alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 7 Actions 1 Activity

Compare commits

base: alexlebens:tmp/volsync-4
Branches Tags
alexlebens:main alexlebens:renovate/major-unified-volsync-target alexlebens:renovate/unified-karakeep alexlebens:renovate/unified-gitea alexlebens:renovate/unified-cilium alexlebens:manifests alexlebens:auto/update-manifests alexlebens:tmp/volsync-4 alexlebens:renovate/unified-harbor
..
compare: alexlebens:c4aa5b466f7890df7779a8e7252b99ea46385b17
Branches Tags
alexlebens:renovate/major-unified-volsync-target alexlebens:renovate/unified-karakeep alexlebens:renovate/unified-gitea alexlebens:renovate/unified-cilium alexlebens:main alexlebens:manifests alexlebens:auto/update-manifests alexlebens:tmp/volsync-4 alexlebens:renovate/unified-harbor

1 Commits
tmp/volsyn ... c4aa5b466f

Author SHA1 Message Date
Renovate Bot
c4aa5b466f Update harbor.alexlebens.net/images/site-documentation Docker tag to v0.17.0
All checks were successful
lint-test-helm / lint-helm (pull_request) Successful in 43s
Details
lint-test-helm / validate-kubeconform (pull_request) Successful in 43s
Details
2026-04-05 01:24:00 +00:00
643 changed files with 7129 additions and 8608 deletions
Expand all files Collapse all files

BIN
.DS_Store vendored
View File

Binary file not shown.

320
.gitea/workflows/lint-test-helm.yaml
View File

@@ -16,8 +16,8 @@ on:
env:
CLUSTER: cl01tl
BASE_BRANCH: "origin/${{ github.base_ref }}"
# renovate: datasource=github-releases depName=yannh/kubeconform
KUBECONFORM_VERSION: "v0.6.7"
ARGOCD_VERSION: "v3.3.6"
jobs:
lint-helm:
@@ -102,7 +102,7 @@ jobs:
echo ""
echo "${CHANGED_CHARTS}"
CHANGED_CHARTS_CSV=$(echo "${CHANGED_CHARTS}" | paste -sd ',' -)
CHANGED_CHARTS_CSV=$(echo "$CHANGED_CHARTS" | paste -sd ',' -)
echo ""
echo "----"
@@ -169,10 +169,9 @@ jobs:
echo ">> Running linting on changed charts ..."
lint_chart() {
local DIR="$1"
local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
local CHART_NAME=$(basename "${CHART_PATH}")
for DIR in ${CHANGED_CHARTS}; do
CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
CHART_NAME=$(basename "${CHART_PATH}")
if [ -f "${CHART_PATH}/Chart.yaml" ]; then
echo ""
@@ -183,8 +182,15 @@ jobs:
echo ">> Linting helm chart ${CHART_NAME} ..."
if ! helm lint "${CHART_PATH}" --namespace "default"; then
echo "${DIR}" > ".failed_chart_${CHART_NAME}"
return 1
EXIT_CODE=1
if [ -z "${FAILED_CHARTS}" ]; then
FAILED_CHARTS="${DIR}"
else
FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
fi
fi
else
@@ -192,20 +198,8 @@ jobs:
echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
fi
}
export -f lint_chart
export CLUSTER
for DIR in ${CHANGED_CHARTS}; do
echo "${DIR}"
done | xargs -P 4 -I {} bash -c 'OUT=$(lint_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
if ls .failed_chart_* 1> /dev/null 2>&1; then
EXIT_CODE=1
FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
rm -f .failed_chart_*
fi
done
echo ""
echo "----"
@@ -242,17 +236,7 @@ jobs:
with:
fetch-depth: 0
- name: Cache Kubeconform
id: cache-kubeconform
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: /usr/local/bin/kubeconform
key: ${{ runner.os }}-kubeconform-${{ env.KUBECONFORM_VERSION }}
restore-keys: |
${{ runner.os }}-kubeconform-
- name: Install Kubeconform
if: steps.cache-kubeconform.outputs.cache-hit != 'true'
run: |
echo ">> Downloading Kubeconform ${{ env.KUBECONFORM_VERSION }} ..."
wget -q https://github.com/yannh/kubeconform/releases/download/${{ env.KUBECONFORM_VERSION }}/kubeconform-linux-amd64.tar.gz
@@ -265,8 +249,6 @@ jobs:
echo ">> Installing Kubeconform ..."
sudo mv kubeconform /usr/local/bin/
- name: Verify installation
run: |
echo ""
echo ">> Verifying installation ..."
kubeconform -v
@@ -335,38 +317,32 @@ jobs:
EXIT_CODE=0
FAILED_CHARTS=""
validate_chart() {
local DIR="$1"
local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
for DIR in ${CHANGED_CHARTS}; do
CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
echo ""
echo ">> Validating: ${DIR}"
helm dependency build "${CHART_PATH}" --skip-refresh
if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor" | \
if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute" | \
kubeconform \
${SCHEMA_LOCATIONS} \
-ignore-missing-schemas \
-strict \
-summary; then
echo "${DIR}" > ".failed_chart_${DIR}"
return 1
EXIT_CODE=1
if [ -z "${FAILED_CHARTS}" ]; then
FAILED_CHARTS="${DIR}"
else
FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
fi
fi
}
export -f validate_chart
export CLUSTER SCHEMA_LOCATIONS
for DIR in ${CHANGED_CHARTS}; do
echo "${DIR}"
done | xargs -P 4 -I {} bash -c 'OUT=$(validate_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
if ls .failed_chart_* 1> /dev/null 2>&1; then
EXIT_CODE=1
FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
rm -f .failed_chart_*
fi
done
echo ""
echo "----"
@@ -389,243 +365,3 @@ jobs:
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
image: true
# argo-diff:
# needs: lint-helm
# runs-on: ubuntu-js
# if: |
# needs.lint-helm.result == 'success' &&
# needs.lint-helm.outputs.changes-detected == 'true' &&
# github.event_name == 'pull_request'
# steps:
# - name: Checkout
# uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
# with:
# fetch-depth: 0
# - name: Cache ArgoCD CLI
# id: cache-argocd
# uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
# with:
# path: /usr/local/bin/argocd
# key: ${{ runner.os }}-argocd-${{ env.ARGOCD_VERSION }}
# restore-keys: |
# ${{ runner.os }}-argocd-
# - name: Install ArgoCD CLI
# if: steps.cache-argocd.outputs.cache-hit != 'true'
# run: |
# echo ">> Downloading ArgoCD CLI, version: ${{ env.ARGOCD_VERSION }} ..."
# curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/download/${{ env.ARGOCD_VERSION }}/argocd-linux-amd64
# echo ""
# echo ">> Installing ArgoCD CLI ..."
# sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
# echo ""
# echo "----"
# - name: Verify installation
# run: |
# echo ""
# echo ">> Verifying installation ..."
# argocd version --client
# echo ""
# echo "----"
# - name: Set Up Helm
# uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
# with:
# token: ${{ secrets.GITEA_TOKEN }}
# # renovate: datasource=github-releases depName=helm/helm
# version: v4.1.3
# cache: true
# - name: Cache Helm Dependencies
# uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
# with:
# path: |
# ~/.cache/helm
# ~/.config/helm
# key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
# restore-keys: |
# helm-cache-${{ runner.os }}-
# - name: Add Repositories
# env:
# CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
# run: |
# echo ">> Adding repositories for chart dependencies ..."
# echo ""
# for DIR in ${CHANGED_CHARTS}; do
# helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \
# | tail -n +2 \
# | awk 'NF > 0 { print $1, $3 }' \
# | while read -r REPO_NAME REPO_URL; do
# if [[ "${REPO_URL}" == oci://* ]]; then
# echo ">> Ignoring OCI repo: ${REPO_URL}"
# elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
# helm repo add "${REPO_NAME}" "${REPO_URL}"
# fi
# done || true
# done
# if helm repo list > /dev/null 2>&1; then
# echo ""
# echo ">> Update repository cache ..."
# helm repo update
# fi
# echo ""
# echo "----"
# - name: Render Templates
# id: render
# env:
# CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
# run: |
# for APP_NAME in ${CHANGED_CHARTS}; do
# echo ">> Render templates for ${APP_NAME} ..."
# CHART_PATH="clusters/${CLUSTER}/helm/${APP_NAME}"
# OUTPUT_FOLDER="clusters/${CLUSTER}/manifests/${APP_NAME}/"
# mkdir -p "${OUTPUT_FOLDER}"
# helm dependency build "${CHART_PATH}" --skip-refresh
# NAMESPACE="${APP_NAME}"
# case "${APP_NAME}" in
# "stack")
# NAMESPACE="argocd"
# echo ">> Special Rendering into 'argocd' namespace ..."
# ;;
# "cilium" | "coredns" | "metrics-server")
# NAMESPACE="kube-system"
# echo ">> Special Rendering for ${APP_NAME} into 'kube-system' namespace ..."
# ;;
# *)
# echo ">> Standard Rendering ..."
# esac
# TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
# # Format and split rendered template
# echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
# # Strip comments again to ensure formatting correctness
# for file in "$OUTPUT_FOLDER"/*; do
# yq -i '... comments=""' $file
# done
# echo ""
# echo ">> Templates in output folder: ${OUTPUT_FOLDER}"
# ls ${OUTPUT_FOLDER}
# done
# echo "----"
# - name: Run App Diff
# id: diff
# env:
# ARGOCD_SERVER: ${{ secrets.ARGOCD_SERVER }}
# ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}
# CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
# run: |
# FAILED_CHARTS=""
# DIFF_FOUND="false"
# EXIT_CODE=0
# for APP_NAME in ${CHANGED_CHARTS}; do
# echo ">> Running argocd app diff for ${APP_NAME} ..."
# if ! argocd app diff "${APP_NAME}" \
# --server "${ARGOCD_SERVER}" \
# --auth-token "${ARGOCD_AUTH_TOKEN}" \
# --revision ${{ github.sha }} \
# --local "clusters/${CLUSTER}/manifests/${APP_NAME}" \
# --local-repo-root "." \
# --grpc-web > "diff_output_${APP_NAME}.txt" 2>&1; then
# # ArgoCD diff returns non-zero on diff or error.
# # Let's capture if it actually generated a diff output to post.
# DIFF_FOUND="true"
# # Check if the output contains validation/connection errors
# if grep -iE 'error|failed|connection refused|timeout' "diff_output_${APP_NAME}.txt"; then
# echo ">> ArgoCD encountered an error validating ${APP_NAME}!"
# EXIT_CODE=1
# FAILED_CHARTS="${FAILED_CHARTS} ${APP_NAME}"
# fi
# fi
# if [ -s "diff_output_${APP_NAME}.txt" ]; then
# echo ">> Argo diff or errors:"
# echo ""
# cat diff_output_${APP_NAME}.txt
# echo ""
# else
# echo ">> No Argo diff found for ${APP_NAME}"
# rm "diff_output_${APP_NAME}.txt"
# fi
# done
# echo "----"
# echo "diff-detected=${DIFF_FOUND}" >> "$GITHUB_OUTPUT"
# echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
# exit $EXIT_CODE
# - name: Post Diff
# if: |
# always() &&
# steps.diff.outputs.diff-detected == 'true' &&
# github.event.pull_request.number != null
# env:
# GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
# run: |
# COMMENT_BODY="### ArgoCD Diff Results
# "
# for f in diff_output_*.txt; do
# APP_NAME=$(echo $f | sed 's/diff_output_//;s/.txt//')
# DIFF_CONTENT=$(cat "$f")
# COMMENT_BODY="${COMMENT_BODY}
# #### App: ${APP_NAME}
# "
# if [ -z "$DIFF_CONTENT" ]; then
# COMMENT_BODY="${COMMENT_BODY} No changes detected."
# else
# COMMENT_BODY="${COMMENT_BODY}
# \`\`\`diff
# ${DIFF_CONTENT}
# \`\`\`"
# fi
# done
# curl -X 'POST' \
# "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
# -H "Authorization: token ${GITEA_TOKEN}" \
# -H "Content-Type: application/json" \
# -d "$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')"
# - name: ntfy Failed
# uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
# if: failure()
# with:
# url: '${{ secrets.NTFY_URL }}'
# topic: '${{ secrets.NTFY_TOPIC }}'
# title: 'ArgoCD Diff Failure'
# priority: 3
# headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
# tags: action,failed
# details: "ArgoCD diff for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.diff.outputs.failed-charts }}"
# icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
# actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
# image: true

8
.gitea/workflows/render-manifests.yaml
View File

@@ -50,7 +50,7 @@ jobs:
cache: true
- name: Configure Kubeconfig
uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5
uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
with:
method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }}
@@ -273,7 +273,7 @@ jobs:
NAMESPACE="argocd"
echo ">> Special Rendering into 'argocd' namespace ..."
;;
"cilium" | "coredns" | "metrics-server")
"cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
NAMESPACE="kube-system"
echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
;;
@@ -283,7 +283,7 @@ jobs:
echo ">> Formating rendered template ..."
local TEMPLATE
TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
# Format and split rendered template
echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
@@ -314,7 +314,7 @@ jobs:
for DIR in ${RENDER_DIR}; do
echo "${DIR}"
done | xargs -P 5 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
done | xargs -P 4 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
echo ""
echo "----"

4
.gitea/workflows/renovate.yaml
View File

@@ -12,8 +12,8 @@ on:
jobs:
renovate:
runs-on: ubuntu-js
container: ghcr.io/renovatebot/renovate:43.169.4@sha256:4c84638a2b70b2fe2c3bbf87d25e6f8aba40d83f8ca2b7c0bd3d0f1a4591ef7b
runs-on: ubuntu-latest
container: ghcr.io/renovatebot/renovate:43.104.3@sha256:8248aad190150ce3f1016f9e93b45185679f075c428bca093e724a59f1fd426e
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

8
clusters/cl01tl/helm/actual/Chart.lock
View File

@@ -1,9 +1,9 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 2.0.0
digest: sha256:9468b3406ab0d91bf44a1a940eca8648782f3519d0c683d21b33e16c258c9175
generated: "2026-05-07T21:23:05.56246-05:00"
version: 0.8.0
digest: sha256:ff81b3d8fc831e4b8048f646fffcf597aa7410e52ecf27690eab8104047dbe6f
generated: "2026-03-06T01:04:41.514235218Z"

6
clusters/cl01tl/helm/actual/Chart.yaml
View File

@@ -17,11 +17,11 @@ dependencies:
- name: app-template
alias: actual
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
- name: volsync-target
alias: volsync-target-data
version: 2.0.0
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
# renovate: datasource=github-releases depName=actualbudget/actual
appVersion: 26.5.0
appVersion: 26.3.0

14
clusters/cl01tl/helm/actual/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

6
clusters/cl01tl/helm/actual/values.yaml
View File

@@ -8,7 +8,7 @@ actual:
main:
image:
repository: ghcr.io/actualbudget/actual
tag: 26.5.0@sha256:b733ae30c70a66dc4d03577526e53575a0c04eab4f3ab6ace30934776251058c
tag: 26.3.0@sha256:eb8bc26f53025e07e464594c12d77c52c4b95840c8dadd9b95c4f0c4660f8ad2
env:
- name: ACTUAL_PORT
value: 5006
@@ -75,7 +75,7 @@ volsync-target-data:
schedule: 0 8 * * *
remote:
enabled: true
schedule: 0 10 * * 0
schedule: 0 9 * * *
external:
enabled: true
schedule: 0 9 * * 0
schedule: 0 10 * * *

6
clusters/cl01tl/helm/argocd/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies:
- name: argo-cd
repository: https://argoproj.github.io/argo-helm
version: 9.5.11
digest: sha256:78e2094dde7b3d0326da14640dbc012ce6e6e899f23270dc4d9a13b168c1ef89
generated: "2026-05-02T00:45:16.287556363Z"
version: 9.4.17
digest: sha256:17752dbf03861cf70ee31c9a17373a5175656a2edd00ba5fcd3988a195147da8
generated: "2026-03-28T01:51:34.832601868Z"

4
clusters/cl01tl/helm/argocd/Chart.yaml
View File

@@ -13,8 +13,8 @@ maintainers:
- name: alexlebens
dependencies:
- name: argo-cd
version: 9.5.12
version: 9.4.17
repository: https://argoproj.github.io/argo-helm
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
# renovate: datasource=github-releases depName=argoproj/argo-cd
appVersion: v3.4.1
appVersion: v3.3.6

14
clusters/cl01tl/helm/argocd/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

52
clusters/cl01tl/helm/argocd/templates/external-secret.yaml
View File

@@ -1,40 +1,70 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argocd-oidc-authentik
name: argocd-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argocd-oidc-authentik
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: argocd-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
name: vault
data:
- secretKey: secret
remoteRef:
key: /cl01tl/authentik/oidc/argocd
key: /authentik/oidc/argocd
property: secret
- secretKey: client
remoteRef:
key: /cl01tl/authentik/oidc/argocd
key: /authentik/oidc/argocd
property: client
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argocd-notifications-ntfy
name: argocd-notifications-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argocd-notifications-ntfy
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: argocd-notifications-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
name: vault
data:
- secretKey: ntfy-token
remoteRef:
key: /cl01tl/ntfy/users/cl01tl
key: /ntfy/user/cl01tl
property: token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argocd-gitea-repo-infrastructure-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: type
remoteRef:
key: /cl01tl/argocd/credentials/repo/infrastructure
property: type
- secretKey: url
remoteRef:
key: /cl01tl/argocd/credentials/repo/infrastructure
property: url
- secretKey: sshPrivateKey
remoteRef:
key: /cl01tl/argocd/credentials/repo/infrastructure
property: sshPrivateKey

108
clusters/cl01tl/helm/argocd/templates/prometheus-rule.yaml
View File

@@ -1,108 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: haproxy
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: haproxy
{{- include "custom.labels" . | nindent 4 }}
spec:
groups:
- name: EmbeddedExporter
rules:
- alert: HAProxyHighHTTP4xxErrorRateBackend
expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
for: 1m
labels:
severity: critical
annotations:
summary: HAProxy high HTTP 4xx error rate backend (instance {{ `{{ $labels.instance }}` }})
description: "Too many HTTP requests with status 4xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyHighHTTP5xxErrorRateBackend
expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
for: 1m
labels:
severity: critical
annotations:
summary: HAProxy high HTTP 5xx error rate backend (instance {{ `{{ $labels.instance }}` }})
description: "Too many HTTP requests with status 5xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyHighHTTP4xxErrorRateServer
expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
for: 1m
labels:
severity: critical
annotations:
summary: HAProxy high HTTP 4xx error rate server (instance {{ `{{ $labels.instance }}` }})
description: "Too many HTTP requests with status 4xx (> 5%) on server {{ `{{ $labels.server }}` }}\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyHighHTTP5xxErrorRateServer
expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
for: 1m
labels:
severity: critical
annotations:
summary: HAProxy high HTTP 5xx error rate server (instance {{ `{{ $labels.instance }}` }})
description: "Too many HTTP requests with status 5xx (> 5%) on server {{ `{{ $labels.server }}` }}\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyServerResponseErrors
expr: (sum by (server) (rate(haproxy_server_response_errors_total[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100 > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
for: 1m
labels:
severity: critical
annotations:
summary: HAProxy server response errors (instance {{ `{{ $labels.instance }}` }})
description: "Too many response errors to {{ `{{ $labels.server }}` }} server (> 5%).\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyBackendConnectionErrors
expr: (sum by (proxy) (rate(haproxy_backend_connection_errors_total[1m]))) > 100
for: 1m
labels:
severity: critical
annotations:
summary: HAProxy backend connection errors (instance {{ `{{ $labels.instance }}` }})
description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} backend (> 100 req/s). Request throughput may be too high.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyServerConnectionErrors
expr: (sum by (proxy) (rate(haproxy_server_connection_errors_total[1m]))) > 100
for: 0m
labels:
severity: critical
annotations:
summary: HAProxy server connection errors (instance {{ `{{ $labels.instance }}` }})
description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} (> 100 req/s). Request throughput may be too high.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyBackendMaxActiveSession>80%
expr: (haproxy_backend_current_sessions / haproxy_backend_limit_sessions * 100) > 80 and haproxy_backend_limit_sessions > 0
for: 2m
labels:
severity: warning
annotations:
summary: HAProxy backend max active session > 80% (instance {{ `{{ $labels.instance }}` }})
description: "Session limit from backend {{ `{{ $labels.proxy }}` }} reached 80% of limit - {{ `{{ $value | printf \"%.2f\"}}` }}%\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyPendingRequests
expr: sum by (proxy) (haproxy_backend_current_queue) > 0
for: 2m
labels:
severity: warning
annotations:
summary: HAProxy pending requests (instance {{ `{{ $labels.instance }}` }})
description: "Some HAProxy requests are pending on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyRetryHigh
expr: sum by (proxy) (rate(haproxy_backend_retry_warnings_total[1m])) > 10
for: 2m
labels:
severity: warning
annotations:
summary: HAProxy retry high (instance {{ `{{ $labels.instance }}` }})
description: "High rate of retry on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyFrontendSecurityBlockedRequests
expr: sum by (proxy) (rate(haproxy_frontend_denied_connections_total[2m])) > 10
for: 2m
labels:
severity: warning
annotations:
summary: HAProxy frontend security blocked requests (instance {{ `{{ $labels.instance }}` }})
description: "HAProxy is blocking requests for security reason\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: HAProxyServerHealthcheckFailure
expr: increase(haproxy_server_check_failures_total[1m]) > 2
for: 0m
labels:
severity: warning
annotations:
summary: HAProxy server healthcheck failure (instance {{ `{{ $labels.instance }}` }})
description: "Some server healthcheck are failing on {{ `{{ $labels.server }}` }} ({{ `{{ $value }}` }} in the last 1m)\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"

60
clusters/cl01tl/helm/argocd/values.yaml
View File

@@ -13,8 +13,8 @@ argo-cd:
connectors:
- config:
issuer: https://authentik.alexlebens.net/application/o/argocd/
clientID: $argocd-oidc-authentik:client
clientSecret: $argocd-oidc-authentik:secret
clientID: $argocd-oidc-secret:client
clientSecret: $argocd-oidc-secret:secret
insecureEnableGroups: true
scopes:
- openid
@@ -48,31 +48,31 @@ argo-cd:
enabled: true
rules:
enabled: true
spec:
- alert: ArgoAppMissing
expr: |
absent(argocd_app_info) == 1
for: 15m
labels:
severity: critical
annotations:
summary: "[Argo CD] No reported applications"
description: >
Argo CD has not reported any applications data for the past 15 minutes which
means that it must be down or not functioning properly. This needs to be
resolved for this cloud to continue to maintain state.
- alert: ArgoAppNotSynced
expr: |
argocd_app_info{sync_status!="Synced"} == 1
for: 12h
labels:
severity: warning
annotations:
summary: "[{{`{{$labels.name}}`}}] Application not synchronized"
description: >
The application [{{`{{$labels.name}}`}} has not been synchronized for over
12 hours which means that the state of this cloud has drifted away from the
state inside Git.
spec:
- alert: ArgoAppMissing
expr: |
absent(argocd_app_info) == 1
for: 15m
labels:
severity: critical
annotations:
summary: "[Argo CD] No reported applications"
description: >
Argo CD has not reported any applications data for the past 15 minutes which
means that it must be down or not functioning properly. This needs to be
resolved for this cloud to continue to maintain state.
- alert: ArgoAppNotSynced
expr: |
argocd_app_info{sync_status!="Synced"} == 1
for: 12h
labels:
severity: warning
annotations:
summary: "[{{`{{$labels.name}}`}}] Application not synchronized"
description: >
The application [{{`{{$labels.name}}`}} has not been synchronized for over
12 hours which means that the state of this cloud has drifted away from the
state inside Git.
dex:
enabled: true
resources:
@@ -91,7 +91,7 @@ argo-cd:
enabled: true
image:
repository: redis
tag: 8.6.3-alpine@sha256:69f2c586c8a7e9cce4ae1ee9bbaf60bc4bb5f4bb3880e4ed022b1fd758a7cab9
tag: 8.6.2-alpine@sha256:81b6f81d6a6c5b9019231a2e8eb10085e3a139a34f833dcc965a8a959b040b72
persistentVolume:
enabled: true
redis:
@@ -103,7 +103,7 @@ argo-cd:
enabled: true
image:
repository: haproxy
tag: 3.3.8-alpine@sha256:10690acb357180d5214c6fce59e2cefded6cc72b0f7e3febb323fea95b27e349
tag: 3.3.6-alpine@sha256:744be2dca649a44d490a4c565d36968d19482dd387f1bdd44c168f4322bc6b1e
resources:
requests:
cpu: 5m
@@ -205,7 +205,7 @@ argo-cd:
argocdUrl: https://argocd.alexlebens.net
secret:
create: false
name: argocd-notifications-ntfy
name: argocd-notifications-secret
metrics:
enabled: true
serviceMonitor:

10
clusters/cl01tl/helm/audiobookshelf/Chart.lock
View File

@@ -1,12 +1,12 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 2.0.0
version: 0.8.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 2.0.0
digest: sha256:57c3cc8da25c1dfc8684c5f20f804ce4642abee25cb317097ce6bd17f8bb0504
generated: "2026-05-07T21:23:15.021738-05:00"
version: 0.8.0
digest: sha256:7ee4cfdf7f908401c39b3cda0cf8783b25dcb9cf93e7c911609bab9e303ec5bf
generated: "2026-03-06T01:05:03.534042627Z"

8
clusters/cl01tl/helm/audiobookshelf/Chart.yaml
View File

@@ -21,15 +21,15 @@ dependencies:
- name: app-template
alias: audiobookshelf
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
- name: volsync-target
alias: volsync-target-config
version: 2.0.0
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-metadata
version: 2.0.0
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
# renovate: datasource=github-releases depName=advplyr/audiobookshelf
appVersion: 2.34.0
appVersion: 2.33.1

27
clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl
View File

@@ -1,27 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
NFS names
*/}}
{{- define "custom.booksNfsName" -}}
audiobookshelf-books-nfs-storage
{{- end -}}
{{- define "custom.audiobooksNfsName" -}}
audiobookshelf-audiobooks-nfs-storage
{{- end -}}
{{- define "custom.podcastsNfsName" -}}
audiobookshelf-podcasts-nfs-storage
{{- end -}}

25
clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
View File

@@ -1,27 +1,18 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: audiobookshelf-config-apprise
name: audiobookshelf-apprise-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: audiobookshelf-config-apprise
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: audiobookshelf-apprise-config
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
target:
template:
mergePolicy: Merge
engineVersion: v2
data:
ntfy-url: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}"
name: vault
data:
- secretKey: endpoint
- secretKey: ntfy-url
remoteRef:
key: /cl01tl/ntfy/users/cl01tl
property: internal-endpoint-credential
- secretKey: topic
remoteRef:
key: /cl01tl/ntfy/topics
property: audiobookshelf
key: /cl01tl/audiobookshelf/apprise
property: ntfy-url

27
clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
View File

@@ -1,13 +1,14 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "custom.booksNfsName" . }}
name: audiobookshelf-books-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
{{ include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: audiobookshelf-books-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: {{ include "custom.booksNfsName" . }}
volumeName: audiobookshelf-books-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
@@ -19,13 +20,14 @@ spec:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "custom.audiobooksNfsName" . }}
name: audiobookshelf-audiobooks-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: {{ include "custom.audiobooksNfsName" . }}
volumeName: audiobookshelf-audiobooks-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
@@ -37,13 +39,14 @@ spec:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "custom.podcastsNfsName" . }}
name: audiobookshelf-podcasts-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: {{ include "custom.podcastsNfsName" . }}
volumeName: audiobookshelf-podcasts-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany

21
clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
View File

@@ -1,11 +1,12 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ include "custom.booksNfsName" . }}
name: audiobookshelf-books-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: audiobookshelf-books-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ include "custom.audiobooksNfsName" . }}
name: audiobookshelf-audiobooks-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
@@ -49,11 +51,12 @@ spec:
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ include "custom.podcastsNfsName" . }}
name: audiobookshelf-podcasts-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client

14
clusters/cl01tl/helm/audiobookshelf/values.yaml
View File

@@ -12,7 +12,7 @@ audiobookshelf:
main:
image:
repository: ghcr.io/advplyr/audiobookshelf
tag: 2.34.0@sha256:4143292c530f6ac6700afd13360c04f477e4f1a81c1c97c4224b1c7e4330c5c4
tag: 2.33.1@sha256:a4a5841bba093d81e5f4ad1eaedb4da3fda6dbb2528c552349da50ad1f7ae708
env:
- name: TZ
value: America/Chicago
@@ -23,7 +23,7 @@ audiobookshelf:
apprise-api:
image:
repository: ghcr.io/caronc/apprise
tag: v1.4.1@sha256:25e0577915c2f06233ae1dce077f05c0fc9ba4f0ea89de5aee18a32b2ee9a75c
tag: v1.3.3@sha256:4bfeac268ba87b8e08e308c9aa0182fe99e9501ec464027afc333d1634e65977
env:
- name: TZ
value: America/Chicago
@@ -40,7 +40,7 @@ audiobookshelf:
- name: APPRISE_STATELESS_URLS
valueFrom:
secretKeyRef:
name: audiobookshelf-config-apprise
name: audiobookshelf-apprise-config
key: ntfy-url
service:
main:
@@ -132,10 +132,10 @@ volsync-target-config:
schedule: 2 8 * * *
remote:
enabled: true
schedule: 2 10 * * 0
schedule: 2 9 * * *
external:
enabled: true
schedule: 2 9 * * 0
schedule: 2 10 * * *
volsync-target-metadata:
pvcTarget: audiobookshelf-metadata
local:
@@ -143,7 +143,7 @@ volsync-target-metadata:
schedule: 4 8 * * *
remote:
enabled: true
schedule: 4 10 * * 0
schedule: 4 9 * * *
external:
enabled: true
schedule: 4 9 * * 0
schedule: 4 10 * * *

12
clusters/cl01tl/helm/authentik/Chart.lock
View File

@@ -1,15 +1,15 @@
dependencies:
- name: authentik
repository: https://charts.goauthentik.io/
version: 2026.2.2
version: 2026.2.1
- name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts
version: 2.6.0
version: 2.4.0
- name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts
version: 7.12.1
version: 7.11.1
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
digest: sha256:808a2347fadb6a48800c0f7355c422c9ed2ce9f7d1ca3b7d64d62574be98e1f8
generated: "2026-05-02T01:46:08.112423002Z"
version: 0.5.0
digest: sha256:4b90c5af4cc7f37b04284aafd75ddda1241c71acb726932e7e21520b5bf98543
generated: "2026-03-31T18:36:26.87524-05:00"

8
clusters/cl01tl/helm/authentik/Chart.yaml
View File

@@ -18,18 +18,18 @@ maintainers:
- name: alexlebens
dependencies:
- name: authentik
version: 2026.2.2
version: 2026.2.1
repository: https://charts.goauthentik.io/
- name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts
version: 2.6.0
version: 2.4.0
- name: postgres-cluster
alias: postgres-18-cluster
version: 7.12.1
version: 7.11.1
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey
version: 0.7.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
# renovate: datasource=github-releases depName=goauthentik/authentik

14
clusters/cl01tl/helm/authentik/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

9
clusters/cl01tl/helm/authentik/templates/external-secret.yaml
View File

@@ -1,15 +1,16 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-key
name: authentik-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-key
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: authentik-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
name: vault
data:
- secretKey: key
remoteRef:

9
clusters/cl01tl/helm/authentik/templates/ingress.yaml
View File

@@ -1,11 +1,12 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Release.Name }}-tailscale
name: authentik-tailscale
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}-tailscale
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: authentik-tailscale
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
tailscale.com/proxy-class: no-metrics
annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
@@ -25,4 +26,4 @@ spec:
service:
name: authentik-server
port:
name: http
number: 80

3
clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
View File

@@ -5,7 +5,8 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: allow-outpost-cross-namespace-access
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
from:
- group: gateway.networking.k8s.io

2
clusters/cl01tl/helm/authentik/values.yaml
View File

@@ -4,7 +4,7 @@ authentik:
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-key
name: authentik-key-secret
key: key
- name: AUTHENTIK_POSTGRESQL__HOST
valueFrom:

10
clusters/cl01tl/helm/backrest/Chart.lock
View File

@@ -1,12 +1,12 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.1.1
version: 0.8.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.1.1
digest: sha256:76aa807daaf18fe785313337c497bebebb886ba61aa91c8673fda0d2beb7ce4b
generated: "2026-05-07T20:43:17.501180286Z"
version: 0.8.0
digest: sha256:f203538010828e77336f3cf39451a1072c90aeb8ece7c173a3476c49883b46d1
generated: "2026-03-06T01:05:24.935421139Z"

8
clusters/cl01tl/helm/backrest/Chart.yaml
View File

@@ -17,15 +17,15 @@ dependencies:
- name: app-template
alias: backrest
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
- name: volsync-target
alias: volsync-target-config
version: 1.1.1
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-data
version: 1.1.1
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
# renovate: datasource=github-releases depName=garethgeorge/backrest
appVersion: v1.13.0
appVersion: v1.12.1

24
clusters/cl01tl/helm/backrest/templates/_helpers.tpl
View File

@@ -1,24 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
NFS names
*/}}
{{- define "custom.storageNfsName" -}}
backrest-nfs-storage
{{- end -}}
{{- define "custom.shareNfsName" -}}
backrest-nfs-share
{{- end -}}

18
clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
View File

@@ -1,13 +1,14 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "custom.storageNfsName" . }}
name: backrest-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: backrest-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: {{ include "custom.storageNfsName" . }}
volumeName: backrest-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
@@ -19,13 +20,14 @@ spec:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "custom.shareNfsName" . }}
name: backrest-nfs-share
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: backrest-nfs-share
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: {{ include "custom.shareNfsName" . }}
volumeName: backrest-nfs-share
storageClassName: nfs-client
accessModes:
- ReadWriteMany

14
clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
View File

@@ -1,11 +1,12 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ include "custom.storageNfsName" . }}
name: backrest-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: backrest-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ include "custom.shareNfsName" . }}
name: backrest-nfs-share
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: backrest-nfs-share
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client

2
clusters/cl01tl/helm/backrest/values.yaml
View File

@@ -8,7 +8,7 @@ backrest:
main:
image:
repository: ghcr.io/garethgeorge/backrest
tag: v1.13.0@sha256:9c9966b5c285ec791a6b06cb4545fa0247424d05442e12f9558b4322d9f8a15f
tag: v1.12.1@sha256:f4d34bd6fa985d13bdb6c01c5d8727e07708899afa9567d800808357d77b9fb0
env:
- name: TZ
value: America/Chicago

8
clusters/cl01tl/helm/bazarr/Chart.lock
View File

@@ -1,9 +1,9 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.1.1
digest: sha256:0adc80cc222c07512735082e4668ae25f349c0eee179b890c27593ef4194070d
generated: "2026-05-07T20:43:27.778874315Z"
version: 0.8.0
digest: sha256:ce88e4cd451613c9dbc25d285700970789ff678452ef277f3c8465dbf6157f1f
generated: "2026-03-06T01:05:44.405374459Z"

8
clusters/cl01tl/helm/bazarr/Chart.yaml
View File

@@ -10,9 +10,7 @@ home: https://docs.alexlebens.dev/applications/bazarr/
sources:
- https://github.com/morpheus65535/bazarr
- https://github.com/linuxserver/docker-bazarr
- https://github.com/onedr0p/exportarr
- https://github.com/linuxserver/docker-bazarr/pkgs/container/bazarr
- https://github.com/onedr0p/exportarr/pkgs/container/exportarr
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
maintainers:
@@ -21,11 +19,11 @@ dependencies:
- name: app-template
alias: bazarr
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
- name: volsync-target
alias: volsync-target-config
version: 1.1.1
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
# renovate: datasource=github-releases depName=linuxserver/docker-bazarr
appVersion: v1.5.6-ls342
appVersion: 1.5.6

21
clusters/cl01tl/helm/bazarr/templates/_helpers.tpl
View File

@@ -1,21 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
NFS names
*/}}
{{- define "custom.storageNfsName" -}}
bazarr-nfs-storage
{{- end -}}

17
clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: bazarr-key
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bazarr-key
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: key
remoteRef:
key: /cl01tl/bazarr/key
property: key

9
clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
View File

@@ -1,13 +1,14 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "custom.storageNfsName" . }}
name: bazarr-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: bazarr-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: {{ include "custom.storageNfsName" . }}
volumeName: bazarr-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany

7
clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
View File

@@ -1,11 +1,12 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: {{ include "custom.storageNfsName" . }}
name: bazarr-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: bazarr-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client

38
clusters/cl01tl/helm/bazarr/values.yaml
View File

@@ -23,28 +23,11 @@ bazarr:
- name: PGID
value: 1000
resources:
limits:
cpu: 100m
requests:
cpu: 10m
cpu: 1m
memory: 250Mi
metrics:
image:
repository: ghcr.io/onedr0p/exportarr
tag: v2.3.0@sha256:af535d94061cf97a52e1661945ffba78c03f9443eae7c0da1a80a5a4be56b520
args: ["bazarr"]
env:
- name: URL
value: http://localhost:6767
- name: PORT
value: 9792
- name: APIKEY
valueFrom:
secretKeyRef:
name: bazarr-key
key: key
- name: ENABLE_ADDITIONAL_METRICS
value: false
- name: ENABLE_UNKNOWN_QUEUE_ITEMS
value: false
service:
main:
controller: main
@@ -52,21 +35,6 @@ bazarr:
http:
port: 80
targetPort: 6767
metrics:
port: 9792
targetPort: 9792
serviceMonitor:
main:
selector:
matchLabels:
app.kubernetes.io/name: bazarr
app.kubernetes.io/instance: bazarr
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: metrics
interval: 3m
scrapeTimeout: 1m
path: /metrics
route:
main:
kind: HTTPRoute

8
clusters/cl01tl/helm/blocky/Chart.lock
View File

@@ -1,9 +1,9 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
digest: sha256:64754cc5f9a68f6daf6b334255ee33aa7980704ddb803db46a99de7871086387
generated: "2026-05-07T20:43:39.015344585Z"
version: 0.5.0
digest: sha256:49b0e666059bad492ebaa4a20119ce5bbd1959a1ee6b22b271a9ca9529122697
generated: "2026-03-31T18:37:20.549898-05:00"

4
clusters/cl01tl/helm/blocky/Chart.yaml
View File

@@ -17,10 +17,10 @@ dependencies:
- name: app-template
alias: blocky
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
- name: valkey
alias: valkey
version: 0.7.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
# renovate: datasource=github-releases depName=0xerr0r/blocky

14
clusters/cl01tl/helm/blocky/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

9
clusters/cl01tl/helm/blocky/values.yaml
View File

@@ -106,7 +106,6 @@ blocky:
audiobookshelf IN CNAME traefik-cl01tl
authentik IN CNAME traefik-cl01tl
backrest IN CNAME traefik-cl01tl
bao IN CNAME traefik-cl01tl
bazarr IN CNAME traefik-cl01tl
ceph IN CNAME traefik-cl01tl
dawarich IN CNAME traefik-cl01tl
@@ -134,7 +133,7 @@ blocky:
komodo IN CNAME traefik-cl01tl
languagetool IN CNAME traefik-cl01tl
lidarr IN CNAME traefik-cl01tl
loki IN CNAME traefik-cl01tl
mail IN CNAME traefik-cl01tl
medialyze IN CNAME traefik-cl01tl
music-grabber IN CNAME traefik-cl01tl
navidrome IN CNAME traefik-cl01tl
@@ -143,9 +142,9 @@ blocky:
ollama IN CNAME traefik-cl01tl
omni-tools IN CNAME traefik-cl01tl
paperless-ngx IN CNAME traefik-cl01tl
photoview IN CNAME traefik-cl01tl
plex IN CNAME traefik-cl01tl
postiz-spotlight IN CNAME traefik-cl01tl
postiz-temporal IN CNAME traefik-cl01tl
postiz IN CNAME traefik-cl01tl
prometheus IN CNAME traefik-cl01tl
prowlarr IN CNAME traefik-cl01tl
qbittorrent IN CNAME traefik-cl01tl
@@ -161,7 +160,7 @@ blocky:
sonarr IN CNAME traefik-cl01tl
sonarr-4k IN CNAME traefik-cl01tl
sonarr-anime IN CNAME traefik-cl01tl
sparkyfitness IN CNAME traefik-cl01tl
stalwart IN CNAME traefik-cl01tl
tdarr IN CNAME traefik-cl01tl
tubearchivist IN CNAME traefik-cl01tl
vault IN CNAME traefik-cl01tl

6
clusters/cl01tl/helm/cert-manager/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies:
- name: cert-manager
repository: https://charts.jetstack.io
version: v1.20.2
digest: sha256:f218239b4538c64d57e098a56c69dcbc4e076ffcc3d320c5a5fef1e6309e38cf
generated: "2026-04-13T23:02:59.380767677Z"
version: v1.20.1
digest: sha256:1bf36eba44cf096b40355a697b8cffb302f07f9135374222aabdf686f017b7a9
generated: "2026-03-28T01:35:24.542754563Z"

4
clusters/cl01tl/helm/cert-manager/Chart.yaml
View File

@@ -13,8 +13,8 @@ maintainers:
- name: alexlebens
dependencies:
- name: cert-manager
version: v1.20.2
version: v1.20.1
repository: https://charts.jetstack.io
icon: https://raw.githubusercontent.com/cert-manager/cert-manager/refs/heads/master/logo/logo.png
# renovate: datasource=github-releases depName=cert-manager/cert-manager
appVersion: v1.20.2
appVersion: v1.20.1

24
clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl
View File

@@ -1,24 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
NFS names
*/}}
{{- define "custom.cloudflareSecretName" -}}
cert-manager-cloudflare-api-token
{{- end -}}
{{- define "custom.cloudflareSecretKey" -}}
api-token
{{- end -}}

7
clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
View File

@@ -5,7 +5,8 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: letsencrypt-issuer
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
acme:
email: alexanderlebens@gmail.com
@@ -21,5 +22,5 @@ spec:
cloudflare:
email: alexanderlebens@gmail.com
apiTokenSecretRef:
name: {{ include "custom.cloudflareSecretName" . }}
key: {{ include "custom.cloudflareSecretKey" . }}
name: cloudflare-api-token
key: api-token

13
clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
View File

@@ -1,17 +1,18 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: {{ include "custom.cloudflareSecretName" . }}
name: cloudflare-api-token
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "custom.cloudflareSecretName" . }}
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: cloudflare-api-token
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
name: vault
data:
- secretKey: {{ include "custom.cloudflareSecretKey" . }}
- secretKey: api-token
remoteRef:
key: /cloudflare/alexlebens.net/cl01tl-issuer-certificate
key: /cloudflare/alexlebens.net/clusterissuer
property: token

44
clusters/cl01tl/helm/cert-manager/templates/prometheus-rule.yaml
View File

@@ -1,44 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: cert-manager
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: cert-manager
{{- include "custom.labels" . | nindent 4 }}
spec:
groups:
- name: EmbeddedExporter
rules:
- alert: Cert-ManagerAbsent
expr: absent(up{job="cert-manager"})
for: 10m
labels:
severity: critical
annotations:
summary: Cert-Manager absent (instance {{ `{{ $labels.instance }}` }})
description: "Cert-Manager has disappeared from Prometheus service discovery. New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: Cert-ManagerCertificateExpiringSoon
expr: avg by (exported_namespace, namespace, name) (certmanager_certificate_expiration_timestamp_seconds - time()) < (21 * 24 * 3600)
for: 1h
labels:
severity: warning
annotations:
summary: Cert-Manager certificate expiring soon (instance {{ `{{ $labels.instance }}` }})
description: "The certificate {{ `{{ $labels.name }}` }} is expiring in less than 21 days.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: Cert-ManagerCertificateNotReady
expr: max by (name, exported_namespace, namespace, condition) (certmanager_certificate_ready_status{condition!="True"} == 1)
for: 10m
labels:
severity: critical
annotations:
summary: Cert-Manager certificate not ready (instance {{ `{{ $labels.instance }}` }})
description: "The certificate {{ `{{ $labels.name }}` }} in namespace {{ `{{ $labels.exported_namespace }}` }} is not ready to serve traffic.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"
- alert: Cert-ManagerHittingACMERateLimits
expr: sum by (host) (rate(certmanager_acme_client_request_count{status="429"}[5m])) > 0
for: 5m
labels:
severity: critical
annotations:
summary: Cert-Manager hitting ACME rate limits (instance {{ `{{ $labels.instance }}` }})
description: "Cert-Manager is being rate-limited by the ACME provider. Certificate issuance and renewal may be blocked for up to a week.\n VALUE = {{ `{{ $value }}` }}\n LABELS = {{ `{{ $labels }}` }}"

14
clusters/cl01tl/helm/cilium/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

19
clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml Normal file
View File

@@ -0,0 +1,19 @@
# apiVersion: cilium.io/v2
# kind: CiliumBGPAdvertisement
# metadata:
# name: cilium-bgp-advertisements
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: cilium-bgp-advertisements
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# advertisements:
# - advertisementType: "Service"
# service:
# addresses:
# - ExternalIP
# - LoadBalancerIP
# selector:
# matchExpressions:
# - {key: somekey, operator: NotIn, values: ['never-used-value']}

22
clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml Normal file
View File

@@ -0,0 +1,22 @@
# apiVersion: cilium.io/v2
# kind: CiliumBGPClusterConfig
# metadata:
# name: cilium-bgp
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: cilium-bgp
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# nodeSelector:
# matchLabels:
# node-role.kubernetes.io/bgp: "65020"
# bgpInstances:
# - name: "65020"
# localASN: 65020
# peers:
# - name: "udm-65000"
# peerASN: 65000
# peerAddress: 192.168.1.1
# peerConfigRef:
# name: "cilium-peer"

23
clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml Normal file
View File

@@ -0,0 +1,23 @@
# apiVersion: cilium.io/v2
# kind: CiliumBGPPeerConfig
# metadata:
# name: cilium-peer
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: cilium-peer
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# timers:
# holdTimeSeconds: 9
# keepAliveTimeSeconds: 3
# ebgpMultihop: 4
# gracefulRestart:
# enabled: true
# restartTimeSeconds: 15
# families:
# - afi: ipv4
# safi: unicast
# advertisements:
# matchLabels:
# app.kubernetes.io/name: cilium-bgp-advertisements

6
clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
View File

@@ -5,7 +5,8 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: default-ip-pool
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
blocks:
- start: "10.232.1.21"
@@ -19,7 +20,8 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bgp-ip-pool
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
blocks:
- start: "10.232.2.100"

45
clusters/cl01tl/helm/cilium/templates/gateway.yaml Normal file
View File

@@ -0,0 +1,45 @@
# apiVersion: gateway.networking.k8s.io/v1
# kind: Gateway
# metadata:
# name: cilium-tls-gateway
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: cilium-tls-gateway
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# annotations:
# cert-manager.io/cluster-issuer: letsencrypt-issuer
# spec:
# addresses:
# - type: IPAddress
# value: 10.232.1.23
# gatewayClassName: cilium
# listeners:
# - allowedRoutes:
# namespaces:
# from: All
# hostname: '*.alexlebens.net'
# name: https
# port: 443
# protocol: HTTPS
# tls:
# certificateRefs:
# - group: ''
# kind: Secret
# name: https-gateway-cert
# namespace: kube-system
# mode: Terminate
# - allowedRoutes:
# namespaces:
# from: All
# hostname: 'alexlebens.net'
# name: https-domain
# port: 443
# protocol: HTTPS
# tls:
# certificateRefs:
# - group: ''
# kind: Secret
# name: https-gateway-cert
# namespace: kube-system
# mode: Terminate

7
clusters/cl01tl/helm/cilium/templates/http-route.yaml
View File

@@ -5,7 +5,8 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: hubble
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
parentRefs:
- group: gateway.networking.k8s.io
@@ -20,6 +21,8 @@ spec:
type: PathPrefix
value: /
backendRefs:
- kind: Service
- group: ''
kind: Service
name: hubble-ui
port: 80
weight: 100

12
clusters/cl01tl/helm/cloudnative-pg/Chart.lock
View File

@@ -4,12 +4,6 @@ dependencies:
version: 0.28.0
- name: plugin-barman-cloud
repository: https://cloudnative-pg.io/charts/
version: 0.6.0
- name: rclone-bucket
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
- name: rclone-bucket
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
digest: sha256:756a06f08b0e8b888049195e02136115f3c3b09dabfb01c934934c9053cfb40b
generated: "2026-05-07T01:19:41.214483969Z"
version: 0.5.0
digest: sha256:3e9b26d00fdb61af60f003bcb327e05d02799eb6088e30aaabd01c49c6021aac
generated: "2026-04-01T20:05:40.198140255Z"

11
clusters/cl01tl/helm/cloudnative-pg/Chart.yaml
View File

@@ -13,7 +13,6 @@ sources:
- https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql
- https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
- https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
maintainers:
- name: alexlebens
dependencies:
@@ -21,16 +20,8 @@ dependencies:
version: 0.28.0
repository: https://cloudnative-pg.io/charts/
- name: plugin-barman-cloud
version: 0.6.0
version: 0.5.0
repository: https://cloudnative-pg.io/charts/
- name: rclone-bucket
alias: rclone-postgres-backups-remote
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
- name: rclone-bucket
alias: rclone-postgres-backups-external
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png
# renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
appVersion: 1.29.0

14
clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

58
clusters/cl01tl/helm/cloudnative-pg/values.yaml
View File

@@ -14,61 +14,3 @@ plugin-barman-cloud:
requests:
cpu: 1m
memory: 20Mi
rclone-postgres-backups-remote:
nameOverride: postgres-backups-remote-rclone
cronJob:
suspend: false
schedule: 30 6 * * 1
rclone:
source:
bucketName: postgres-backups
destination:
bucketName: postgres-backups
prune:
enabled: true
ageToPrune: 45d
include: "/cl01tl/*/*/*/base/**"
exclude: "**/walls/**"
secret:
externalSecret:
source:
credentials:
path: /garage/home-infra/postgres-backups
config:
path: /garage/config
destination:
credentials:
path: /garage/home-infra/postgres-backups
config:
path: /garage/config
rclone-postgres-backups-external:
nameOverride: postgres-backups-external-rclone
cronJob:
suspend: false
schedule: 0 6 * * 1
rclone:
source:
bucketName: postgres-backups
destination:
bucketName: postgres-backups-775957147abfbc73
prune:
enabled: true
ageToPrune: 45d
include: "/cl01tl/*/*/*/base/**"
exclude: "**/walls/**"
secret:
externalSecret:
source:
credentials:
path: /garage/home-infra/postgres-backups
config:
path: /garage/config
destination:
credentials:
path: /backblaze/home-infra/postgres-backups
keyIdProperty: AWS_ACCESS_KEY_ID
secretKeyProperty: AWS_SECRET_ACCESS_KEY
regionProperty: AWS_REGION
config:
path: /backblaze/config
endpointProperty: ENDPOINT

3
clusters/cl01tl/helm/coredns/Chart.yaml
View File

@@ -8,7 +8,6 @@ keywords:
home: https://docs.alexlebens.dev/applications/coredns/
sources:
- https://github.com/coredns/coredns
- https://explore.ggcr.dev/?repo=registry.k8s.io%2Fcoredns%2Fcoredns
- https://github.com/coredns/helm
maintainers:
- name: alexlebens
@@ -18,4 +17,4 @@ dependencies:
repository: https://coredns.github.io/helm
icon: https://raw.githubusercontent.com/coredns/coredns.io/refs/heads/master/static/images/favicon.png
# renovate: datasource=github-releases depName=coredns/coredns
appVersion: v1.14.3
appVersion: v1.14.2

14
clusters/cl01tl/helm/coredns/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

4
clusters/cl01tl/helm/coredns/values.yaml
View File

@@ -1,7 +1,7 @@
coredns:
image:
repository: coredns/coredns
tag: 1.14.3@sha256:b21d26b915e10acb5bc78715c1e8b6047ab2675389b2bcc18b3a6499d90e74c0
repository: registry.k8s.io/coredns/coredns
tag: v1.14.2@sha256:e7e6440cfd1e919280958f5b5a6ab2b184d385bba774c12ad2a9e1e4183f90d9
replicaCount: 3
resources:
limits:

19
clusters/cl01tl/helm/dawarich/Chart.lock
View File

@@ -1,21 +1,12 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
- name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts
version: 7.12.1
version: 7.11.1
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.1.1
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.1.1
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.1.1
digest: sha256:b91492397614b3b1b4647b93ae752de443b2c7438b0767780667625e28e5d929
generated: "2026-05-07T20:43:49.470766652Z"
version: 0.5.0
digest: sha256:1f513bd53430dd0fbba301ab5577aca85e984394dfdca9f615aae944a09c6bc0
generated: "2026-03-31T18:37:35.858603-05:00"

21
clusters/cl01tl/helm/dawarich/Chart.yaml
View File

@@ -12,34 +12,21 @@ sources:
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: dawarich
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
- name: postgres-cluster
alias: postgres-18-cluster
version: 7.12.1
version: 7.11.1
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey
version: 0.7.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-storage
version: 1.1.1
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-public
version: 1.1.1
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-watched
version: 1.1.1
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
# renovate: datasource=github-releases depName=Freika/dawarich
appVersion: 1.7.5
appVersion: 1.6.1

14
clusters/cl01tl/helm/dawarich/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

34
clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
View File

@@ -1,52 +1,42 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: dawarich-key
name: dawarich-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: dawarich-key
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: dawarich-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
name: vault
data:
- secretKey: key
remoteRef:
key: /cl01tl/dawarich/key
property: key
- secretKey: otp-primary-key
remoteRef:
key: /cl01tl/dawarich/key
property: otp-primary-key
- secretKey: otp-deterministic-key
remoteRef:
key: /cl01tl/dawarich/key
property: otp-deterministic-key
- secretKey: otp-derivation-salt
remoteRef:
key: /cl01tl/dawarich/key
property: otp-derivation-salt
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: dawarich-oidc-authentik
name: dawarich-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: dawarich-oidc-authentik
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: dawarich-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
name: vault
data:
- secretKey: client
remoteRef:
key: /cl01tl/authentik/oidc/dawarich
key: /authentik/oidc/dawarich
property: client
- secretKey: secret
remoteRef:
key: /cl01tl/authentik/oidc/dawarich
key: /authentik/oidc/dawarich
property: secret

79
clusters/cl01tl/helm/dawarich/values.yaml
View File

@@ -8,7 +8,7 @@ dawarich:
main:
image:
repository: freikin/dawarich
tag: 1.7.5@sha256:dceef4bf7bd5e6a842d61cdd2a82440a0db34f70dc766e02b0b3b212e13b4ba6
tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
command:
- "web-entrypoint.sh"
args:
@@ -61,12 +61,12 @@ dawarich:
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: dawarich-oidc-authentik
name: dawarich-oidc-secret
key: client
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: dawarich-oidc-authentik
name: dawarich-oidc-secret
key: secret
- name: OIDC_PROVIDER_NAME
value: Authentik
@@ -81,23 +81,8 @@ dawarich:
- name: SECRET_KEY_BASE
valueFrom:
secretKeyRef:
name: dawarich-key
name: dawarich-key-secret
key: key
- name: OTP_ENCRYPTION_PRIMARY_KEY
valueFrom:
secretKeyRef:
name: dawarich-key
key: otp-primary-key
- name: OTP_ENCRYPTION_DETERMINISTIC_KEY
valueFrom:
secretKeyRef:
name: dawarich-key
key: otp-deterministic-key
- name: OTP_ENCRYPTION_KEY_DERIVATION_SALT
valueFrom:
secretKeyRef:
name: dawarich-key
key: otp-derivation-salt
- name: RAILS_LOG_TO_STDOUT
value: true
- name: SELF_HOSTED
@@ -126,7 +111,7 @@ dawarich:
sidekiq:
image:
repository: freikin/dawarich
tag: 1.7.5@sha256:dceef4bf7bd5e6a842d61cdd2a82440a0db34f70dc766e02b0b3b212e13b4ba6
tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
command:
- "sidekiq-entrypoint.sh"
args:
@@ -176,12 +161,12 @@ dawarich:
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: dawarich-oidc-authentik
name: dawarich-oidc-secret
key: client
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: dawarich-oidc-authentik
name: dawarich-oidc-secret
key: secret
- name: OIDC_PROVIDER_NAME
value: Authentik
@@ -196,23 +181,8 @@ dawarich:
- name: SECRET_KEY_BASE
valueFrom:
secretKeyRef:
name: dawarich-key
name: dawarich-key-secret
key: key
- name: OTP_ENCRYPTION_PRIMARY_KEY
valueFrom:
secretKeyRef:
name: dawarich-key
key: otp-primary-key
- name: OTP_ENCRYPTION_DETERMINISTIC_KEY
valueFrom:
secretKeyRef:
name: dawarich-key
key: otp-deterministic-key
- name: OTP_ENCRYPTION_KEY_DERIVATION_SALT
valueFrom:
secretKeyRef:
name: dawarich-key
key: otp-derivation-salt
- name: RAILS_LOG_TO_STDOUT
value: true
- name: SELF_HOSTED
@@ -343,36 +313,3 @@ postgres-18-cluster:
immediate: true
schedule: "0 10 14 * * *"
backupName: garage-local
volsync-target-storage:
pvcTarget: dawarich-storage
local:
enabled: true
schedule: 6 8 * * *
remote:
enabled: true
schedule: 6 9 * * *
external:
enabled: true
schedule: 6 10 * * *
volsync-target-public:
pvcTarget: dawarich-public
local:
enabled: true
schedule: 8 8 * * *
remote:
enabled: true
schedule: 8 9 * * *
external:
enabled: true
schedule: 8 10 * * *
volsync-target-watched:
pvcTarget: dawarich-watched
local:
enabled: true
schedule: 8 8 * * *
remote:
enabled: true
schedule: 8 9 * * *
external:
enabled: true
schedule: 8 10 * * *

14
clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

9
clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml
View File

@@ -1,15 +1,16 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: synology-iscsi-config
name: synology-iscsi-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: synology-iscsi-config
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: synology-iscsi-config-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
name: vault
data:
- secretKey: driver-config-file.yaml
remoteRef:

7
clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml
View File

@@ -1,10 +1,11 @@
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Release.Namespace }}
name: democratic-csi-synology-iscsi
labels:
app.kubernetes.io/name: {{ .Release.Namespace }}
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/name: democratic-csi-synology-iscsi
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged

4
clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
View File

@@ -3,7 +3,7 @@ democratic-csi:
image:
registry: ghcr.io/democratic-csi/democratic-csi
tag: v1.9.5@@sha256:fc3b7d7ed3a616714139525075312758e23a5d425ffb539ad12c9bd20fb6001f
existingConfigSecret: synology-iscsi-config
existingConfigSecret: synology-iscsi-config-secret
config:
driver: synology-iscsi
resources:
@@ -47,8 +47,6 @@ democratic-csi:
fsType: ext4
node:
hostPID: true
rbac:
enabled: true
driver:
extraEnv:
- name: ISCSIADM_HOST_STRATEGY

14
clusters/cl01tl/helm/descheduler/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

14
clusters/cl01tl/helm/descheduler/values.yaml
View File

@@ -10,7 +10,7 @@ descheduler:
requests:
cpu: 10m
memory: 50Mi
deschedulingInterval: 2m
deschedulingInterval: 5m
replicas: 3
leaderElection:
enabled: true
@@ -51,13 +51,13 @@ descheduler:
- name: LowNodeUtilization
args:
thresholds:
cpu: 30
memory: 30
pods: 30
cpu: 20
memory: 20
pods: 20
targetThresholds:
cpu: 45
memory: 45
pods: 45
cpu: 50
memory: 50
pods: 60
plugins:
balance:
enabled:

16
clusters/cl01tl/helm/directus/Chart.lock
View File

@@ -1,18 +1,12 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
- name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts
version: 7.12.1
version: 7.11.1
- name: valkey
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
- name: rclone-bucket
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
- name: rclone-bucket
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
digest: sha256:3b9360b8254c3b79ddaa5da6f9d030ff954a69529d4a61d67b5e4d7797a0072c
generated: "2026-05-07T20:44:01.505038102Z"
version: 0.5.0
digest: sha256:116183cdff428293215553b7e60be9aefafbbaaaf64c01f1fc974badd3e0754b
generated: "2026-03-31T18:37:42.414041-05:00"

19
clusters/cl01tl/helm/directus/Chart.yaml
View File

@@ -5,37 +5,28 @@ description: Directus
keywords:
- directus
- content-management-system
home: https://docs.alexlebens.dev/applications/directus/
home: https://docs.alexlebens.dev/applications/descheduler/
sources:
- https://github.com/directus/directus
- https://github.com/directus/directus/pkgs/container/directus
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: directus
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
- name: postgres-cluster
alias: postgres-18-cluster
version: 7.12.1
version: 7.11.1
repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey
alias: valkey
version: 0.7.0
version: 0.5.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: rclone-bucket
alias: rclone-directus-assets-remote
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
- name: rclone-bucket
alias: rclone-directus-assets-external
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.7.0
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
# renovate: datasource=github-releases depName=directus/directus
appVersion: 11.17.4
appVersion: 11.17.1

14
clusters/cl01tl/helm/directus/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

133
clusters/cl01tl/helm/directus/templates/external-secret.yaml
View File

@@ -5,20 +5,13 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-config
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
name: vault
data:
- secretKey: key
remoteRef:
key: /cl01tl/directus/key
property: key
- secretKey: secret
remoteRef:
key: /cl01tl/directus/key
property: secret
- secretKey: admin-email
remoteRef:
key: /cl01tl/directus/config
@@ -27,6 +20,38 @@ spec:
remoteRef:
key: /cl01tl/directus/config
property: admin-password
- secretKey: secret
remoteRef:
key: /cl01tl/directus/config
property: secret
- secretKey: key
remoteRef:
key: /cl01tl/directus/config
property: key
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
key: /authentik/oidc/directus
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
key: /authentik/oidc/directus
property: secret
---
apiVersion: external-secrets.io/v1
@@ -36,67 +61,18 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-metric-token
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
name: vault
data:
- secretKey: metric-token
remoteRef:
key: /cl01tl/directus/metrics
property: metric-token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-valkey-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-valkey-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: user
remoteRef:
key: /cl01tl/directus/valkey
property: user
- secretKey: password
remoteRef:
key: /cl01tl/directus/valkey
property: password
- secretKey: default
remoteRef:
key: /cl01tl/directus/valkey
property: password
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-oidc-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-oidc-authentik
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
key: /cl01tl/authentik/oidc/directus
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
key: /cl01tl/authentik/oidc/directus
property: secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
@@ -105,11 +81,12 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-bucket-garage
{{- include "custom.labels" . | nindent 4 }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
@@ -123,3 +100,31 @@ spec:
remoteRef:
key: /garage/home-infra/directus-assets
property: ACCESS_REGION
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: directus-valkey-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: directus-valkey-config
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: default
remoteRef:
key: /cl01tl/directus/valkey
property: password
- secretKey: user
remoteRef:
key: /cl01tl/directus/valkey
property: user
- secretKey: password
remoteRef:
key: /cl01tl/directus/valkey
property: password

55
clusters/cl01tl/helm/directus/values.yaml
View File

@@ -8,7 +8,7 @@ directus:
main:
image:
repository: ghcr.io/directus/directus
tag: 11.17.4@sha256:eb326f679ae847c0a776f93b972761dc2ebe84980e0b9d274a6bc31cd62809f7
tag: 11.17.1@sha256:1dd2080a50a9f6df2b6f49df15a7734424bbd1a5902983c4b6e447f22027b80b
env:
- name: PUBLIC_URL
value: https://directus.alexlebens.net
@@ -113,12 +113,12 @@ directus:
- name: AUTH_AUTHENTIK_CLIENT_ID
valueFrom:
secretKeyRef:
name: directus-oidc-authentik
name: directus-oidc-secret
key: OIDC_CLIENT_ID
- name: AUTH_AUTHENTIK_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: directus-oidc-authentik
name: directus-oidc-secret
key: OIDC_CLIENT_SECRET
- name: AUTH_AUTHENTIK_SCOPE
value: openid profile email
@@ -210,48 +210,7 @@ valkey:
aclUsers:
default:
permissions: "~* &* +@all"
rclone-directus-assets-remote:
nameOverride: directus-assets-remote-rclone
cronJob:
suspend: false
schedule: 30 6 * * 2
rclone:
source:
bucketName: directus-assets
destination:
bucketName: directus-assets
secret:
externalSecret:
source:
credentials:
path: /garage/home-infra/directus-assets
config:
path: /garage/config
destination:
credentials:
path: /garage/home-infra/directus-assets
config:
path: /garage/config
rclone-directus-assets-external:
nameOverride: directus-assets-external-rclone
cronJob:
suspend: false
schedule: 0 6 * * 2
rclone:
source:
bucketName: directus-assets
destination:
bucketName: directus-assets-37363a16b71dc59b
secret:
externalSecret:
source:
credentials:
path: /garage/home-infra/directus-assets
config:
path: /garage/config
destination:
credentials:
path: /backblaze/home-infra/directus-assets
config:
path: /backblaze/config
endpointProperty: ENDPOINT
# No option to configure metrics when auth is enabled
# https://github.com/valkey-io/valkey-helm/issues/135
metrics:
enabled: false

6
clusters/cl01tl/helm/elastic-operator/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies:
- name: eck-operator
repository: https://helm.elastic.co
version: 3.4.0
digest: sha256:b4787630154471f65ceeb12f65fa24616eab9470e61e089b8e656e42f05f74f1
generated: "2026-05-06T19:10:32.416627028Z"
version: 3.3.2
digest: sha256:ac7a849a6d8244ef56c11f18438c4c76133f92d245228c5a1c8369d42562c177
generated: "2026-04-01T21:30:02.975920565Z"

4
clusters/cl01tl/helm/elastic-operator/Chart.yaml
View File

@@ -14,8 +14,8 @@ maintainers:
- name: alexlebens
dependencies:
- name: eck-operator
version: 3.4.0
version: 3.3.2
repository: https://helm.elastic.co
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/elastic.png
# renovate: datasource=github-releases depName=elastic/cloud-on-k8s
appVersion: v3.4.0
appVersion: v3.3.2

14
clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

1
clusters/cl01tl/helm/elastic-operator/values.yaml
View File

@@ -1,6 +1,7 @@
eck-operator:
managedNamespaces:
- tubearchivist
- stalwart
installCRDs: true
replicaCount: 2
resources:

8
clusters/cl01tl/helm/element-web/Chart.lock
View File

@@ -1,9 +1,9 @@
dependencies:
- name: element-web
repository: https://ananace.gitlab.io/charts
version: 1.4.36
version: 1.4.33
- name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts
version: 2.6.0
digest: sha256:36b3f340ee46f20961fdaac41724528c6c3d4b34bf26d97779da7e33087250a1
generated: "2026-05-03T00:56:23.054212477Z"
version: 2.4.0
digest: sha256:63b0e582d42fb42bcf4d96ba4b299e42c434c42f284208596808288543192fe0
generated: "2026-03-24T16:11:50.424321433Z"

6
clusters/cl01tl/helm/element-web/Chart.yaml
View File

@@ -15,11 +15,11 @@ maintainers:
- name: alexlebens
dependencies:
- name: element-web
version: 1.4.36
version: 1.4.33
repository: https://ananace.gitlab.io/charts
- name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts
version: 2.6.0
version: 2.4.0
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
# renovate: datasource=github-releases depName=element-hq/element-web
appVersion: v1.12.17
appVersion: v1.12.13

14
clusters/cl01tl/helm/element-web/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

2
clusters/cl01tl/helm/element-web/values.yaml
View File

@@ -2,7 +2,7 @@ element-web:
replicaCount: 1
image:
repository: ghcr.io/element-hq/element-web
tag: v1.12.17@sha256:f4a81a24d49a9c5b97e02e77a3013ec799873e500e69041078a28be98e4f1280
tag: v1.12.13@sha256:5107e63026c13ed014f743e485821b7d4b56d275a41e76303859bb14f5f94eb6
defaultServer:
url: https://matrix.alexlebens.dev
name: alexlebens.dev

7
clusters/cl01tl/helm/eraser/Chart.lock
View File

@@ -2,8 +2,5 @@ dependencies:
- name: eraser
repository: https://eraser-dev.github.io/eraser/charts
version: 1.4.1
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
digest: sha256:b510fa700aade3c4ff5d8cacd8099c6f52d958aff97d436d4fe63abde2200439
generated: "2026-05-07T20:44:14.408868308Z"
digest: sha256:da828de684b0cd82e99994586f3db4f55c43c01607c4d8d0e70e204c7bbbbf5b
generated: "2025-12-03T22:53:20.200917773Z"

6
clusters/cl01tl/helm/eraser/Chart.yaml
View File

@@ -9,19 +9,13 @@ home: https://docs.alexlebens.dev/applications/eraser/
sources:
- https://github.com/eraser-dev/eraser
- https://github.com/eraser-dev/eraser/pkgs/container/eraser-manager
- https://github.com/open-telemetry/opentelemetry-collector-releases/pkgs/container/opentelemetry-collector-releases%2Fopentelemetry-collector
- https://github.com/eraser-dev/eraser/tree/main/charts/eraser
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
maintainers:
- name: alexlebens
dependencies:
- name: eraser
version: 1.4.1
repository: https://eraser-dev.github.io/eraser/charts
- name: app-template
alias: eraser-metrics
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
icon: https://raw.githubusercontent.com/eraser-dev/eraser/refs/heads/main/images/eraser-logo-color-1c.png
# renovate: datasource=github-releases depName=eraser-dev/eraser
appVersion: v1.4.1

14
clusters/cl01tl/helm/eraser/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

87
clusters/cl01tl/helm/eraser/values.yaml
View File

@@ -35,90 +35,3 @@ eraser:
requests:
cpu: 1m
memory: 20Mi
eraser-metrics:
global:
nameOverride: eraser-metrics
fullnameOverride: eraser-metrics
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
serviceAccount:
name: eraser-metrics
containers:
main:
image:
repository: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector
tag: 0.151.0@sha256:49a12827519134ed72881a64247ea43fbf4bdac50cfa41ceb495fc1c684451e2
command:
- /otelcol
- --config=/conf/otel-collector-config.yaml
resources:
requests:
cpu: 10m
memory: 20Mi
configMaps:
config:
enabled: true
forceRename: eraser-config
data:
otel-collector-config.yaml: |
receivers:
otlp:
protocols:
http:
exporters:
prometheus:
endpoint: "0.0.0.0:8889"
send_timestamps: true
metric_expiration: 180m
service:
telemetry:
logs:
encoding: json
pipelines:
metrics:
receivers:
- otlp
exporters:
- prometheus
serviceAccount:
eraser:
enabled: true
service:
main:
controller: main
ports:
http:
port: 4318
targetPort: 4318
metrics:
port: 8889
targetPort: 8889
serviceMonitor:
main:
selector:
matchLabels:
app.kubernetes.io/name: eraser-metrics
app.kubernetes.io/instance: eraser-metrics
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: metrics
interval: 30s
scrapeTimeout: 15s
path: /metrics
persistence:
config:
enabled: true
type: configMap
name: eraser-config
advancedMounts:
main:
main:
- path: /conf/otel-collector-config.yaml
readOnly: true
mountPropagation: None
subPath: otel-collector-config.yaml

6
clusters/cl01tl/helm/excalidraw/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
digest: sha256:297d4f45c64ccbaac66c103774e97bacde3f249cab40afef06c0c1106b62ab79
generated: "2026-05-07T20:44:26.213030206Z"
version: 4.6.2
digest: sha256:e05d84dd266b8b456a8bc7f9a2bb3ab01f4ac926efd1a58cf405b0cdab343d3f
generated: "2026-01-17T18:27:08.062835-06:00"

6
clusters/cl01tl/helm/excalidraw/Chart.yaml
View File

@@ -5,7 +5,7 @@ description: Excalidraw
keywords:
- excalidraw
- drawing
home: https://docs.alexlebens.dev/applications/excalidraw/
home: https://docs.alexlebens.dev/applications/eraser/
sources:
- https://github.com/excalidraw/excalidraw
- https://hub.docker.com/r/excalidraw/excalidraw
@@ -16,7 +16,7 @@ dependencies:
- name: app-template
alias: excalidraw
repository: https://bjw-s-labs.github.io/helm-charts/
version: 5.0.0
version: 4.6.2
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/excalidraw.png
# renovate: datasource=github-releases depName=excalidraw/excalidraw
appVersion: v0.18.1
appVersion: v0.18.0

14
clusters/cl01tl/helm/excalidraw/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

2
clusters/cl01tl/helm/excalidraw/values.yaml
View File

@@ -8,7 +8,7 @@ excalidraw:
main:
image:
repository: excalidraw/excalidraw
tag: latest@sha256:f7ee194addd607bf831d2af0f0a34463dd4225e426cf35199ef0b12a803398e9
tag: latest@sha256:3c2513e830bb6e195147c05b34ecf8393d0ba2b1cc86e93b407a5777d6135c6c
env:
- name: NODE_ENV
value: production

6
clusters/cl01tl/helm/external-dns/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies:
- name: external-dns
repository: https://kubernetes-sigs.github.io/external-dns/
version: 1.21.1
digest: sha256:c0fc34e2a1fd5a100043c2e22130a3a7910019b655c5e69a50424562f4322f5d
generated: "2026-05-01T02:29:38.018973854Z"
version: 1.20.0
digest: sha256:0da4dec408239ea48de1d95fa8ad7701c4fdc0efe67baa8743507c75e62e2a47
generated: "2026-01-03T23:04:25.142170083Z"

6
clusters/cl01tl/helm/external-dns/Chart.yaml
View File

@@ -5,7 +5,7 @@ description: External DNS
keywords:
- external-dns
- dns
home: https://docs.alexlebens.dev/applications/external-dns/
home: https://docs.alexlebens.dev/applications/eraser/
sources:
- https://github.com/kubernetes-sigs/external-dns
- https://explore.ggcr.dev/?repo=registry.k8s.io%2Fexternal-dns%2Fexternal-dns
@@ -16,8 +16,8 @@ maintainers:
dependencies:
- name: external-dns
alias: external-dns-unifi
version: 1.21.1
version: 1.20.0
repository: https://kubernetes-sigs.github.io/external-dns/
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
# renovate: datasource=github-releases depName=kubernetes-sigs/external-dns
appVersion: v0.21.0
appVersion: v0.20.0

14
clusters/cl01tl/helm/external-dns/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

Some files were not shown because too many files have changed in this diff Show More