alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 2 Actions 2 Activity

Compare commits

merge into: alexlebens:renovate/unified-grafanaloki
Branches Tags
alexlebens:main alexlebens:manifests alexlebens:renovate/cilium-1.x alexlebens:renovate/unified-grafanaloki alexlebens:renovate/headlamp-0.x
...
pull from: alexlebens:main
Branches Tags
alexlebens:main alexlebens:manifests alexlebens:renovate/cilium-1.x alexlebens:renovate/unified-grafanaloki alexlebens:renovate/headlamp-0.x

4 Commits
renovate/u ... main

Author SHA1 Message Date
Renovate Bot
ff1c5e557e chore(deps): update blastbeng/spotisub docker tag to v0.3.7 (#3791)
Some checks are pending
render-manifests-push / render-manifests-push (push) Has been skipped
Details
renovate / renovate (push) Waiting to run
Details
lint-test-helm / lint-helm (push) Successful in 22s
Details
2026-02-06 17:08:26 +00:00
Alex Lebens
618aecb676 feat: add spotisub
Some checks failed
lint-test-helm / lint-helm (push) Successful in 21s
Details
render-manifests-push / render-manifests-push (push) Successful in 1m26s
Details
lint-test-docker / lint-docker-compose (push) Successful in 29s
Details
renovate / renovate (push) Has been cancelled
Details
2026-02-06 11:06:15 -06:00
Alex Lebens
3bd5707b62 fix: change timezone 2026-02-06 11:06:15 -06:00
Renovate Bot
1c1fd7877b chore(deps): update helm release external-secrets to v2 (#3788)
All checks were successful
render-manifests-push / render-manifests-push (push) Has been skipped
Details
lint-test-helm / lint-helm (push) Successful in 20s
Details
renovate / renovate (push) Successful in 2m2s
Details 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets](https://github.com/external-secrets/external-secrets) | major | `1.3.2` → `2.0.0` |

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets)</summary>

### [`v2.0.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.0.0)

[Compare Source](https://github.com/external-secrets/external-secrets/compare/v1.3.2...v2.0.0)

### BREAKING CHANGE

Please note that this release removed two of the unsupported and unmaintained providers Alibaba and Device42.

Image: `ghcr.io/external-secrets/external-secrets:v2.0.0`
Image: `ghcr.io/external-secrets/external-secrets:v2.0.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v2.0.0-ubi-boringssl`

<!-- Release notes generated using configuration in .github/release.yml at main -->

#### What's Changed

##### General

- chore: bump charts to 1.3.2 by [@&#8203;gusfcarvalho](https://github.com/gusfcarvalho) in [#&#8203;5923](https://github.com/external-secrets/external-secrets/pull/5923)
- feat(charts): add hostAliases support by [@&#8203;janlauber](https://github.com/janlauber) in [#&#8203;5866](https://github.com/external-secrets/external-secrets/pull/5866)
- chore: remove unmaintained secret stores by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5918](https://github.com/external-secrets/external-secrets/pull/5918)
- docs(infisical): document al provider auth methods by [@&#8203;varonix0](https://github.com/varonix0) in [#&#8203;5929](https://github.com/external-secrets/external-secrets/pull/5929)
- chore: Get validating webhook failurePolicy for Secretstore dynamically by [@&#8203;LochanRn](https://github.com/LochanRn) in [#&#8203;5605](https://github.com/external-secrets/external-secrets/pull/5605)

#### New Contributors

- [@&#8203;LochanRn](https://github.com/LochanRn) made their first contribution in [#&#8203;5605](https://github.com/external-secrets/external-secrets/pull/5605)

**Full Changelog**: <https://github.com/external-secrets/external-secrets/compare/v1.3.2...v2.0.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4zLjYiLCJ1cGRhdGVkSW5WZXIiOiI0My4zLjYiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImNoYXJ0Il19-->

Reviewed-on: #3788
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
 2026-02-06 15:41:50 +00:00
15 changed files with 382 additions and 5 deletions
Expand all files Collapse all files

1
clusters/cl01tl/helm/blocky/values.yaml
View File

@@ -157,6 +157,7 @@ blocky:
sonarr IN CNAME traefik-cl01tl
sonarr-4k IN CNAME traefik-cl01tl
sonarr-anime IN CNAME traefik-cl01tl
spotisub IN CNAME traefik-cl01tl
stalwart IN CNAME traefik-cl01tl
tdarr IN CNAME traefik-cl01tl
tubearchivist IN CNAME traefik-cl01tl

6
clusters/cl01tl/helm/external-secrets/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies:
- name: external-secrets
repository: https://charts.external-secrets.io
version: 1.3.2
digest: sha256:7b7c6dee59f2ea630f0e7a1124aeeda52cdff23769136300384b28210e03945a
generated: "2026-02-03T21:41:32.061135319Z"
version: 2.0.0
digest: sha256:3833a9f099d80f50e8a7c9874138b9eba42c18fe5f5f5dc605031f7c44bd3971
generated: "2026-02-06T15:40:39.917039721Z"

2
clusters/cl01tl/helm/external-secrets/Chart.yaml
View File

@@ -12,7 +12,7 @@ sources:
- https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
dependencies:
- name: external-secrets
version: 1.3.2
version: 2.0.0
repository: https://charts.external-secrets.io
icon: https://avatars.githubusercontent.com/u/68335991?s=48&v=4
# renovate: datasource=github-releases depName=external-secrets/external-secrets

2
clusters/cl01tl/helm/freshrss/values.yaml
View File

@@ -88,7 +88,7 @@ freshrss:
- name: PUID
value: "568"
- name: TZ
value: US/Central
value: America/Chicago
- name: FRESHRSS_ENV
value: production
- name: CRON_MIN

3
clusters/cl01tl/helm/gatus/values.yaml
View File

@@ -310,6 +310,9 @@ gatus:
- name: lidarr
url: https://lidarr.alexlebens.net
<<: *defaults
- name: spotisub
url: https://spotisub.alexlebens.net
<<: *defaults
- name: yubal-playlist
url: https://yubal-playlist.alexlebens.net
<<: *defaults

6
clusters/cl01tl/helm/homepage/values.yaml
View File

@@ -661,6 +661,12 @@ homepage:
href: https://yubal-playlist.alexlebens.net
siteMonitor: http://yubal-playlist.yubal-playlist:80
statusStyle: dot
- Spotisub:
icon: sh-spotify.webp
description: Replicate Spotify playlist
href: https://spotisub.alexlebens.net
siteMonitor: http://spotisub.spotisub:80
statusStyle: dot
- slskd:
icon: sh-slskd.webp
description: slskd

6
clusters/cl01tl/helm/spotisub/Chart.lock Normal file
View File

@@ -0,0 +1,6 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
digest: sha256:3b63381e4968f95ce2d99fae620f3d1ae6af295b1bacc4ed0fbe9f1ccb0e9405
generated: "2026-02-06T11:04:57.311195-06:00"

21
clusters/cl01tl/helm/spotisub/Chart.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: v2
name: spotisub
version: 1.0.0
description: Spotisub
keywords:
- spotisub
- music
- spotify
home: https://wiki.alexlebens.dev/s/
sources:
- https://github.com/blastbeng/spotisub
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: spotisub
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
# renovate: datasource=github-releases depName=blastbeng/spotisub
appVersion: v0.3.6

93
clusters/cl01tl/helm/spotisub/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,93 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: spotisub-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: spotisub-config-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: spotify-client-id
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /spotify/andrew
metadataPolicy: None
property: client-id
- secretKey: spotify-client-secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /spotify/andrew
metadataPolicy: None
property: client-secret
- secretKey: spotify-redirect-uri
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /spotify/andrew
metadataPolicy: None
property: redirect-uri
- secretKey: subsonic-user
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/navidrome/andrew
metadataPolicy: None
property: user
- secretKey: subsonic-password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/navidrome/andrew
metadataPolicy: None
property: password
- secretKey: lidarr-key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/lidarr2/key
metadataPolicy: None
property: key
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: spotisub-wireguard-conf
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: spotisub-wireguard-conf
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: private-key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /protonvpn/conf/cl01tl
metadataPolicy: None
property: private-key
- secretKey: proton-email
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /protonvpn/conf/cl01tl
metadataPolicy: None
property: email
- secretKey: proton-password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /protonvpn/conf/cl01tl
metadataPolicy: None
property: password

11
clusters/cl01tl/helm/spotisub/templates/namespace.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Namespace
metadata:
name: spotisub
labels:
app.kubernetes.io/name: spotisub
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged

17
clusters/cl01tl/helm/spotisub/templates/persistent-volume-claim.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: spotisub-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: spotisub-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: spotisub-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi

23
clusters/cl01tl/helm/spotisub/templates/persistent-volume.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: spotisub-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: spotisub-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Music Youtube/
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac

194
clusters/cl01tl/helm/spotisub/values.yaml Normal file
View File

@@ -0,0 +1,194 @@
spotisub:
controllers:
main:
type: deployment
replicas: 0
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: blastbeng/spotisub
tag: v0.3.7
pullPolicy: IfNotPresent
env:
- name: SPOTIPY_CLIENT_ID
valueFrom:
secretKeyRef:
name: spotisub-config-secret
key: spotify-client-id
- name: SPOTIPY_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: spotisub-config-secret
key: spotify-client-secret
- name: SPOTIPY_REDIRECT_URI
valueFrom:
secretKeyRef:
name: spotisub-config-secret
key: spotify-redirect-uri
- name: SUBSONIC_API_HOST
value: http://navidrome-main.navidrome
- name: SUBSONIC_API_PORT
value: 80
- name: SUBSONIC_API_USER
valueFrom:
secretKeyRef:
name: spotisub-config-secret
key: subsonic-user
- name: SUBSONIC_API_PASS
valueFrom:
secretKeyRef:
name: spotisub-config-secret
key: subsonic-password
- name: PLAYLIST_PREFIX
value: "Spotify - "
- name: NUM_USER_PLAYLISTS
value: 0
- name: ARTIST_GEN_SCHED
value: 0
- name: RECOMEND_GEN_SCHED
value: 0
- name: SPOTDL_ENABLED
value: 1
- name: SPOTDL_OUT_FORMAT
value: "/mnt/store/Music Youtube/Andrew Lebens/{artist}/{album} ({year})/{artists} - {album} - {track-number} - {title}.{output-ext}"
- name: LIDARR_ENABLED
value: 1
- name: LIDARR_IP
value: http://lidarr.lidarr
- name: LIDARR_PORT
value: 80
- name: LIDARR_TOKEN
valueFrom:
secretKeyRef:
name: spotisub-config-secret
key: lidarr-key
probes:
liveness:
enabled: true
custom: true
spec:
exec:
command:
- /bin/sh
- -c
- "curl -s http://127.0.0.1:5183/api/v1/utils/healthcheck | grep -q 'Ok!'"
failureThreshold: 5
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 15
resources:
requests:
cpu: 10m
memory: 128Mi
gluetun:
image:
repository: ghcr.io/qdm12/gluetun
tag: v3.41.0@sha256:6b54856716d0de56e5bb00a77029b0adea57284cf5a466f23aad5979257d3045
pullPolicy: IfNotPresent
lifecycle:
postStart:
exec:
command: ["/bin/sh", "-c", "(ip rule del table 51820; ip -6 rule del table 51820) || true"]
env:
- name: VPN_SERVICE_PROVIDER
value: protonvpn
- name: VPN_TYPE
value: wireguard
- name: WIREGUARD_PRIVATE_KEY
valueFrom:
secretKeyRef:
name: spotisub-wireguard-conf
key: private-key
- name: UPDATER_PROTONVPN_EMAIL
valueFrom:
secretKeyRef:
name: spotisub-wireguard-conf
key: proton-email
- name: UPDATER_PROTONVPN_PASSWORD
valueFrom:
secretKeyRef:
name: spotisub-wireguard-conf
key: proton-password
- name: FIREWALL_OUTBOUND_SUBNETS
value: 10.0.0.0/8
- name: FIREWALL_INPUT_PORTS
value: 5183
- name: DNS_UPSTREAM_RESOLVER_TYPE
value: dot
securityContext:
privileged: True
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
probes:
liveness:
enabled: true
custom: true
spec:
exec:
command:
- /gluetun-entrypoint
- healthcheck
failureThreshold: 5
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 15
resources:
limits:
devic.es/tun: "1"
requests:
devic.es/tun: "1"
cpu: 10m
memory: 128Mi
service:
main:
controller: main
ports:
http:
port: 80
targetPort: 5183
protocol: HTTP
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- spotisub.alexlebens.net
rules:
- backendRefs:
- group: ''
kind: Service
name: spotisub
port: 80
weight: 100
matches:
- path:
type: PathPrefix
value: /
persistence:
cache:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 1Gi
retain: true
advancedMounts:
main:
main:
- path: /home/user/spotisub/cache
readOnly: false
music:
existingClaim: spotisub-nfs-storage
advancedMounts:
main:
main:
- path: /mnt/store/Music Youtube/
readOnly: false

1
hosts/ps08rp/blocky/config.yml
View File

@@ -132,6 +132,7 @@ customDNS:
sonarr IN CNAME traefik-cl01tl
sonarr-4k IN CNAME traefik-cl01tl
sonarr-anime IN CNAME traefik-cl01tl
spotisub IN CNAME traefik-cl01tl
stalwart IN CNAME traefik-cl01tl
tdarr IN CNAME traefik-cl01tl
tubearchivist IN CNAME traefik-cl01tl

1
hosts/ps09rp/blocky/config.yml
View File

@@ -153,6 +153,7 @@ customDNS:
sonarr IN CNAME traefik-cl01tl
sonarr-4k IN CNAME traefik-cl01tl
sonarr-anime IN CNAME traefik-cl01tl
spotisub IN CNAME traefik-cl01tl
stalwart IN CNAME traefik-cl01tl
tdarr IN CNAME traefik-cl01tl
tubearchivist IN CNAME traefik-cl01tl