apiVersion: apps/v1 kind: Deployment metadata: name: home-assistant labels: app.kubernetes.io/controller: main app.kubernetes.io/instance: home-assistant app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: home-assistant helm.sh/chart: home-assistant-4.6.2 namespace: home-assistant spec: revisionHistoryLimit: 3 replicas: 1 strategy: type: Recreate selector: matchLabels: app.kubernetes.io/controller: main app.kubernetes.io/name: home-assistant app.kubernetes.io/instance: home-assistant template: metadata: labels: app.kubernetes.io/controller: main app.kubernetes.io/instance: home-assistant app.kubernetes.io/name: home-assistant spec: enableServiceLinks: false serviceAccountName: default automountServiceAccountToken: true hostIPC: false hostNetwork: false hostPID: false dnsPolicy: ClusterFirst containers: - env: - name: TZ value: US/Central - name: PUID value: "1000" - name: PGID value: "1000" - name: DEFAULT_WORKSPACE value: /config envFrom: - secretRef: name: home-assistant-code-server-password-secret image: ghcr.io/linuxserver/code-server:4.111.0@sha256:12c04b41f601604795562ece2ac64cade7cfca632415f4bfb1742477e3226272 imagePullPolicy: IfNotPresent name: code-server resources: requests: cpu: 10m memory: 128Mi volumeMounts: - mountPath: /config/home-assistant name: config - env: - name: TZ value: US/Central image: ghcr.io/home-assistant/home-assistant:2026.3.1 imagePullPolicy: IfNotPresent name: main resources: requests: cpu: 50m memory: 512Mi volumeMounts: - mountPath: /config name: config volumes: - name: config persistentVolumeClaim: claimName: home-assistant-config --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: home-assistant-code-server-password-secret namespace: home-assistant labels: app.kubernetes.io/name: home-assistant-code-server-password-secret app.kubernetes.io/instance: home-assistant app.kubernetes.io/part-of: home-assistant spec: secretStoreRef: kind: ClusterSecretStore name: vault data: - secretKey: PASSWORD remoteRef: conversionStrategy: Default decodingStrategy: None key: /cl01tl/home-assistant/code-server/auth metadataPolicy: None property: PASSWORD - secretKey: SUDO_PASSWORD remoteRef: conversionStrategy: Default decodingStrategy: None key: /cl01tl/home-assistant/code-server/auth metadataPolicy: None property: SUDO_PASSWORD --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: home-assistant-config-backup-secret-external namespace: home-assistant labels: helm.sh/chart: volsync-target-config-0.8.0 app.kubernetes.io/instance: home-assistant app.kubernetes.io/part-of: home-assistant app.kubernetes.io/version: "0.8.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: home-assistant-config-backup-secret-external spec: secretStoreRef: kind: ClusterSecretStore name: vault target: template: mergePolicy: Merge engineVersion: v2 data: RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/home-assistant/home-assistant-config" data: - secretKey: BUCKET_ENDPOINT remoteRef: conversionStrategy: Default decodingStrategy: None key: /volsync/restic/digital-ocean metadataPolicy: None property: BUCKET_ENDPOINT - secretKey: RESTIC_PASSWORD remoteRef: conversionStrategy: Default decodingStrategy: None key: /volsync/restic/digital-ocean metadataPolicy: None property: RESTIC_PASSWORD - secretKey: AWS_DEFAULT_REGION remoteRef: conversionStrategy: Default decodingStrategy: None key: /digital-ocean/home-infra/volsync-backups metadataPolicy: None property: AWS_DEFAULT_REGION - secretKey: AWS_ACCESS_KEY_ID remoteRef: conversionStrategy: Default decodingStrategy: None key: /digital-ocean/home-infra/volsync-backups metadataPolicy: None property: AWS_ACCESS_KEY_ID - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: conversionStrategy: Default decodingStrategy: None key: /digital-ocean/home-infra/volsync-backups metadataPolicy: None property: AWS_SECRET_ACCESS_KEY --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: home-assistant-config-backup-secret-local namespace: home-assistant labels: helm.sh/chart: volsync-target-config-0.8.0 app.kubernetes.io/instance: home-assistant app.kubernetes.io/part-of: home-assistant app.kubernetes.io/version: "0.8.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: home-assistant-config-backup-secret-local spec: secretStoreRef: kind: ClusterSecretStore name: vault target: template: mergePolicy: Merge engineVersion: v2 data: RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/home-assistant/home-assistant-config" data: - secretKey: BUCKET_ENDPOINT remoteRef: conversionStrategy: Default decodingStrategy: None key: /volsync/restic/garage-local metadataPolicy: None property: BUCKET_ENDPOINT - secretKey: RESTIC_PASSWORD remoteRef: conversionStrategy: Default decodingStrategy: None key: /volsync/restic/garage-local metadataPolicy: None property: RESTIC_PASSWORD - secretKey: AWS_DEFAULT_REGION remoteRef: conversionStrategy: Default decodingStrategy: None key: /garage/home-infra/volsync-backups metadataPolicy: None property: ACCESS_REGION - secretKey: AWS_ACCESS_KEY_ID remoteRef: conversionStrategy: Default decodingStrategy: None key: /garage/home-infra/volsync-backups metadataPolicy: None property: ACCESS_KEY_ID - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: conversionStrategy: Default decodingStrategy: None key: /garage/home-infra/volsync-backups metadataPolicy: None property: ACCESS_SECRET_KEY --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: home-assistant-config-backup-secret-remote namespace: home-assistant labels: helm.sh/chart: volsync-target-config-0.8.0 app.kubernetes.io/instance: home-assistant app.kubernetes.io/part-of: home-assistant app.kubernetes.io/version: "0.8.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: home-assistant-config-backup-secret-remote spec: secretStoreRef: kind: ClusterSecretStore name: vault target: template: mergePolicy: Merge engineVersion: v2 data: RESTIC_REPOSITORY: "{{ .BUCKET_ENDPOINT }}/home-assistant/home-assistant-config" data: - secretKey: BUCKET_ENDPOINT remoteRef: conversionStrategy: Default decodingStrategy: None key: /volsync/restic/garage-remote metadataPolicy: None property: BUCKET_ENDPOINT - secretKey: RESTIC_PASSWORD remoteRef: conversionStrategy: Default decodingStrategy: None key: /volsync/restic/garage-remote metadataPolicy: None property: RESTIC_PASSWORD - secretKey: AWS_DEFAULT_REGION remoteRef: conversionStrategy: Default decodingStrategy: None key: /garage/home-infra/volsync-backups metadataPolicy: None property: ACCESS_REGION - secretKey: AWS_ACCESS_KEY_ID remoteRef: conversionStrategy: Default decodingStrategy: None key: /garage/home-infra/volsync-backups metadataPolicy: None property: ACCESS_KEY_ID - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: conversionStrategy: Default decodingStrategy: None key: /garage/home-infra/volsync-backups metadataPolicy: None property: ACCESS_SECRET_KEY --- apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: home-assistant-token-secret namespace: home-assistant labels: app.kubernetes.io/name: home-assistant-token-secret app.kubernetes.io/instance: home-assistant app.kubernetes.io/part-of: home-assistant spec: secretStoreRef: kind: ClusterSecretStore name: vault data: - secretKey: bearer-token remoteRef: conversionStrategy: Default decodingStrategy: None key: /cl01tl/home-assistant/auth metadataPolicy: None property: bearer-token --- apiVersion: gateway.networking.k8s.io/v1alpha2 kind: HTTPRoute metadata: name: home-assistant-code-server labels: app.kubernetes.io/instance: home-assistant app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: home-assistant helm.sh/chart: home-assistant-4.6.2 namespace: home-assistant spec: parentRefs: - group: gateway.networking.k8s.io kind: Gateway name: traefik-gateway namespace: traefik hostnames: - "home-assistant-code-server.alexlebens.net" rules: - backendRefs: - group: "" kind: Service name: home-assistant-code-server namespace: home-assistant port: 8443 weight: 100 matches: - path: type: PathPrefix value: / --- apiVersion: gateway.networking.k8s.io/v1alpha2 kind: HTTPRoute metadata: name: home-assistant-main labels: app.kubernetes.io/instance: home-assistant app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: home-assistant helm.sh/chart: home-assistant-4.6.2 namespace: home-assistant spec: parentRefs: - group: gateway.networking.k8s.io kind: Gateway name: traefik-gateway namespace: traefik hostnames: - "home-assistant.alexlebens.net" rules: - backendRefs: - group: "" kind: Service name: home-assistant-main namespace: home-assistant port: 80 weight: 100 matches: - path: type: PathPrefix value: / --- kind: PersistentVolumeClaim apiVersion: v1 metadata: name: home-assistant-config labels: app.kubernetes.io/instance: home-assistant app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: home-assistant helm.sh/chart: home-assistant-4.6.2 namespace: home-assistant spec: accessModes: - "ReadWriteOnce" resources: requests: storage: "5Gi" storageClassName: "ceph-block" --- apiVersion: volsync.backube/v1alpha1 kind: ReplicationSource metadata: name: home-assistant-config-backup-source-external namespace: home-assistant labels: helm.sh/chart: volsync-target-config-0.8.0 app.kubernetes.io/instance: home-assistant app.kubernetes.io/part-of: home-assistant app.kubernetes.io/version: "0.8.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: home-assistant-config-backup spec: sourcePVC: home-assistant-config trigger: schedule: 22 10 * * * restic: pruneIntervalDays: 7 repository: home-assistant-config-backup-secret-external retain: daily: 7 hourly: 0 monthly: 3 weekly: 4 yearly: 1 moverSecurityContext: fsGroup: 1000 fsGroupChangePolicy: OnRootMismatch runAsGroup: 1000 runAsUser: 1000 copyMethod: Snapshot storageClassName: ceph-block volumeSnapshotClassName: ceph-blockpool-snapshot cacheCapacity: 1Gi --- apiVersion: volsync.backube/v1alpha1 kind: ReplicationSource metadata: name: home-assistant-config-backup-source-local namespace: home-assistant labels: helm.sh/chart: volsync-target-config-0.8.0 app.kubernetes.io/instance: home-assistant app.kubernetes.io/part-of: home-assistant app.kubernetes.io/version: "0.8.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: home-assistant-config-backup spec: sourcePVC: home-assistant-config trigger: schedule: 22 8 * * * restic: pruneIntervalDays: 7 repository: home-assistant-config-backup-secret-local retain: daily: 7 hourly: 0 monthly: 3 weekly: 4 yearly: 1 moverSecurityContext: fsGroup: 1000 fsGroupChangePolicy: OnRootMismatch runAsGroup: 1000 runAsUser: 1000 copyMethod: Snapshot storageClassName: ceph-block volumeSnapshotClassName: ceph-blockpool-snapshot cacheCapacity: 1Gi --- apiVersion: volsync.backube/v1alpha1 kind: ReplicationSource metadata: name: home-assistant-config-backup-source-remote namespace: home-assistant labels: helm.sh/chart: volsync-target-config-0.8.0 app.kubernetes.io/instance: home-assistant app.kubernetes.io/part-of: home-assistant app.kubernetes.io/version: "0.8.0" app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: home-assistant-config-backup spec: sourcePVC: home-assistant-config trigger: schedule: 22 9 * * * restic: pruneIntervalDays: 7 repository: home-assistant-config-backup-secret-remote retain: daily: 7 hourly: 0 monthly: 3 weekly: 4 yearly: 1 moverSecurityContext: fsGroup: 1000 fsGroupChangePolicy: OnRootMismatch runAsGroup: 1000 runAsUser: 1000 copyMethod: Snapshot storageClassName: ceph-block volumeSnapshotClassName: ceph-blockpool-snapshot cacheCapacity: 1Gi --- apiVersion: v1 kind: Service metadata: name: home-assistant-code-server labels: app.kubernetes.io/instance: home-assistant app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: home-assistant app.kubernetes.io/service: home-assistant-code-server helm.sh/chart: home-assistant-4.6.2 namespace: home-assistant spec: type: ClusterIP ports: - port: 8443 targetPort: 8443 protocol: TCP name: http selector: app.kubernetes.io/controller: main app.kubernetes.io/instance: home-assistant app.kubernetes.io/name: home-assistant --- apiVersion: v1 kind: Service metadata: name: home-assistant-main labels: app.kubernetes.io/instance: home-assistant app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: home-assistant app.kubernetes.io/service: home-assistant-main helm.sh/chart: home-assistant-4.6.2 namespace: home-assistant spec: type: ClusterIP ports: - port: 80 targetPort: 8123 protocol: TCP name: http selector: app.kubernetes.io/controller: main app.kubernetes.io/instance: home-assistant app.kubernetes.io/name: home-assistant --- apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: home-assistant labels: app.kubernetes.io/instance: home-assistant app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: home-assistant helm.sh/chart: home-assistant-4.6.2 namespace: home-assistant spec: jobLabel: home-assistant namespaceSelector: matchNames: - home-assistant selector: matchLabels: app.kubernetes.io/instance: home-assistant app.kubernetes.io/name: home-assistant app.kubernetes.io/service: home-assistant-main endpoints: - bearerTokenSecret: key: bearer-token name: home-assistant-token-secret interval: 3m path: /api/prometheus port: http scrapeTimeout: 1m