
b9fb25dbfe Merge branch 'tmp/secrets-5' of https://gitea.alexlebens.net/alexlebens/infrastructure into tmp/secrets-5
All checks were successful
lint-test-helm / lint-helm (pull_request) Successful in 10m10s
lint-test-helm / validate-kubeconform (pull_request) Successful in 13m10s
2026-04-23 17:44:45 -05:00
995efc147b feat: add more
All checks were successful
lint-test-docker / lint-docker-compose (pull_request) Successful in 1m0s
lint-test-helm / lint-helm (pull_request) Successful in 9m50s
lint-test-helm / validate-kubeconform (pull_request) Successful in 11m46s
2026-04-23 17:25:56 -05:00
3d58df753b feat: add more
All checks were successful
lint-test-docker / lint-docker-compose (pull_request) Successful in 42s
lint-test-helm / lint-helm (pull_request) Successful in 15m53s
lint-test-helm / validate-kubeconform (pull_request) Successful in 16m48s
2026-04-23 16:40:37 -05:00
4cda238587 feat: add more
All checks were successful
lint-test-docker / lint-docker-compose (pull_request) Successful in 2m0s
lint-test-helm / lint-helm (pull_request) Successful in 9m32s
lint-test-helm / validate-kubeconform (pull_request) Successful in 9m26s
2026-04-22 20:12:26 -05:00
5cf0638c16 feat: add more
All checks were successful
lint-test-docker / lint-docker-compose (pull_request) Successful in 1m10s
lint-test-helm / lint-helm (pull_request) Successful in 8m57s
lint-test-helm / validate-kubeconform (pull_request) Successful in 10m14s
2026-04-22 19:38:17 -05:00
134ce4ae01 feat: add more
All checks were successful
lint-test-docker / lint-docker-compose (pull_request) Successful in 1m8s
lint-test-helm / lint-helm (pull_request) Successful in 9m3s
lint-test-helm / validate-kubeconform (pull_request) Successful in 10m26s
2026-04-22 19:14:38 -05:00
8282c9a8fb feat: add more
All checks were successful
lint-test-docker / lint-docker-compose (pull_request) Successful in 32s
lint-test-helm / lint-helm (pull_request) Successful in 14m19s
lint-test-helm / validate-kubeconform (pull_request) Successful in 16m8s
2026-04-22 17:44:05 -05:00
6e5435df6d feat: add matrix synapse
All checks were successful
lint-test-docker / lint-docker-compose (pull_request) Successful in 18s
lint-test-helm / lint-helm (pull_request) Successful in 11m19s
lint-test-helm / validate-kubeconform (pull_request) Successful in 11m1s
2026-04-22 17:19:58 -05:00
152f505392 feat: add more
All checks were successful
lint-test-docker / lint-docker-compose (pull_request) Successful in 1m29s
lint-test-helm / lint-helm (pull_request) Successful in 14m5s
lint-test-helm / validate-kubeconform (pull_request) Successful in 15m47s
2026-04-22 16:30:51 -05:00
ea88f7bedc feat: add kubelet-cerT
All checks were successful
lint-test-docker / lint-docker-compose (pull_request) Successful in 1m50s
lint-test-helm / lint-helm (pull_request) Successful in 15m8s
lint-test-helm / validate-kubeconform (pull_request) Successful in 17m33s
2026-04-22 15:55:48 -05:00
f99d2e89a1 feat: add prom
All checks were successful
lint-test-docker / lint-docker-compose (pull_request) Successful in 1m25s
lint-test-helm / lint-helm (pull_request) Successful in 8m17s
lint-test-helm / validate-kubeconform (pull_request) Successful in 9m55s
2026-04-22 15:50:30 -05:00
6b02b1d331 feat: remove 2026-04-22 15:50:30 -05:00
7116db2e89 fix: wrong indent 2026-04-22 15:50:30 -05:00
77e0319ec8 feat: Add ispon 2026-04-22 15:50:30 -05:00
b41ef0a840 chore(deps): update searxng/searxng:latest docker digest to 37c616a 2026-04-22 15:50:30 -05:00
f1137e7a58 chore(deps): update ghcr.io/linuxserver/lidarr:3.1.2-nightly docker digest to d17f32d 2026-04-22 15:50:30 -05:00
f2280ff40a feat: add more
All checks were successful
lint-test-helm / lint-helm (pull_request) Successful in 12m40s
lint-test-helm / validate-kubeconform (pull_request) Successful in 14m29s
2026-04-21 21:13:37 -05:00
e104eae55e feat: convert many
Some checks failed
lint-test-helm / lint-helm (pull_request) Successful in 9m13s
lint-test-helm / validate-kubeconform (pull_request) Failing after 10m43s
2026-04-21 20:47:16 -05:00
26 changed files with 123 additions and 275 deletions


@@ -169,10 +169,9 @@ jobs:
echo ">> Running linting on changed charts ..." echo ">> Running linting on changed charts ..."
lint_chart() { for DIR in ${CHANGED_CHARTS}; do
local DIR="$1" CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}" CHART_NAME=$(basename "${CHART_PATH}")
local CHART_NAME=$(basename "${CHART_PATH}")
if [ -f "${CHART_PATH}/Chart.yaml" ]; then if [ -f "${CHART_PATH}/Chart.yaml" ]; then
echo "" echo ""
@@ -183,8 +182,15 @@ jobs:
echo ">> Linting helm chart ${CHART_NAME} ..." echo ">> Linting helm chart ${CHART_NAME} ..."
if ! helm lint "${CHART_PATH}" --namespace "default"; then if ! helm lint "${CHART_PATH}" --namespace "default"; then
echo "${DIR}" > ".failed_chart_${CHART_NAME}" EXIT_CODE=1
return 1
if [ -z "${FAILED_CHARTS}" ]; then
FAILED_CHARTS="${DIR}"
else
FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
fi
fi fi
else else
@@ -192,20 +198,8 @@ jobs:
echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..." echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
fi fi
}
export -f lint_chart done
export CLUSTER
for DIR in ${CHANGED_CHARTS}; do
echo "${DIR}"
done | xargs -P 4 -I {} bash -c 'OUT=$(lint_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
if ls .failed_chart_* 1> /dev/null 2>&1; then
EXIT_CODE=1
FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
rm -f .failed_chart_*
fi
echo "" echo ""
echo "----" echo "----"
@@ -335,9 +329,8 @@ jobs:
EXIT_CODE=0 EXIT_CODE=0
FAILED_CHARTS="" FAILED_CHARTS=""
validate_chart() { for DIR in ${CHANGED_CHARTS}; do
local DIR="$1" CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
echo "" echo ""
echo ">> Validating: ${DIR}" echo ">> Validating: ${DIR}"
@@ -350,23 +343,18 @@ jobs:
-strict \ -strict \
-summary; then -summary; then
echo "${DIR}" > ".failed_chart_${DIR}" EXIT_CODE=1
return 1
if [ -z "${FAILED_CHARTS}" ]; then
FAILED_CHARTS="${DIR}"
else
FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
fi
fi fi
}
export -f validate_chart done
export CLUSTER SCHEMA_LOCATIONS
for DIR in ${CHANGED_CHARTS}; do
echo "${DIR}"
done | xargs -P 4 -I {} bash -c 'OUT=$(validate_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
if ls .failed_chart_* 1> /dev/null 2>&1; then
EXIT_CODE=1
FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
rm -f .failed_chart_*
fi
echo "" echo ""
echo "----" echo "----"
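Review bot: The FAILED_CHARTS accumulation in the new lint loop (the five-line `if [ -z "${FAILED_CHARTS}" ] … fi` block after `EXIT_CODE=1`) is repeated verbatim in the validate step's hunk further down; a single parameter expansion, `FAILED_CHARTS="${FAILED_CHARTS:+${FAILED_CHARTS}, }${DIR}"`, replaces each block and cannot drift between the two steps. Both loops iterate `for DIR in ${CHANGED_CHARTS}` unquoted, which is intended for word splitting but also subjects each entry to glob expansion; if CHANGED_CHARTS is ever derived from pull-request content (its origin is outside the hunk), a `set -f` before the loop keeps a chart name containing `*` from expanding. The enclosing `run:` script starts before the first hunk and ends after the last.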


@@ -19,4 +19,4 @@ dependencies:
version: 4.6.2 version: 4.6.2
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/excalidraw.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/excalidraw.png
# renovate: datasource=github-releases depName=excalidraw/excalidraw # renovate: datasource=github-releases depName=excalidraw/excalidraw
appVersion: v0.18.1 appVersion: v0.18.0


@@ -13,5 +13,5 @@ spec:
data: data:
- secretKey: api-key - secretKey: api-key
remoteRef: remoteRef:
key: /unifi/users/cl01tl key: /unifi/auth/cl01tl
property: api-key property: api-key


@@ -70,7 +70,7 @@ foldergram:
forceRename: foldergram-data forceRename: foldergram-data
storageClass: synology-iscsi-delete storageClass: synology-iscsi-delete
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 500Gi size: 250Gi
advancedMounts: advancedMounts:
main: main:
main: main:
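Review bot: If 250Gi is the new value on the changed `size:` line, Kubernetes will reject it, because `spec.resources.requests.storage` on an existing PersistentVolumeClaim can only grow, and `forceRename: foldergram-data` pins the claim to a fixed name that presumably already exists. Shrinking therefore means deleting and recreating the claim (and migrating its data) on the `synology-iscsi-delete` class, which should be a deliberate step rather than a side effect of a values change. Either keep 500Gi or document the recreate next to the value, e.g. `# cannot shrink in place; claim must be recreated to change size`.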


@@ -213,7 +213,7 @@ gitea-actions:
registry: docker.io registry: docker.io
repository: docker repository: docker
# renovate: datasource=docker depName=docker # renovate: datasource=docker depName=docker
tag: 29.4.1-dind@sha256:c77e5d7912f9b137cc67051fdc2991d8f5ae22c55ddf532bb836dcb693a04940 tag: 29.4.0-dind@sha256:f80c26212befc1c1988b529495532c6b9180d9b1dab1611f4a1efbe9da8ec821
extraVolumeMounts: extraVolumeMounts:
- name: docker-vol - name: docker-vol
mountPath: /var/lib/docker mountPath: /var/lib/docker


@@ -1,10 +1,10 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: grimmory-database-secret name: grimmory-database-config
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: grimmory-database-secret app.kubernetes.io/name: grimmory-database-config
{{- include "custom.labels" . | nindent 4 }} {{- include "custom.labels" . | nindent 4 }}
spec: spec:
secretStoreRef: secretStoreRef:
@@ -33,11 +33,11 @@ spec:
- secretKey: access - secretKey: access
remoteRef: remoteRef:
key: /digital-ocean/home-infra/mariadb-backups key: /digital-ocean/home-infra/mariadb-backups
property: AWS_ACCESS_KEY_ID property: access
- secretKey: secret - secretKey: secret
remoteRef: remoteRef:
key: /digital-ocean/home-infra/mariadb-backups key: /digital-ocean/home-infra/mariadb-backups
property: AWS_SECRET_ACCESS_KEY property: secret
--- ---
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1


@@ -27,7 +27,7 @@ grimmory:
- name: DATABASE_PASSWORD - name: DATABASE_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: grimmory-database-secret name: grimmory-database-config
key: password key: password
- name: GRIMMORY_PORT - name: GRIMMORY_PORT
value: 6060 value: 6060
@@ -98,7 +98,7 @@ mariadb-cluster:
mariadb: mariadb:
rootPasswordSecretKeyRef: rootPasswordSecretKeyRef:
generate: false generate: false
name: grimmory-database-secret name: grimmory-database-config
key: password key: password
storage: storage:
size: 5Gi size: 5Gi
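Review bot: The renamed `grimmory-database-config` secret's `password` key is wired both as the application's `DATABASE_PASSWORD` and, in the second hunk, as `mariadb.rootPasswordSecretKeyRef`, so unless a separate DATABASE_USER is set outside the hunk the application authenticates to MariaDB as root. A dedicated database user with its own password key keeps the app at least privilege and lets the root credential rotate independently; if sharing is deliberate, say so next to the reference, e.g. `# NOTE: app reuses the MariaDB root password — TODO split into an app user`. Separately, the context line `value: 6060` for GRIMMORY_PORT is an unquoted integer; Kubernetes env values must be strings, so write `value: "6060"` unless the chart is known to stringify it.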


@@ -23,7 +23,7 @@ home-assistant:
code-server: code-server:
image: image:
repository: ghcr.io/linuxserver/code-server repository: ghcr.io/linuxserver/code-server
tag: 4.117.0-ls334@sha256:1f384394d473c43ab6a39b2227ba3aa9c95af648ce3a67e1b4da1969c16c7c0d tag: 4.116.0-ls333@sha256:4620adace18935dd6ca79d77e3bc1c379e21875392192f970cf5d6b0fb4aefcd
env: env:
- name: TZ - name: TZ
value: America/Chicago value: America/Chicago


@@ -21,5 +21,5 @@ spec:
property: user property: user
- secretKey: password - secretKey: password
remoteRef: remoteRef:
key: /cl01tl/jellystat/config key: /cl01tl/jellystat/cconfig
property: password property: password
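Review bot: The remoteRef key `/cl01tl/jellystat/cconfig` has a doubled `c`; if that is the new side, the `password` entry will point at a path that does not exist, the ExternalSecret will never become Ready, and the workload that consumes it will fail to start. The line should read `key: /cl01tl/jellystat/config`, matching the other spelling shown on this line; the `user` entry's key is outside the hunk and is worth checking for the same path at the same time.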


@@ -13,7 +13,7 @@ spec:
data: data:
- secretKey: ntfy_password - secretKey: ntfy_password
remoteRef: remoteRef:
key: /cl01tl/ntfy/users/cl01tl key: / cl01tl/ntfy/users/cl01tl
property: password property: password
--- ---
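Review bot: The remoteRef key `/ cl01tl/ntfy/users/cl01tl` contains a space after the leading slash, so the provider will look up a path that does not exist and the `ntfy_password` key will not sync. It should be `key: /cl01tl/ntfy/users/cl01tl`. The value is a plain scalar and the space survives YAML parsing, so nothing in the lint pipeline will catch this; only the ExternalSecret status will.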


@@ -26,4 +26,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/libation.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/libation.png
# renovate: datasource=github-releases depName=rmcrackan/Libation # renovate: datasource=github-releases depName=rmcrackan/Libation
appVersion: 13.3.5 appVersion: 13.3.4


@@ -12,7 +12,7 @@ libation:
main: main:
image: image:
repository: rmcrackan/libation repository: rmcrackan/libation
tag: 13.3.5@sha256:fcfeaa406a3567e3de89d85bf761d17868029c6e8a127922672770cb812b9be8 tag: 13.3.4@sha256:eb0357e8a880ed0049dffd2a99a9d2eda322ed33b3b9e16f4fb93eb15275f396
env: env:
- name: SLEEP_TIME - name: SLEEP_TIME
value: "-1" value: "-1"


@@ -16,102 +16,22 @@ spec:
fileName: config.yaml fileName: config.yaml
secretPath: secret/data/cl01tl/matrix-synapse/config secretPath: secret/data/cl01tl/matrix-synapse/config
secretKey: config.yaml secretKey: config.yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: matrix-synapse-oidc-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: matrix-synapse-oidc-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: matrix-synapse
objects: |
- objectName: oidc.yaml - objectName: oidc.yaml
fileName: oidc.yaml fileName: oidc.yaml
secretPath: secret/data/cl01tl/matrix-synapse/config secretPath: secret/data/cl01tl/matrix-synapse/config
secretKey: oidc.yaml secretKey: oidc.yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: matrix-synapse-hookshot-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: matrix-synapse-hookshot-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: matrix-synapse
objects: |
- objectName: hookshot-registration.yaml - objectName: hookshot-registration.yaml
fileName: hookshot-registration.yaml fileName: hookshot-registration.yaml
secretPath: secret/data/cl01tl/matrix-synapse/hookshot secretPath: secret/data/cl01tl/matrix-synapse/hookshot
secretKey: hookshot-registration.yaml secretKey: hookshot-registration.yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: matrix-synapse-mautrix-discord-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: matrix-synapse-mautrix-discord-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: matrix-synapse
objects: |
- objectName: mautrix-discord-registration.yaml - objectName: mautrix-discord-registration.yaml
fileName: mautrix-discord-registration.yaml fileName: mautrix-discord-registration.yaml
secretPath: secret/data/cl01tl/matrix-synapse/mautrix-discord secretPath: secret/data/cl01tl/matrix-synapse/mautrix-discord
secretKey: mautrix-discord-registration.yaml secretKey: mautrix-discord-registration.yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: matrix-synapse-mautrix-whatsapp-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: matrix-synapse-mautrix-whatsapp-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: matrix-synapse
objects: |
- objectName: mautrix-whatsapp-registration.yaml - objectName: mautrix-whatsapp-registration.yaml
fileName: mautrix-whatsapp-registration.yaml fileName: mautrix-whatsapp-registration.yaml
secretPath: secret/data/cl01tl/matrix-synapse/mautrix-whatsapp secretPath: secret/data/cl01tl/matrix-synapse/mautrix-whatsapp
secretKey: mautrix-whatsapp-registration.yaml secretKey: mautrix-whatsapp-registration.yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: matrix-synapse-double-puppet-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: matrix-synapse-double-puppet-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: matrix-synapse
objects: |
- objectName: double-puppet-registration.yaml - objectName: double-puppet-registration.yaml
fileName: double-puppet-registration.yaml fileName: double-puppet-registration.yaml
secretPath: secret/data/cl01tl/matrix-synapse/double-puppet secretPath: secret/data/cl01tl/matrix-synapse/double-puppet


@@ -43,67 +43,11 @@ matrix-synapse:
readOnly: true readOnly: true
volumeAttributes: volumeAttributes:
secretProviderClass: matrix-synapse-config secretProviderClass: matrix-synapse-config
- name: oidc-config
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: matrix-synapse-oidc-config
- name: hookshot-config
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: matrix-synapse-hookshot-config
- name: mautrix-discord-config
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: matrix-synapse-mautrix-discord-config
- name: mautrix-whatsapp-config
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: matrix-synapse-mautrix-whatsapp-config
- name: double-puppet-config
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: matrix-synapse-double-puppet-config
extraVolumeMounts: extraVolumeMounts:
- name: config - name: config
mountPath: /synapse/config/conf.d/config.yaml mountPath: /synapse/config/conf.d
mountPropagation: None mountPropagation: None
readOnly: true readOnly: true
subPath: config.yaml
- name: oidc-config
mountPath: /synapse/config/conf.d/oidc.yaml
mountPropagation: None
readOnly: true
subPath: oidc.yaml
- name: hookshot-config
mountPath: /synapse/config/conf.d/hookshot-registration.yaml
mountPropagation: None
readOnly: true
subPath: hookshot-registration.yaml
- name: mautrix-discord-config
mountPath: /synapse/config/conf.d/mautrix-discord-registration.yaml
mountPropagation: None
readOnly: true
subPath: mautrix-discord-registration.yaml
- name: mautrix-whatsapp-config
mountPath: /synapse/config/conf.d/mautrix-whatsapp-registration.yaml
mountPropagation: None
readOnly: true
subPath: mautrix-whatsapp-registration.yaml
- name: double-puppet-config
mountPath: /synapse/config/conf.d/double-puppet-registration.yaml
mountPropagation: None
readOnly: true
subPath: double-puppet-registration.yaml
resources: resources:
requests: requests:
cpu: 10m cpu: 10m
@@ -174,8 +118,6 @@ matrix-hookshot:
type: deployment type: deployment
replicas: 1 replicas: 1
strategy: Recreate strategy: Recreate
serviceAccount:
name: matrix-synapse
containers: containers:
main: main:
image: image:
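Review bot: The matrix-hookshot hunk drops `serviceAccount.name: matrix-synapse`, so that Deployment now runs under the namespace's default ServiceAccount; if hookshot still mounts a secrets-store CSI volume whose SecretProviderClass uses `roleName: matrix-synapse` (its volumes are outside the hunk), the provider authenticates with the pod's ServiceAccount token and the mount will be refused unless the OpenBao role also binds the default SA. Binding the default SA would widen who can read the registration secrets, so the least-privilege fix is a dedicated `matrix-hookshot` ServiceAccount and role rather than reusing synapse's. In the matrix-synapse hunk the `config` volume is now mounted as a directory at `/synapse/config/conf.d` instead of per-file with `subPath`; that shadows anything the image ships in conf.d, which is fine only if the image ships nothing there — confirm.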


@@ -127,7 +127,7 @@ ollama:
- name: WEBUI_SECRET_KEY - name: WEBUI_SECRET_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: open-webui-key name: ollama-key
key: key key: key
- name: DATABASE_URL - name: DATABASE_URL
valueFrom: valueFrom:


@@ -19,7 +19,7 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: openbao - name: openbao
version: 0.27.2 version: 0.27.1
repository: https://openbao.github.io/openbao-helm repository: https://openbao.github.io/openbao-helm
- name: app-template - name: app-template
alias: unseal alias: unseal


@@ -9,7 +9,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: AWS_ACCESS_KEY_ID - secretKey: AWS_ACCESS_KEY_ID
remoteRef: remoteRef:
@@ -40,20 +40,24 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: ENVIRONMENT - secretKey: ENVIRONMENT
remoteRef: remoteRef:
key: /cl01tl/openbao/unseal key: /cl01tl/openbao/unseal
property: environment property: ENVIRONMENT
- secretKey: NODES - secretKey: NODES
remoteRef: remoteRef:
key: /cl01tl/openbao/unseal key: /cl01tl/openbao/unseal
property: nodes property: NODES
- secretKey: TOKENS - secretKey: TOKENS
remoteRef: remoteRef:
key: /cl01tl/openbao/unseal key: /cl01tl/openbao/unseal
property: tokens-1 property: TOKENS_1
- secretKey: NOTIFY_QUEUE_URLS
remoteRef:
key: /cl01tl/openbao/unseal
property: NOTIFY_QUEUE_URLS
--- ---
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
@@ -67,20 +71,24 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: ENVIRONMENT - secretKey: ENVIRONMENT
remoteRef: remoteRef:
key: /cl01tl/openbao/unseal key: /cl01tl/openbao/unseal
property: environment property: ENVIRONMENT
- secretKey: NODES - secretKey: NODES
remoteRef: remoteRef:
key: /cl01tl/openbao/unseal key: /cl01tl/openbao/unseal
property: nodes property: NODES
- secretKey: TOKENS - secretKey: TOKENS
remoteRef: remoteRef:
key: /cl01tl/openbao/unseal key: /cl01tl/openbao/unseal
property: tokens-2 property: TOKENS_2
- secretKey: NOTIFY_QUEUE_URLS
remoteRef:
key: /cl01tl/openbao/unseal
property: NOTIFY_QUEUE_URLS
--- ---
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
@@ -94,46 +102,61 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: ENVIRONMENT - secretKey: ENVIRONMENT
remoteRef: remoteRef:
key: /cl01tl/openbao/unseal key: /cl01tl/openbao/unseal
property: environment property: ENVIRONMENT
- secretKey: NODES - secretKey: NODES
remoteRef: remoteRef:
key: /cl01tl/openbao/unseal key: /cl01tl/openbao/unseal
property: nodes property: NODES
- secretKey: TOKENS - secretKey: TOKENS
remoteRef: remoteRef:
key: /cl01tl/openbao/unseal key: /cl01tl/openbao/unseal
property: tokens-3 property: TOKENS_3
- secretKey: NOTIFY_QUEUE_URLS
remoteRef:
key: /cl01tl/openbao/unseal
property: NOTIFY_QUEUE_URLS
--- # ---
apiVersion: external-secrets.io/v1 # apiVersion: external-secrets.io/v1
kind: ExternalSecret # kind: ExternalSecret
metadata: # metadata:
name: openbao-ntfy-unseal-config # name: openbao-token
namespace: {{ .Release.Namespace }} # namespace: {{ .Release.Namespace }}
labels: # labels:
app.kubernetes.io/name: openbao-ntfy-unseal-config # app.kubernetes.io/name: openbao-token
{{- include "custom.labels" . | nindent 4 }} # app.kubernetes.io/instance: {{ .Release.Name }}
spec: # app.kubernetes.io/part-of: {{ .Release.Name }}
secretStoreRef: # spec:
kind: ClusterSecretStore # secretStoreRef:
name: openbao # kind: ClusterSecretStore
target: # name: openbao
template: # data:
mergePolicy: Merge # - secretKey: token
engineVersion: v2 # remoteRef:
data: # key: /cl01tl/openbao/token
NOTIFY_QUEUE_URLS: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}/?priority=4&tags=vault,unseal&title=Vault+Unsealed" # property: token
data: # - secretKey: unseal_key_1
- secretKey: endpoint # remoteRef:
remoteRef: # key: /cl01tl/openbao/token
key: /cl01tl/ntfy/users/cl01tl # property: unseal_key_1
property: internal-endpoint-credential # - secretKey: unseal_key_2
- secretKey: topic # remoteRef:
remoteRef: # key: /cl01tl/openbao/token
key: /cl01tl/ntfy/topics # property: unseal_key_2
property: openbao # - secretKey: unseal_key_3
# remoteRef:
# key: /cl01tl/openbao/token
# property: unseal_key_3
# - secretKey: unseal_key_4
# remoteRef:
# key: /cl01tl/openbao/token
# property: unseal_key_4
# - secretKey: unseal_key_5
# remoteRef:
# key: /cl01tl/openbao/token
# property: unseal_key_5
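Review bot: The new side keeps a fully commented-out `openbao-token` ExternalSecret (the `# ---` through `# property: unseal_key_5` lines) that, if ever uncommented, would copy the root token and all five unseal key shares from `/cl01tl/openbao/token` into one Kubernetes Secret, undoing the separation this same file establishes by spreading `TOKENS_1`…`TOKENS_3` across the three `openbao-unseal-config-N` secrets. Dead manifests belong in git history, not in the template; delete the block rather than leaving a ready-to-enable path to the full unseal quorum. The same hunks, and the later sections whose only change is `name: openbao` to `name: vault` (the ACCESS_KEY_ID secrets and the metrics-password secret), switch `secretStoreRef.name` to `vault`; every one of those ExternalSecrets goes NotReady unless a ClusterSecretStore named `vault` exists, and that object is not in this compare, so confirm it is applied first.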


@@ -160,8 +160,6 @@ unseal:
envFrom: envFrom:
- secretRef: - secretRef:
name: openbao-unseal-config-1 name: openbao-unseal-config-1
- secretRef:
name: openbao-ntfy-unseal-config
resources: resources:
requests: requests:
cpu: 1m cpu: 1m
@@ -178,8 +176,6 @@ unseal:
envFrom: envFrom:
- secretRef: - secretRef:
name: openbao-unseal-config-2 name: openbao-unseal-config-2
- secretRef:
name: openbao-ntfy-unseal-config
resources: resources:
requests: requests:
cpu: 1m cpu: 1m
@@ -196,8 +192,6 @@ unseal:
envFrom: envFrom:
- secretRef: - secretRef:
name: openbao-unseal-config-3 name: openbao-unseal-config-3
- secretRef:
name: openbao-ntfy-unseal-config
resources: resources:
requests: requests:
cpu: 1m cpu: 1m


@@ -55,5 +55,5 @@ spec:
data: data:
- secretKey: PAPERLESS_SOCIALACCOUNT_PROVIDERS - secretKey: PAPERLESS_SOCIALACCOUNT_PROVIDERS
remoteRef: remoteRef:
key: /cl01tl/authentik/oidc/paperless-ngx key: /authentik/oidc/paperless-ngx
property: PAPERLESS_SOCIALACCOUNT_PROVIDERS property: PAPERLESS_SOCIALACCOUNT_PROVIDERS


@@ -71,9 +71,9 @@ qbittorrent:
name: protonvpn-wireguard-conf name: protonvpn-wireguard-conf
key: private-key key: private-key
- name: FIREWALL_OUTBOUND_SUBNETS - name: FIREWALL_OUTBOUND_SUBNETS
value: 192.168.1.0/24,10.0.0.0/8 value: 192.168.1.0/24,10.244.0.0/16
- name: FIREWALL_INPUT_PORTS - name: FIREWALL_INPUT_PORTS
value: 8080,9022 value: 5030,50300
- name: VPN_PORT_FORWARDING - name: VPN_PORT_FORWARDING
value: 'on' value: 'on'
- name: VPN_PORT_FORWARDING_UP_COMMAND - name: VPN_PORT_FORWARDING_UP_COMMAND
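Review bot: The new `FIREWALL_INPUT_PORTS` value for qbittorrent, `5030,50300`, is exactly the slskd value in the later section and drops `8080,9022`, presumably the WebUI and listen ports, so gluetun's firewall would block inbound traffic to qbittorrent while opening two ports nothing in this pod listens on; this looks like a copy-paste from the slskd values and should stay `value: 8080,9022` (confirm against the container ports outside the hunk). Narrowing `FIREWALL_OUTBOUND_SUBNETS` from `10.0.0.0/8` to `10.244.0.0/16` here and in the slskd and tubearchivist sections is a good tightening, but if the cluster's Service CIDR is not inside 10.244.0.0/16, ClusterIP traffic from the VPN-wrapped containers will be dropped — confirm that both the pod and service CIDRs are covered.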


@@ -44,7 +44,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: ACCESS_KEY_ID - secretKey: ACCESS_KEY_ID
remoteRef: remoteRef:
@@ -79,7 +79,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: ACCESS_KEY_ID - secretKey: ACCESS_KEY_ID
remoteRef: remoteRef:
@@ -114,7 +114,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: ACCESS_KEY_ID - secretKey: ACCESS_KEY_ID
remoteRef: remoteRef:
@@ -149,7 +149,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: ACCESS_KEY_ID - secretKey: ACCESS_KEY_ID
remoteRef: remoteRef:
@@ -184,7 +184,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: ACCESS_KEY_ID - secretKey: ACCESS_KEY_ID
remoteRef: remoteRef:


@@ -9,7 +9,7 @@ metadata:
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: metrics-password - secretKey: metrics-password
remoteRef: remoteRef:


@@ -73,7 +73,7 @@ slskd:
name: protonvpn-wireguard-conf name: protonvpn-wireguard-conf
key: private-key key: private-key
- name: FIREWALL_OUTBOUND_SUBNETS - name: FIREWALL_OUTBOUND_SUBNETS
value: 192.168.1.0/24,10.0.0.0/8 value: 192.168.1.0/24,10.244.0.0/16
- name: FIREWALL_INPUT_PORTS - name: FIREWALL_INPUT_PORTS
value: 5030,50300 value: 5030,50300
- name: DNS_UPSTREAM_RESOLVER_TYPE - name: DNS_UPSTREAM_RESOLVER_TYPE


@@ -62,7 +62,7 @@ tubearchivist:
name: protonvpn-wireguard-conf name: protonvpn-wireguard-conf
key: private-key key: private-key
- name: FIREWALL_OUTBOUND_SUBNETS - name: FIREWALL_OUTBOUND_SUBNETS
value: 192.168.1.0/24,10.0.0.0/8 value: 192.168.1.0/24,10.244.0.0/16
- name: FIREWALL_INPUT_PORTS - name: FIREWALL_INPUT_PORTS
value: 80,8000,24000 value: 80,8000,24000
- name: DNS_UPSTREAM_RESOLVER_TYPE - name: DNS_UPSTREAM_RESOLVER_TYPE


@@ -1,24 +1,5 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata:
name: vault-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vault-token
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: token
remoteRef:
key: /cl01tl/vault/token
property: root
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata: metadata:
name: vault-snapshot-agent-role name: vault-snapshot-agent-role
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
@@ -93,7 +74,7 @@ spec:
data: data:
- secretKey: BUCKET - secretKey: BUCKET
remoteRef: remoteRef:
key: /digital-ocean/home-infra/vault-backups key: /digital-ocean/home-infra/vault-backup
property: BUCKET_PATH property: BUCKET_PATH
--- ---
@@ -193,12 +174,12 @@ spec:
data: data:
- secretKey: NTFY_TOKEN - secretKey: NTFY_TOKEN
remoteRef: remoteRef:
key: /cl01tl/ntfy/users/cl01tl key: /ntfy/user/cl01tl
property: token property: token
- secretKey: NTFY_ENDPOINT - secretKey: NTFY_ENDPOINT
remoteRef: remoteRef:
key: /cl01tl/ntfy/config key: /ntfy/user/cl01tl
property: internal-endpoint property: endpoint
- secretKey: NTFY_TOPIC - secretKey: NTFY_TOPIC
remoteRef: remoteRef:
key: /cl01tl/ntfy/topics key: /cl01tl/ntfy/topics
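Review bot: In the last hunk the `NTFY_TOKEN` and `NTFY_ENDPOINT` keys now come from `/ntfy/user/cl01tl`, while the unchanged `NTFY_TOPIC` entry directly below still reads `/cl01tl/ntfy/topics` and the ntfy ExternalSecret earlier in this compare addresses the same user under `/cl01tl/ntfy/users/cl01tl`; three spellings for one user's secrets means at least one of these remoteRefs will fail to resolve. Pick one layout (the `/cl01tl/ntfy/...` form matches the rest of the keys in this compare) and use it for all three entries. The middle hunk likewise renames the bucket key from `/digital-ocean/home-infra/vault-backups` to `vault-backup` while the grimmory secret keeps the plural `mariadb-backups`; verify the singular path exists before merging, since a typo here silently leaves the snapshot agent without a bucket.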


@@ -14,7 +14,7 @@ spec:
- secretKey: SECRET - secretKey: SECRET
remoteRef: remoteRef:
key: /cl01tl/yamtrack/config key: /cl01tl/yamtrack/config
property: secret property: SECRET
--- ---
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1