blocky - blocky
- dns - dns
home: https://docs.alexlebens.dev/applications/blocky/ home: https://wiki.alexlebens.dev/s/cf70113d-20bc-48ad-afb8-1e22ed3fd62a
sources: sources:
- https://github.com/0xERR0R/blocky - https://github.com/0xERR0R/blocky
- https://github.com/0xERR0R/blocky/pkgs/container/blocky - https://hub.docker.com/r/spx01/blocky
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -20,7 +19,7 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: valkey - name: valkey
alias: valkey alias: valkey
version: 0.4.0 version: 0.3.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
# renovate: datasource=github-releases depName=0xerr0r/blocky # renovate: datasource=github-releases depName=0xerr0r/blocky

15
clusters/cl01tl/helm/blocky/values.yaml
View File

@@ -4,18 +4,20 @@ blocky:
type: deployment type: deployment
replicas: 3 replicas: 3
strategy: RollingUpdate strategy: RollingUpdate
revisionHistoryLimit: 3
containers: containers:
main: main:
image: image:
repository: ghcr.io/0xerr0r/blocky repository: ghcr.io/0xerr0r/blocky
tag: v0.29.0@sha256:a6d99f323d3036a99a3767a52ad612f4d8f3f31167492bfc14d4ea57b24cdfd0 tag: v0.29.0@sha256:a6d99f323d3036a99a3767a52ad612f4d8f3f31167492bfc14d4ea57b24cdfd0
pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
value: America/Chicago value: US/Central
resources: resources:
requests: requests:
cpu: 10m cpu: 10m
memory: 100Mi memory: 128Mi
configMaps: configMaps:
config: config:
enabled: true enabled: true
@@ -96,7 +98,7 @@ blocky:
traefik-cl01tl IN A 10.232.1.21 traefik-cl01tl IN A 10.232.1.21
blocky IN A 10.232.1.22 blocky IN A 10.232.1.22
plex-lb IN A 10.232.1.23 cilium-cl01tl IN A 10.232.1.23
;; Application Names ;; Application Names
@@ -108,36 +110,31 @@ blocky:
authentik IN CNAME traefik-cl01tl authentik IN CNAME traefik-cl01tl
backrest IN CNAME traefik-cl01tl backrest IN CNAME traefik-cl01tl
bazarr IN CNAME traefik-cl01tl bazarr IN CNAME traefik-cl01tl
booklore IN CNAME traefik-cl01tl
ceph IN CNAME traefik-cl01tl ceph IN CNAME traefik-cl01tl
code-server IN CNAME traefik-cl01tl code-server IN CNAME traefik-cl01tl
dawarich IN CNAME traefik-cl01tl dawarich IN CNAME traefik-cl01tl
directus IN CNAME traefik-cl01tl directus IN CNAME traefik-cl01tl
excalidraw IN CNAME traefik-cl01tl excalidraw IN CNAME traefik-cl01tl
feishin IN CNAME traefik-cl01tl feishin IN CNAME traefik-cl01tl
foldergram IN CNAME traefik-cl01tl
garage-s3 IN CNAME traefik-cl01tl garage-s3 IN CNAME traefik-cl01tl
garage-webui IN CNAME traefik-cl01tl garage-webui IN CNAME traefik-cl01tl
gatus IN CNAME traefik-cl01tl gatus IN CNAME traefik-cl01tl
gitea IN CNAME traefik-cl01tl gitea IN CNAME traefik-cl01tl
grafana IN CNAME traefik-cl01tl grafana IN CNAME traefik-cl01tl
grimmory IN CNAME traefik-cl01tl
harbor IN CNAME traefik-cl01tl harbor IN CNAME traefik-cl01tl
headlamp IN CNAME traefik-cl01tl headlamp IN CNAME traefik-cl01tl
home IN CNAME traefik-cl01tl home IN CNAME traefik-cl01tl
home-assistant IN CNAME traefik-cl01tl home-assistant IN CNAME traefik-cl01tl
home-assistant-code-server IN CNAME traefik-cl01tl home-assistant-code-server IN CNAME traefik-cl01tl
houndarr IN CNAME traefik-cl01tl
hubble IN CNAME traefik-cl01tl hubble IN CNAME traefik-cl01tl
immich IN CNAME traefik-cl01tl immich IN CNAME traefik-cl01tl
jellyfin IN CNAME traefik-cl01tl jellyfin IN CNAME traefik-cl01tl
jellystat IN CNAME traefik-cl01tl jellystat IN CNAME traefik-cl01tl
kiwix IN CNAME traefik-cl01tl kiwix IN CNAME traefik-cl01tl
komodo IN CNAME traefik-cl01tl komodo IN CNAME traefik-cl01tl
languagetool IN CNAME traefik-cl01tl
lidarr IN CNAME traefik-cl01tl lidarr IN CNAME traefik-cl01tl
mail IN CNAME traefik-cl01tl mail IN CNAME traefik-cl01tl
medialyze IN CNAME traefik-cl01tl
movie-roulette IN CNAME traefik-cl01tl
music-grabber IN CNAME traefik-cl01tl music-grabber IN CNAME traefik-cl01tl
navidrome IN CNAME traefik-cl01tl navidrome IN CNAME traefik-cl01tl
ntfy IN CNAME traefik-cl01tl ntfy IN CNAME traefik-cl01tl

9
clusters/cl01tl/helm/grimmory/Chart.lock → clusters/cl01tl/helm/booklore/Chart.lock
View File

@@ -4,9 +4,12 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: mariadb-cluster - name: mariadb-cluster
repository: https://helm.mariadb.com/mariadb-operator repository: https://helm.mariadb.com/mariadb-operator
version: 26.3.0 version: 25.10.4
- name: volsync-target - name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0 version: 0.8.0
digest: sha256:6ee403da03c1bcc0289a9abdef0508344072d51173da996eda69b8305d5feefa - name: volsync-target
generated: "2026-03-23T20:35:19.743257-05:00" repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
digest: sha256:d4c7bf75f72f7eab4ad968bf9f55daac9392c9b2df08f8a27c5dc4f8fffb5f57
generated: "2026-03-06T01:06:05.696573273Z"

33
clusters/cl01tl/helm/booklore/Chart.yaml Normal file
View File

@@ -0,0 +1,33 @@
apiVersion: v2
name: booklore
version: 1.0.0
description: booklore
keywords:
- booklore
- books
home: https://wiki.alexlebens.dev/
sources:
- https://github.com/booklore-app/BookLore
- https://github.com/booklore-app/booklore/pkgs/container/booklore
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: booklore
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
- name: mariadb-cluster
version: 25.10.4
repository: https://helm.mariadb.com/mariadb-operator
- name: volsync-target
alias: volsync-target-config
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-data
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png
# renovate: datasource=github-releases depName=booklore-app/BookLore
appVersion: v2.1.0

38
clusters/cl01tl/helm/grimmory/templates/external-secret.yaml → clusters/cl01tl/helm/booklore/templates/external-secret.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: grimmory-database-secret name: booklore-database-secret
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: grimmory-database-secret app.kubernetes.io/name: booklore-database-secret
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
@@ -14,17 +14,20 @@ spec:
data: data:
- secretKey: password - secretKey: password
remoteRef: remoteRef:
key: /cl01tl/grimmory/database conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/booklore/database
metadataPolicy: None
property: password property: password
--- ---
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: grimmory-data-replication-secret name: booklore-data-replication-secret
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: grimmory-data-replication-secret app.kubernetes.io/name: booklore-data-replication-secret
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
@@ -34,17 +37,20 @@ spec:
data: data:
- secretKey: psk.txt - secretKey: psk.txt
remoteRef: remoteRef:
key: /cl01tl/grimmory/replication conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/booklore/replication
metadataPolicy: None
property: psk.txt property: psk.txt
--- ---
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: grimmory-mariadb-cluster-backup-secret-external name: booklore-mariadb-cluster-backup-secret-external
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: grimmory-mariadb-cluster-backup-secret-external app.kubernetes.io/name: booklore-mariadb-cluster-backup-secret-external
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
@@ -54,21 +60,27 @@ spec:
data: data:
- secretKey: access - secretKey: access
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/mariadb-backups key: /digital-ocean/home-infra/mariadb-backups
metadataPolicy: None
property: access property: access
- secretKey: secret - secretKey: secret
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /digital-ocean/home-infra/mariadb-backups key: /digital-ocean/home-infra/mariadb-backups
metadataPolicy: None
property: secret property: secret
--- ---
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: grimmory-mariadb-cluster-backup-secret-garage name: booklore-mariadb-cluster-backup-secret-garage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: grimmory-mariadb-cluster-backup-secret-garage app.kubernetes.io/name: booklore-mariadb-cluster-backup-secret-garage
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
@@ -78,9 +90,15 @@ spec:
data: data:
- secretKey: access - secretKey: access
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/mariadb-backups key: /garage/home-infra/mariadb-backups
metadataPolicy: None
property: access property: access
- secretKey: secret - secretKey: secret
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/mariadb-backups key: /garage/home-infra/mariadb-backups
metadataPolicy: None
property: secret property: secret

4
clusters/cl01tl/helm/grimmory/templates/namespace.yaml → clusters/cl01tl/helm/booklore/templates/namespace.yaml
View File

@@ -1,11 +1,11 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: grimmory name: booklore
annotations: annotations:
volsync.backube/privileged-movers: "true" volsync.backube/privileged-movers: "true"
labels: labels:
app.kubernetes.io/name: grimmory app.kubernetes.io/name: booklore
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/audit: privileged

12
clusters/cl01tl/helm/grimmory/templates/persistent-volume-claim.yaml → clusters/cl01tl/helm/booklore/templates/persistent-volume-claim.yaml
View File

@@ -1,14 +1,14 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: grimmory-books-nfs-storage name: booklore-books-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: grimmory-books-nfs-storage app.kubernetes.io/name: booklore-books-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
volumeName: grimmory-books-nfs-storage volumeName: booklore-books-nfs-storage
storageClassName: nfs-client storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
@@ -20,14 +20,14 @@ spec:
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: grimmory-books-import-nfs-storage name: booklore-books-import-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: grimmory-books-import-nfs-storage app.kubernetes.io/name: booklore-books-import-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
volumeName: grimmory-books-import-nfs-storage volumeName: booklore-books-import-nfs-storage
storageClassName: nfs-client storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany

8
clusters/cl01tl/helm/grimmory/templates/persistent-volume.yaml → clusters/cl01tl/helm/booklore/templates/persistent-volume.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
metadata: metadata:
name: grimmory-books-nfs-storage name: booklore-books-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: grimmory-books-nfs-storage app.kubernetes.io/name: booklore-books-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
@@ -26,10 +26,10 @@ spec:
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
metadata: metadata:
name: grimmory-books-import-nfs-storage name: booklore-books-import-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: grimmory-books-import-nfs-storage app.kubernetes.io/name: booklore-books-import-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:

15
clusters/cl01tl/helm/booklore/templates/replication-destination.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: volsync.backube/v1alpha1
kind: ReplicationDestination
metadata:
name: booklore-data-replication-destination
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-replication-destination
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
rsyncTLS:
copyMethod: Direct
accessModes: ["ReadWriteMany"]
destinationPVC: booklore-books-nfs-storage
keySecret: booklore-data-replication-secret

17
clusters/cl01tl/helm/booklore/templates/replication-source.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: booklore-data-replication-source
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: booklore-data-replication-source
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
sourcePVC: booklore-data
trigger:
schedule: "0 0 * * *"
rsyncTLS:
keySecret: booklore-data-replication-secret
address: volsync-rsync-tls-dst-booklore-data-replication-destination
copyMethod: Snapshot

116
clusters/cl01tl/helm/grimmory/values.yaml → clusters/cl01tl/helm/booklore/values.yaml
View File

@@ -1,18 +1,16 @@
grimmory: booklore:
controllers: controllers:
main: main:
type: deployment type: deployment
replicas: 1 replicas: 1
strategy: Recreate strategy: Recreate
pod: revisionHistoryLimit: 3
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
containers: containers:
main: main:
image: image:
repository: ghcr.io/grimmory-tools/grimmory repository: ghcr.io/booklore-app/booklore
tag: v2.3.0@sha256:9014247f591074529894f81115ca40f899db697e89f72c2fe91ec530e3f19597 tag: v2.1.0
pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
value: America/Chicago value: America/Chicago
@@ -21,22 +19,22 @@ grimmory:
- name: GROUP_ID - name: GROUP_ID
value: 1000 value: 1000
- name: DATABASE_URL - name: DATABASE_URL
value: jdbc:mariadb://grimmory-mariadb-cluster-primary.grimmory:3306/booklore value: jdbc:mariadb://booklore-mariadb-cluster-primary.booklore:3306/booklore
- name: DATABASE_USERNAME - name: DATABASE_USERNAME
value: grimmory value: booklore
- name: DATABASE_PASSWORD - name: DATABASE_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: grimmory-database-secret name: booklore-database-secret
key: password key: password
- name: GRIMMORY_PORT - name: BOOKLORE_PORT
value: 6060 value: 6060
- name: SWAGGER_ENABLED - name: SWAGGER_ENABLED
value: false value: false
resources: resources:
requests: requests:
cpu: 10m cpu: 50m
memory: 1Gi memory: 128Mi
service: service:
main: main:
controller: main controller: main
@@ -54,26 +52,41 @@ grimmory:
name: traefik-gateway name: traefik-gateway
namespace: traefik namespace: traefik
hostnames: hostnames:
- grimmory.alexlebens.net - booklore.alexlebens.net
rules: rules:
- backendRefs: - backendRefs:
- name: grimmory - group: ''
kind: Service
name: booklore
port: 80 port: 80
weight: 100
matches: matches:
- path: - path:
type: PathPrefix type: PathPrefix
value: / value: /
persistence: persistence:
config: config:
forceRename: grimmory-config forceRename: booklore-config
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 5Gi size: 5Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
- path: /app/data - path: /app/data
readOnly: false readOnly: false
data:
forceRename: booklore-data
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 10Gi
retain: true
advancedMounts:
main:
main:
- path: /data
readOnly: false
books-import: books-import:
type: emptyDir type: emptyDir
advancedMounts: advancedMounts:
@@ -81,15 +94,8 @@ grimmory:
main: main:
- path: /bookdrop - path: /bookdrop
readOnly: false readOnly: false
data:
existingClaim: grimmory-books-nfs-storage
advancedMounts:
main:
main:
- path: /data
readOnly: false
ingest: ingest:
existingClaim: grimmory-books-import-nfs-storage existingClaim: booklore-books-import-nfs-storage
advancedMounts: advancedMounts:
main: main:
main: main:
@@ -99,7 +105,7 @@ mariadb-cluster:
mariadb: mariadb:
rootPasswordSecretKeyRef: rootPasswordSecretKeyRef:
generate: false generate: false
name: grimmory-database-secret name: booklore-database-secret
key: password key: password
storage: storage:
size: 5Gi size: 5Gi
@@ -109,14 +115,14 @@ mariadb-cluster:
bootstrapFrom: bootstrapFrom:
s3: s3:
bucket: mariadb-backups-b230a2f5aecf080a4b372c08 bucket: mariadb-backups-b230a2f5aecf080a4b372c08
prefix: cl01tl/grimmory prefix: cl01tl/booklore
endpoint: nyc3.digitaloceanspaces.com endpoint: nyc3.digitaloceanspaces.com
region: us-east-1 region: us-east-1
accessKeyIdSecretKeyRef: accessKeyIdSecretKeyRef:
name: grimmory-mariadb-cluster-backup-secret-external name: booklore-mariadb-cluster-backup-secret-external
key: access key: access
secretAccessKeySecretKeyRef: secretAccessKeySecretKeyRef:
name: grimmory-mariadb-cluster-backup-secret-external name: booklore-mariadb-cluster-backup-secret-external
key: secret key: secret
tls: tls:
enabled: true enabled: true
@@ -128,22 +134,21 @@ mariadb-cluster:
cleanupPolicy: Delete cleanupPolicy: Delete
requeueInterval: 10h requeueInterval: 10h
users: users:
- name: grimmory - name: booklore
passwordSecretKeyRef: passwordSecretKeyRef:
name: grimmory-database-secret name: booklore-database-secret
key: password key: password
host: '%' host: '%'
maxUserConnections: 100
cleanupPolicy: Delete cleanupPolicy: Delete
requeueInterval: 10h requeueInterval: 10h
retryInterval: 30s retryInterval: 30s
grants: grants:
- name: grimmory - name: booklore
privileges: privileges:
- "ALL PRIVILEGES" - "ALL PRIVILEGES"
database: "booklore" database: "booklore"
table: "*" table: "*"
username: grimmory username: booklore
grantOption: true grantOption: true
host: '%' host: '%'
cleanupPolicy: Delete cleanupPolicy: Delete
@@ -161,14 +166,14 @@ mariadb-cluster:
storage: storage:
s3: s3:
bucket: mariadb-backups-b230a2f5aecf080a4b372c08 bucket: mariadb-backups-b230a2f5aecf080a4b372c08
prefix: cl01tl/grimmory prefix: cl01tl/booklore
endpoint: nyc3.digitaloceanspaces.com endpoint: nyc3.digitaloceanspaces.com
region: us-east-1 region: us-east-1
accessKeyIdSecretKeyRef: accessKeyIdSecretKeyRef:
name: grimmory-mariadb-cluster-backup-secret-external name: booklore-mariadb-cluster-backup-secret-external
key: access key: access
secretAccessKeySecretKeyRef: secretAccessKeySecretKeyRef:
name: grimmory-mariadb-cluster-backup-secret-external name: booklore-mariadb-cluster-backup-secret-external
key: secret key: secret
tls: tls:
enabled: true enabled: true
@@ -183,14 +188,14 @@ mariadb-cluster:
storage: storage:
s3: s3:
bucket: mariadb-backups bucket: mariadb-backups
prefix: cl01tl/grimmory prefix: cl01tl/booklore
endpoint: garage-ps10rp.boreal-beaufort.ts.net:3900 endpoint: garage-ps10rp.boreal-beaufort.ts.net:3900
region: us-east-1 region: us-east-1
accessKeyIdSecretKeyRef: accessKeyIdSecretKeyRef:
name: grimmory-mariadb-cluster-backup-secret-garage name: booklore-mariadb-cluster-backup-secret-garage
key: access key: access
secretAccessKeySecretKeyRef: secretAccessKeySecretKeyRef:
name: grimmory-mariadb-cluster-backup-secret-garage name: booklore-mariadb-cluster-backup-secret-garage
key: secret key: secret
tls: tls:
enabled: true enabled: true
@@ -205,26 +210,39 @@ mariadb-cluster:
storage: storage:
s3: s3:
bucket: mariadb-backups bucket: mariadb-backups
prefix: cl01tl/grimmory prefix: cl01tl/booklore
endpoint: garage-main.garage:3900 endpoint: garage-main.garage:3900
region: us-east-1 region: us-east-1
accessKeyIdSecretKeyRef: accessKeyIdSecretKeyRef:
name: grimmory-mariadb-cluster-backup-secret-garage name: booklore-mariadb-cluster-backup-secret-garage
key: access key: access
secretAccessKeySecretKeyRef: secretAccessKeySecretKeyRef:
name: grimmory-mariadb-cluster-backup-secret-garage name: booklore-mariadb-cluster-backup-secret-garage
key: secret key: secret
volsync-target-config: volsync-target-config:
pvcTarget: grimmory-config pvcTarget: booklore-config
moverSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
local: local:
enabled: true enabled: true
schedule: 12 8 * * * schedule: 12 8 * * *
remote: remote:
enabled: true enabled: false
schedule: 12 9 * * *
external: external:
enabled: true enabled: true
schedule: 12 10 * * * schedule: 12 9 * * *
volsync-target-data:
pvcTarget: booklore-data
local:
enabled: true
schedule: 14 8 * * *
restic:
cacheCapacity: 10Gi
remote:
enabled: true
schedule: 14 10 * * *
restic:
cacheCapacity: 10Gi
external:
enabled: true
schedule: 14 9 * * *
restic:
cacheCapacity: 10Gi

6
clusters/cl01tl/helm/cert-manager/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: cert-manager - name: cert-manager
repository: https://charts.jetstack.io repository: https://charts.jetstack.io
version: v1.20.0 version: v1.19.4
digest: sha256:1543bd17649cb32982de3cce017fcbed1b44c41d50b76c6471b266f33e261c29 digest: sha256:5c4a0a0568677bfcf4529e6ec6a005957cd1820fd5f1d1f108e74370d409fe88
generated: "2026-03-10T16:06:49.332999536Z" generated: "2026-02-24T19:30:44.415585645Z"

9
clusters/cl01tl/helm/cert-manager/Chart.yaml
View File

@@ -5,7 +5,8 @@ description: Cert Manager
keywords: keywords:
- cert-manager - cert-manager
- certificates - certificates
home: https://docs.alexlebens.dev/applications/cert-manager/ - kubernetes
home: https://wiki.alexlebens.dev/s/368fe718-eedb-40e0-a5a7-fad03cdc6b09
sources: sources:
- https://github.com/cert-manager/cert-manager - https://github.com/cert-manager/cert-manager
- https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager - https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager
@@ -13,8 +14,8 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: cert-manager - name: cert-manager
version: v1.20.0 version: v1.19.4
repository: https://charts.jetstack.io repository: https://charts.jetstack.io
icon: https://raw.githubusercontent.com/cert-manager/cert-manager/refs/heads/master/logo/logo.png icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/cert-manager.png
# renovate: datasource=github-releases depName=cert-manager/cert-manager # renovate: datasource=github-releases depName=cert-manager/cert-manager
appVersion: v1.20.0 appVersion: v1.19.4

5
clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
View File

@@ -2,11 +2,6 @@ apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
metadata: metadata:
name: letsencrypt-issuer name: letsencrypt-issuer
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: letsencrypt-issuer
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
acme: acme:
email: alexanderlebens@gmail.com email: alexanderlebens@gmail.com

3
clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
View File

@@ -14,5 +14,8 @@ spec:
data: data:
- secretKey: api-token - secretKey: api-token
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/alexlebens.net/clusterissuer key: /cloudflare/alexlebens.net/clusterissuer
metadataPolicy: None
property: token property: token

8
clusters/cl01tl/helm/cert-manager/values.yaml
View File

@@ -3,16 +3,10 @@ cert-manager:
enabled: true enabled: true
keep: true keep: true
replicaCount: 2 replicaCount: 2
podDisruptionBudget:
enabled: true
minAvailable: 1
extraArgs: extraArgs:
- --enable-gateway-api - --enable-gateway-api
resources:
requests:
cpu: 10m
memory: 64Mi
prometheus: prometheus:
enabled: true
servicemonitor: servicemonitor:
enabled: true enabled: true
honorLabels: true honorLabels: true

6
clusters/cl01tl/helm/cilium/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: cilium - name: cilium
repository: https://helm.cilium.io/ repository: https://helm.cilium.io/
version: 1.19.2 version: 1.18.6
digest: sha256:11f8eef4733b70c2b9a91ce39fe3c1ea1ad3fa3c46750efb015e03ff6ea3655b digest: sha256:8ea328ac238524b5b423e6289f5e25d05ef64e6aa19cfd5de238f1d5dd533e9b
generated: "2026-03-27T18:04:11.205538328Z" generated: "2026-02-05T12:00:20.15778-06:00"

11
clusters/cl01tl/helm/cilium/Chart.yaml
View File

@@ -4,18 +4,19 @@ version: 1.0.0
description: Cilium description: Cilium
keywords: keywords:
- cilium - cilium
- operator - cni
- network - network
home: https://docs.alexlebens.dev/applications/cilium/ - kubernetes
home: https://wiki.alexlebens.dev/s/9e6f5b17-e186-4af0-81cd-af647b162d3d
sources: sources:
- https://github.com/cilium/cilium - https://github.com/cilium/cilium
- https://github.com/cilium/cilium/tree/main/install/kubernetes/cilium - https://github.com/cilium/charts
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: cilium - name: cilium
version: 1.19.2 version: 1.18.6
repository: https://helm.cilium.io/ repository: https://helm.cilium.io/
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png
# renovate: datasource=github-releases depName=cilium/cilium # renovate: datasource=github-releases depName=cilium/cilium
appVersion: 1.19.2 appVersion: 1.19.1

28
clusters/cl01tl/helm/cilium/values.yaml
View File

@@ -25,24 +25,36 @@ cilium:
- NET_ADMIN - NET_ADMIN
- SYS_ADMIN - SYS_ADMIN
- SYS_RESOURCE - SYS_RESOURCE
l2announcements:
enabled: false
bgpControlPlane: bgpControlPlane:
enabled: false enabled: false
secretsNamespace:
name: kube-system
statusReport:
enabled: true
routerIDAllocation:
mode: "default"
bpf: bpf:
hostLegacyRouting: true hostLegacyRouting: true
devices: end0 enp6s0 devices: end0 enp6s0
ciliumEndpointSlice: ciliumEndpointSlice:
enabled: true enabled: true
ingressController:
enabled: false
gatewayAPI: gatewayAPI:
enabled: true enabled: true
enableAppProtocol: true
enableAlpn: true enableAlpn: true
secretsNamespace: enableAppProtocol: true
create: false gatewayClass:
name: kube-system create: auto
externalIPs:
enabled: true
socketLB: socketLB:
enabled: true enabled: true
hostNamespaceOnly: true hostNamespaceOnly: true
hubble: hubble:
enabled: true
metrics: metrics:
serviceMonitor: serviceMonitor:
enabled: true enabled: true
@@ -56,6 +68,8 @@ cilium:
enabled: true enabled: true
ui: ui:
enabled: true enabled: true
ingress:
enabled: false
ipam: ipam:
mode: "kubernetes" mode: "kubernetes"
ipv4: ipv4:
@@ -63,11 +77,12 @@ cilium:
ipv6: ipv6:
enabled: false enabled: false
kubeProxyReplacement: true kubeProxyReplacement: true
l7Proxy: true
prometheus: prometheus:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
enabled: true
trustCRDsExist: true trustCRDsExist: true
enabled: true
envoy: envoy:
enabled: true enabled: true
securityContext: securityContext:
@@ -79,11 +94,14 @@ cilium:
- PERFMON - PERFMON
- BPF - BPF
prometheus: prometheus:
enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
operator: operator:
enabled: true
rollOutPods: true rollOutPods: true
prometheus: prometheus:
enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
cgroup: cgroup:

7
clusters/cl01tl/helm/cloudnative-pg/Chart.yaml
View File

@@ -6,11 +6,10 @@ keywords:
- cloudnative-pg - cloudnative-pg
- operator - operator
- postgresql - postgresql
home: https://docs.alexlebens.dev/applications/cloudnative-pg/ - kubernetes
home: https://wiki.alexlebens.dev/s/9fb10833-0278-4e64-a34c-d348d833839f
sources: sources:
- https://github.com/cloudnative-pg/cloudnative-pg - https://github.com/cloudnative-pg/cloudnative-pg
- https://github.com/cloudnative-pg/plugin-barman-cloud
- https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql
- https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg - https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
- https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud - https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud
maintainers: maintainers:
@@ -22,6 +21,6 @@ dependencies:
- name: plugin-barman-cloud - name: plugin-barman-cloud
version: 0.5.0 version: 0.5.0
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png icon: https://avatars.githubusercontent.com/u/100373852?s=200&v=4
# renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
appVersion: 1.28.1 appVersion: 1.28.1

16
clusters/cl01tl/helm/cloudnative-pg/values.yaml
View File

@@ -1,16 +1,16 @@
cloudnative-pg: cloudnative-pg:
replicaCount: 2 replicaCount: 2
resources:
requests:
cpu: 10m
memory: 100Mi
monitoring: monitoring:
podMonitorEnabled: true podMonitorEnabled: true
plugin-barman-cloud: plugin-barman-cloud:
replicaCount: 1 replicaCount: 1
image:
registry: ghcr.io
repository: cloudnative-pg/plugin-barman-cloud
tag: v0.11.0
sidecarImage:
registry: ghcr.io
repository: cloudnative-pg/plugin-barman-cloud-sidecar
tag: v0.11.0
crds: crds:
create: true create: true
resources:
requests:
cpu: 1m
memory: 20Mi

6
clusters/cl01tl/helm/code-server/Chart.lock
View File

@@ -4,9 +4,9 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.4.0 version: 2.3.0
- name: volsync-target - name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0 version: 0.8.0
digest: sha256:dee0f52096efc543f4db3a5dc2732fd37ae9b7950b264e399a6e74c2f3e7cee6 digest: sha256:13a5bb68bf58c7bf00771a804e3d7291f52e0519b1cf9bece266164dd4bfe5b8
generated: "2026-03-09T22:04:00.58415637Z" generated: "2026-03-06T01:06:30.41359289Z"

14
clusters/cl01tl/helm/code-server/Chart.yaml
View File

@@ -5,14 +5,14 @@ description: Code Server
keywords: keywords:
- code-server - code-server
- code - code
home: https://docs.alexlebens.dev/applications/code-server/ - ide
home: https://wiki.alexlebens.dev/s/233f96bb-db70-47e4-8b22-a8efcbb0f93d
sources: sources:
- https://github.com/coder/code-server - https://github.com/coder/code-server
- https://github.com/linuxserver/docker-code-server - https://github.com/cloudflare/cloudflared
- https://github.com/linuxserver/docker-code-server/pkgs/container/code-server - https://hub.docker.com/r/linuxserver/code-server
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -22,11 +22,11 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.4.0 version: 2.3.0
- name: volsync-target - name: volsync-target
alias: volsync-target-config alias: volsync-target-config
version: 0.8.0 version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
# renovate: datasource=github-releases depName=coder/code-server # renovate: datasource=github-releases depName=linuxserver/docker-code-server
appVersion: 4.112.0 appVersion: 4.108.1

6
clusters/cl01tl/helm/code-server/templates/external-secret.yaml
View File

@@ -14,9 +14,15 @@ spec:
data: data:
- secretKey: PASSWORD - secretKey: PASSWORD
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/code-server/auth key: /cl01tl/code-server/auth
metadataPolicy: None
property: PASSWORD property: PASSWORD
- secretKey: SUDO_PASSWORD - secretKey: SUDO_PASSWORD
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/code-server/auth key: /cl01tl/code-server/auth
metadataPolicy: None
property: SUDO_PASSWORD property: SUDO_PASSWORD

25
clusters/cl01tl/helm/code-server/values.yaml
View File

@@ -4,18 +4,16 @@ code-server:
type: deployment type: deployment
replicas: 1 replicas: 1
strategy: Recreate strategy: Recreate
pod: revisionHistoryLimit: 3
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
containers: containers:
main: main:
image: image:
repository: ghcr.io/linuxserver/code-server repository: ghcr.io/linuxserver/code-server
tag: 4.112.0@sha256:4bb5b8ad22268001687c047f0f04933799fb03df1eb0e1e266ba15ed2d9f4e8b tag: 4.109.5@sha256:aa43fb2fc31127e9d2166e903c7f13792351e38658ba29645662a89ff04ff90d
pullPolicy: IfNotPresent
env: env:
- name: TZ - name: TZ
value: America/Chicago value: US/Central
- name: PUID - name: PUID
value: 1000 value: 1000
- name: PGID - name: PGID
@@ -27,8 +25,8 @@ code-server:
name: codeserver-password-secret name: codeserver-password-secret
resources: resources:
requests: requests:
cpu: 1m cpu: 10m
memory: 50Mi memory: 128Mi
service: service:
main: main:
controller: main controller: main
@@ -49,8 +47,11 @@ code-server:
- code-server.alexlebens.net - code-server.alexlebens.net
rules: rules:
- backendRefs: - backendRefs:
- name: code-server - group: ''
kind: Service
name: code-server
port: 8443 port: 8443
weight: 100
matches: matches:
- path: - path:
type: PathPrefix type: PathPrefix
@@ -61,6 +62,7 @@ code-server:
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 2Gi size: 2Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
@@ -77,8 +79,7 @@ volsync-target-config:
enabled: true enabled: true
schedule: 16 8 * * * schedule: 16 8 * * *
remote: remote:
enabled: true enabled: false
schedule: 16 9 * * *
external: external:
enabled: true enabled: true
schedule: 16 10 * * * schedule: 16 9 * * *

6
clusters/cl01tl/helm/coredns/Chart.yaml
View File

@@ -5,7 +5,9 @@ description: CoreDNS
keywords: keywords:
- coredns - coredns
- dns - dns
home: https://docs.alexlebens.dev/applications/coredns/ - network
- kubernetes
home: https://wiki.alexlebens.dev/s/43947ec6-a034-449f-8c76-982ac493b072
sources: sources:
- https://github.com/coredns/coredns - https://github.com/coredns/coredns
- https://github.com/coredns/helm - https://github.com/coredns/helm
@@ -15,6 +17,6 @@ dependencies:
- name: coredns - name: coredns
version: 1.45.2 version: 1.45.2
repository: https://coredns.github.io/helm repository: https://coredns.github.io/helm
icon: https://raw.githubusercontent.com/coredns/coredns.io/refs/heads/master/static/images/favicon.png icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/coredns.png
# renovate: datasource=github-releases depName=coredns/coredns # renovate: datasource=github-releases depName=coredns/coredns
appVersion: v1.14.2 appVersion: v1.14.2

34
clusters/cl01tl/helm/coredns/values.yaml
View File

@@ -1,18 +1,23 @@
coredns: coredns:
image: image:
repository: registry.k8s.io/coredns/coredns repository: registry.k8s.io/coredns/coredns
tag: v1.14.2@sha256:e7e6440cfd1e919280958f5b5a6ab2b184d385bba774c12ad2a9e1e4183f90d9 tag: v1.14.1
replicaCount: 3 replicaCount: 3
resources: resources:
limits:
cpu: null
memory: null
requests: requests:
cpu: 30m cpu: 50m
memory: 30Mi memory: 128Mi
rollingUpdate:
maxUnavailable: 1
maxSurge: 25%
terminationGracePeriodSeconds: 30
serviceType: "ClusterIP"
prometheus: prometheus:
service: service:
enabled: true enabled: true
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9153"
monitor: monitor:
enabled: true enabled: true
namespace: kube-system namespace: kube-system
@@ -24,7 +29,18 @@ coredns:
serviceAccount: serviceAccount:
create: true create: true
name: coredns name: coredns
rbac:
create: true
isClusterService: true
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
servers: servers:
- zones: - zones:
- zone: . - zone: .
@@ -61,8 +77,6 @@ coredns:
- name: errors - name: errors
- name: cache - name: cache
parameters: 30 parameters: 30
- name: prometheus
parameters: :9153
- name: forward - name: forward
parameters: . 10.111.232.172 parameters: . 10.111.232.172
- zones: - zones:
@@ -74,8 +88,6 @@ coredns:
- name: errors - name: errors
- name: cache - name: cache
parameters: 30 parameters: 30
- name: prometheus
parameters: :9153
- name: forward - name: forward
parameters: . 10.97.20.219 parameters: . 10.97.20.219
nodeSelector: nodeSelector:
@@ -88,4 +100,6 @@ coredns:
operator: Exists operator: Exists
effect: NoSchedule effect: NoSchedule
deployment: deployment:
skipConfig: false
enabled: true
name: coredns name: coredns

8
clusters/cl01tl/helm/dawarich/Chart.lock
View File

@@ -4,9 +4,9 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: postgres-cluster - name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 7.10.0 version: 7.8.0
- name: valkey - name: valkey
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0 version: 0.3.0
digest: sha256:7584c2a1613454bbd83b66df46170fd0157df5186842844d483e2dd131398574 digest: sha256:c821fa072d58d7e7704b16dd8a1ca89c24922bbc77e61e360627359c0ca17a94
generated: "2026-03-15T20:04:49.68456485Z" generated: "2026-03-06T06:33:34.529244471Z"

11
clusters/cl01tl/helm/dawarich/Chart.yaml
View File

@@ -5,13 +5,10 @@ description: Dawarich
keywords: keywords:
- dawarich - dawarich
- location - location
home: https://docs.alexlebens.dev/applications/dawarich/ home: https://wiki.alexlebens.dev/s/
sources: sources:
- https://github.com/Freika/dawarich - https://github.com/Freika/dawarich
- https://hub.docker.com/r/freikin/dawarich
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -21,12 +18,12 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: postgres-cluster - name: postgres-cluster
alias: postgres-18-cluster alias: postgres-18-cluster
version: 7.10.0 version: 7.8.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey - name: valkey
alias: valkey alias: valkey
version: 0.4.0 version: 0.3.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
# renovate: datasource=github-releases depName=Freika/dawarich # renovate: datasource=github-releases depName=Freika/dawarich
appVersion: 1.4.0 appVersion: 1.3.2

9
clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
View File

@@ -14,7 +14,10 @@ spec:
data: data:
- secretKey: key - secretKey: key
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/dawarich/key key: /cl01tl/dawarich/key
metadataPolicy: None
property: key property: key
--- ---
@@ -34,9 +37,15 @@ spec:
data: data:
- secretKey: client - secretKey: client
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/dawarich key: /authentik/oidc/dawarich
metadataPolicy: None
property: client property: client
- secretKey: secret - secretKey: secret
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/dawarich key: /authentik/oidc/dawarich
metadataPolicy: None
property: secret property: secret

77
clusters/cl01tl/helm/dawarich/values.yaml
View File

@@ -4,20 +4,15 @@ dawarich:
type: deployment type: deployment
replicas: 1 replicas: 1
strategy: Recreate strategy: Recreate
revisionHistoryLimit: 3
containers: containers:
main: main:
image: image:
repository: freikin/dawarich repository: freikin/dawarich
tag: 1.4.0@sha256:07adb7643b00d1d8f606c675931d3604317fa3851b91b74ec503df8d50734cb8 tag: 1.3.2
command: pullPolicy: IfNotPresent
- "web-entrypoint.sh" command: ["web-entrypoint.sh"]
args: args: ["bin/rails", "server", "-p", "3000", "-b", "::"]
- "bin/rails"
- "server"
- "-p"
- "3000"
- "-b"
- "::"
env: env:
- name: RAILS_ENV - name: RAILS_ENV
value: production value: production
@@ -91,14 +86,14 @@ dawarich:
value: true value: true
probes: probes:
liveness: liveness:
enabled: true enabled: false
custom: true custom: true
spec: spec:
exec: exec:
command: command:
- /bin/sh - /bin/sh
- -c - -c
- "wget -qO - http://127.0.0.1:3000/api/v1/health | grep -q '\"status\"\\s*:\\s*\"ok\"'" - wget -qO - http://127.0.0.1:3000/api/v1/health | grep -Eq '\"status\"\\s*:\\s*\"ok\"'
failureThreshold: 5 failureThreshold: 5
initialDelaySeconds: 60 initialDelaySeconds: 60
periodSeconds: 10 periodSeconds: 10
@@ -106,16 +101,15 @@ dawarich:
timeoutSeconds: 10 timeoutSeconds: 10
resources: resources:
requests: requests:
cpu: 20m cpu: 10m
memory: 750Mi memory: 128Mi
sidekiq: sidekiq:
image: image:
repository: freikin/dawarich repository: freikin/dawarich
tag: 1.4.0@sha256:07adb7643b00d1d8f606c675931d3604317fa3851b91b74ec503df8d50734cb8 tag: 1.3.2
command: pullPolicy: IfNotPresent
- "sidekiq-entrypoint.sh" command: ["sidekiq-entrypoint.sh"]
args: args: ["sidekiq"]
- "sidekiq"
env: env:
- name: RAILS_ENV - name: RAILS_ENV
value: production value: production
@@ -191,19 +185,23 @@ dawarich:
value: true value: true
probes: probes:
liveness: liveness:
enabled: true enabled: false
custom: true custom: true
spec: spec:
exec: exec:
command: command:
- pgrep - /bin/sh
- -f - -c
- sidekiq - pgrep -f sidekiq
failureThreshold: 5 failureThreshold: 5
initialDelaySeconds: 60 initialDelaySeconds: 60
periodSeconds: 10 periodSeconds: 10
successThreshold: 1 successThreshold: 1
timeoutSeconds: 10 timeoutSeconds: 10
resources:
requests:
cpu: 10m
memory: 128Mi
service: service:
main: main:
controller: main controller: main
@@ -240,8 +238,11 @@ dawarich:
- dawarich.alexlebens.net - dawarich.alexlebens.net
rules: rules:
- backendRefs: - backendRefs:
- name: dawarich - group: ""
kind: Service
name: dawarich
port: 80 port: 80
weight: 100
matches: matches:
- path: - path:
type: PathPrefix type: PathPrefix
@@ -252,6 +253,7 @@ dawarich:
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 5Gi size: 5Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
@@ -265,6 +267,7 @@ dawarich:
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 5Gi size: 5Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
@@ -278,6 +281,7 @@ dawarich:
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 1Gi size: 1Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
@@ -309,9 +313,32 @@ postgres-18-cluster:
destinationBucket: postgres-backups destinationBucket: postgres-backups
externalSecretCredentialPath: /garage/home-infra/postgres-backups externalSecretCredentialPath: /garage/home-infra/postgres-backups
isWALArchiver: true isWALArchiver: true
# - name: garage-remote
# index: 1
# destinationBucket: postgres-backups
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# retentionPolicy: "90d"
# data:
# compression: bzip2
# - name: external
# index: 1
# endpointURL: https://nyc3.digitaloceanspaces.com
# destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# isWALArchiver: false
scheduledBackups: scheduledBackups:
- name: live-backup - name: live-backup
suspend: false suspend: false
immediate: true immediate: true
schedule: "0 10 14 * * *" schedule: "0 0 0 * * *"
backupName: garage-local backupName: garage-local
# - name: weekly-backup
# suspend: true
# immediate: true
# schedule: "0 0 4 * * SAT"
# backupName: garage-remote
# - name: daily-backup
# suspend: true
# immediate: true
# schedule: "0 0 0 * * *"
# backupName: external

6
clusters/cl01tl/helm/decluttarr/Chart.lock Normal file
View File

@@ -0,0 +1,6 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
digest: sha256:548ae1f8699100a2f6bac11a4a3137402b3eea340c7a3db4d9f1813ad6a11dca
generated: "2026-02-23T22:08:42.516245-06:00"

19
clusters/cl01tl/helm/rclone/Chart.yaml → clusters/cl01tl/helm/decluttarr/Chart.yaml
View File

@@ -1,23 +1,20 @@
apiVersion: v2 apiVersion: v2
name: rclone name: decluttarr
version: 1.0.0 version: 1.0.0
description: Rclone description: decluttarr
keywords: keywords:
- rclone - decluttarr
- job - servarr
- kubernetes
home: https://wiki.alexlebens.dev/s/ home: https://wiki.alexlebens.dev/s/
sources: sources:
- https://github.com/rclone/rclone - https://github.com/ManiMatter/decluttarr
- https://hub.docker.com/r/rclone/rclone
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: app-template - name: app-template
alias: rclone alias: decluttarr
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2 version: 4.6.2
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/rclone.webp # renovate: datasource=github-releases depName=ManiMatter/decluttarr
# renovate: datasource=github-releases depName=rclone/rclone appVersion: v2.0.0
appVersion: v1.73.3

21
clusters/cl01tl/helm/decluttarr/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: decluttarr-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: decluttarr-config-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.yaml
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/decluttarr/config
metadataPolicy: None
property: config.yaml

32
clusters/cl01tl/helm/decluttarr/values.yaml Normal file
View File

@@ -0,0 +1,32 @@
decluttarr:
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/manimatter/decluttarr
tag: v2.0.0
pullPolicy: IfNotPresent
env:
- name: TZ
value: America/Chicago
resources:
requests:
cpu: 10m
memory: 128Mi
persistence:
config:
enabled: true
type: secret
name: decluttarr-config-secret
advancedMounts:
main:
main:
- path: /app/config/config.yaml
readOnly: true
mountPropagation: None
subPath: config.yaml

3
clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.yaml
View File

@@ -5,7 +5,8 @@ description: Democratic CSI
keywords: keywords:
- democratic-csi-synology-iscsi - democratic-csi-synology-iscsi
- iscsi - iscsi
home: https://docs.alexlebens.dev/applications/democratic-csi-synology-iscsi/ - kubernetes
home: https://wiki.alexlebens.dev/s/0cc6ba65-024b-4489-952a-fc0f647fd099
sources: sources:
- https://github.com/democratic-csi/democratic-csi - https://github.com/democratic-csi/democratic-csi
- https://github.com/democratic-csi/charts/tree/master/stable/democratic-csi - https://github.com/democratic-csi/charts/tree/master/stable/democratic-csi

3
clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml
View File

@@ -14,5 +14,8 @@ spec:
data: data:
- secretKey: driver-config-file.yaml - secretKey: driver-config-file.yaml
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/democratic-csi-synology-iscsi/config key: /cl01tl/democratic-csi-synology-iscsi/config
metadataPolicy: None
property: driver-config-file.yaml property: driver-config-file.yaml

7
clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
View File

@@ -3,13 +3,12 @@ democratic-csi:
existingConfigSecret: synology-iscsi-config-secret existingConfigSecret: synology-iscsi-config-secret
config: config:
driver: synology-iscsi driver: synology-iscsi
resources:
requests:
cpu: 1m
memory: 128Mi
csiDriver: csiDriver:
name: "org.democratic-csi.iscsi-synology" name: "org.democratic-csi.iscsi-synology"
controller: controller:
enabled: true
rbac:
enabled: true
replicaCount: 2 replicaCount: 2
storageClasses: storageClasses:
- name: synology-iscsi-delete - name: synology-iscsi-delete

6
clusters/cl01tl/helm/descheduler/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: descheduler - name: descheduler
repository: https://kubernetes-sigs.github.io/descheduler/ repository: https://kubernetes-sigs.github.io/descheduler/
version: 0.35.1 version: 0.35.0
digest: sha256:ed7cc8068b83ac483fda3a781227b35e12a34abdca214b5490e7036c89db1a95 digest: sha256:afa0e5fe35f9287db619de604c82a22c3ab90dfcaa3a845ff30491e47c7a5846
generated: "2026-03-09T21:21:45.788316167Z" generated: "2026-02-19T23:03:22.794515683Z"

7
clusters/cl01tl/helm/descheduler/Chart.yaml
View File

@@ -5,7 +5,8 @@ description: Descheduler
keywords: keywords:
- descheduler - descheduler
- kube-scheduler - kube-scheduler
home: https://docs.alexlebens.dev/applications/descheduler/ - kubernetes
home: https://wiki.alexlebens.dev/s/0c38b7e4-4573-487c-82b0-4eeeb00e1276
sources: sources:
- https://github.com/kubernetes-sigs/descheduler - https://github.com/kubernetes-sigs/descheduler
- https://github.com/kubernetes-sigs/descheduler/tree/master/charts/descheduler - https://github.com/kubernetes-sigs/descheduler/tree/master/charts/descheduler
@@ -13,8 +14,8 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: descheduler - name: descheduler
version: 0.35.1 version: 0.35.0
repository: https://kubernetes-sigs.github.io/descheduler/ repository: https://kubernetes-sigs.github.io/descheduler/
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
# renovate: datasource=github-releases depName=kubernetes-sigs/descheduler # renovate: datasource=github-releases depName=kubernetes-sigs/descheduler
appVersion: v0.35.1 appVersion: v0.35.0

41
clusters/cl01tl/helm/descheduler/values.yaml
View File

@@ -1,22 +1,27 @@
descheduler: descheduler:
kind: Deployment kind: Deployment
resources: resources:
limits:
cpu: null
memory: null
requests: requests:
cpu: 10m cpu: 10m
memory: 50Mi memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
deschedulingInterval: 5m deschedulingInterval: 5m
replicas: 3 replicas: 1
leaderElection: leaderElection:
enabled: true enabled: false
leaseDuration: 15s command:
renewDeadline: 10s - "/bin/descheduler"
retryPeriod: 2s cmdOptions:
resourceLock: "leases" v: 3
resourceName: "descheduler" deschedulerPolicyAPIVersion: "descheduler/v1alpha2"
resourceNamespace: "descheduler"
deschedulerPolicy: deschedulerPolicy:
profiles: profiles:
- name: default - name: default
@@ -48,13 +53,13 @@ descheduler:
- name: LowNodeUtilization - name: LowNodeUtilization
args: args:
thresholds: thresholds:
cpu: 20 cpu: 30
memory: 20 memory: 30
pods: 20 pods: 50
targetThresholds: targetThresholds:
cpu: 50 cpu: 60
memory: 50 memory: 40
pods: 60 pods: 80
plugins: plugins:
balance: balance:
enabled: enabled:

8
clusters/cl01tl/helm/directus/Chart.lock
View File

@@ -4,9 +4,9 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: postgres-cluster - name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 7.10.0 version: 7.8.0
- name: valkey - name: valkey
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 0.4.0 version: 0.3.0
digest: sha256:dfcb5d35e03ecdc4206227d206d36509319f0dcdaed54363840d71337debb3f7 digest: sha256:65b9b0756236f2281e3eb1a7aaa9d5f85822aa22071f6f49cc6a1ead0ec9373d
generated: "2026-03-15T20:05:03.156596646Z" generated: "2026-03-06T06:33:47.967177348Z"

16
clusters/cl01tl/helm/directus/Chart.yaml
View File

@@ -4,14 +4,16 @@ version: 1.0.0
description: Directus description: Directus
keywords: keywords:
- directus - directus
- content-management-system - cms
home: https://docs.alexlebens.dev/applications/descheduler/ home: https://wiki.alexlebens.dev/s/c2d242de-dcaa-4801-86a2-c4761dc8bf9b
sources: sources:
- https://github.com/directus/directus - https://github.com/directus/directus
- https://github.com/directus/directus/pkgs/container/directus - https://github.com/cloudflare/cloudflared
- https://github.com/cloudnative-pg/cloudnative-pg
- https://hub.docker.com/r/directus/directus
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -21,12 +23,12 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: postgres-cluster - name: postgres-cluster
alias: postgres-18-cluster alias: postgres-18-cluster
version: 7.10.0 version: 7.8.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey - name: valkey
alias: valkey alias: valkey
version: 0.4.0 version: 0.3.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
# renovate: datasource=github-releases depName=directus/directus # renovate: datasource=github-releases depName=directus/directus
appVersion: 11.17.0 appVersion: 11.16.0

58
clusters/cl01tl/helm/directus/templates/external-secret.yaml
View File

@@ -14,19 +14,31 @@ spec:
data: data:
- secretKey: admin-email - secretKey: admin-email
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/config key: /cl01tl/directus/config
metadataPolicy: None
property: admin-email property: admin-email
- secretKey: admin-password - secretKey: admin-password
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/config key: /cl01tl/directus/config
metadataPolicy: None
property: admin-password property: admin-password
- secretKey: secret - secretKey: secret
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/config key: /cl01tl/directus/config
metadataPolicy: None
property: secret property: secret
- secretKey: key - secretKey: key
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/config key: /cl01tl/directus/config
metadataPolicy: None
property: key property: key
--- ---
@@ -46,11 +58,17 @@ spec:
data: data:
- secretKey: OIDC_CLIENT_ID - secretKey: OIDC_CLIENT_ID
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/directus key: /authentik/oidc/directus
metadataPolicy: None
property: client property: client
- secretKey: OIDC_CLIENT_SECRET - secretKey: OIDC_CLIENT_SECRET
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/directus key: /authentik/oidc/directus
metadataPolicy: None
property: secret property: secret
--- ---
@@ -70,37 +88,12 @@ spec:
data: data:
- secretKey: metric-token - secretKey: metric-token
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/metrics key: /cl01tl/directus/metrics
metadataPolicy: None
property: metric-token property: metric-token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-bucket-garage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-bucket-garage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_SECRET_KEY
- secretKey: ACCESS_REGION
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_REGION
--- ---
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
@@ -118,13 +111,22 @@ spec:
data: data:
- secretKey: default - secretKey: default
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/valkey key: /cl01tl/directus/valkey
metadataPolicy: None
property: password property: password
- secretKey: user - secretKey: user
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/valkey key: /cl01tl/directus/valkey
metadataPolicy: None
property: user property: user
- secretKey: password - secretKey: password
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/valkey key: /cl01tl/directus/valkey
metadataPolicy: None
property: password property: password

11
clusters/cl01tl/helm/directus/templates/object-bucket-claim.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
name: ceph-bucket-directus
labels:
app.kubernetes.io/name: ceph-bucket-directus
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
generateBucketName: bucket-directus
storageClassName: ceph-bucket

61
clusters/cl01tl/helm/directus/values.yaml
View File

@@ -4,11 +4,12 @@ directus:
type: deployment type: deployment
replicas: 1 replicas: 1
strategy: Recreate strategy: Recreate
revisionHistoryLimit: 3
containers: containers:
main: main:
image: image:
repository: ghcr.io/directus/directus repository: directus/directus
tag: 11.17.0@sha256:076269ccbe7d4a0c44ce5f5b7f11e2ea5f7b3e4c4f704c0f88a52805e069c1c6 tag: 11.16.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
env: env:
- name: PUBLIC_URL - name: PUBLIC_URL
@@ -89,22 +90,22 @@ directus:
- name: STORAGE_S3_KEY - name: STORAGE_S3_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: directus-bucket-garage name: ceph-bucket-directus
key: ACCESS_KEY_ID key: AWS_ACCESS_KEY_ID
- name: STORAGE_S3_SECRET - name: STORAGE_S3_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: directus-bucket-garage name: ceph-bucket-directus
key: ACCESS_SECRET_KEY key: AWS_SECRET_ACCESS_KEY
- name: STORAGE_S3_REGION
valueFrom:
secretKeyRef:
name: directus-bucket-garage
key: ACCESS_REGION
- name: STORAGE_S3_BUCKET - name: STORAGE_S3_BUCKET
value: directus-assets valueFrom:
configMapKeyRef:
name: ceph-bucket-directus
key: BUCKET_NAME
- name: STORAGE_S3_REGION
value: us-east-1
- name: STORAGE_S3_ENDPOINT - name: STORAGE_S3_ENDPOINT
value: http://garage-main.garage:3900 value: http://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc:80
- name: STORAGE_S3_FORCE_PATH_STYLE - name: STORAGE_S3_FORCE_PATH_STYLE
value: true value: true
- name: AUTH_PROVIDERS - name: AUTH_PROVIDERS
@@ -143,7 +144,7 @@ directus:
resources: resources:
requests: requests:
cpu: 10m cpu: 10m
memory: 1Gi memory: 256Mi
service: service:
main: main:
controller: main controller: main
@@ -179,8 +180,11 @@ directus:
- directus.alexlebens.net - directus.alexlebens.net
rules: rules:
- backendRefs: - backendRefs:
- name: directus - group: ''
kind: Service
name: directus
port: 80 port: 80
weight: 100
matches: matches:
- path: - path:
type: PathPrefix type: PathPrefix
@@ -198,12 +202,35 @@ postgres-18-cluster:
destinationBucket: postgres-backups destinationBucket: postgres-backups
externalSecretCredentialPath: /garage/home-infra/postgres-backups externalSecretCredentialPath: /garage/home-infra/postgres-backups
isWALArchiver: true isWALArchiver: true
# - name: garage-remote
# index: 1
# destinationBucket: postgres-backups
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# retentionPolicy: "90d"
# data:
# compression: bzip2
# - name: external
# index: 1
# endpointURL: https://nyc3.digitaloceanspaces.com
# destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# isWALArchiver: false
scheduledBackups: scheduledBackups:
- name: live-backup - name: live-backup
suspend: false suspend: false
immediate: true immediate: true
schedule: "0 15 14 * * *" schedule: "0 0 0 * * *"
backupName: garage-local backupName: garage-local
# - name: weekly-backup
# suspend: true
# immediate: true
# schedule: "0 0 4 * * SAT"
# backupName: garage-remote
# - name: daily-backup
# suspend: true
# immediate: true
# schedule: "0 0 0 * * *"
# backupName: external
valkey: valkey:
valkey: valkey:
auth: auth:
@@ -212,3 +239,5 @@ valkey:
aclUsers: aclUsers:
default: default:
permissions: "~* &* +@all" permissions: "~* &* +@all"
metrics:
enabled: false

5
clusters/cl01tl/helm/elastic-operator/Chart.yaml
View File

@@ -6,7 +6,8 @@ keywords:
- elastic-operator - elastic-operator
- operator - operator
- elastic-search - elastic-search
home: https://docs.alexlebens.dev/applications/elastic-operator/ - kubernetes
home: https://wiki.alexlebens.dev/s/
sources: sources:
- https://github.com/elastic/cloud-on-k8s - https://github.com/elastic/cloud-on-k8s
- https://github.com/elastic/cloud-on-k8s/tree/main/deploy/eck-operator - https://github.com/elastic/cloud-on-k8s/tree/main/deploy/eck-operator
@@ -16,6 +17,6 @@ dependencies:
- name: eck-operator - name: eck-operator
version: 3.3.1 version: 3.3.1
repository: https://helm.elastic.co repository: https://helm.elastic.co
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/elastic.png icon: https://helm.elastic.co/icons/eck.png
# renovate: datasource=github-releases depName=elastic/cloud-on-k8s # renovate: datasource=github-releases depName=elastic/cloud-on-k8s
appVersion: v3.3.1 appVersion: v3.3.1

7
clusters/cl01tl/helm/elastic-operator/values.yaml
View File

@@ -4,13 +4,6 @@ eck-operator:
- stalwart - stalwart
installCRDs: true installCRDs: true
replicaCount: 2 replicaCount: 2
resources:
limits:
cpu: null
memory: null
requests:
cpu: 2m
memory: 50Mi
telemetry: telemetry:
disabled: true disabled: true
config: config:

8
clusters/cl01tl/helm/element-web/Chart.lock
View File

@@ -1,9 +1,9 @@
dependencies: dependencies:
- name: element-web - name: element-web
repository: https://ananace.gitlab.io/charts repository: https://ananace.gitlab.io/charts
version: 1.4.33 version: 1.4.31
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.4.0 version: 2.3.0
digest: sha256:63b0e582d42fb42bcf4d96ba4b299e42c434c42f284208596808288543192fe0 digest: sha256:7447f3828246d85acd5a2a75b6d086d8fbe29ee90ad61b96dd25de8dcfefbc4e
generated: "2026-03-24T16:11:50.424321433Z" generated: "2026-03-03T18:08:31.901975101Z"

14
clusters/cl01tl/helm/element-web/Chart.yaml
View File

@@ -4,22 +4,24 @@ version: 1.0.0
description: Element Web description: Element Web
keywords: keywords:
- element-web - element-web
- matrix-chat - chat
home: https://docs.alexlebens.dev/applications/element-web/ - matrix
home: https://wiki.alexlebens.dev/s/e3b03481-1a1d-4b56-8cd9-e75a8dcc0f6c
sources: sources:
- https://github.com/element-hq/element-web - https://github.com/element-hq/element-web
- https://github.com/element-hq/element-web/pkgs/container/element-web - https://github.com/cloudflare/cloudflared
- https://hub.docker.com/r/vectorim/element-web
- https://gitlab.com/ananace/charts/-/tree/master/charts/element-web - https://gitlab.com/ananace/charts/-/tree/master/charts/element-web
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: element-web - name: element-web
version: 1.4.33 version: 1.4.31
repository: https://ananace.gitlab.io/charts repository: https://ananace.gitlab.io/charts
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.4.0 version: 2.3.0
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
# renovate: datasource=github-releases depName=element-hq/element-web # renovate: datasource=github-releases depName=element-hq/element-web
appVersion: v1.12.13 appVersion: v1.12.11

11
clusters/cl01tl/helm/element-web/values.yaml
View File

@@ -1,8 +1,9 @@
element-web: element-web:
replicaCount: 1 replicaCount: 1
image: image:
repository: ghcr.io/element-hq/element-web repository: vectorim/element-web
tag: v1.12.13@sha256:5107e63026c13ed014f743e485821b7d4b56d275a41e76303859bb14f5f94eb6 tag: v1.12.11
pullPolicy: IfNotPresent
defaultServer: defaultServer:
url: https://matrix.alexlebens.dev url: https://matrix.alexlebens.dev
name: alexlebens.dev name: alexlebens.dev
@@ -17,7 +18,9 @@ element-web:
immediate: true immediate: true
default_theme: dark default_theme: dark
default_country_code: US default_country_code: US
ingress:
enabled: false
resources: resources:
requests: requests:
cpu: 1m cpu: 10m
memory: 10Mi memory: 128Mi

6
clusters/cl01tl/helm/eraser/Chart.yaml
View File

@@ -5,10 +5,10 @@ description: Eraser
keywords: keywords:
- eraser - eraser
- images - images
home: https://docs.alexlebens.dev/applications/eraser/ - kubernetes
home: https://wiki.alexlebens.dev/s/bb53ffae-0eda-4ed6-9fdd-894e672b4377
sources: sources:
- https://github.com/eraser-dev/eraser - https://github.com/eraser-dev/eraser
- https://github.com/eraser-dev/eraser/pkgs/container/eraser-manager
- https://github.com/eraser-dev/eraser/tree/main/charts/eraser - https://github.com/eraser-dev/eraser/tree/main/charts/eraser
maintainers: maintainers:
- name: alexlebens - name: alexlebens
@@ -16,6 +16,6 @@ dependencies:
- name: eraser - name: eraser
version: 1.4.1 version: 1.4.1
repository: https://eraser-dev.github.io/eraser/charts repository: https://eraser-dev.github.io/eraser/charts
icon: https://raw.githubusercontent.com/eraser-dev/eraser/refs/heads/main/images/eraser-logo-color-1c.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
# renovate: datasource=github-releases depName=eraser-dev/eraser # renovate: datasource=github-releases depName=eraser-dev/eraser
appVersion: v1.4.1 appVersion: v1.4.1

69
clusters/cl01tl/helm/eraser/values.yaml
View File

@@ -1,37 +1,70 @@
eraser: eraser:
runtimeConfig: runtimeConfig:
apiVersion: eraser.sh/v1alpha3
kind: EraserConfig
manager: manager:
runtime:
name: containerd
address: unix:///run/containerd/containerd.sock
logLevel: info
scheduling: scheduling:
repeatInterval: 24h repeatInterval: 24h
beginImmediately: true beginImmediately: true
profile:
enabled: false
port: 6060
imageJob: imageJob:
successRatio: 1.0
cleanup: cleanup:
delayOnSuccess: 0s delayOnSuccess: 0s
delayOnFailure: 24h delayOnFailure: 24h
nodeFilter:
type: exclude
selectors:
- eraser.sh/cleanup.filter
- kubernetes.io/os=windows
components: components:
collector: collector:
image: enabled: true
repo: ghcr.io/eraser-dev/collector
tag: v1.4.1@sha256:827588ff826c3558bf2c50b1fc94f20122b054dfcf3480c3ffe6f0bae25c3dad
request: request:
cpu: 1m cpu: 10m
memory: 20Mi memory: 128Mi
scanner: scanner:
enabled: false enabled: false
remover:
image:
repo: ghcr.io/eraser-dev/remover
tag: v1.4.1@sha256:e57592157d717588f69c011cd0b6ab783a19a53b447a5350b27e7e66aae67525
request: request:
cpu: 1m cpu: 100m
memory: 20Mi memory: 128Mi
config: "" # |
# cacheDir: /var/lib/trivy
# dbRepo: ghcr.io/aquasecurity/trivy-db
# deleteFailedImages: true
# deleteEOLImages: true
# vulnerabilities:
# ignoreUnfixed: true
# types:
# - os
# - library
# securityChecks:
# - vuln
# severities:
# - CRITICAL
# - HIGH
# - MEDIUM
# - LOW
# ignoredStatuses:
# timeout:
# total: 23h
# perImage: 1h
remover:
request:
cpu: 10m
memory: 128Mi
deploy: deploy:
image: securityContext:
repo: ghcr.io/eraser-dev/eraser-manager allowPrivilegeEscalation: false
tag: v1.4.1@sha256:5f18fb7da4ccad93a8643ece496681f1489b0d7b0ce45e18a94774cf8b6a717d
resources: resources:
limits:
memory: null
requests: requests:
cpu: 1m cpu: 10m
memory: 20Mi memory: 30Mi
nodeSelector:
kubernetes.io/os: linux

3
clusters/cl01tl/helm/excalidraw/Chart.yaml
View File

@@ -4,8 +4,7 @@ version: 1.0.0
description: Excalidraw description: Excalidraw
keywords: keywords:
- excalidraw - excalidraw
- drawing home: https://wiki.alexlebens.dev/
home: https://docs.alexlebens.dev/applications/eraser/
sources: sources:
- https://github.com/excalidraw/excalidraw - https://github.com/excalidraw/excalidraw
- https://hub.docker.com/r/excalidraw/excalidraw - https://hub.docker.com/r/excalidraw/excalidraw

11
clusters/cl01tl/helm/excalidraw/values.yaml
View File

@@ -4,11 +4,13 @@ excalidraw:
type: deployment type: deployment
replicas: 1 replicas: 1
strategy: Recreate strategy: Recreate
revisionHistoryLimit: 3
containers: containers:
main: main:
image: image:
repository: excalidraw/excalidraw repository: excalidraw/excalidraw
tag: latest@sha256:3c2513e830bb6e195147c05b34ecf8393d0ba2b1cc86e93b407a5777d6135c6c tag: latest@sha256:3c2513e830bb6e195147c05b34ecf8393d0ba2b1cc86e93b407a5777d6135c6c
pullPolicy: IfNotPresent
env: env:
- name: NODE_ENV - name: NODE_ENV
value: production value: production
@@ -16,8 +18,8 @@ excalidraw:
value: America/Chicago value: America/Chicago
resources: resources:
requests: requests:
cpu: 1m cpu: 10m
memory: 10Mi memory: 128Mi
service: service:
main: main:
controller: main controller: main
@@ -38,8 +40,11 @@ excalidraw:
- excalidraw.alexlebens.net - excalidraw.alexlebens.net
rules: rules:
- backendRefs: - backendRefs:
- name: excalidraw - group: ''
kind: Service
name: excalidraw
port: 80 port: 80
weight: 100
matches: matches:
- path: - path:
type: PathPrefix type: PathPrefix

5
clusters/cl01tl/helm/external-dns/Chart.yaml
View File

@@ -5,10 +5,11 @@ description: External DNS
keywords: keywords:
- external-dns - external-dns
- dns - dns
home: https://docs.alexlebens.dev/applications/eraser/ - unifi
- kubernetes
home: https://wiki.alexlebens.dev/s/7b50e4da-5dc1-4f62-baf9-14b5fed64552
sources: sources:
- https://github.com/kubernetes-sigs/external-dns - https://github.com/kubernetes-sigs/external-dns
- https://github.com/kashalls/external-dns-unifi-webhook
- https://github.com/kubernetes-sigs/external-dns/tree/master/charts/external-dns - https://github.com/kubernetes-sigs/external-dns/tree/master/charts/external-dns
maintainers: maintainers:
- name: alexlebens - name: alexlebens

3
clusters/cl01tl/helm/external-dns/templates/external-secret.yaml
View File

@@ -14,5 +14,8 @@ spec:
data: data:
- secretKey: api-key - secretKey: api-key
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /unifi/auth/cl01tl key: /unifi/auth/cl01tl
metadataPolicy: None
property: api-key property: api-key

18
clusters/cl01tl/helm/external-dns/values.yaml
View File

@@ -1,27 +1,25 @@
external-dns-unifi: external-dns-unifi:
fullnameOverride: external-dns-unifi fullnameOverride: external-dns-unifi
resources:
requests:
cpu: 1m
memory: 80Mi
serviceMonitor: serviceMonitor:
enabled: true enabled: true
interval: 360m interval: 1m
sources: sources:
- ingress
- crd - crd
- gateway-httproute - gateway-httproute
- gateway-tlsroute - gateway-tlsroute
policy: sync policy: sync
registry: txt
txtOwnerId: default txtOwnerId: default
txtPrefix: k8s. txtPrefix: k8s.
domainFilters: ["alexlebens.net"] domainFilters: ["alexlebens.net"]
excludeDomains: ["alexlebens.dev"] excludeDomains: []
provider: provider:
name: webhook name: webhook
webhook: webhook:
image: image:
repository: ghcr.io/kashalls/external-dns-unifi-webhook repository: ghcr.io/kashalls/external-dns-unifi-webhook
tag: v0.8.2@sha256:7f0ddbbc83a36a2a9d762e25eef9cafcb3adf0493068a27d72ae71087eafe6f0 tag: v0.8.2
env: env:
- name: UNIFI_HOST - name: UNIFI_HOST
value: https://192.168.1.1 value: https://192.168.1.1
@@ -31,14 +29,18 @@ external-dns-unifi:
name: external-dns-unifi-secret name: external-dns-unifi-secret
key: api-key key: api-key
- name: LOG_LEVEL - name: LOG_LEVEL
value: info value: debug
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz
port: http-webhook port: http-webhook
initialDelaySeconds: 10
timeoutSeconds: 5
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /readyz path: /readyz
port: http-webhook port: http-webhook
initialDelaySeconds: 10
timeoutSeconds: 5
extraArgs: extraArgs:
- --ignore-ingress-tls-spec - --ignore-ingress-tls-spec

6
clusters/cl01tl/helm/external-secrets/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: external-secrets - name: external-secrets
repository: https://charts.external-secrets.io repository: https://charts.external-secrets.io
version: 2.2.0 version: 2.1.0
digest: sha256:3894df20e1f3d56bc9789177181a84d8ae1402ef76ec6328e417ce5a568738ae digest: sha256:b19563d51f1922403185979c6c442531a7bb13d302e8438b5a18d450259b7245
generated: "2026-03-26T19:19:15.734454-05:00" generated: "2026-03-07T18:02:23.908145348Z"

12
clusters/cl01tl/helm/external-secrets/Chart.yaml
View File

@@ -5,17 +5,15 @@ description: External Secrets
keywords: keywords:
- external-secrets - external-secrets
- secrets - secrets
- operator - vault
home: https://docs.alexlebens.dev/applications/eraser/ home: https://wiki.alexlebens.dev/s/d29044fb-0d63-4500-8853-2971964f356a
sources: sources:
- https://github.com/external-secrets/external-secrets - https://github.com/external-secrets/external-secrets
- https://github.com/external-secrets/external-secrets/pkgs/container/external-secrets
- https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets - https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
dependencies: dependencies:
- name: external-secrets - name: external-secrets
alias: external-secrets version: 2.1.0
version: 2.2.0
repository: https://charts.external-secrets.io repository: https://charts.external-secrets.io
icon: https://raw.githubusercontent.com/external-secrets/external-secrets/refs/heads/main/assets/eso-logo-large.png icon: https://avatars.githubusercontent.com/u/68335991?s=48&v=4
# renovate: datasource=github-releases depName=external-secrets/external-secrets # renovate: datasource=github-releases depName=external-secrets/external-secrets
appVersion: v2.2.0 appVersion: v2.1.0

44
clusters/cl01tl/helm/external-secrets/values.yaml
View File

@@ -1,44 +0,0 @@
external-secrets:
replicaCount: 3
image:
repository: ghcr.io/external-secrets/external-secrets
tag: v2.2.0@sha256:876e627dbee5b0edd12da49b035469d12418cd6c3c4be5e383ae6a82e8bd4565
installCRDs: true
crds:
createClusterExternalSecret: true
createClusterSecretStore: true
createSecretStore: true
createClusterGenerator: true
createClusterPushSecret: true
createPushSecret: true
leaderElect: true
extendedMetricLabels: true
resources:
requests:
cpu: 5m
memory: 50Mi
serviceMonitor:
enabled: true
livenessProbe:
enabled: true
readinessProbe:
enabled: true
podDisruptionBudget:
enabled: true
minAvailable: 1
webhook:
image:
repository: ghcr.io/external-secrets/external-secrets
tag: v2.2.0@sha256:876e627dbee5b0edd12da49b035469d12418cd6c3c4be5e383ae6a82e8bd4565
resources:
requests:
cpu: 1m
memory: 30Mi
certController:
image:
repository: ghcr.io/external-secrets/external-secrets
tag: v2.2.0@sha256:876e627dbee5b0edd12da49b035469d12418cd6c3c4be5e383ae6a82e8bd4565
resources:
requests:
cpu: 1m
memory: 60Mi

9
clusters/cl01tl/helm/foldergram/Chart.lock
View File

@@ -1,9 +0,0 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
digest: sha256:59100c6fbfb829f9d703b9ee1cf869c4fd77b6ff53c63b0c644a757223027e58
generated: "2026-03-22T12:42:43.150705-05:00"

27
clusters/cl01tl/helm/foldergram/Chart.yaml
View File

@@ -1,27 +0,0 @@
apiVersion: v2
name: foldergram
version: 1.0.0
description: Foldergram
keywords:
- foldergram
- pictures
home: https://docs.alexlebens.dev/applications/foldergram/
sources:
- https://github.com/foldergram/foldergram
- https://github.com/foldergram/foldergram/pkgs/container/foldergram
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: foldergram
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
- name: volsync-target
alias: volsync-target-data
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://raw.githubusercontent.com/foldergram/foldergram/refs/heads/main/client/public/icon-512.png
# renovate: datasource=github-releases depName=foldergram/foldergram
appVersion: v1.0.8

17
clusters/cl01tl/helm/foldergram/templates/persistent-volume-claim.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: foldergram-pictures-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: foldergram-pictures-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: foldergram-pictures-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

23
clusters/cl01tl/helm/foldergram/templates/persistent-volume.yaml
View File

@@ -1,23 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: foldergram-pictures-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: foldergram-pictures-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Pictures
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac

86
clusters/cl01tl/helm/foldergram/values.yaml
View File

@@ -1,86 +0,0 @@
foldergram:
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
pod:
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
containers:
main:
image:
repository: ghcr.io/foldergram/foldergram
tag: 1.0.8@sha256:3546dc1da4ec12cb27aaecbf77896d708ac7601eb0225e0f6e181d7ef35273f9
pullPolicy: IfNotPresent
env:
- name: IMAGE_DETAIL_SOURCE
value: original
- name: DERIVATIVE_MODE
value: lazy
- name: DATA_ROOT
value: ./data
- name: GALLERY_ROOT
value: /gallery
- name: CSRF_TRUSTED_ORIGINS
value: https://foldergram.alexlebens.net
resources:
requests:
cpu: 1m
memory: 230Mi
service:
main:
controller: main
ports:
http:
port: 80
targetPort: 4141
protocol: HTTP
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- foldergram.alexlebens.net
rules:
- backendRefs:
- name: foldergram
port: 80
matches:
- path:
type: PathPrefix
value: /
persistence:
cache:
forceRename: foldergram-data
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 10Gi
advancedMounts:
main:
main:
- path: /app/data
readOnly: false
pictures:
existingClaim: foldergram-pictures-nfs-storage
advancedMounts:
main:
main:
- path: /gallery/pictures
readOnly: true
volsync-target-data:
pvcTarget: foldergram-data
local:
enabled: true
schedule: 46 11 * * *
remote:
enabled: true
schedule: 46 12 * * *
external:
enabled: true
schedule: 46 13 * * *

Some files were not shown because too many files have changed in this diff Show More