├── .archive └── kube │ ├── authentik-renovate-cve-test.yaml │ ├── clusters │ ├── biohazard │ │ └── flux │ │ │ └── flux-install.yaml │ ├── hercules │ │ ├── README.md │ │ ├── config │ │ │ └── kustomization.yaml │ │ ├── kairos │ │ │ ├── cloud-config.yaml │ │ │ ├── install-from-workstation-over-ssh.sh │ │ │ └── kairos-takeover.sh │ │ └── talos │ │ │ └── install-from-rescue.sh │ ├── nuclear │ │ ├── config │ │ │ ├── kustomization.yaml │ │ │ └── versions.env │ │ ├── flux │ │ │ ├── flux-install.yaml │ │ │ ├── flux-repo.yaml │ │ │ └── kustomization.yaml │ │ └── talos │ │ │ └── talconfig.yaml │ └── sinon │ │ ├── README.md │ │ ├── config │ │ ├── externalsecret-secrets.yaml │ │ ├── externalsecret-vars.yaml │ │ └── kustomization.yaml │ │ ├── flux │ │ ├── externalsecret.yaml │ │ ├── flux-repo.yaml │ │ └── kustomization.yaml │ │ └── talos │ │ ├── talconfig.yaml │ │ └── talsecret.yaml │ └── deploy │ ├── apps │ ├── collabora │ │ ├── app │ │ │ ├── es.yaml │ │ │ ├── hr.yaml │ │ │ └── ns.yaml │ │ ├── ks.yaml │ │ └── kustomization.yaml │ ├── default │ │ ├── deps │ │ │ ├── fuck-off.yaml │ │ │ ├── namespace.yaml │ │ │ └── tls.yaml │ │ ├── ks.yaml │ │ └── kustomization.yaml │ ├── findmydeviceserver │ │ ├── app │ │ │ ├── hr.yaml │ │ │ └── secrets.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ ├── grocy │ │ ├── app │ │ │ ├── authentik.yaml │ │ │ ├── hr.yaml │ │ │ └── volsync.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ ├── headscale │ │ ├── app │ │ │ ├── external-dns.yaml │ │ │ ├── hr.yaml │ │ │ ├── netpol.yaml │ │ │ ├── secrets.yaml │ │ │ └── tls.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ ├── joplin │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── hr.yaml │ │ │ ├── kyverno-pgo-add-sslmode.yaml │ │ │ └── secrets.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ ├── livestream │ │ ├── deps │ │ │ ├── namespace.yaml │ │ │ └── tls.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── oven │ │ │ ├── engine │ │ │ 
├── hr.yaml │ │ │ └── netpol.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── player │ │ │ ├── hr.yaml │ │ │ └── netpol.yaml │ ├── media-edit │ │ ├── app │ │ │ ├── es.yaml │ │ │ └── hr.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ ├── neko │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ ├── ns.yaml │ │ └── xfce │ │ │ ├── hr.yaml │ │ │ ├── netpol.yaml │ │ │ ├── pvc.yaml │ │ │ ├── secrets.yaml │ │ │ └── volsync.yaml │ ├── nextcloud │ │ ├── app │ │ │ ├── hr.yaml │ │ │ ├── netpol.yaml │ │ │ ├── nfs.yaml │ │ │ ├── secrets.yaml │ │ │ └── volsync.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ ├── ollama │ │ ├── app │ │ │ ├── es.yaml │ │ │ ├── hr.yaml │ │ │ └── pvc.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ ├── psono │ │ ├── app │ │ │ ├── cm-client.yaml │ │ │ ├── hr.yaml │ │ │ ├── netpol.yaml │ │ │ └── secrets.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ ├── readeck │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ └── hr.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ ├── renovate │ │ ├── app │ │ │ ├── hr.yaml │ │ │ └── secrets.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ ├── syncthing │ │ ├── deps │ │ │ ├── kustomization.yaml │ │ │ └── namespace.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── user1 │ │ │ ├── hr.yaml │ │ │ ├── netpol.yaml │ │ │ └── volsync.yaml │ ├── tetragon │ │ ├── app │ │ │ └── hr.yaml │ │ ├── ks.yaml │ │ └── kustomization.yaml │ ├── yagpdb │ │ ├── app │ │ │ ├── hr.yaml │ │ │ └── secrets.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ └── zerotier │ │ ├── .sops.yaml │ │ ├── 1-namespace.yaml │ │ ├── 2-certs.yaml │ │ ├── 3-pvc.yaml │ │ ├── 4-controller.yaml │ │ ├── 5-ui.yaml │ │ ├── ks-unfinished.yaml │ │ └── kustomization.yaml │ └── core │ ├── _networking │ ├── cilium │ │ └── app │ │ │ └── bootstrap-install │ │ │ ├── install.sh │ │ │ └── kustomization.yaml │ ├── frr │ │ ├── app │ │ │ └── hr.yaml │ 
│ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ └── tailscale │ │ ├── app │ │ ├── clusterrolebinding.yaml │ │ ├── hr.yaml │ │ ├── netpol.yaml │ │ └── secrets-oauth.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ ├── ns.yaml │ │ └── router │ │ ├── hr.yaml │ │ ├── netpol.yaml │ │ ├── rbac.yaml │ │ └── secrets.yaml │ ├── db │ └── pg │ │ ├── app │ │ └── grafana.yaml │ │ └── clusters │ │ ├── default │ │ ├── .sops.yaml │ │ ├── cluster.yaml │ │ ├── crunchy.yaml │ │ ├── dump-local.yaml │ │ ├── kustomization.yaml │ │ ├── netpol.yaml │ │ ├── nfs.yaml │ │ ├── s3.yaml │ │ ├── scheduledbackup.yaml │ │ ├── secrets-sync.kyverno.yaml │ │ └── superuser.sops.yaml │ │ └── enc │ │ ├── .sops.yaml │ │ ├── cluster.yaml │ │ ├── dump-local.yaml │ │ ├── kustomization.yaml │ │ ├── netpol.yaml │ │ ├── s3.yaml │ │ ├── scheduledbackup.yaml │ │ └── superuser.sops.yaml │ ├── ingress │ └── external │ │ └── install.yaml │ ├── kyverno │ ├── _deps │ │ ├── _crds-kyverno.yaml │ │ └── kustomization.yaml │ ├── app │ │ ├── hr.yaml │ │ └── netpol.yaml │ ├── ks.yaml │ ├── kustomization.yaml │ ├── ns.yaml │ └── policies │ │ ├── anti-delete-all-persistence.yaml │ │ ├── cnp-within-ns.yaml │ │ ├── flux-system.yaml │ │ ├── jellyfin-gpu-patch.yaml │ │ └── pod-reloader.yaml │ ├── monitoring │ ├── _deps │ │ └── kube-prometheus.yaml │ ├── fortigate-exporter │ │ ├── app │ │ │ ├── es.yaml │ │ │ └── hr.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ ├── kps │ │ └── app │ │ │ ├── alertmanager │ │ │ ├── config.yaml │ │ │ ├── kustomization.yaml │ │ │ └── secrets.yaml │ │ │ ├── config │ │ │ └── node-exporter.yaml │ │ │ └── helm-values │ │ │ └── alertmanager.yaml │ ├── kube-state-metrics │ │ ├── app │ │ │ └── hr.yaml │ │ ├── ks.yaml │ │ └── kustomization.yaml │ ├── snmp-exporter │ │ ├── app │ │ │ ├── es.yaml │ │ │ └── hr.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ └── victoria │ │ ├── README.md │ │ ├── agent │ │ └── vmagent.yaml │ │ ├── cluster │ │ └── vmcluster.yaml │ 
│ ├── crds.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ ├── operator │ │ └── install.yaml │ │ └── repo.yaml │ ├── secrets │ └── external-secrets │ │ └── stores │ │ └── aws-ssm │ │ ├── clustersecretstore.yaml │ │ └── secrets.yaml │ ├── storage │ ├── csi-driver-nfs │ │ ├── app │ │ │ └── hr.yaml │ │ ├── ks.yaml │ │ └── kustomization.yaml │ ├── minio-nas │ │ ├── app │ │ │ ├── es.yaml │ │ │ ├── hr.yaml │ │ │ ├── netpol.yaml │ │ │ └── pvc.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── ns.yaml │ └── rook-ceph │ │ ├── cluster │ │ └── sinon │ │ │ ├── hr.yaml │ │ │ ├── netpol.yaml │ │ │ └── svc.yaml │ │ └── pve │ │ ├── app │ │ ├── .sops.yaml │ │ ├── ceph-cluster.sops.yaml │ │ ├── ceph-monitor.yaml │ │ ├── ceph-prometheus.yaml │ │ ├── create-secrets.sh │ │ ├── kustomization.yaml │ │ ├── object-radosgw-certs.yaml │ │ ├── object.yaml │ │ ├── pveceph-object.sh │ │ ├── secret.sops.yaml │ │ ├── storage-class.yaml │ │ └── volume-snapshot-class.yaml │ │ ├── ks.yaml │ │ └── kustomization.yaml │ └── system-upgrade-controller │ ├── app │ ├── hr.yaml │ ├── netpol.yaml │ └── rbac.yaml │ ├── ks.yaml │ ├── kustomization.yaml │ ├── ns.yaml │ └── plans │ └── talos │ ├── app │ ├── k8s.yaml │ ├── rbac.yaml │ └── talos.yaml │ ├── ks.yaml │ └── kustomization.yaml ├── .github ├── CODEOWNERS-disabled └── workflows │ ├── flux-localhost-build.yaml │ ├── kube-flux-diff.yaml │ ├── ostree-build.yaml │ ├── purge-readme-badge-cache.yaml │ ├── renovate-rebase.yaml │ ├── renovate-sort-prs.py │ └── renovate.yaml ├── .gitignore ├── .gitmodules ├── .mise.toml ├── .pre-commit-config.yaml ├── .renovate ├── clusters.json5 ├── commitMessage.json5 ├── grafanaDashboards.json5 ├── groups.json5 ├── labels.json5 ├── mise.json5 └── security.json5 ├── .renovaterc.json5 ├── .sops-stdin.yaml ├── .sops.yaml ├── .taskfiles ├── 1p │ └── Taskfile.dist.yaml ├── README.md ├── bootstrap │ └── Taskfile.dist.yaml ├── cluster │ ├── Taskfile.dist.yaml │ ├── cluster-init-sops-apply-configmap-kustomization.tmpl.yaml │ 
├── cluster-init-sops-apply-secret-kustomization.tmpl.yaml │ └── kustomizeconfig.yaml ├── flux │ ├── Taskfile.dist.yaml │ └── cantWait.yaml ├── k8s │ ├── Taskfile.dist.yaml │ └── template │ │ ├── host-privileged │ │ └── priv-pod.yaml │ │ └── iperf2 │ │ ├── client.yaml │ │ └── server.yaml ├── pg │ └── Taskfile.dist.yaml ├── pulumi │ └── Taskfile.dist.yaml ├── rook │ ├── Taskfile.dist.yaml │ ├── wipe-rook-state-job.tmpl.yaml │ └── zap-disk-job.tmpl.yaml ├── talos │ ├── Taskfile.dist.yaml │ └── talhelper-secrets-1p.env ├── truenas │ └── Taskfile.dist.yaml └── volsync │ ├── Taskfile.dist.yaml │ └── template │ ├── ReplicationDestination.tmpl.yaml │ ├── rsrc.tmp.yaml │ └── wipe-pvc.tmpl.yaml ├── .venv ├── .gitignore └── .mise-py-pkg ├── .vscode ├── extensions.json └── settings.json ├── LICENSE ├── README.md ├── Taskfile.dist.yaml ├── _redirects ├── dots ├── k9s │ ├── .gitignore │ ├── aliases.yaml │ ├── clusters │ │ └── biohazard │ │ │ └── biohazard │ │ │ └── config.yaml │ ├── config.yaml │ └── skins ├── kanshi │ └── blackhawk ├── nvim │ ├── init.lua │ ├── lazy-lock.json │ └── setup.sh ├── starship.toml └── vimrc ├── kube ├── bootstrap │ ├── README.md │ └── flux │ │ ├── flux-install-localhost.yaml │ │ └── svc-metrics.yaml ├── clusters │ └── biohazard │ │ ├── config │ │ ├── externalsecret-secrets.yaml │ │ ├── externalsecret-vars.yaml │ │ ├── gvisor.yaml │ │ └── kustomization.yaml │ │ ├── flux │ │ ├── externalsecret.yaml │ │ ├── flux-repo.yaml │ │ └── kustomization.yaml │ │ └── talos │ │ ├── talconfig.yaml │ │ ├── talsecret.yaml │ │ └── watchdog.yaml ├── deploy │ ├── apps │ │ ├── README.md │ │ ├── actual │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── atuin │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── audiobookshelf │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ ├── pvc.yaml │ │ │ │ └── volsync.yaml │ │ │ ├── ks.yaml │ │ │ ├── 
kustomization.yaml │ │ │ └── ns.yaml │ │ ├── authentik │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ ├── netpol.yaml │ │ │ │ └── tls.yaml │ │ │ ├── forward-auth │ │ │ │ ├── ingress.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── blocky │ │ │ ├── app │ │ │ │ ├── config │ │ │ │ │ ├── config.yaml │ │ │ │ │ └── kustomization.yaml │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ ├── netpol.yaml │ │ │ │ └── pg.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── code-server │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ ├── pvc.yaml │ │ │ │ ├── rbac.yaml │ │ │ │ └── talos-serviceaccount.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── cryptpad │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── cyberchef │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── davis │ │ │ ├── app │ │ │ │ ├── authentik.yaml │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── dns │ │ │ ├── README.org │ │ │ └── dnsdist │ │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ ├── elk │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ └── secrets.yaml │ │ │ ├── ks.yaml │ │ │ └── kustomization.yaml │ │ ├── excalidraw │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ ├── deps │ │ │ │ └── namespace.yaml │ │ │ ├── ks.yaml │ │ │ └── kustomization.yaml │ │ ├── fava │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ └── ns.yaml │ │ │ ├── ks.yaml │ │ │ └── kustomization.yaml │ │ ├── firefly │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ └── ns.yaml │ │ │ ├── ks.yaml │ │ │ └── kustomization.yaml │ │ ├── flatnotes │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ ├── ns.yaml │ │ │ │ └── pvc.yaml │ │ │ ├── ks.yaml │ │ │ └── kustomization.yaml │ │ 
├── fortidynasync │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── go-discord-modtools │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── goatcounter │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── gokapi │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ └── netpol.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── gotosocial │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ ├── s3.yaml │ │ │ │ └── tls.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── gts-robo │ │ │ ├── app │ │ │ │ ├── crunchy.yaml │ │ │ │ ├── netpol.yaml │ │ │ │ └── s3.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── home-assistant │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ ├── multus.yaml │ │ │ │ └── netpol.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── homebox │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── immich │ │ │ ├── app │ │ │ │ ├── dns.yaml │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ ├── netpol.yaml │ │ │ │ └── pvc.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── insurgency-sandstorm │ │ │ ├── app │ │ │ │ ├── config │ │ │ │ │ ├── Engine.ini │ │ │ │ │ ├── Game.ini │ │ │ │ │ ├── MapCycle.txt │ │ │ │ │ ├── Mods.txt │ │ │ │ │ └── kustomization.yaml │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ ├── netpol.yaml │ │ │ │ └── pvc.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── k8s-schemas │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ ├── rbac.yaml │ │ │ │ ├── s3.yaml │ │ │ │ └── secrets.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── kah │ │ │ ├── deps │ │ │ │ └── tls.yaml │ │ │ ├── 
inspircd │ │ │ │ ├── dns-external.yaml │ │ │ │ ├── hr.yaml │ │ │ │ ├── netpol.yaml │ │ │ │ └── secrets.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── kanidm │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── kromgo │ │ │ ├── app │ │ │ │ ├── config │ │ │ │ │ ├── config.yaml │ │ │ │ │ └── kustomization.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── kustomization.yaml │ │ ├── languagetool │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── librespeed │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── linkding │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ └── pvc.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── maloja │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ ├── ns.yaml │ │ │ │ └── pvc.yaml │ │ │ ├── ks.yaml │ │ │ └── kustomization.yaml │ │ ├── media │ │ │ ├── _deps │ │ │ │ ├── app │ │ │ │ │ └── pvc.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ ├── jellyfin │ │ │ │ ├── app │ │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── kavita │ │ │ │ ├── app │ │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── komga │ │ │ │ ├── app │ │ │ │ │ ├── es.yaml │ │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── navidrome │ │ │ │ ├── app │ │ │ │ │ ├── es.yaml │ │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── plex │ │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ └── pvc.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ ├── minecraft │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ ├── netpol.yaml │ │ │ │ ├── pvc.yaml │ │ │ │ └── volsync.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── ns.yaml 
│ │ │ └── repo.yaml │ │ ├── minecraft2 │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ ├── pvc.yaml │ │ │ │ └── volsync.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── miniflux │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ └── ns.yaml │ │ │ ├── ks.yaml │ │ │ └── kustomization.yaml │ │ ├── mlc-llm │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ └── pvc.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── morphos │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── nfs-web │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── ns.yaml │ │ ├── ntfy │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ ├── netpol.yaml │ │ │ │ └── secrets.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── ocis │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── open-webui │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── paperless-ngx │ │ │ ├── app │ │ │ │ ├── authentik.yaml │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ └── netpol.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── phanpy │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ └── kustomization.yaml │ │ ├── piped │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── radicale │ │ │ ├── app │ │ │ │ ├── authentik.yaml │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── rclone-retro │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ └── ns.yaml │ │ │ ├── ks.yaml │ │ │ └── kustomization.yaml │ │ ├── reactive-resume │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ └── s3.yaml │ │ │ ├── ks.yaml │ │ │ ├── 
kustomization.yaml │ │ │ └── ns.yaml │ │ ├── redbot │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ ├── netpol.yaml │ │ │ │ └── secrets.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── redlib │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── restic-rest-nfs │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── rimgo │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ └── ns.yaml │ │ │ ├── ks.yaml │ │ │ └── kustomization.yaml │ │ ├── satisfactory │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ └── pvc.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── searxng │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── sillytavern │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── silverbullet │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ ├── hr.yaml │ │ │ │ └── ns.yaml │ │ │ ├── ks.yaml │ │ │ └── kustomization.yaml │ │ ├── soft-serve │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── stirling-pdf │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── talosctl-image-pull-agent │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ ├── ns.yaml │ │ │ │ └── talos-serviceaccount.yaml │ │ │ ├── ks.yaml │ │ │ └── kustomization.yaml │ │ ├── thelounge │ │ │ ├── app │ │ │ │ ├── config.yaml │ │ │ │ ├── hr.yaml │ │ │ │ └── netpol.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── velociraptor │ │ │ ├── app │ │ │ │ ├── .sops.yaml │ │ │ │ ├── config.sops.yaml │ │ │ │ ├── hr.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── netpol.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── vikunja │ │ │ ├── 
app │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── whoogle │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── zigbee2mqtt │ │ │ ├── app │ │ │ │ ├── es.yaml │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ └── zipline │ │ │ ├── app │ │ │ ├── hr.yaml │ │ │ ├── s3.yaml │ │ │ └── secret.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ ├── core │ │ ├── README.md │ │ ├── _networking │ │ │ ├── bird │ │ │ │ ├── app │ │ │ │ │ ├── config │ │ │ │ │ │ └── bird.conf │ │ │ │ │ ├── hr.yaml │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── kustomizeconfig.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ ├── cilium │ │ │ │ ├── README.md │ │ │ │ ├── app │ │ │ │ │ ├── config │ │ │ │ │ │ ├── README.org │ │ │ │ │ │ ├── biohazard │ │ │ │ │ │ │ ├── helm-values.yaml │ │ │ │ │ │ │ └── kustomization.yaml │ │ │ │ │ │ ├── hercules │ │ │ │ │ │ │ ├── helm-values.yaml │ │ │ │ │ │ │ └── kustomization.yaml │ │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ │ ├── kustomizeconfig.yaml │ │ │ │ │ │ ├── nuclear │ │ │ │ │ │ │ ├── helm-values.yaml │ │ │ │ │ │ │ └── kustomization.yaml │ │ │ │ │ │ └── sinon │ │ │ │ │ │ │ ├── helm-values.yaml │ │ │ │ │ │ │ └── kustomization.yaml │ │ │ │ │ ├── hr.yaml │ │ │ │ │ └── prometheusrule-alerts.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── loadbalancer │ │ │ │ │ ├── BGP.yaml │ │ │ │ │ ├── L2.yaml │ │ │ │ │ ├── LB-IPs.yaml │ │ │ │ │ └── es.yaml │ │ │ │ └── netpols │ │ │ │ │ ├── cluster-default-kube-dns.yaml │ │ │ │ │ ├── flux.yaml │ │ │ │ │ ├── kube-system-allow-all.yaml │ │ │ │ │ ├── kubevirt.yaml │ │ │ │ │ ├── labelled-allow-egress.yaml │ │ │ │ │ └── labelled-allow-ingress.yaml │ │ │ ├── e1000e-fix │ │ │ │ ├── app │ │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ └── multus │ │ │ │ ├── app 
│ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ ├── db │ │ │ ├── emqx │ │ │ │ ├── app │ │ │ │ │ ├── hr.yaml │ │ │ │ │ └── netpol.yaml │ │ │ │ ├── cluster │ │ │ │ │ ├── emqx.yaml │ │ │ │ │ ├── es.yaml │ │ │ │ │ └── netpol.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ ├── litestream │ │ │ │ └── template │ │ │ │ │ ├── externalsecret.yaml │ │ │ │ │ └── kustomization.yaml │ │ │ ├── pg │ │ │ │ ├── app │ │ │ │ │ ├── hr.yaml │ │ │ │ │ ├── netpol.yaml │ │ │ │ │ ├── prometheusrule-alerts.yaml │ │ │ │ │ ├── rbac-pushsecret.yaml │ │ │ │ │ └── sc-nfs-wal.yaml │ │ │ │ ├── clusters │ │ │ │ │ ├── default │ │ │ │ │ │ ├── ks.yaml │ │ │ │ │ │ └── kustomization.yaml │ │ │ │ │ ├── home │ │ │ │ │ │ ├── ks.yaml │ │ │ │ │ │ └── kustomization.yaml │ │ │ │ │ └── template │ │ │ │ │ │ ├── crunchy.yaml │ │ │ │ │ │ ├── dump-local.yaml │ │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ │ ├── netpol.yaml │ │ │ │ │ │ ├── nfs.yaml │ │ │ │ │ │ ├── pguser │ │ │ │ │ │ ├── externalsecrets.yaml │ │ │ │ │ │ └── kustomization.yaml │ │ │ │ │ │ ├── podmonitor.yaml │ │ │ │ │ │ └── s3.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ └── redis │ │ │ │ └── template │ │ │ │ └── standalone-mem │ │ │ │ ├── hr.yaml │ │ │ │ └── secret-redis.yaml │ │ ├── dns │ │ │ ├── external-dns │ │ │ │ ├── app │ │ │ │ │ ├── es.yaml │ │ │ │ │ ├── hr.yaml │ │ │ │ │ └── ns.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── internal │ │ │ │ ├── _deps │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ │ └── k8s-gateway │ │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ └── netpol.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ ├── flux-system │ │ │ ├── alerts │ │ │ │ ├── github │ │ │ │ │ ├── alert.yaml │ │ │ │ │ ├── es.yaml │ │ │ │ │ └── provider.yaml │ │ │ │ └── template │ │ │ │ │ ├── alert.yaml │ │ │ │ │ ├── es.yaml │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── provider.yaml │ │ │ ├── blank │ │ │ │ └── 
kustomization.yaml │ │ │ ├── healthcheck │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── misc │ │ │ │ ├── grafana.yaml │ │ │ │ └── servicemonitor.yaml │ │ │ └── webhook │ │ │ │ ├── ingress.yaml │ │ │ │ ├── receiver.yaml │ │ │ │ └── secret-token.yaml │ │ ├── hardware │ │ │ ├── README.md │ │ │ ├── intel-device-plugins │ │ │ │ ├── app │ │ │ │ │ ├── _operator.yaml │ │ │ │ │ ├── gpu.yaml │ │ │ │ │ └── talos-intel-gpu-nfd-rule.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── node-feature-discovery │ │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ ├── ingress │ │ │ ├── _deps │ │ │ │ ├── app │ │ │ │ │ └── kustomization.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ ├── cloudflare │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── ns.yaml │ │ │ │ └── tunnel │ │ │ │ │ ├── hr.yaml │ │ │ │ │ ├── netpol.yaml │ │ │ │ │ └── secret.yaml │ │ │ ├── external-proxy-x │ │ │ │ ├── README.md │ │ │ │ ├── app │ │ │ │ │ ├── hr.yaml │ │ │ │ │ └── netpol.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── ingress-nginx │ │ │ │ ├── app │ │ │ │ │ ├── common-values.yaml │ │ │ │ │ ├── default-backend.yaml │ │ │ │ │ ├── hr-external.yaml │ │ │ │ │ ├── hr-internal.yaml │ │ │ │ │ ├── hr-public.yaml │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ ├── kustomizeconfig.yaml │ │ │ │ │ └── netpol.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── secrets-sync │ │ │ │ ├── app │ │ │ │ ├── clustersecretstore.yaml │ │ │ │ └── rbac.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ ├── monitoring │ │ │ ├── _deps │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ ├── alertmanager │ │ │ │ ├── app │ │ │ │ │ ├── config │ │ │ │ │ │ ├── alertmanager.yaml │ │ │ │ │ │ └── kustomization.yaml │ │ │ │ │ ├── es.yaml │ │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── fluentbit │ │ │ │ ├── app 
│ │ │ │ │ ├── config │ │ │ │ │ │ ├── fluent-bit.yaml │ │ │ │ │ │ └── kustomization.yaml │ │ │ │ │ ├── hr.yaml │ │ │ │ │ ├── netpol.yaml │ │ │ │ │ └── rbac.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ ├── grafana │ │ │ │ ├── app │ │ │ │ │ ├── hr.yaml │ │ │ │ │ ├── ingress.yaml │ │ │ │ │ └── secrets.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── intel-gpu-exporter │ │ │ │ ├── app │ │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ ├── karma │ │ │ │ ├── app │ │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── kps │ │ │ │ ├── app │ │ │ │ │ ├── helm-values │ │ │ │ │ │ ├── kube-state-metrics.yaml │ │ │ │ │ │ ├── kube.yaml │ │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ │ ├── kustomizeconfig.yaml │ │ │ │ │ │ └── prom.yaml │ │ │ │ │ ├── hr.yaml │ │ │ │ │ └── netpol.yaml │ │ │ │ ├── external │ │ │ │ │ ├── alerts.yaml │ │ │ │ │ ├── nighthawk.yaml │ │ │ │ │ ├── node-exporter.yaml │ │ │ │ │ └── smartctl-exporter.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── metrics-server │ │ │ │ ├── app │ │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── node-exporter │ │ │ │ ├── app │ │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ ├── smartctl-exporter │ │ │ │ ├── app │ │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ └── victoria │ │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ │ ├── cluster │ │ │ │ ├── ingress.yaml │ │ │ │ ├── netpol.yaml │ │ │ │ ├── vmagent.yaml │ │ │ │ ├── vmalert.yaml │ │ │ │ └── vmsingle.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── logs │ │ │ │ ├── hr.yaml │ │ │ │ └── netpol.yaml │ │ ├── reloader │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ └── secrets.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ │ ├── secrets │ │ │ ├── external-secrets │ │ │ │ ├── app │ │ 
│ │ │ ├── dashboards │ │ │ │ │ │ └── kustomization.yaml │ │ │ │ │ ├── externalsecret-1password-credentials.yaml │ │ │ │ │ ├── hr.yaml │ │ │ │ │ └── netpol.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── ns.yaml │ │ │ │ └── stores │ │ │ │ │ ├── 1password │ │ │ │ │ ├── clustersecretstore.yaml │ │ │ │ │ └── externalsecret-token.yaml │ │ │ │ │ └── k8s │ │ │ │ │ ├── clustersecretstore.yaml │ │ │ │ │ └── rbac.yaml │ │ │ ├── onepassword-connect │ │ │ │ ├── app │ │ │ │ │ ├── externalsecret-1password-credentials.yaml │ │ │ │ │ ├── hr.yaml │ │ │ │ │ ├── netpol.yaml │ │ │ │ │ └── tls.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ └── reflector │ │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ ├── spegel │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ ├── ks.yaml │ │ │ └── kustomization.yaml │ │ ├── storage │ │ │ ├── _csi-addons │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── ns.yaml │ │ │ │ └── repo.yaml │ │ │ ├── _external-snapshotter │ │ │ │ ├── ks.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── democratic-csi │ │ │ │ ├── _deps │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── ns.yaml │ │ │ │ ├── local-hostpath │ │ │ │ │ ├── app │ │ │ │ │ │ └── hr.yaml │ │ │ │ │ ├── ks.yaml │ │ │ │ │ └── kustomization.yaml │ │ │ │ ├── manual │ │ │ │ │ ├── app │ │ │ │ │ │ └── hr.yaml │ │ │ │ │ ├── ks.yaml │ │ │ │ │ └── kustomization.yaml │ │ │ │ └── nas-zfs-local │ │ │ │ │ ├── app │ │ │ │ │ ├── dataset.yaml │ │ │ │ │ └── zvol.yaml │ │ │ │ │ ├── ks.yaml │ │ │ │ │ └── kustomization.yaml │ │ │ ├── fstrim │ │ │ │ ├── app │ │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ ├── rook-ceph │ │ │ │ ├── app │ │ │ │ │ ├── csi-addons-netpol.yaml │ │ │ │ │ ├── dashboards │ │ │ │ │ │ └── kustomization.yaml │ │ │ │ │ ├── hr.yaml │ │ │ │ │ └── netpol.yaml │ │ │ │ ├── cluster │ │ │ │ │ ├── biohazard │ │ │ │ │ │ ├── caddy.yaml │ │ │ │ │ │ ├── 
hr.yaml │ │ │ │ │ │ ├── ingress.yaml │ │ │ │ │ │ ├── netpol.yaml │ │ │ │ │ │ ├── rgw-admin.yaml │ │ │ │ │ │ └── storageclass.yaml │ │ │ │ │ ├── ks.yaml │ │ │ │ │ └── kustomization.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ ├── snapscheduler │ │ │ │ ├── app │ │ │ │ │ └── hr.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ns.yaml │ │ │ └── volsync │ │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ ├── netpol.yaml │ │ │ │ ├── prometheusrule.yaml │ │ │ │ └── rgw.yaml │ │ │ │ ├── component │ │ │ │ └── kustomization.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── ns.yaml │ │ │ │ └── template │ │ │ │ ├── externalsecret-r2.yaml │ │ │ │ ├── externalsecret-rgw.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── pvc.yaml │ │ │ │ ├── rdst.yaml │ │ │ │ ├── rsrc-r2.yaml │ │ │ │ ├── rsrc-rgw.yaml │ │ │ │ └── secrets-restic.yaml │ │ └── tls │ │ │ ├── .sops.yaml │ │ │ └── cert-manager │ │ │ ├── app │ │ │ ├── hr.yaml │ │ │ ├── netpol.yaml │ │ │ └── ns.yaml │ │ │ ├── certs │ │ │ └── cert.yaml │ │ │ ├── issuer │ │ │ ├── es.yaml │ │ │ └── issuer.yaml │ │ │ ├── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ └── sync │ │ │ ├── clusterexternalsecret.yaml │ │ │ ├── pull.yaml │ │ │ └── push.yaml │ └── vm │ │ ├── _kubevirt │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ ├── ns.yaml │ │ └── repo.yaml │ │ ├── ad │ │ ├── _deps │ │ │ ├── multus.yaml │ │ │ ├── netpol.yaml │ │ │ ├── ns.yaml │ │ │ ├── preference.yaml │ │ │ ├── svc.yaml │ │ │ └── type.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── template-dc │ │ │ ├── svc.yaml │ │ │ └── vm.yaml │ │ └── jj │ │ ├── _deps │ │ ├── netpol.yaml │ │ ├── ns.yaml │ │ ├── preference.yaml │ │ ├── svc.yaml │ │ └── type.yaml │ │ ├── ks.yaml │ │ ├── kustomization.yaml │ │ └── template │ │ ├── svc.yaml │ │ └── vm.yaml ├── repos │ └── flux │ │ ├── helm │ │ ├── bjw-s.yaml │ │ ├── cert-manager.yaml │ │ ├── cilium.yaml │ │ ├── crunchydata.yaml │ │ ├── csi-driver-nfs.yaml │ │ ├── 
democratic-csi.yaml │ │ ├── emberstack.yaml │ │ ├── emqx.yaml │ │ ├── external-dns.yaml │ │ ├── external-secrets.yaml │ │ ├── grafana.yaml │ │ ├── haproxy.yaml │ │ ├── ingress-nginx.yaml │ │ ├── intel.yaml │ │ ├── k8s-gateway.yaml │ │ ├── keda.yaml │ │ ├── kyverno.yaml │ │ ├── metrics-server.yaml │ │ ├── multus.yaml │ │ ├── node-feature-discovery.yaml │ │ ├── prometheus-community.yaml │ │ ├── rook-ceph.yaml │ │ ├── spegel.yaml │ │ ├── stakater.yaml │ │ ├── tailscale.yaml │ │ ├── victoria.yaml │ │ └── volsync.yaml │ │ ├── ks.yaml │ │ └── kustomization.yaml └── templates │ └── test │ ├── app │ ├── es.yaml │ ├── hr.yaml │ └── ns.yaml │ ├── ks.yaml │ └── kustomization.yaml └── ostree ├── build.sh ├── repos.repo ├── repos.sh └── router.yaml /.archive/kube/clusters/hercules/README.md: -------------------------------------------------------------------------------- 1 | # Hercules cluster 2 | Single-node k3s cluster on OVH, used for L4 ingress to home prod cluster Biohazard, STUN, home VPN "control-plane-based" solutions like Headscale/Netmaker, and other "chicken-and-egg" apps. 
3 | 4 | ## Hardware 5 | + OVH Starter VPS 6 | + 1 vCPU 7 | + 2GB RAM 8 | + 20GB VM disk 9 | + 1TB of traffic at 100Mbps network speed, throttled to 10Mbps after that 10 | 11 | ## Software 12 | + OS: Kairos Linux 13 | + Kubernetes: k3s 14 | -------------------------------------------------------------------------------- /.archive/kube/clusters/hercules/config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | secretGenerator: 5 | - name: biohazard-secrets 6 | namespace: flux-system 7 | envs: 8 | - ./secrets.sops.env 9 | - name: biohazard-vars 10 | namespace: flux-system 11 | envs: 12 | - ./vars.sops.env 13 | generatorOptions: 14 | disableNameSuffixHash: true 15 | -------------------------------------------------------------------------------- /.archive/kube/clusters/hercules/kairos/install-from-workstation-over-ssh.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -euo pipefail 3 | cd "$(dirname "${BASH_SOURCE[0]}")" 4 | ssh-keygen -R $1 5 | ssh root@$1 curl -o /root/.ssh/authorized_keys "https://github.com/JJGadgets.keys" 6 | scp -rO ./kairos-takeover.sh root@$1:/tmp/kairos-takeover.sh 7 | # scp -rO ./cloud-config.yaml root@$1:/root/config.yaml 8 | sops exec-env ../config/secrets.sops.env "envsubst < ./cloud-config.yaml" | ssh root@$1 "cat >/root/config.yaml" 9 | ssh root@$1 chmod +x /tmp/kairos-takeover.sh 10 | ssh root@$1 /tmp/kairos-takeover.sh 11 | -------------------------------------------------------------------------------- /.archive/kube/clusters/hercules/talos/install-from-rescue.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | SSH_KNOWN_HOSTS=/dev/null ssh root@${IP} /bin/bash -c "\ 3 | curl -vLO 'https://github.com/siderolabs/talos/releases/download/v${TALOS_VERSION:=1.6.7}/metal-amd64.raw.xz'; 4 | fdisk -l ${DISK:=/dev/sdb}; 5 | 
sgdisk --zap-all ${DISK}; 6 | sgdisk --zap-all ${DISK}; 7 | wipefs --all --backup ${DISK}; 8 | wipefs --all --backup ${DISK}; 9 | fdisk -l ${DISK:=/dev/sdb}; 10 | 11 | xz -vv -d -c ./metal-amd64.raw.xz | dd of=${DISK} status=progress; 12 | sync; 13 | echo 3 > /proc/sys/vm/drop_caches; 14 | " 15 | -------------------------------------------------------------------------------- /.archive/kube/clusters/nuclear/config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | #secretGenerator: 5 | # - name: nuclear-secrets 6 | # namespace: flux-system 7 | # envs: 8 | # - ./secrets.sops.env 9 | # - name: nuclear-vars 10 | # namespace: flux-system 11 | # envs: 12 | # - ./vars.sops.env 13 | configMapGenerator: 14 | - name: nuclear-versions 15 | namespace: flux-system 16 | envs: 17 | - ./versions.env 18 | generatorOptions: 19 | disableNameSuffixHash: true 20 | -------------------------------------------------------------------------------- /.archive/kube/clusters/nuclear/config/versions.env: -------------------------------------------------------------------------------- 1 | VERSION_ROOK=v1.11.9 2 | VERSION_CILIUM=1.14.0-rc.0 3 | -------------------------------------------------------------------------------- /.archive/kube/clusters/sinon/README.md: -------------------------------------------------------------------------------- 1 | # Sinon NAS 2 | Single-node NAS, powered by Talos. 
3 | 4 | ## Hardware 5 | + i7-6700k 6 | + 32GB RAM 7 | + Mellanox ConnectX 2 10GbE 8 | + ASUS ROG MAXIMUS VIII HERO 9 | + 480GB Intel DC S3500 SATA SSD 10 | + 2x WD Red Plus 12TB 11 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/collabora/app/es.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1beta1 4 | kind: ExternalSecret 5 | metadata: 6 | name: &name collabora-secrets 7 | namespace: collabora 8 | spec: 9 | refreshInterval: 1m 10 | secretStoreRef: 11 | kind: ClusterSecretStore 12 | name: 1p 13 | dataFrom: 14 | - extract: 15 | key: "collabora - ${CLUSTER_NAME}" 16 | target: 17 | creationPolicy: Owner 18 | deletionPolicy: Retain 19 | name: *name 20 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/collabora/app/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: collabora 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/collabora/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: collabora-app 6 | namespace: flux-system 7 | labels: &l 8 | app.kubernetes.io/name: "collabora" 9 | spec: 10 | commonMetadata: 11 | labels: *l 12 | path: ./kube/deploy/apps/collabora/app 13 | targetNamespace: "collabora" 14 | dependsOn: [] 15 | components: 16 | - 
../../../core/flux-system/alerts/template/ 17 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/collabora/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/default/deps/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: default 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/default/deps/tls.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: long-domain 7 | namespace: default 8 | spec: 9 | secretName: long-domain-tls 10 | issuerRef: 11 | name: letsencrypt-production 12 | kind: ClusterIssuer 13 | privateKey: 14 | algorithm: ECDSA 15 | size: 384 16 | commonName: ${DNS_MAIN} 17 | dnsNames: 18 | - ${DNS_MAIN} 19 | - "*.${DNS_MAIN}" 20 | - "*.default.${DNS_MAIN}" 21 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/default/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: default-deps 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/apps/default/deps 9 | dependsOn: 10 | - name: 1-core-tls-cert-manager-config 11 | -------------------------------------------------------------------------------- 
/.archive/kube/deploy/apps/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/findmydeviceserver/app/secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: "findmydeviceserver-secrets" 6 | namespace: "findmydeviceserver" 7 | type: Opaque 8 | stringData: 9 | config.yaml: | 10 | RegistrationToken: "${SECRET_FINDMYDEVICESERVER_TOKEN}" 11 | UserIdLength: 12 12 | PortInsecure: 8080 13 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/findmydeviceserver/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/findmydeviceserver/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: findmydeviceserver 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/grocy/app/authentik.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | name: grocy-authentik 6 | namespace: authentik 7 | spec: 8 | 
ingressClassName: "nginx-internal" 9 | rules: 10 | - host: &host "${APP_DNS_GROCY}" 11 | http: 12 | paths: 13 | - pathType: Prefix 14 | path: "/outpost.goauthentik.io" 15 | backend: 16 | service: 17 | name: authentik 18 | port: 19 | name: http 20 | tls: 21 | - hosts: 22 | - *host 23 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/grocy/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: grocy-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/apps/grocy/app 9 | dependsOn: 10 | - name: 1-core-storage-rook-ceph-cluster 11 | - name: 1-core-ingress-nginx-app 12 | - name: 1-core-storage-volsync-app 13 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/grocy/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/grocy/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: grocy 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/headscale/app/external-dns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: externaldns.k8s.io/v1alpha1 3 | kind: DNSEndpoint 4 | metadata: 5 | name: &app headscale 6 | namespace: *app 7 | spec: 8 | endpoints: 9 | - dnsName: "${APP_DNS_HEADSCALE}" 10 | recordType: A 11 | targets: ["${IP_EC2_INGRESS}"] 12 | 
-------------------------------------------------------------------------------- /.archive/kube/deploy/apps/headscale/app/tls.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: &app headscale 7 | namespace: *app 8 | spec: 9 | secretName: "headscale-tls" 10 | issuerRef: 11 | name: letsencrypt-production 12 | kind: ClusterIssuer 13 | privateKey: 14 | algorithm: ECDSA 15 | size: 384 16 | rotationPolicy: Always 17 | commonName: "${DNS_VPN}" 18 | dnsNames: 19 | - "${DNS_VPN}" 20 | - "*.${DNS_VPN}" 21 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/headscale/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: headscale-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/apps/headscale/app 9 | dependsOn: 10 | - name: 1-core-ingress-nginx-app 11 | - name: 1-core-db-pg-clusters-default 12 | healthChecks: 13 | - name: headscale 14 | namespace: headscale 15 | kind: HelmRelease 16 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 17 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/headscale/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/headscale/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: 
headscale 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/joplin/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/joplin/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: joplin 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/livestream/deps/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: livestream 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/livestream/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: livestream-deps 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/apps/livestream/deps 9 | dependsOn: 10 | - name: 1-core-tls-cert-manager-config 11 | 12 | 13 | # TODO: switch to Owncast + Screego or something like that 14 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/livestream/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/livestream/oven/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/media-edit/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/media-edit/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: media-edit 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps privileged 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/neko/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: neko-xfce 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/apps/neko/xfce 9 | dependsOn: [] -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/neko/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/neko/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 
| apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: neko 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/neko/xfce/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: neko-xfce-home 6 | namespace: &app neko 7 | labels: 8 | app.kubernetes.io/name: *app 9 | app.kubernetes.io/instance: *app 10 | snapshot.home.arpa/enabled: "true" 11 | spec: 12 | storageClassName: file 13 | accessModes: 14 | - ReadWriteMany 15 | resources: 16 | requests: 17 | storage: 50Gi -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/neko/xfce/secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: neko-xfce-secrets 6 | namespace: neko 7 | type: Opaque 8 | stringData: 9 | userPassword: "${SECRET_NEKO_XFCE_USER_PASSWORD}" 10 | adminPassword: "${SECRET_NEKO_XFCE_ADMIN_PASSWORD}" 11 | ice: |- 12 | [{"urls": ["stun:stun.l.google.com:19302"]}] 13 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/nextcloud/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/nextcloud/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: nextcloud 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/ollama/app/es.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1beta1 4 | kind: ExternalSecret 5 | metadata: 6 | name: &name ollama-secrets 7 | namespace: ollama 8 | spec: 9 | refreshInterval: 1m 10 | secretStoreRef: 11 | kind: ClusterSecretStore 12 | name: 1p 13 | dataFrom: 14 | - extract: 15 | key: "ollama - ${CLUSTER_NAME}" 16 | target: 17 | creationPolicy: Owner 18 | deletionPolicy: Retain 19 | name: *name 20 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/ollama/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: "ollama-models" 6 | labels: 7 | snapshot.home.arpa/enabled: "true" 8 | kustomize.toolkit.fluxcd.io/prune: "Disabled" 9 | spec: 10 | storageClassName: "file" 11 | accessModes: ["ReadWriteMany"] 12 | resources: 13 | requests: 14 | storage: "100Gi" 15 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/ollama/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/ollama/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: ollama 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | 
-------------------------------------------------------------------------------- /.archive/kube/deploy/apps/psono/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: psono-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/apps/psono/app 9 | dependsOn: 10 | - name: 1-core-ingress-nginx-app 11 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/psono/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/psono/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: psono 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/readeck/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/readeck/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: readeck 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- 
/.archive/kube/deploy/apps/renovate/app/secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: "renovate-secrets" 6 | namespace: "renovate" 7 | type: Opaque 8 | stringData: 9 | # repo read-only PAT for accessing GitHub.com repos without rate limits 10 | GITHUB_COM_TOKEN: "${SECRET_RENOVATE_GITHUB_COM_TOKEN}" 11 | data: 12 | github-app-privkey: "${SECRET_RENOVATE_GITHUB_APP_PRIVKEY_BASE64}" -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/renovate/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: renovate-app 6 | namespace: flux-system 7 | labels: 8 | prune.flux.home.arpa/disabled: "false" 9 | spec: 10 | path: ./kube/deploy/apps/renovate/app 11 | dependsOn: [] 12 | prune: true -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/renovate/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/renovate/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: renovate 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/syncthing/deps/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | 
-------------------------------------------------------------------------------- /.archive/kube/deploy/apps/syncthing/deps/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: syncthing-${USERS_1_ID} 6 | --- 7 | apiVersion: v1 8 | kind: Namespace 9 | metadata: 10 | name: syncthing-${USERS_2_ID} 11 | --- 12 | apiVersion: v1 13 | kind: Namespace 14 | metadata: 15 | name: syncthing-${USERS_3_ID} 16 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/syncthing/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/tetragon/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: tetragon-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/apps/tetragon/app 9 | dependsOn: 10 | - name: 1-core-1-networking-cilium-app -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/tetragon/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/yagpdb/app/secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: "yagpdb-secrets" 6 | namespace: "yagpdb" 7 | type: Opaque 8 | stringData: 9 | 
YAGPDB_OWNER: "${SECRET_YAGPDB_OWNER}" 10 | YAGPDB_CLIENTID: "${SECRET_YAGPDB_ID}" 11 | YAGPDB_CLIENTSECRET: "${SECRET_YAGPDB_SECRET}" 12 | YAGPDB_BOTTOKEN: "Bot ${SECRET_YAGPDB_TOKEN}" 13 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/yagpdb/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/yagpdb/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: yagpdb 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/zerotier/.sops.yaml: -------------------------------------------------------------------------------- 1 | creation_rules: 2 | - path_regex: .*.yaml 3 | encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$ 4 | age: >- 5 | age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj 6 | pgp: >- 7 | 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 8 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/zerotier/1-namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: zerotier 6 | labels: 7 | pod-security.kubernetes.io/enforce: privileged 8 | 
pod-security.kubernetes.io/enforce-version: v1.26 9 | pod-security.kubernetes.io/audit: privileged 10 | pod-security.kubernetes.io/audit-version: v1.26 11 | pod-security.kubernetes.io/warn: privileged 12 | pod-security.kubernetes.io/warn-version: v1.26 13 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/zerotier/3-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: zerotier-one 6 | namespace: zerotier 7 | spec: 8 | accessModes: ["ReadWriteOnce"] 9 | storageClassName: block 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/zerotier/ks-unfinished.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: biohazard-2-apps-zerotier 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/3-deploy/2-apps/zerotier 9 | dependsOn: 10 | - name: biohazard-1-core-05-ingress-nginx -------------------------------------------------------------------------------- /.archive/kube/deploy/apps/zerotier/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - 1-namespace.yaml 6 | - 2-certs.yaml 7 | - 3-pvc.yaml 8 | - 4-controller.yaml 9 | - 5-ui.yaml 10 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/_networking/cilium/app/bootstrap-install/install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ## one of these days, I'll learn and switch to Taskfiles 3 | set -euo pipefail 4 | GITROOT=$(git rev-parse 
--show-toplevel) 5 | source <(sops -d $1 | yq .data | sed -re 's/^/export /g' | sed -e 's/: /="/g' | sed -re 's/$/"/g') 6 | kustomize build $2 --enable-helm | envsubst 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/_networking/frr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-1-networking-frr-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/core/_networking/frr/app 9 | dependsOn: [] 10 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/_networking/frr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/_networking/frr/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: frr 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: privileged 9 | pod-security.kubernetes.io/enforce-version: latest 10 | 11 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/_networking/tailscale/app/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: "${TAILSCALE_APISERVER_ADMIN_1}" 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: cluster-admin 10 | subjects: 11 | - apiGroup: rbac.authorization.k8s.io 12 | kind: User 13 | 
name: "${TAILSCALE_APISERVER_ADMIN_1}" -------------------------------------------------------------------------------- /.archive/kube/deploy/core/_networking/tailscale/app/secrets-oauth.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: operator-oauth 6 | namespace: tailscale 7 | type: Opaque 8 | stringData: 9 | client_id: "${SECRET_TAILSCALE_OAUTH_CLIENT_ID}" 10 | client_secret: "${SECRET_TAILSCALE_OAUTH_CLIENT_SECRET}" -------------------------------------------------------------------------------- /.archive/kube/deploy/core/_networking/tailscale/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-1-networking-tailscale-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/core/_networking/tailscale/app 9 | dependsOn: [] 10 | #--- 11 | #apiVersion: kustomize.toolkit.fluxcd.io/v1 12 | #kind: Kustomization 13 | #metadata: 14 | # name: 1-core-1-networking-tailscale-router 15 | # namespace: flux-system 16 | #spec: 17 | # path: ./kube/deploy/core/_networking/tailscale/router 18 | # dependsOn: [] 19 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/_networking/tailscale/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/_networking/tailscale/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: tailscale 6 | labels: 7 | pod-security.kubernetes.io/enforce: 
"privileged" 8 | pod-security.kubernetes.io/enforce-version: "latest" -------------------------------------------------------------------------------- /.archive/kube/deploy/core/_networking/tailscale/router/secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: tailscale-router-secrets 6 | namespace: tailscale 7 | type: Opaque 8 | stringData: 9 | # authkey: "${SECRET_TAILSCALE_ROUTER_OAUTH_SECRET}?preauthorized=true" 10 | authkey: "${SECRET_TAILSCALE_ROUTER_AUTHKEY:=authkey}" 11 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/db/pg/clusters/default/.sops.yaml: -------------------------------------------------------------------------------- 1 | creation_rules: 2 | - path_regex: .*.sops.yaml 3 | encrypted_regex: ^(password)$ 4 | age: >- 5 | age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj 6 | pgp: >- 7 | 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 8 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/db/pg/clusters/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - s3.yaml 5 | - superuser.sops.yaml 6 | - netpol.yaml 7 | - cluster.yaml 8 | - scheduledbackup.yaml 9 | - dump-local.yaml 10 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/db/pg/clusters/default/nfs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolume 4 | metadata: 5 | name: "pg-default-wal-nfs" 6 | spec: 7 | storageClassName: "pg-default-wal-nfs" 8 | capacity: 9 | storage: 1Mi 10 | accessModes: [ReadWriteMany] 11 | persistentVolumeReclaimPolicy: Retain 12 | nfs: 13 | server: 
"${IP_TRUENAS}" 14 | path: "${PATH_NAS_BACKUPS_PGBACKREST}/default" 15 | mountOptions: ["nfsvers=4.0", "tcp", "hard", "noatime", "nodiratime", "nocto"] -------------------------------------------------------------------------------- /.archive/kube/deploy/core/db/pg/clusters/default/s3.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: objectbucket.io/v1alpha1 3 | kind: ObjectBucketClaim 4 | metadata: 5 | name: pg-default-s3 6 | namespace: pg 7 | spec: 8 | bucketName: "pg-default" 9 | storageClassName: "rgw-${CLUSTER_NAME}" 10 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/db/pg/clusters/default/scheduledbackup.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: postgresql.cnpg.io/v1 3 | kind: ScheduledBackup 4 | metadata: 5 | name: &pg pg-default 6 | namespace: pg 7 | spec: 8 | schedule: "0 0 6 * * *" 9 | immediate: true 10 | backupOwnerReference: self 11 | cluster: 12 | name: *pg 13 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/db/pg/clusters/default/superuser.sops.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: pg-default-superuser 5 | namespace: pg 6 | type: Opaque 7 | stringData: 8 | # username MUST BE 'postgres'! 
9 | username: "postgres" 10 | password: "${SECRET_PG_DEFAULT_SUPER_PASS}" 11 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/db/pg/clusters/enc/.sops.yaml: -------------------------------------------------------------------------------- 1 | creation_rules: 2 | - path_regex: .*.sops.yaml 3 | encrypted_regex: ^(password)$ 4 | age: >- 5 | age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj 6 | pgp: >- 7 | 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 8 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/db/pg/clusters/enc/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - s3.yaml 5 | - superuser.sops.yaml 6 | - netpol.yaml 7 | - cluster.yaml 8 | - scheduledbackup.yaml 9 | - dump-local.yaml 10 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/db/pg/clusters/enc/s3.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: objectbucket.io/v1alpha1 3 | kind: ObjectBucketClaim 4 | metadata: 5 | name: pg-enc-s3 6 | namespace: pg 7 | spec: 8 | bucketName: "pg-enc" 9 | storageClassName: "rgw-${CLUSTER_NAME}" 10 | --- 11 | apiVersion: v1 12 | kind: Secret 13 | metadata: 14 | name: pg-enc-r2 15 | namespace: pg 16 | type: Opaque 17 | stringData: 18 | # username MUST BE 'postgres'! 
19 | id: "${SECRET_PG_ENC_WAL_R2_ID}" 20 | key: "${SECRET_PG_ENC_WAL_R2_KEY}" 21 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/db/pg/clusters/enc/scheduledbackup.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: postgresql.cnpg.io/v1 3 | kind: ScheduledBackup 4 | metadata: 5 | name: &pg pg-enc 6 | namespace: pg 7 | spec: 8 | schedule: "0 0 6 * * *" 9 | immediate: true 10 | backupOwnerReference: self 11 | cluster: 12 | name: *pg 13 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/db/pg/clusters/enc/superuser.sops.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: pg-enc-superuser 5 | namespace: pg 6 | type: Opaque 7 | stringData: 8 | # username MUST BE 'postgres'! 9 | username: "postgres" 10 | password: "${SECRET_PG_ENC_SUPER_PASS}" 11 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/kyverno/_deps/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - _crds-kyverno.yaml -------------------------------------------------------------------------------- /.archive/kube/deploy/core/kyverno/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-kyverno-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/core/kyverno/app 9 | dependsOn: [] 10 | --- 11 | apiVersion: kustomize.toolkit.fluxcd.io/v1 12 | kind: Kustomization 13 | metadata: 14 | name: 1-core-kyverno-policies 15 | namespace: flux-system 16 | spec: 17 | path: 
./kube/deploy/core/kyverno/policies 18 | dependsOn: 19 | - name: 1-core-kyverno-app -------------------------------------------------------------------------------- /.archive/kube/deploy/core/kyverno/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/kyverno/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: kyverno 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled -------------------------------------------------------------------------------- /.archive/kube/deploy/core/monitoring/fortigate-exporter/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-monitoring-fortigate-exporter-app 6 | namespace: flux-system 7 | labels: &l 8 | app.kubernetes.io/name: "fortigate-exporter" 9 | spec: 10 | commonMetadata: 11 | labels: *l 12 | path: ./kube/deploy/core/monitoring/fortigate-exporter/app 13 | targetNamespace: "fortigate-exporter" 14 | dependsOn: [] 15 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/monitoring/fortigate-exporter/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/monitoring/fortigate-exporter/ns.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: fortigate-exporter 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/monitoring/kps/app/alertmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - secrets.yaml 6 | #secretGenerator: 7 | # - name: alertmanager-config 8 | # namespace: monitoring 9 | # files: 10 | # - alertmanager.yaml=config.yaml 11 | generatorOptions: 12 | disableNameSuffixHash: true 13 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/monitoring/kube-state-metrics/app/hr.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta2 3 | kind: HelmRelease 4 | metadata: 5 | name: kube-state-metrics 6 | namespace: monitoring 7 | spec: 8 | chart: 9 | spec: 10 | chart: kube-state-metrics 11 | version: 5.32.0 12 | sourceRef: 13 | kind: HelmRepository 14 | name: prometheus-community 15 | namespace: flux-system 16 | values: 17 | prometheus: 18 | monitor: 19 | enabled: true 20 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/monitoring/kube-state-metrics/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-monitoring-kube-state-metrics-app 6 | namespace: flux-system 7 | spec: 8 | path: 
./kube/deploy/core/monitoring/kube-state-metrics/app 9 | dependsOn: 10 | - name: 1-core-monitoring-deps -------------------------------------------------------------------------------- /.archive/kube/deploy/core/monitoring/kube-state-metrics/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml -------------------------------------------------------------------------------- /.archive/kube/deploy/core/monitoring/snmp-exporter/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-monitoring-snmp-exporter-app 6 | namespace: flux-system 7 | labels: &l 8 | app.kubernetes.io/name: "snmp-exporter" 9 | spec: 10 | commonMetadata: 11 | labels: *l 12 | path: ./kube/deploy/core/monitoring/snmp-exporter/app 13 | targetNamespace: "snmp-exporter" 14 | dependsOn: [] 15 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/monitoring/snmp-exporter/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/monitoring/snmp-exporter/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: snmp-exporter 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps baseline 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | 
-------------------------------------------------------------------------------- /.archive/kube/deploy/core/monitoring/victoria/README.md: -------------------------------------------------------------------------------- 1 | # Dependency order 2 | 1. CRDs 3 | 2. Operator 4 | 3. Cluster 5 | 4. Agent -------------------------------------------------------------------------------- /.archive/kube/deploy/core/monitoring/victoria/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - crds.yaml 6 | - repo.yaml 7 | - ks.yaml 8 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/monitoring/victoria/repo.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: victoria 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | timeout: 3m0s 10 | url: https://victoriametrics.github.io/helm-charts/ -------------------------------------------------------------------------------- /.archive/kube/deploy/core/secrets/external-secrets/stores/aws-ssm/secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: aws-ssm-auth 6 | namespace: external-secrets 7 | type: Opaque 8 | stringData: 9 | access-key: "${SECRET_EXTERNAL_SECRETS_AWS_SSM_ACCESS_KEY}" 10 | secret-key: "${SECRET_EXTERNAL_SECRETS_AWS_SSM_SECRET_KEY}" 11 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/storage/csi-driver-nfs/app/hr.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta2 3 | kind: HelmRelease 4 | metadata: 5 | name: 
csi-driver-nfs 6 | namespace: kube-system 7 | spec: 8 | chart: 9 | spec: 10 | chart: csi-driver-nfs 11 | version: v4.6.0 12 | sourceRef: 13 | name: csi-driver-nfs 14 | kind: HelmRepository 15 | namespace: flux-system 16 | values: 17 | externalSnapshotter: 18 | enabled: false 19 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/storage/csi-driver-nfs/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-storage-csi-driver-nfs-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/core/storage/csi-driver-nfs/app 9 | dependsOn: [] 10 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/storage/csi-driver-nfs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/storage/minio-nas/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-storage-minio-nas-app 6 | namespace: flux-system 7 | labels: &l 8 | app.kubernetes.io/name: "minio-nas" 9 | spec: 10 | commonMetadata: 11 | labels: *l 12 | path: ./kube/deploy/core/storage/minio-nas/app 13 | targetNamespace: "minio-nas" 14 | dependsOn: [] -------------------------------------------------------------------------------- /.archive/kube/deploy/core/storage/minio-nas/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 
resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/storage/minio-nas/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: minio-nas 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps baseline 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/storage/rook-ceph/pve/app/.sops.yaml: -------------------------------------------------------------------------------- 1 | creation_rules: 2 | - path_regex: .*.sops.yaml 3 | encrypted_regex: ^(data|stringData|ip)$ 4 | pgp: >- 5 | 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 6 | age: >- 7 | age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj 8 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/storage/rook-ceph/pve/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - secret.sops.yaml 6 | - ceph-cluster.sops.yaml 7 | - storage-class.yaml 8 | - ceph-monitor.yaml 9 | - ceph-prometheus.yaml 10 | - object.yaml 11 | - object-radosgw-certs.yaml 12 | - volume-snapshot-class.yaml 13 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/storage/rook-ceph/pve/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-storage-rook-ceph-pve-cluster 6 | namespace: flux-system 7 | labels: 8 | rook.flux.home.arpa/pve: "patch" 9 | spec: 
10 | path: ./kube/deploy/core/storage/rook-ceph/pve/app 11 | dependsOn: 12 | - name: 0-${CLUSTER_NAME}-config 13 | - name: 1-core-storage-rook-ceph-app -------------------------------------------------------------------------------- /.archive/kube/deploy/core/storage/rook-ceph/pve/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml -------------------------------------------------------------------------------- /.archive/kube/deploy/core/system-upgrade-controller/app/rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: system-upgrade 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: cluster-admin 10 | subjects: 11 | - kind: ServiceAccount 12 | name: system-upgrade 13 | namespace: system-upgrade-controller 14 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/system-upgrade-controller/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-system-upgrade-controller-app 6 | namespace: flux-system 7 | labels: &l 8 | app.kubernetes.io/name: &app system-upgrade-controller 9 | spec: 10 | commonMetadata: 11 | labels: *l 12 | targetNamespace: *app 13 | path: ./kube/deploy/core/system-upgrade-controller/app 14 | dependsOn: [] 15 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/system-upgrade-controller/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 
resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/system-upgrade-controller/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: system-upgrade-controller 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted # prevent pods from running for now 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/system-upgrade-controller/plans/talos/app/rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: talos.dev/v1alpha1 3 | kind: ServiceAccount 4 | metadata: 5 | name: talos 6 | spec: 7 | roles: 8 | - os:admin 9 | -------------------------------------------------------------------------------- /.archive/kube/deploy/core/system-upgrade-controller/plans/talos/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /.github/CODEOWNERS-disabled: -------------------------------------------------------------------------------- 1 | * @JJGadgets -------------------------------------------------------------------------------- /.github/workflows/purge-readme-badge-cache.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Purge README Image Cache 3 | on: 4 | workflow_dispatch: 5 | schedule: 6 | - cron: 0 * * * * # hourly 7 | push: 8 | branches: ["main"] 9 | paths: 10 | - "README.md" 11 | 12 | jobs: 13 | build: 14 | runs-on: 
ubuntu-latest 15 | steps: 16 | - name: Purge 17 | uses: kevincobain2000/action-camo-purge@5169e719d6daf0fdbf8d2174f9438f919627aa87 # v1 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ignore/ 2 | not-done/ 3 | .local/ 4 | .local/* 5 | kubeconfig 6 | talosconfig 7 | clusterconfig/ 8 | **/clusterconfig 9 | **/clusterconfig/* 10 | **/clusterconfig* 11 | **/clusterconfig*/* 12 | **/charts/cilium/* 13 | **/cilium*/app/bootstrap-install/charts/* 14 | **/cilium*/app/bootstrap-install/base-values.yaml 15 | .pem 16 | .key 17 | .pub 18 | .agekey 19 | Admins.txt 20 | GameUserSettings.ini 21 | !ostree/*-jj.repo 22 | ostree/*.repo 23 | *.sops.*.tmp 24 | *.code-workspace 25 | #*venv*/** 26 | .decrypted~* 27 | .ignore~* 28 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "dots/k9s/.source"] 2 | path = dots/k9s/.source 3 | url = https://github.com/derailed/k9s 4 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | # - repo: https://github.com/onedr0p/sops-pre-commit 2 | # rev: v2.1.0 3 | # hooks: 4 | # - id: forbid-secrets 5 | -------------------------------------------------------------------------------- /.renovate/security.json5: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "vulnerabilityAlerts": { 4 | "addLabels": ["security"], 5 | "automerge": true, 6 | "automergeType": "branch", 7 | "schedule": ["at any time"], 8 | "assigneesFromCodeOwners": true 9 | }, 10 | // "osvVulnerabilityAlerts": true, 11 | // "dependencyDashboardOSVVulnerabilitySummary": 
"all" 12 | } 13 | -------------------------------------------------------------------------------- /.sops-stdin.yaml: -------------------------------------------------------------------------------- 1 | creation_rules: 2 | - path_regex: \/dev\/stdin 3 | pgp: >- 4 | 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 5 | -------------------------------------------------------------------------------- /.taskfiles/1p/Taskfile.dist.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/JJGadgets/Biohazard/ec7197799531c4cd986b6c8690490b8aaf954548/.taskfiles/1p/Taskfile.dist.yaml -------------------------------------------------------------------------------- /.taskfiles/README.md: -------------------------------------------------------------------------------- 1 | # Taskfiles 2 | 3 | Similar to shell scripts and functions, but with potentially fewer OS dependencies (the single Go binary `task` has an embedded sh interpreter), and it is easy to have directory/project-specific tasks/aliases/functions. 4 | 5 | {{.var}} replaces `sh`/`bash` ${var} for Task-managed variables (within cmds, ${var} can sometimes still be used for shell-managed variables, depending on how the command is written) 6 | 7 | Pairs well with: `yq`, `envsubst`, and other CLI tools. 
8 | -------------------------------------------------------------------------------- /.taskfiles/cluster/cluster-init-sops-apply-configmap-kustomization.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | secretGenerator: 5 | - name: "${C}-${NAME}" 6 | namespace: flux-system 7 | envs: 8 | - ./${FILE} 9 | generatorOptions: 10 | disableNameSuffixHash: true 11 | -------------------------------------------------------------------------------- /.taskfiles/cluster/cluster-init-sops-apply-secret-kustomization.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | secretGenerator: 5 | - name: "${C}-${NAME}" 6 | namespace: flux-system 7 | envs: 8 | - ./${FILE} 9 | generatorOptions: 10 | disableNameSuffixHash: true 11 | -------------------------------------------------------------------------------- /.taskfiles/cluster/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/postBuild/substituteFrom/name 7 | kind: Kustomization 8 | - kind: Secret 9 | version: v1 10 | fieldSpecs: 11 | - path: spec/postBuild/substituteFrom/name 12 | kind: Kustomization 13 | -------------------------------------------------------------------------------- /.taskfiles/flux/cantWait.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | # kind: Kustomization 4 | # # metadata: 5 | # # name: not-used 6 | spec: 7 | dependsOn: [] -------------------------------------------------------------------------------- /.taskfiles/pulumi/Taskfile.dist.yaml: -------------------------------------------------------------------------------- 1 
| --- 2 | version: "3" 3 | -------------------------------------------------------------------------------- /.taskfiles/volsync/template/ReplicationDestination.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationDestination 4 | metadata: 5 | name: "${PVC}-${TIMENOW}" 6 | namespace: "${NS}" 7 | spec: 8 | trigger: 9 | manual: "restore-once-${TIMENOW}" 10 | restic: 11 | repository: "${REPO}" 12 | destinationPVC: "${PVC}" 13 | copyMethod: Direct 14 | storageClassName: "${SC}" 15 | moverSecurityContext: 16 | runAsUser: ${RUID} 17 | runAsGroup: ${RGID} 18 | fsGroup: ${RFSG} 19 | -------------------------------------------------------------------------------- /.venv/.gitignore: -------------------------------------------------------------------------------- 1 | # this gitignore is to have the directory present so Mise can create the venv with 0 user interaction 2 | * 3 | !.gitignore 4 | !.mise-py-pkg 5 | -------------------------------------------------------------------------------- /.venv/.mise-py-pkg: -------------------------------------------------------------------------------- 1 | flux-local 2 | -------------------------------------------------------------------------------- /_redirects: -------------------------------------------------------------------------------- 1 | / https://github.com/JJGadgets/Biohazard 301 -------------------------------------------------------------------------------- /dots/k9s/.gitignore: -------------------------------------------------------------------------------- 1 | clusters/**/benchmarks.yaml 2 | benchmarks/** 3 | screen-dumps/** 4 | **/k9s.log 5 | 6 | -------------------------------------------------------------------------------- /dots/k9s/aliases.yaml: -------------------------------------------------------------------------------- 1 | aliases: 2 | # k9s defaults 3 | sec: v1/secrets 4 | jo: jobs 5 | cr: clusterroles 6 | 
crb: clusterrolebindings
ro: roles
rb: rolebindings
np: networkpolicies
# mine
dp: deployments
rsrc: ReplicationSource
rdst: ReplicationDestination
cron: cronjob
--------------------------------------------------------------------------------
/dots/k9s/clusters/biohazard/biohazard/config.yaml:
--------------------------------------------------------------------------------
# k9s per-cluster settings for the "biohazard" cluster.
k9s:
  cluster: biohazard
  skin: transparent
  namespace:
    active: all
    lockFavorites: true
    favorites:
      - all
      - kube-system
      - rook-ceph
      - monitoring
      - dns
      - flux-system
      - ingress
      - pg
      - minio-nas
      - authentik
      - media
      - apps
      - vm-ad
      - system-upgrade-controller
  view:
    active: pods
  featureGates:
    # Enables the k9s "shell into node" action. NOTE(review): k9s implements
    # this by launching a pod on the node; that pod is normally run with
    # host-level access, so this is effectively node root for anyone holding
    # this kubeconfig - confirm the shellPod spec in use and who has the file.
    nodeShell: true
  # '[::]' is the unspecified address: every k9s port-forward listens on all
  # interfaces of the workstation instead of loopback, so any host that can
  # reach this machine can reach the forwarded cluster port, with no auth in
  # between. Keep only if that reachability is intended (e.g. a dedicated jump
  # box); otherwise prefer 'localhost'.
  portForwardAddress: '[::]'
--------------------------------------------------------------------------------
/dots/k9s/skins:
--------------------------------------------------------------------------------
./.source/skins
--------------------------------------------------------------------------------
/dots/nvim/setup.sh:
--------------------------------------------------------------------------------
ln -s $(git rev-parse --show-toplevel)/dots/vimrc ~/.vimrc
ln -s $(git rev-parse --show-toplevel)/dots/nvim ~/.config/nvim
--------------------------------------------------------------------------------
/kube/bootstrap/README.md:
--------------------------------------------------------------------------------
# Bootstrap Kubernetes cluster

1. Install Flux in hostNetwork mode binded to localhost
2. Load `${CLUSTER_NAME}-vars` (including 1Password and Hubble Vars) and 1Password Connect secrets (Connect credentials and ESO client token) from 1Password
3.
Load root ks (flux-repo.yaml) which installs Cilium
--------------------------------------------------------------------------------
/kube/clusters/biohazard/config/gvisor.yaml:
--------------------------------------------------------------------------------
---
# RuntimeClasses for running pods under gVisor. Both handler names must be
# configured in the nodes' containerd (not visible in this repo slice);
# a pod selecting a RuntimeClass whose handler is missing stays Pending.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
# KVM-backed runsc. Pinned to bare-metal nodes, presumably because this
# platform needs /dev/kvm, which VM nodes lack without nested virt.
handler: runsc-kvm
scheduling:
  nodeSelector:
    feature.node.kubernetes.io/baremetal: "true"
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  # No nodeSelector, so schedulable on VM nodes too. Which runsc platform this
  # handler uses is decided by the containerd runtime config, not here.
  # NOTE(review): if it is the ptrace/systrap platform, the isolation is weaker
  # than the KVM class above - don't treat the two classes as interchangeable
  # when choosing one for untrusted workloads.
  name: gvisor-non-vm
handler: runsc
--------------------------------------------------------------------------------
/kube/clusters/biohazard/talos/watchdog.yaml:
--------------------------------------------------------------------------------
---
# watchdog.yaml
# Talos hardware watchdog. NOTE(review): per the field names, the node is
# hard-reset if /dev/watchdog0 is not serviced within 5m - confirm the device
# exists on every node this config is applied to, or the config is rejected.
apiVersion: v1alpha1
kind: WatchdogTimerConfig
device: /dev/watchdog0
timeout: 5m
--------------------------------------------------------------------------------
/kube/deploy/apps/README.md:
--------------------------------------------------------------------------------
# Apps
These are the actual applications or services that the cluster will host.
3 | -------------------------------------------------------------------------------- /kube/deploy/apps/actual/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/apps/actual/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: actual 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /kube/deploy/apps/atuin/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/apps/atuin/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: atuin 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /kube/deploy/apps/audiobookshelf/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: audiobookshelf-app 6 | namespace: flux-system 7 | labels: 8 | 
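prune.flux.home.arpa/enabled: "true"
wait.flux.home.arpa/disabled: "true"
spec:
  path: ./kube/deploy/apps/audiobookshelf/app
  dependsOn:
    - name: 1-core-storage-rook-ceph-cluster
    - name: 1-core-storage-volsync-app
--------------------------------------------------------------------------------
/kube/deploy/apps/audiobookshelf/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/apps/audiobookshelf/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: audiobookshelf
  labels:
    # Never let Flux garbage-collect the namespace (and the PVCs in it) if this
    # manifest is removed from Git - the app's ks.yaml opts into pruning, and
    # every other app namespace in this tree carries this guard.
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Pod Security admission in report-only mode: audit/warn flag anything that
    # would fail the restricted profile without rejecting pods. enforce is left
    # unset on purpose until the workload is confirmed to pass restricted.
    pod-security.kubernetes.io/audit: &ps restricted
    pod-security.kubernetes.io/warn: *ps
--------------------------------------------------------------------------------
/kube/deploy/apps/authentik/app/tls.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
# Wildcard Let's Encrypt certificate for the main domain, issued into the
# authentik namespace (P-384 ECDSA key).
# NOTE(review): the private key in authentik-tls covers ${DNS_MAIN},
# *.${DNS_MAIN} and *.tinfoil.${DNS_MAIN}, so anything that can read Secrets
# in this namespace can impersonate every host under the domain, not just the
# IdP. The namespace runs at PSS baseline (its ns.yaml), so keep Secret RBAC
# here tight and avoid copying this Secret into other namespaces.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: &app authentik
  namespace: *app
spec:
  secretName: authentik-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  privateKey:
    algorithm: ECDSA
    size: 384
  commonName: ${DNS_MAIN}
  dnsNames:
    - ${DNS_MAIN}
    - "*.${DNS_MAIN}"
    - "*.tinfoil.${DNS_MAIN}"
--------------------------------------------------------------------------------
/kube/deploy/apps/authentik/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml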
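--------------------------------------------------------------------------------
/kube/deploy/apps/authentik/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: authentik
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    # enforce is baseline (not restricted) because Crunchy-PGO can't set
    # seccompProfile on the instance containers. audit/warn are kept at
    # restricted so every other pod in the IdP namespace that drifts from the
    # restricted profile is still reported, without rejecting the PGO pods.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: &ps restricted
    pod-security.kubernetes.io/warn: *ps
--------------------------------------------------------------------------------
/kube/deploy/apps/blocky/app/config/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Renders config.yaml into the blocky-config ConfigMap under the key config.yml.
configMapGenerator:
  - name: blocky-config
    namespace: blocky
    files:
      - config.yml=config.yaml
generatorOptions:
  # Stable name so the workload can reference it directly; the trade-off is that
  # config changes don't roll pods by themselves unless something (e.g. Reloader,
  # which this repo uses) watches the ConfigMap.
  disableNameSuffixHash: true
--------------------------------------------------------------------------------
/kube/deploy/apps/blocky/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/apps/blocky/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: blocky
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
--------------------------------------------------------------------------------
/kube/deploy/apps/code-server/app/pvc.yaml: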
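--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: "code-server-misc"
  namespace: &app "code-server"
  annotations:
    description: "PVC for misc files that don't need to be backed up, like Homebrew or Nix Store."
  labels:
    app.kubernetes.io/name: *app
    snapshot.home.arpa/enabled: "true"
    # NOTE(review): the namespace manifests spell this value lowercase
    # ("disabled"); if Flux ever compares the label case-sensitively this PVC
    # would become prunable - worth normalising.
    kustomize.toolkit.fluxcd.io/prune: "Disabled"
spec:
  storageClassName: "block"
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: "100Gi"
--------------------------------------------------------------------------------
/kube/deploy/apps/code-server/app/rbac.yaml:
--------------------------------------------------------------------------------
---
# Grants the code-server ServiceAccount full cluster-admin.
# NOTE(review): together with the Talos os:admin ServiceAccount below, a shell
# in the code-server pod (or a leaked SA token) is root on both the Kubernetes
# API and every Talos node. The restricted PSS level on the code-server
# namespace does not shrink this blast radius at all. Prefer a purpose-built
# ClusterRole (or a namespaced Role) listing what the IDE actually needs, and
# consider automountServiceAccountToken: false on the pod with an explicit,
# short-lived projected token if in-cluster auth is only needed occasionally.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: &app code-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: *app
    namespace: *app
---
# Talos API access from inside the cluster. The Talos controller presumably
# materialises a talosconfig for this ServiceAccount in a Secret of the same
# name (see talos-serviceaccount.yaml, which only merges annotations into it).
# os:admin is the most powerful Talos role (machine reset/reboot/upgrade,
# reading machine secrets); if code-server only needs talosctl for inspection,
# a lower role such as os:reader or os:operator is the safer default.
apiVersion: talos.dev/v1alpha1
kind: ServiceAccount
metadata:
  name: talos
  # Pinned to the namespace the ClusterRoleBinding subject and the talos Secret
  # live in; without it the object lands in whatever namespace the apply
  # defaults to. If the Flux Kustomization already sets targetNamespace this is
  # redundant but harmless.
  namespace: code-server
spec:
  roles:
    - os:admin
--------------------------------------------------------------------------------
/kube/deploy/apps/code-server/app/talos-serviceaccount.yaml:
--------------------------------------------------------------------------------
# Placeholder for the Secret that the Talos ServiceAccount controller fills in.
# ssa: Merge makes Flux own only the annotations instead of clobbering the
# controller-written data on every reconcile; the Reloader annotation tells
# Reloader to ignore this Secret, so credential rotation does not restart the
# pod.
apiVersion: v1
kind: Secret
metadata:
  name: talos
  namespace: code-server
  annotations:
    kustomize.toolkit.fluxcd.io/ssa: Merge
    reloader.stakater.com/match: "false"
--------------------------------------------------------------------------------
/kube/deploy/apps/code-server/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  -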
ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/apps/code-server/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: code-server 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /kube/deploy/apps/cryptpad/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/apps/cryptpad/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: cryptpad 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /kube/deploy/apps/cyberchef/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: cyberchef-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/apps/cyberchef/app 9 | dependsOn: 10 | - name: 1-core-ingress-nginx-app -------------------------------------------------------------------------------- /kube/deploy/apps/cyberchef/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 
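apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/apps/cyberchef/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: cyberchef
  labels:
    # Same guard rails as the other app namespaces: never let Flux garbage-
    # collect the namespace, and report (without rejecting) pods that do not
    # meet the restricted profile. enforce is deliberately not set here until
    # the workload has been checked against restricted.
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/audit: &ps restricted
    pod-security.kubernetes.io/warn: *ps
--------------------------------------------------------------------------------
/kube/deploy/apps/davis/app/authentik.yaml:
--------------------------------------------------------------------------------
---
# Routes the authentik forward-auth outpost path for the davis hostname to the
# authentik Service (lives in the authentik namespace because the backend does).
# NOTE(review): this only exposes /outpost.goauthentik.io. Actually gating
# davis behind authentik depends on the davis Ingress carrying the matching
# auth-url/auth-signin annotations on the same ingress class (nginx-internal);
# if davis is published on another class the outpost path is unreachable from
# the login redirect.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: davis-authentik
  namespace: authentik
spec:
  ingressClassName: "nginx-internal"
  rules:
    - host: &host "${APP_DNS_DAVIS}"
      http:
        paths:
          - pathType: Prefix
            path: "/outpost.goauthentik.io"
            backend:
              service:
                name: authentik
                port:
                  name: http
  # No secretName: for ingress-nginx this means the controller's default
  # certificate is served for this host, so that cert must cover it.
  tls:
    - hosts:
        - *host
--------------------------------------------------------------------------------
/kube/deploy/apps/davis/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/apps/davis/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: davis
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
--------------------------------------------------------------------------------
/kube/deploy/apps/dns/dnsdist/ks.yaml: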
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: dns-dnsdist-app
  namespace: flux-system
spec:
  path: ./kube/deploy/apps/dns/dnsdist/app
  # No dependencies, unlike most app Kustomizations in this tree.
  # sourceRef/interval/prune are not set here; presumably filled in by the
  # parent Kustomization's patches.
  dependsOn: []
--------------------------------------------------------------------------------
/kube/deploy/apps/dns/dnsdist/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/apps/elk/app/secrets.yaml:
--------------------------------------------------------------------------------
---
# Cloudflare KV credentials for Elk's storage driver. The ${SECRET_*}
# placeholders are Flux postBuild substitutions, so the real values are not
# committed - but the rendered object is still a plain Opaque Secret.
# NOTE(review): it lands in the shared "apps" namespace rather than a dedicated
# one, so any ServiceAccount with secrets/get there can read the Cloudflare
# API token. Scope that token to this single KV namespace so a leak can't touch
# anything else, and consider pulling it via ExternalSecret (as the newer apps
# in this tree do) so rotation happens in 1Password rather than in the Flux
# vars Secret.
apiVersion: v1
kind: Secret
metadata:
  name: "elk-secrets"
  namespace: "apps"
type: Opaque
stringData:
  NUXT_STORAGE_DRIVER: "cloudflare"
  NUXT_CLOUDFLARE_ACCOUNT_ID: "${SECRET_ELK_CF_ID}"
  NUXT_CLOUDFLARE_API_TOKEN: "${SECRET_ELK_CF_TOKEN}"
  NUXT_CLOUDFLARE_NAMESPACE_ID: "${SECRET_ELK_CF_KV_NS}"
--------------------------------------------------------------------------------
/kube/deploy/apps/elk/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: elk-app
  namespace: flux-system
  labels:
    wait.flux.home.arpa/disabled: "true"
spec:
  path: ./kube/deploy/apps/elk/app
  dependsOn:
    - name: 1-core-storage-rook-ceph-cluster
    - name: 1-core-ingress-nginx-app
    - name: 1-core-storage-volsync-app
--------------------------------------------------------------------------------
/kube/deploy/apps/elk/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion:
kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/apps/excalidraw/deps/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: excalidraw 6 | -------------------------------------------------------------------------------- /kube/deploy/apps/excalidraw/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/apps/fava/app/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: fava 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /kube/deploy/apps/fava/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | # - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/apps/firefly/app/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: firefly 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: 
*ps 11 | -------------------------------------------------------------------------------- /kube/deploy/apps/firefly/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | # - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/apps/flatnotes/app/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: flatnotes 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /kube/deploy/apps/flatnotes/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: "flatnotes-misc" 6 | namespace: &app "flatnotes" 7 | annotations: 8 | description: "PVC for Flatnotes search index." 
9 | labels: 10 | app.kubernetes.io/name: *app 11 | spec: 12 | storageClassName: "file-ec-2-1" 13 | accessModes: ["ReadWriteMany"] 14 | resources: 15 | requests: 16 | storage: "10Gi" 17 | -------------------------------------------------------------------------------- /kube/deploy/apps/flatnotes/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/apps/fortidynasync/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: fortidynasync-app 6 | namespace: flux-system 7 | labels: &l 8 | app.kubernetes.io/name: "fortidynasync" 9 | spec: 10 | targetNamespace: "fortidynasync" 11 | commonMetadata: 12 | labels: *l 13 | path: ./kube/deploy/apps/fortidynasync/app 14 | dependsOn: [] 15 | components: 16 | - ../../../core/flux-system/alerts/template/ 17 | -------------------------------------------------------------------------------- /kube/deploy/apps/fortidynasync/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/apps/fortidynasync/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: fortidynasync 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | 
-------------------------------------------------------------------------------- /kube/deploy/apps/go-discord-modtools/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/apps/go-discord-modtools/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: go-discord-modtools 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /kube/deploy/apps/goatcounter/app/es.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1beta1 4 | kind: ExternalSecret 5 | metadata: 6 | name: &name goatcounter-secrets 7 | namespace: goatcounter 8 | spec: 9 | refreshInterval: 1m 10 | secretStoreRef: 11 | kind: ClusterSecretStore 12 | name: 1p 13 | dataFrom: 14 | - extract: 15 | key: "goatcounter - ${CLUSTER_NAME}" 16 | target: 17 | creationPolicy: Owner 18 | deletionPolicy: Retain 19 | name: *name 20 | -------------------------------------------------------------------------------- /kube/deploy/apps/goatcounter/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- 
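/kube/deploy/apps/goatcounter/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: goatcounter
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
--------------------------------------------------------------------------------
/kube/deploy/apps/gokapi/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: gokapi-app
  namespace: flux-system
spec:
  path: ./kube/deploy/apps/gokapi/app
  dependsOn:
    - name: 1-core-ingress-nginx-app
    - name: 1-core-storage-rook-ceph-cluster
--------------------------------------------------------------------------------
/kube/deploy/apps/gokapi/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/apps/gokapi/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: gokapi
  labels:
    # Gokapi (file sharing) is published through ingress-nginx (its ks.yaml
    # depends on it) and handles untrusted uploads, so it should get at least
    # the same report-only PSS coverage as the other app namespaces. enforce is
    # left unset until the workload is checked against restricted; the prune
    # guard matches the rest of the tree.
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/audit: &ps restricted
    pod-security.kubernetes.io/warn: *ps
--------------------------------------------------------------------------------
/kube/deploy/apps/gotosocial/app/s3.yaml:
--------------------------------------------------------------------------------
---
# Rook RGW bucket for GoToSocial media. The OBC provisioner presumably writes
# the bucket endpoint and access keys into a ConfigMap/Secret named after the
# claim in this namespace - those keys are as sensitive as the media itself.
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: gotosocial-media-s3
  namespace: gotosocial
spec:
  # Fixed bucket name (bucketName rather than generateBucketName), so the name
  # must be unique across the RGW instance for this cluster.
  bucketName: "gotosocial-media"
  storageClassName: "rgw-${CLUSTER_NAME}"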
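--------------------------------------------------------------------------------
/kube/deploy/apps/gotosocial/app/tls.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
# Single-host Let's Encrypt certificate for the fediverse instance (P-384
# ECDSA key), stored in gotosocial-tls.
# NOTE(review): pods in this namespace are currently not constrained by Pod
# Security admission (enforce: privileged in ns.yaml), so a compromised pod
# here has far more room to escalate to the node and read this key than in the
# restricted namespaces; raising enforce is the real fix, not anything here.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: &app gotosocial
  namespace: *app
spec:
  secretName: gotosocial-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  privateKey:
    algorithm: ECDSA
    size: 384
  commonName: social.jjgadgets.tech
  dnsNames:
    - social.jjgadgets.tech
--------------------------------------------------------------------------------
/kube/deploy/apps/gotosocial/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/apps/gotosocial/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: gotosocial
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    # enforce is privileged, i.e. Pod Security admission rejects nothing in this
    # namespace (privileged containers, hostPath, host namespaces are all
    # allowed). The commented-out line shows restricted was the intent; until
    # the workload is fixed up, audit/warn run at restricted so violations show
    # up in the audit log and apply warnings instead of being silently accepted.
    # Re-raise enforce to at least baseline as soon as possible - this is a
    # publicly reachable service (see the public hostname in tls.yaml).
    pod-security.kubernetes.io/enforce: privileged
    #pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: &ps restricted
    pod-security.kubernetes.io/warn: *ps
--------------------------------------------------------------------------------
/kube/deploy/apps/gts-robo/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: gts-robo-app
  namespace: flux-system
  labels: &l
    app.kubernetes.io/name: "gts-robo"
spec:
  targetNamespace: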
"gts-robo" 11 | commonMetadata: 12 | labels: *l 13 | path: ./kube/deploy/apps/gts-robo/app 14 | dependsOn: [] 15 | -------------------------------------------------------------------------------- /kube/deploy/apps/gts-robo/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/apps/gts-robo/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: gts-robo 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /kube/deploy/apps/home-assistant/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/apps/home-assistant/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: home-assistant 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps restricted 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /kube/deploy/apps/homebox/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 
# (continues /kube/deploy/apps/homebox/kustomization.yaml from the previous chunk)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/homebox/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: homebox
  labels:
    # Flux keeps the Namespace even if it disappears from the Kustomization.
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Pod Security Admission: enforce, audit and warn all pinned to "restricted" via the anchor.
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# ===== /kube/deploy/apps/immich/app/dns.yaml =====
---
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: &app immich
  namespace: *app
spec:
  endpoints:
    # A record for the Immich hostname. The target variable is named IP_EC2_NON_K8S,
    # which suggests a host outside this cluster — confirm that is intended.
    - dnsName: "${APP_DNS_IMMICH}"
      recordType: A
      targets: ["${IP_EC2_NON_K8S}"]
# ===== /kube/deploy/apps/immich/app/pvc.yaml =====
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: "immich-misc"
  namespace: &app "immich"
  annotations:
    description: "PVC for misc files that don't need to be backed up, like thumbnails and encoded videos."
  labels:
    app.kubernetes.io/name: *app
    # NOTE(review): value is "Disabled" here but lower-case "disabled" on the Namespace
    # objects. Confirm the controller matches this label value case-insensitively;
    # if it does not, the claim is still eligible for pruning.
    kustomize.toolkit.fluxcd.io/prune: "Disabled"
spec:
  storageClassName: "file-ec-2-1"
  accessModes: ["ReadWriteMany"]
  resources:
    requests:
      storage: "100Gi"
# ===== /kube/deploy/apps/immich/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/immich/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: immich
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# ===== /kube/deploy/apps/insurgency-sandstorm/app/config/Mods.txt (plain text, not YAML) =====
135290; scale bot
93636; improved ai
98145; No Restricted Area
100175; Advanced Supply Points
760053; GreenZone
132183; WelcomeMessage
101966; Join Leave Message
98145; No Restricted Area
98373; More Ammo Mutator
98685; Jump Shoot
1161703; No Smoke
164061; COOP-Mayhem
156146; Round Progress
125754;they go loud bang
# ===== /kube/deploy/apps/insurgency-sandstorm/app/config/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
configMapGenerator:
  - name: insurgency-sandstorm-config
    files:
      - ./Game.ini
      - ./Engine.ini
      - ./MapCycle.txt
      # Mods.txt lists id 98145 ("No Restricted Area") twice (its lines 3 and 8).
      - ./Mods.txt
generatorOptions:
  # Fixed ConfigMap name (no content-hash suffix), so a config change alone does not
  # rename the ConfigMap and therefore does not trigger a rollout by itself.
  disableNameSuffixHash: true
# ===== /kube/deploy/apps/insurgency-sandstorm/app/netpol.yaml =====
---
# yaml-language-server: $schema=https://crds.jank.ing/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: &app insurgency-sandstorm
  namespace: *app
spec:
  # Empty selector: every pod in the namespace is selected.
  endpointSelector: {}
  # Only egress rules are given, so ingress is not restricted by this policy; for
  # egress the selected pods are default-deny apart from the FQDN patterns below.
  # NOTE(review): toFQDNs needs DNS answers to pass through the Cilium DNS proxy,
  # which normally requires an explicit egress rule to the cluster DNS service with
  # a `rules.dns` section. Nothing here grants that — confirm a cluster-wide policy
  # does, otherwise these names will not resolve for the game server.
  egress:
    - toFQDNs:
        - matchPattern: "*.mod.io"
        - matchPattern: "*.modapi.io"
        - matchPattern: "*.modcdn.io"
# ===== /kube/deploy/apps/insurgency-sandstorm/app/pvc.yaml =====
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: "insurgency-sandstorm-misc"
  namespace: &app "insurgency-sandstorm"
  annotations:
    description: "PVC for game server files that can be redownloaded."
  labels:
    app.kubernetes.io/name: *app
spec:
  storageClassName: "file-ec-2-1"
  accessModes: ["ReadWriteMany"]
  resources:
    requests:
      storage: "20Gi"
# ===== /kube/deploy/apps/insurgency-sandstorm/ks.yaml =====
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: insurgency-sandstorm-app
  namespace: flux-system
  labels: &l
    app.kubernetes.io/name: "insurgency-sandstorm"
spec:
  # The same labels are stamped onto every object this Kustomization applies.
  commonMetadata:
    labels: *l
  path: ./kube/deploy/apps/insurgency-sandstorm/app
  targetNamespace: "insurgency-sandstorm"
  dependsOn: []
# ===== /kube/deploy/apps/insurgency-sandstorm/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/insurgency-sandstorm/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: insurgency-sandstorm
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# ===== /kube/deploy/apps/k8s-schemas/app/s3.yaml =====
---
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  # No namespace here; ks.yaml supplies it through targetNamespace.
  name: &name "k8s-schemas-rgw"
spec:
  storageClassName: "rgw-${CLUSTER_NAME}"
  bucketName: *name
# ===== /kube/deploy/apps/k8s-schemas/app/secrets.yaml =====
---
apiVersion: v1
kind: Secret
metadata:
  # Namespace likewise comes from targetNamespace in ks.yaml.
  name: "k8s-schemas-rclone"
type: Opaque
stringData:
  # rclone config with two remotes. The ${SECRET_*} tokens are filled in at
  # reconcile time (presumably Flux variable substitution), so no credential is
  # committed here. [r2] uses static keys; [rgw] relies on env_auth and talks
  # plain HTTP to the in-cluster RGW service.
  rclone.conf: |
    [r2]
    type = s3
    provider = Cloudflare
    endpoint = ${SECRET_R2_ENDPOINT}
    env_auth = false
    access_key_id = ${SECRET_K8S_SCHEMAS_R2_ID}
    secret_access_key = ${SECRET_K8S_SCHEMAS_R2_KEY}

    [rgw]
    type = s3
    provider = Ceph
    env_auth = true
    endpoint = http://rook-ceph-rgw-${CLUSTER_NAME}.rook-ceph.svc:6953
# ===== /kube/deploy/apps/k8s-schemas/ks.yaml =====
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: k8s-schemas-app
  namespace: flux-system
  labels: &l
    app.kubernetes.io/name: &app k8s-schemas
spec:
  commonMetadata:
    labels: *l
  # Reuses the app label value as the target namespace.
  targetNamespace: *app
  path: ./kube/deploy/apps/k8s-schemas/app
  dependsOn: []
# ===== /kube/deploy/apps/k8s-schemas/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/k8s-schemas/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: k8s-schemas
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# ===== /kube/deploy/apps/kah/deps/tls.yaml =====
---
# yaml-language-server: $schema=https://crds.jank.ing/cert-manager.io/certificate_v1.json
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kah
  namespace: kah
spec:
  secretName: kah-tls
  privateKey:
    # ECDSA P-384; a fresh key is generated on every renewal rather than reused.
    algorithm: ECDSA
    size: 384
    rotationPolicy: Always
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  dnsNames:
    # One wildcard certificate for everything under the kah zone.
    - "*.${DNS_KAH}"
# ===== /kube/deploy/apps/kah/inspircd/dns-external.yaml =====
---
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: inspircd
  namespace: kah
spec:
  endpoints:
    # Public A record for the IRC server; the variable name suggests an external address.
    - dnsName: "${APP_DNS_KAHIRC}"
      recordType: A
      targets: ["${APP_IP_EXT_KAHIRC}"]
# ===== /kube/deploy/apps/kah/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/kah/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: kah
  # NOTE(review): unlike the sibling namespaces there are no pod-security.kubernetes.io/*
  # labels and no prune: disabled label here, so Pod Security Admission falls back to
  # the cluster default for this namespace and the Namespace is not protected from
  # pruning — confirm both are intended for the IRC workload.
# ===== /kube/deploy/apps/kanidm/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/kanidm/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: kanidm
  labels:
    # Flux keeps the Namespace even if it disappears from the Kustomization.
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Pod Security Admission: enforce, audit and warn all pinned to "restricted".
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# ===== /kube/deploy/apps/kromgo/ks.yaml =====
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kromgo-app
  namespace: flux-system
  labels: &l
    app.kubernetes.io/name: "kromgo"
spec:
  # The same labels are stamped onto every object this Kustomization applies.
  commonMetadata:
    labels: *l
  path: ./kube/deploy/apps/kromgo/app
  targetNamespace: "kromgo"
  dependsOn: []
# ===== /kube/deploy/apps/kromgo/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/kromgo/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: kromgo
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# ===== /kube/deploy/apps/kustomization.yaml =====
---
# Top-level apps kustomization: only creates the "apps" Namespace from ns.yaml.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
# ===== /kube/deploy/apps/languagetool/ks.yaml =====
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: languagetool-app
  namespace: flux-system
  labels: &l
    app.kubernetes.io/name: "languagetool"
spec:
  commonMetadata:
    labels: *l
  path: ./kube/deploy/apps/languagetool/app
  targetNamespace: "languagetool"
  dependsOn: []
# ===== /kube/deploy/apps/languagetool/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/languagetool/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: languagetool
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# ===== /kube/deploy/apps/librespeed/ks.yaml =====
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: librespeed-app
  namespace: flux-system
  labels: &l
    app.kubernetes.io/name: "librespeed"
spec:
  commonMetadata:
    labels: *l
  path: ./kube/deploy/apps/librespeed/app
  targetNamespace: "librespeed"
  dependsOn: []
# ===== /kube/deploy/apps/librespeed/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/librespeed/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: librespeed
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# ===== /kube/deploy/apps/linkding/app/es.yaml =====
---
# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: &name linkding-secrets
  namespace: linkding
spec:
  # Re-pulled from the store every minute.
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: 1p
  dataFrom:
    # Every field of the named item (presumably a 1Password item, given the store
    # name) becomes a key of the generated Secret.
    - extract:
        key: "linkding - ${CLUSTER_NAME}"
  target:
    creationPolicy: Owner
    # The generated Secret is left in place if this ExternalSecret is deleted.
    deletionPolicy: Retain
    name: *name
# ===== /kube/deploy/apps/linkding/app/pvc.yaml =====
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: "linkding-snapshots"
  namespace: &app "linkding"
  annotations:
    description: "PVC for saving Linkding page snapshots (similar to Wayback)"
  labels:
    app.kubernetes.io/name: *app
    # Opted in to volume snapshots (the label is a custom home.arpa convention).
    snapshot.home.arpa/enabled: "true"
    # NOTE(review): "Disabled" here vs the lower-case "disabled" used on the Namespace
    # objects; confirm the controller compares this value case-insensitively, since
    # this claim holds user data that the snapshot label marks as worth keeping.
    kustomize.toolkit.fluxcd.io/prune: "Disabled"
spec:
  storageClassName: "file"
  accessModes: ["ReadWriteMany"]
  resources:
    requests:
      storage: "100Gi"
# ===== /kube/deploy/apps/linkding/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/linkding/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: linkding
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# ===== /kube/deploy/apps/maloja/app/ns.yaml =====
# Lives under app/ rather than next to kustomization.yaml, so the Namespace is
# created by the app-level Flux Kustomization instead of the parent.
---
apiVersion: v1
kind: Namespace
metadata:
  name: maloja
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# ===== /kube/deploy/apps/maloja/app/pvc.yaml =====
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: "maloja-misc"
  namespace: &app "maloja"
  annotations:
    description: "PVC for Maloja cache and others"
  labels:
    app.kubernetes.io/name: *app
spec:
  storageClassName: "file-ec-2-1"
  accessModes: ["ReadWriteMany"]
  resources:
    requests:
      storage: "10Gi"
# ===== /kube/deploy/apps/maloja/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # ns.yaml is intentionally not listed here; the Namespace ships in app/ instead.
  # - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/media/_deps/app/pvc.yaml =====
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: "media-bulk"
  namespace: &app "media"
  annotations:
    description: "PVC for bulk media storage."
  labels:
    # part-of rather than name: this claim is shared by several media apps.
    app.kubernetes.io/part-of: *app
    snapshot.home.arpa/enabled: "true"
    # NOTE(review): "Disabled" here vs the lower-case "disabled" used on the Namespace
    # objects; confirm the controller compares this value case-insensitively.
    kustomize.toolkit.fluxcd.io/prune: "Disabled"
spec:
  storageClassName: "file-ec-2-1"
  accessModes: ["ReadWriteMany"]
  resources:
    requests:
      storage: "200Gi"
# ===== /kube/deploy/apps/media/_deps/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: media
resources:
  - ns.yaml
  - ks.yaml
components:
  - ../../../core/flux-system/alerts/template/
# NOTE(review): the file-level `namespace: media` and this trailing NamespaceTransformer
# (unsetOnly, targeting authentik) interact; the apparent intent is that objects from
# the alerts component land in authentik rather than media, and the name "not-used"
# suggests metadata.name is ignored. Verify the rendered output with a kustomize build
# before relying on where the alert objects end up.
transformers:
  - |-
    apiVersion: builtin
    kind: NamespaceTransformer
    unsetOnly: true
    metadata:
      name: not-used
      namespace: authentik
# ===== /kube/deploy/apps/media/_deps/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: media
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Relaxed from "restricted" to "baseline"; the reason is recorded inline.
    pod-security.kubernetes.io/enforce: &ps baseline # NFS pod-level volumeMount
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# ===== /kube/deploy/apps/media/jellyfin/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # The shared media Namespace is created by media/_deps, not per app.
  # - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/media/kavita/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ks.yaml
# ===== /kube/deploy/apps/media/komga/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ks.yaml
# ===== /kube/deploy/apps/media/navidrome/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/media/plex/app/pvc.yaml =====
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: "plex-misc"
  namespace: "media"
  annotations:
    description: "PVC for Plex cache and others"
  labels:
    app.kubernetes.io/name: "plex"
spec:
  storageClassName: "file-ec-2-1"
  accessModes: ["ReadWriteMany"]
  resources:
    requests:
      storage: "100Gi"
# ===== /kube/deploy/apps/media/plex/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/minecraft/ks.yaml =====
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: minecraft-app
  namespace: flux-system
  labels:
    # Custom marker mirroring spec.wait below; presumably read by tooling elsewhere.
    wait.flux.home.arpa/disabled: "true"
spec:
  path: ./kube/deploy/apps/minecraft/app
  # Do not block reconciliation on the applied objects becoming ready.
  wait: false
  dependsOn:
    - name: 1-core-storage-rook-ceph-cluster
    - name: 1-core-storage-volsync-app
# ===== /kube/deploy/apps/minecraft/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - repo.yaml
  - ks.yaml
# ===== /kube/deploy/apps/minecraft/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: minecraft
  labels:
    # NOTE(review): fully privileged PSA level with enforce only (no audit/warn
    # labels) and no prune: disabled label, unlike the restricted namespaces. The
    # reason is not recorded; a short inline comment on why the server needs
    # "privileged" would help (the mlc-llm namespace documents its reason that way).
    pod-security.kubernetes.io/enforce: "privileged"
    pod-security.kubernetes.io/enforce-version: "latest"
# ===== /kube/deploy/apps/minecraft/repo.yaml =====
---
# v1beta2 is an older version of this API; newer Flux releases serve v1 for
# HelmRepository — confirm which the cluster has.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: minecraft
  namespace: flux-system
spec:
  # Chart index is re-fetched hourly over HTTPS.
  interval: 1h
  timeout: 3m0s
  url: https://itzg.github.io/minecraft-server-charts/
# ===== /kube/deploy/apps/minecraft2/ks.yaml =====
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: minecraft2-app
  namespace: flux-system
  labels:
    wait.flux.home.arpa/disabled: "true"
spec:
  path: ./kube/deploy/apps/minecraft2/app
  wait: false
  dependsOn:
    - name: 1-core-storage-rook-ceph-cluster
    - name: 1-core-storage-volsync-app
# ===== /kube/deploy/apps/minecraft2/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/minecraft2/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: minecraft2
  labels:
    # NOTE(review): same as the minecraft namespace — "privileged" with enforce
    # only, no audit/warn labels, no prune: disabled label, and no recorded reason.
    pod-security.kubernetes.io/enforce: "privileged"
    pod-security.kubernetes.io/enforce-version: "latest"
# ===== /kube/deploy/apps/miniflux/app/ns.yaml =====
# Lives under app/, so the Namespace is created by the app-level Flux Kustomization.
---
apiVersion: v1
kind: Namespace
metadata:
  name: miniflux
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# ===== /kube/deploy/apps/miniflux/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # ns.yaml is deliberately not listed here; it ships in app/ instead.
  # - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/mlc-llm/app/pvc.yaml =====
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: "mlc-llm-misc"
  namespace: &app "mlc-llm"
  annotations:
    description: "PVC for misc files that don't need to be backed up, like models."
  labels:
    app.kubernetes.io/name: *app
    # NOTE(review): "Disabled" here vs the lower-case "disabled" used on the Namespace
    # objects; confirm the controller compares this value case-insensitively.
    kustomize.toolkit.fluxcd.io/prune: "Disabled"
spec:
  # Plain "file" class here, not the "file-ec-2-1" class most other claims use.
  storageClassName: "file"
  accessModes: ["ReadWriteMany"]
  resources:
    requests:
      storage: "100Gi"
# ===== /kube/deploy/apps/mlc-llm/ks.yaml =====
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: mlc-llm-app
  namespace: flux-system
  labels: &l
    app.kubernetes.io/name: "mlc-llm"
spec:
  commonMetadata:
    labels: *l
  path: ./kube/deploy/apps/mlc-llm/app
  targetNamespace: "mlc-llm"
  dependsOn: []
# ===== /kube/deploy/apps/mlc-llm/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/mlc-llm/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: mlc-llm
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Privileged PSA level with the reason recorded inline; audit/warn follow enforce.
    pod-security.kubernetes.io/enforce: &ps privileged # seccomp for Vulkan with Intel iGPU
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# ===== /kube/deploy/apps/morphos/ks.yaml =====
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: morphos-app
  namespace: flux-system
  labels: &l
    app.kubernetes.io/name: "morphos"
spec:
  commonMetadata:
    labels: *l
  path: ./kube/deploy/apps/morphos/app
  targetNamespace: "morphos"
  dependsOn: []
# ===== /kube/deploy/apps/morphos/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/morphos/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: morphos
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# ===== /kube/deploy/apps/nfs-web/ks.yaml =====
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: nfs-web-app
  namespace: flux-system
spec:
  # No targetNamespace or commonMetadata here, unlike the sibling ks.yaml files,
  # so the manifests under app/ must carry their own namespace.
  path: ./kube/deploy/apps/nfs-web/app
  dependsOn: []
# ===== /kube/deploy/apps/nfs-web/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# ===== /kube/deploy/apps/nfs-web/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: nfs-web
  # NOTE(review): no pod-security.kubernetes.io/* labels and no prune: disabled
  # label, unlike most sibling namespaces; PSA falls back to the cluster default.
# ===== /kube/deploy/apps/ns.yaml =====
---
apiVersion: v1
kind: Namespace
metadata:
  name: apps
  # NOTE(review): no pod-security.kubernetes.io/* labels here either.
# ===== /kube/deploy/apps/ntfy/app/secrets.yaml =====
---
apiVersion: v1
kind: Secret
metadata:
  name: "ntfy-litestream"
  namespace: "ntfy"
type: Opaque
stringData:
  # Litestream replication credentials for the R2 target plus what look like an age
  # key pair (AGE_SECRET/AGE_PUBKEY). Every value is a ${SECRET_*} substitution
  # token, so nothing is committed in clear. Note the trailing "/" on R2_ENDPOINT.
  LITESTREAM_ACCESS_KEY_ID: "${SECRET_LITESTREAM_R2_ID}"
  LITESTREAM_SECRET_ACCESS_KEY: "${SECRET_LITESTREAM_R2_KEY}"
  R2_ENDPOINT: "${SECRET_R2_ENDPOINT}/"
  R2_BUCKET: "${SECRET_LITESTREAM_R2_BUCKET}"
  AGE_SECRET: "${SECRET_LITESTREAM_R2_AGE_SECRET}"
  AGE_PUBKEY: "${SECRET_LITESTREAM_R2_AGE_PUBKEY}"
# ===== /kube/deploy/apps/ntfy/ks.yaml =====
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: ntfy-app
  namespace: flux-system
spec:
  path: ./kube/deploy/apps/ntfy/app
  dependsOn:
    - name: 1-core-storage-rook-ceph-cluster
    - name: 1-core-ingress-nginx-app
    #- name: 1-core-storage-volsync-app
  healthChecks:
    - name: ntfy
      namespace: ntfy
      kind: HelmRelease
      # helm.toolkit.fluxcd.io/v2beta1 is the older HelmRelease version; confirm the
      # installed Flux still serves it (v2 is the current one).
      apiVersion: helm.toolkit.fluxcd.io/v2beta1
# ===== /kube/deploy/apps/ntfy/kustomization.yaml =====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
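# --------------------------------------------------------------------------
# /kube/deploy/apps/ntfy/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: ntfy
  labels:
    # Protect the namespace from Flux garbage collection, like its siblings.
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Report-only Pod Security Admission; promote to `enforce` once the ntfy
    # pods are verified against the `restricted` profile.
    pod-security.kubernetes.io/audit: &ps restricted
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/ocis/app/es.yaml
# --------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
# Copies every field of the 1Password item "ownCloud Infinite Scale - <cluster>"
# into a Secret carrying the same name as this resource.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: &name ocis-secrets
  namespace: ocis
spec:
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: 1p
  dataFrom:
    - extract:
        key: "ownCloud Infinite Scale - ${CLUSTER_NAME}"
  target:
    # Owner: the Secret is created by and owned by this ExternalSecret.
    # Retain: deleting the ExternalSecret leaves the Secret in place.
    creationPolicy: Owner
    deletionPolicy: Retain
    name: *name
# --------------------------------------------------------------------------
# /kube/deploy/apps/ocis/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/ocis/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: ocis
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Full `restricted` Pod Security Admission: enforced, audited and warned.
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/open-webui/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/open-webui/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: open-webui
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/paperless-ngx/app/es.yaml
# --------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
# Copies every field of the 1Password item "paperless-ngx - <cluster>" into a
# Secret carrying the same name as this resource.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: &name paperless-ngx-secrets
  namespace: paperless-ngx
spec:
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: 1p
  dataFrom:
    - extract:
        key: "paperless-ngx - ${CLUSTER_NAME}"
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    name: *name
# --------------------------------------------------------------------------
# /kube/deploy/apps/paperless-ngx/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/paperless-ngx/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: paperless-ngx
  labels:
    # Protect the namespace from Flux garbage collection, like its siblings.
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Report-only Pod Security Admission; promote to `enforce` once the
    # paperless-ngx pods are verified against the `restricted` profile.
    pod-security.kubernetes.io/audit: &ps restricted
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/phanpy/ks.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: phanpy-app
  namespace: flux-system
spec:
  path: ./kube/deploy/apps/phanpy/app
  dependsOn: []
# --------------------------------------------------------------------------
# /kube/deploy/apps/phanpy/kustomization.yaml
# --------------------------------------------------------------------------
---
# No ns.yaml here: the namespace is expected to come from the app directory.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/piped/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/piped/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: piped
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/radicale/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml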
# --------------------------------------------------------------------------
# /kube/deploy/apps/radicale/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: radicale
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    # restricted profile on all three PSA modes
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
# --------------------------------------------------------------------------
# /kube/deploy/apps/rclone-retro/app/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: rclone-retro
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
# --------------------------------------------------------------------------
# /kube/deploy/apps/rclone-retro/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # the namespace lives in app/ns.yaml and is applied by the Flux Kustomization
  # - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/reactive-resume/app/s3.yaml
# --------------------------------------------------------------------------
---
# Requests a bucket from the per-cluster Rook RGW object store class.
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: reactive-resume-media-s3
  namespace: reactive-resume
spec:
  bucketName: reactive-resume-media
  storageClassName: rgw-${CLUSTER_NAME}
# --------------------------------------------------------------------------
# /kube/deploy/apps/reactive-resume/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/reactive-resume/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: reactive-resume
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Relaxed to `baseline`: the 3.6.0 client/frontend runs as root and needs
    # a writable root filesystem for /app/client/public/__ENV.js; a tmpfs
    # mount is not an option because it would shadow the existing files.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline
# --------------------------------------------------------------------------
# /kube/deploy/apps/redbot/app/secrets.yaml
# --------------------------------------------------------------------------
---
# Bot token and owner id, filled in by Flux variable substitution.
apiVersion: v1
kind: Secret
metadata:
  name: redbot-secrets
  namespace: redbot
type: Opaque
stringData:
  TOKEN: "${SECRET_REDBOT_TOKEN}"
  OWNER: "${SECRET_REDBOT_OWNER}"
# --------------------------------------------------------------------------
# /kube/deploy/apps/redbot/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/redbot/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: redbot
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
# --------------------------------------------------------------------------
# /kube/deploy/apps/redlib/ks.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: redlib-app
  namespace: flux-system
  labels:
    app.kubernetes.io/name: redlib
spec:
  path: ./kube/deploy/apps/redlib/app
  targetNamespace: redlib
  # stamp every applied object with the same app label as this Kustomization
  commonMetadata:
    labels:
      app.kubernetes.io/name: redlib
  dependsOn: []
# --------------------------------------------------------------------------
# /kube/deploy/apps/redlib/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/redlib/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: redlib
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
# --------------------------------------------------------------------------
# /kube/deploy/apps/restic-rest-nfs/ks.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: restic-rest-nfs-app
  namespace: flux-system
spec:
  path: ./kube/deploy/apps/restic-rest-nfs/app
  dependsOn: []
# --------------------------------------------------------------------------
# /kube/deploy/apps/restic-rest-nfs/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/restic-rest-nfs/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: restic-rest-nfs
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    # `baseline` rather than `restricted`: the restricted profile rejects
    # the pod-lifetime NFS volumes this workload mounts.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline
# --------------------------------------------------------------------------
# /kube/deploy/apps/rimgo/app/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: rimgo
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
# --------------------------------------------------------------------------
# /kube/deploy/apps/rimgo/ks.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: rimgo-app
  namespace: flux-system
  labels:
    app.kubernetes.io/name: rimgo
spec:
  path: ./kube/deploy/apps/rimgo/app
  targetNamespace: rimgo
  commonMetadata:
    labels:
      app.kubernetes.io/name: rimgo
  # pulls in the shared Flux alerting template as a kustomize component
  components:
    - ../../../core/flux-system/alerts/template/
  # CRDs must exist before the alert objects from the component can be applied
  dependsOn:
    - name: crds
      namespace: flux-system
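# --------------------------------------------------------------------------
# /kube/deploy/apps/rimgo/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # the namespace lives in app/ns.yaml and is applied by the Flux Kustomization
  # - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/satisfactory/app/pvc.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: "satisfactory-game"
  namespace: &app "satisfactory"
  annotations:
    description: "PVC for game runtime files."
  labels:
    app.kubernetes.io/name: *app
    snapshot.home.arpa/enabled: "true"
    # Keep the claim (and its data) if Flux garbage-collects this path. Use the
    # documented lowercase value, as every other manifest in this tree does,
    # instead of relying on the controller's case handling of "Disabled".
    kustomize.toolkit.fluxcd.io/prune: "disabled"
spec:
  storageClassName: "file"
  accessModes: ["ReadWriteMany"]
  resources:
    requests:
      storage: "50Gi"
# --------------------------------------------------------------------------
# /kube/deploy/apps/satisfactory/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/satisfactory/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: satisfactory
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/searxng/app/es.yaml
# --------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
# Copies every field of the 1Password item "SearXNG - <cluster>" into a
# Secret carrying the same name as this resource.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: &name searxng-secrets
  namespace: searxng
spec:
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: 1p
  dataFrom:
    - extract:
        key: "SearXNG - ${CLUSTER_NAME}"
  target:
    # Owner: Secret created by and owned by this ExternalSecret.
    # Retain: deleting the ExternalSecret leaves the Secret in place.
    creationPolicy: Owner
    deletionPolicy: Retain
    name: *name
# --------------------------------------------------------------------------
# /kube/deploy/apps/searxng/ks.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: searxng-app
  namespace: flux-system
  labels: &l
    app.kubernetes.io/name: "searxng"
spec:
  # every applied object gets the same app label as this Kustomization
  commonMetadata:
    labels: *l
  path: ./kube/deploy/apps/searxng/app
  targetNamespace: "searxng"
  dependsOn: []
# --------------------------------------------------------------------------
# /kube/deploy/apps/searxng/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/searxng/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: searxng
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps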
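# --------------------------------------------------------------------------
# /kube/deploy/apps/sillytavern/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/sillytavern/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: sillytavern
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/silverbullet/app/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: silverbullet
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/silverbullet/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # the namespace lives in app/ns.yaml and is applied by the Flux Kustomization
  # - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/soft-serve/app/es.yaml
# --------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
# Copies every field of the 1Password item "soft-serve - <cluster>" into a
# Secret carrying the same name as this resource.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: &name soft-serve-secrets
  namespace: soft-serve
spec:
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: 1p
  dataFrom:
    - extract:
        key: "soft-serve - ${CLUSTER_NAME}"
  target:
    # Owner: Secret created by and owned by this ExternalSecret.
    # Retain: deleting the ExternalSecret leaves the Secret in place.
    creationPolicy: Owner
    deletionPolicy: Retain
    name: *name
# --------------------------------------------------------------------------
# /kube/deploy/apps/soft-serve/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/soft-serve/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: soft-serve
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/stirling-pdf/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/stirling-pdf/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: stirling-pdf
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/talosctl-image-pull-agent/app/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: talosctl-image-pull-agent
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/talosctl-image-pull-agent/app/talos-serviceaccount.yaml
# --------------------------------------------------------------------------
---
# Talos API credentials for the image pull agent. The Talos ServiceAccount
# controller issues a talosconfig into the Secret of the same name below.
apiVersion: talos.dev/v1alpha1
kind: ServiceAccount
metadata:
  name: talos
  namespace: talosctl-image-pull-agent
spec:
  roles:
    # os:operator is a broad Talos role: anyone who can read the resulting
    # Secret gets that level of access to every node. Keep RBAC on this
    # namespace tight and check whether a narrower role covers image pulls.
    - os:operator
---
# Stub for the Secret the Talos controller populates. Flux applies it with
# server-side-apply Merge so it never overwrites the issued credentials, and
# the reloader annotation (presumably) keeps credential rotation from
# restarting pods that mount it.
apiVersion: v1
kind: Secret
metadata:
  name: talos
  namespace: talosctl-image-pull-agent
  annotations:
    kustomize.toolkit.fluxcd.io/ssa: Merge
    reloader.stakater.com/match: "false"
# --------------------------------------------------------------------------
# /kube/deploy/apps/talosctl-image-pull-agent/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # the namespace lives in app/ns.yaml and is applied by the Flux Kustomization
  # - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/thelounge/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml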
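# --------------------------------------------------------------------------
# /kube/deploy/apps/thelounge/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: thelounge
  labels:
    # Protect the namespace from Flux garbage collection, like its siblings.
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Report-only Pod Security Admission; promote to `enforce` once the
    # thelounge pods are verified against the `restricted` profile.
    pod-security.kubernetes.io/audit: &ps restricted
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/velociraptor/app/.sops.yaml
# --------------------------------------------------------------------------
creation_rules:
  # Anchored and escaped: the earlier `.*.sops.yaml` treated both dots as
  # wildcards, so any name containing `sops?yaml` would have matched. Only
  # files ending in `.sops.yaml` are meant to be encrypted.
  - path_regex: .*\.sops\.yaml$
    # Encrypt only the secret payload; metadata stays readable for diffs.
    encrypted_regex: ^(data|stringData)$
    # Two recipients in one key group: either the age key or the PGP key can
    # decrypt on its own, so both private keys need equal protection.
    age: >-
      age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
    pgp: >-
      31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
# --------------------------------------------------------------------------
# /kube/deploy/apps/velociraptor/app/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
  - netpol.yaml
  # SOPS-encrypted; decrypted by Flux at apply time.
  - config.sops.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/velociraptor/ks.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: velociraptor-app
  namespace: flux-system
spec:
  path: ./kube/deploy/apps/velociraptor/app
  dependsOn:
    - name: 1-core-storage-rook-ceph-cluster
    - name: 1-core-ingress-nginx-app
    #- name: 1-core-storage-volsync-app
  healthChecks:
    - name: velociraptor
      namespace: velociraptor
      kind: HelmRelease
      # NOTE(review): helm.toolkit.fluxcd.io/v2beta1 is a deprecated API;
      # move to helm.toolkit.fluxcd.io/v2 once the cluster's Flux serves it.
      apiVersion: helm.toolkit.fluxcd.io/v2beta1
# --------------------------------------------------------------------------
# /kube/deploy/apps/velociraptor/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/velociraptor/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: velociraptor
  labels:
    # Protect the namespace from Flux garbage collection, like its siblings.
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Report-only Pod Security Admission; promote to `enforce` once the
    # velociraptor pods are verified against the `restricted` profile.
    pod-security.kubernetes.io/audit: &ps restricted
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/vikunja/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/vikunja/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: vikunja
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/whoogle/ks.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: whoogle-app
  namespace: flux-system
spec:
  path: ./kube/deploy/apps/whoogle/app
  dependsOn:
    - name: 1-core-ingress-nginx-app
# --------------------------------------------------------------------------
# /kube/deploy/apps/whoogle/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml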
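# --------------------------------------------------------------------------
# /kube/deploy/apps/whoogle/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: whoogle
  labels:
    # Protect the namespace from Flux garbage collection, like its siblings.
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Report-only Pod Security Admission; promote to `enforce` once the
    # whoogle pods are verified against the `restricted` profile.
    pod-security.kubernetes.io/audit: &ps restricted
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/zigbee2mqtt/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/zigbee2mqtt/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: zigbee2mqtt
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/apps/zipline/app/s3.yaml
# --------------------------------------------------------------------------
---
# Requests a bucket from the per-cluster Rook RGW object store class.
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: zipline-data-s3
  namespace: zipline
spec:
  bucketName: "zipline-data"
  storageClassName: "rgw-${CLUSTER_NAME}"
# --------------------------------------------------------------------------
# /kube/deploy/apps/zipline/app/secret.yaml
# --------------------------------------------------------------------------
---
# Zipline's signing secret, filled in by Flux variable substitution; only the
# placeholder, never a literal value, belongs in git.
apiVersion: v1
kind: Secret
metadata:
  name: "zipline-secrets"
  namespace: "zipline"
type: Opaque
stringData:
  CORE_SECRET: "${SECRET_ZIPLINE_CORE_SECRET}"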
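# --------------------------------------------------------------------------
# /kube/deploy/apps/zipline/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/apps/zipline/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: zipline
  labels:
    # Protect the namespace from Flux garbage collection, like its siblings.
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Report-only Pod Security Admission; promote to `enforce` once the
    # zipline pods are verified against the `restricted` profile.
    pod-security.kubernetes.io/audit: &ps restricted
    pod-security.kubernetes.io/warn: *ps
# --------------------------------------------------------------------------
# /kube/deploy/core/README.md
# --------------------------------------------------------------------------
# Core

Components that every application or service hosted in a cluster depends on in order to deploy and function as intended.

For example, **Layer 3 networking** (a CNI) is needed for pods to communicate with each other, and a **storage solution** (a CSI) is needed to persist state.

# --------------------------------------------------------------------------
# /kube/deploy/core/_networking/bird/app/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
# Generated ConfigMap gets a content hash suffix; kustomizeconfig.yaml teaches
# kustomize where the HelmRelease references it so the name is rewritten.
configMapGenerator:
  - name: "bird-config"
    files:
      - bird.conf=config/bird.conf
configurations:
  - kustomizeconfig.yaml
# --------------------------------------------------------------------------
# /kube/deploy/core/_networking/bird/app/kustomizeconfig.yaml
# --------------------------------------------------------------------------
---
# Lets kustomize rewrite the ConfigMap name inside the HelmRelease values.
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/values/persistence/config/name
        kind: HelmRelease
# --------------------------------------------------------------------------
# /kube/deploy/core/_networking/bird/ks.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: 1-core-1-networking-bird-app
  namespace: flux-system
spec:
  path: ./kube/deploy/core/_networking/bird/app
  dependsOn: []
  targetNamespace: &app bird
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
# --------------------------------------------------------------------------
# /kube/deploy/core/_networking/bird/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
# --------------------------------------------------------------------------
# /kube/deploy/core/_networking/bird/ns.yaml
# --------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: bird
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    # `privileged` disables Pod Security Admission for this namespace;
    # presumably the BGP daemon needs host networking (confirm). Anything
    # scheduled here can run fully privileged, so keep it limited to bird.
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
# --------------------------------------------------------------------------
# /kube/deploy/core/_networking/cilium/app/config/README.org
# --------------------------------------------------------------------------
Generate Cilium install YAML that is Flux HelmRelease compatible:
`kustomize build ./${CLUSTER_NAME} --enable-helm > ./cilium.yaml`
# --------------------------------------------------------------------------
# /kube/deploy/core/_networking/cilium/app/config/kustomization.yaml
# --------------------------------------------------------------------------
---
# this Kustomization is the actual one used by Flux
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# One ConfigMap holding the Helm values of every cluster; the HelmRelease
# selects its own key via valuesFrom.
configMapGenerator:
  - name: "cilium-helm-values"
    namespace: kube-system
    files:
      - biohazard.yaml=biohazard/helm-values.yaml
      - hercules.yaml=hercules/helm-values.yaml
      - sinon.yaml=sinon/helm-values.yaml
      - nuclear.yaml=nuclear/helm-values.yaml
configurations:
  - kustomizeconfig.yaml
# --------------------------------------------------------------------------
# /kube/deploy/core/_networking/cilium/app/config/kustomizeconfig.yaml
# --------------------------------------------------------------------------
# Lets kustomize rewrite the hashed ConfigMap name in HelmRelease.valuesFrom.
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
# --------------------------------------------------------------------------
# /kube/deploy/core/_networking/cilium/kustomization.yaml
# --------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ks.yaml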
-------------------------------------------------------------------------------- /kube/deploy/core/_networking/e1000e-fix/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: e1000e-fix-app 6 | namespace: flux-system 7 | labels: &l 8 | app.kubernetes.io/name: "e1000e-fix" 9 | spec: 10 | commonMetadata: 11 | labels: *l 12 | path: ./kube/deploy/core/_networking/e1000e-fix/app 13 | targetNamespace: "e1000e-fix" 14 | dependsOn: [] 15 | -------------------------------------------------------------------------------- /kube/deploy/core/_networking/e1000e-fix/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/core/_networking/e1000e-fix/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: e1000e-fix 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps privileged 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /kube/deploy/core/_networking/multus/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-1-networking-multus-app 6 | namespace: flux-system 7 | labels: 8 | prune.home.arpa/disabled: "false" 9 | spec: 10 | path: ./kube/deploy/core/_networking/multus/app 11 | dependsOn: [] 12 | prune: true 
-------------------------------------------------------------------------------- /kube/deploy/core/_networking/multus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/core/db/emqx/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/core/db/emqx/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: emqx 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps baseline # operator securityContext is meh 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /kube/deploy/core/db/litestream/template/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - ./externalsecret.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/core/db/pg/clusters/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ks.yaml 
-------------------------------------------------------------------------------- /kube/deploy/core/db/pg/clusters/home/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ks.yaml -------------------------------------------------------------------------------- /kube/deploy/core/db/pg/clusters/template/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - s3.yaml 5 | - nfs.yaml 6 | - netpol.yaml 7 | - crunchy.yaml 8 | - dump-local.yaml 9 | - podmonitor.yaml 10 | -------------------------------------------------------------------------------- /kube/deploy/core/db/pg/clusters/template/nfs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolume 4 | metadata: 5 | name: "pg-${PG_APP_NAME}-wal-nfs" 6 | labels: 7 | kustomize.toolkit.fluxcd.io/force: "Enabled" 8 | spec: 9 | storageClassName: "pg-${PG_APP_NAME}-wal-nfs" 10 | capacity: 11 | storage: 1Mi 12 | accessModes: [ReadWriteMany] 13 | persistentVolumeReclaimPolicy: Retain 14 | nfs: 15 | server: "${IP_TRUENAS}" 16 | path: "${PATH_NAS_BACKUPS_PGBACKREST}" 17 | mountOptions: ["nfsvers=4", "tcp", "hard", "noatime", "nodiratime", "nocto"] 18 | -------------------------------------------------------------------------------- /kube/deploy/core/db/pg/clusters/template/pguser/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - externalsecrets.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/core/db/pg/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/core/db/pg/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: cnpg 6 | --- 7 | apiVersion: v1 8 | kind: Namespace 9 | metadata: 10 | name: crunchy-pgo 11 | --- 12 | apiVersion: v1 13 | kind: Namespace 14 | metadata: 15 | name: pg 16 | -------------------------------------------------------------------------------- /kube/deploy/core/db/redis/template/standalone-mem/secret-redis.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: "${REDIS_APP_NAME}-redis" 6 | namespace: "${REDIS_APP_NS}" 7 | type: Opaque 8 | stringData: 9 | password: "${SECRET_REDIS_PASSWORD}" 10 | -------------------------------------------------------------------------------- /kube/deploy/core/dns/external-dns/app/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: external-dns 6 | -------------------------------------------------------------------------------- /kube/deploy/core/dns/external-dns/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-dns-external-dns-app 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: external-dns 9 | path: ./kube/deploy/core/dns/external-dns/app 10 | dependsOn: [] 11 | -------------------------------------------------------------------------------- 
/kube/deploy/core/dns/external-dns/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | # - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/core/dns/internal/_deps/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/core/dns/internal/_deps/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: dns 6 | -------------------------------------------------------------------------------- /kube/deploy/core/dns/internal/k8s-gateway/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-dns-internal-k8s-gateway-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/core/dns/internal/k8s-gateway/app 9 | dependsOn: [] 10 | postBuild: 11 | substitute: 12 | UPSTREAM: "${IP_ROUTER_VLAN_K8S} 1.0.0.1 1.0.0.2 1.0.0.3 1.1.1.1 1.1.1.2 1.1.1.3" 13 | CFDOT: "tls://1.0.0.1 tls://1.0.0.2 tls://1.0.0.3 tls://1.1.1.1 tls://1.1.1.2 tls://1.1.1.3" 14 | -------------------------------------------------------------------------------- /kube/deploy/core/dns/internal/k8s-gateway/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- 
/kube/deploy/core/flux-system/alerts/github/provider.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://crds.jank.ing/notification.toolkit.fluxcd.io/provider_v1beta3.json 3 | apiVersion: notification.toolkit.fluxcd.io/v1beta3 4 | kind: Provider 5 | metadata: 6 | name: github 7 | spec: 8 | type: github 9 | address: https://github.com/JJGadgets/Biohazard 10 | secretRef: 11 | name: flux-system-github 12 | -------------------------------------------------------------------------------- /kube/deploy/core/flux-system/alerts/template/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - ./es.yaml 7 | - ./provider.yaml 8 | - ./alert.yaml 9 | -------------------------------------------------------------------------------- /kube/deploy/core/flux-system/blank/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: [] 5 | -------------------------------------------------------------------------------- /kube/deploy/core/flux-system/healthcheck/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/core/flux-system/misc/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: &app flux-system 6 | namespace: *app 7 | labels: 8 | flux: localhost 9 | 
spec: 10 | selector: 11 | matchLabels: 12 | flux: localhost 13 | endpoints: 14 | - port: metrics 15 | -------------------------------------------------------------------------------- /kube/deploy/core/flux-system/webhook/receiver.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: notification.toolkit.fluxcd.io/v1 3 | kind: Receiver 4 | metadata: 5 | name: github 6 | namespace: flux-system 7 | spec: 8 | type: github 9 | events: 10 | - "ping" 11 | - "push" 12 | secretRef: 13 | name: webhook-token-github 14 | resources: 15 | - kind: GitRepository 16 | name: flux-system 17 | -------------------------------------------------------------------------------- /kube/deploy/core/flux-system/webhook/secret-token.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: webhook-token-github 5 | namespace: flux-system 6 | type: Opaque 7 | stringData: 8 | token: "${SECRET_FLUX_WEBHOOK_GITHUB}" 9 | -------------------------------------------------------------------------------- /kube/deploy/core/hardware/README.md: -------------------------------------------------------------------------------- 1 | Intel Device Plugins depends on Node Feature Discovery -------------------------------------------------------------------------------- /kube/deploy/core/hardware/intel-device-plugins/app/gpu.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta2 3 | kind: HelmRelease 4 | metadata: 5 | name: intel-device-plugins-gpu 6 | namespace: kube-system 7 | spec: 8 | chart: 9 | spec: 10 | chart: intel-device-plugins-gpu 11 | version: 0.32.0 12 | sourceRef: 13 | kind: HelmRepository 14 | name: intel 15 | namespace: flux-system 16 | values: 17 | name: intel-device-plugins-gpu 18 | sharedDevNum: 10 19 | nodeFeatureRule: true 20 | 
-------------------------------------------------------------------------------- /kube/deploy/core/hardware/intel-device-plugins/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-hardware-intel-device-plugins-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/core/hardware/intel-device-plugins/app 9 | dependsOn: 10 | - name: 1-core-hardware-node-feature-discovery-app -------------------------------------------------------------------------------- /kube/deploy/core/hardware/intel-device-plugins/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/core/hardware/node-feature-discovery/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-hardware-node-feature-discovery-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/core/hardware/node-feature-discovery/app 9 | dependsOn: [] -------------------------------------------------------------------------------- /kube/deploy/core/hardware/node-feature-discovery/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/core/ingress/_deps/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: 
Kustomization 4 | resources: [] 5 | # - certs.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/core/ingress/_deps/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-ingress-deps 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/core/ingress/_deps/app 9 | dependsOn: 10 | - name: 1-core-tls-cert-manager-issuer 11 | -------------------------------------------------------------------------------- /kube/deploy/core/ingress/_deps/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml -------------------------------------------------------------------------------- /kube/deploy/core/ingress/_deps/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: ingress 6 | -------------------------------------------------------------------------------- /kube/deploy/core/ingress/cloudflare/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-ingress-cloudflare-tunnel 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/core/ingress/cloudflare/tunnel 9 | dependsOn: [] -------------------------------------------------------------------------------- /kube/deploy/core/ingress/cloudflare/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | 
-------------------------------------------------------------------------------- /kube/deploy/core/ingress/cloudflare/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: cloudflare 6 | -------------------------------------------------------------------------------- /kube/deploy/core/ingress/cloudflare/tunnel/secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: cloudflared-credentials 6 | namespace: cloudflare 7 | stringData: 8 | credentials.json: | 9 | ${SECRET_CLOUDFLARE_TUNNEL_CREDS:=sample} 10 | -------------------------------------------------------------------------------- /kube/deploy/core/ingress/external-proxy-x/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-ingress-external-proxy-x-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/core/ingress/external-proxy-x/app 9 | dependsOn: [] 10 | -------------------------------------------------------------------------------- /kube/deploy/core/ingress/external-proxy-x/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/core/ingress/ingress-nginx/app/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | nameReference: 2 | - kind: ConfigMap 3 | version: v1 4 | fieldSpecs: 5 | - kind: HelmRelease 6 | path: spec/valuesFrom/name 7 | -------------------------------------------------------------------------------- 
/kube/deploy/core/ingress/ingress-nginx/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-ingress-nginx-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/core/ingress/ingress-nginx/app 9 | dependsOn: 10 | - name: 1-core-ingress-deps 11 | -------------------------------------------------------------------------------- /kube/deploy/core/ingress/ingress-nginx/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/core/ingress/secrets-sync/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-ingress-secrets-sync-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/core/ingress/secrets-sync/app 9 | targetNamespace: "ingress" 10 | dependsOn: 11 | - name: 1-core-secrets-external-secrets-app -------------------------------------------------------------------------------- /kube/deploy/core/ingress/secrets-sync/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/_deps/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | # - _crds-prometheus.yaml 7 | #- netpol.yaml 8 | 
-------------------------------------------------------------------------------- /kube/deploy/core/monitoring/_deps/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: monitoring 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/alertmanager/app/config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | configMapGenerator: 5 | - name: alertmanager-config 6 | files: 7 | - ./alertmanager.yaml 8 | generatorOptions: 9 | disableNameSuffixHash: true 10 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/alertmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/fluentbit/app/config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | configMapGenerator: 5 | - name: fluentbit-config 6 | namespace: fluentbit 7 | files: 8 | - fluent-bit.yaml 9 | generatorOptions: 10 | disableNameSuffixHash: true 11 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/fluentbit/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: fluentbit-app 6 | namespace: flux-system 7 | 
labels: &l 8 | app.kubernetes.io/name: "fluentbit" 9 | spec: 10 | commonMetadata: 11 | labels: *l 12 | path: ./kube/deploy/core/monitoring/fluentbit/app 13 | targetNamespace: "fluentbit" 14 | dependsOn: [] 15 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/fluentbit/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/fluentbit/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: fluentbit 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps privileged # hostPath 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/grafana/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-monitoring-grafana-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/core/monitoring/grafana/app 9 | dependsOn: 10 | - name: 1-core-monitoring-deps 11 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/grafana/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- 
/kube/deploy/core/monitoring/intel-gpu-exporter/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-monitoring-intel-gpu-exporter-app 6 | namespace: flux-system 7 | labels: &l 8 | app.kubernetes.io/name: "intel-gpu-exporter" 9 | spec: 10 | commonMetadata: 11 | labels: *l 12 | path: ./kube/deploy/core/monitoring/intel-gpu-exporter/app 13 | targetNamespace: "intel-gpu-exporter" 14 | dependsOn: [] 15 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/intel-gpu-exporter/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/intel-gpu-exporter/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: intel-gpu-exporter 6 | labels: 7 | pod-security.kubernetes.io/enforce: privileged 8 | pod-security.kubernetes.io/enforce-version: latest 9 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/karma/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-monitoring-karma-app 6 | namespace: flux-system 7 | labels: &l 8 | app.kubernetes.io/name: "karma" 9 | spec: 10 | commonMetadata: 11 | labels: *l 12 | path: ./kube/deploy/core/monitoring/karma/app 13 | targetNamespace: "monitoring" 14 | dependsOn: [] 15 | -------------------------------------------------------------------------------- 
/kube/deploy/core/monitoring/karma/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/kps/app/helm-values/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | configMapGenerator: 5 | - name: "kps-config" 6 | namespace: monitoring 7 | files: 8 | - kube.yaml 9 | - prom.yaml 10 | - kube-state-metrics.yaml 11 | #- alertmanager.yaml 12 | configurations: 13 | - kustomizeconfig.yaml 14 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/kps/app/helm-values/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - kind: HelmRelease 7 | path: spec/valuesFrom/name -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/kps/external/smartctl-exporter.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1alpha1 3 | kind: ScrapeConfig 4 | metadata: 5 | name: smartctl-exporter 6 | namespace: monitoring 7 | spec: 8 | scrapeInterval: 1m 9 | scrapeTimeout: 5s 10 | staticConfigs: 11 | - targets: 12 | - &blackhawk "${IP_BLACKHAWK}:9633" # My laptop 13 | metricsPath: "/metrics" 14 | relabelings: 15 | - sourceLabels: ["__address__"] 16 | targetLabel: "instance" 17 | regex: *blackhawk 18 | replacement: "blackhawk:9633" 19 | 20 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/kps/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/metrics-server/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-monitoring-metrics-server-app 6 | namespace: flux-system 7 | spec: 8 | path: ./kube/deploy/core/monitoring/metrics-server/app 9 | dependsOn: [] -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/metrics-server/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/node-exporter/ks.yaml: -------------------------------------------------------------------------------- 1 | 2 | --- 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: 1-core-monitoring-node-exporter-app 7 | namespace: flux-system 8 | spec: 9 | path: ./kube/deploy/core/monitoring/node-exporter/app 10 | dependsOn: 11 | - name: 1-core-monitoring-deps 12 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/node-exporter/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ks.yaml 6 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/node-exporter/ns.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: node-exporter 6 | labels: 7 | pod-security.kubernetes.io/enforce: privileged 8 | pod-security.kubernetes.io/enforce-version: latest 9 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/smartctl-exporter/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: 1-core-monitoring-smartctl-exporter-app 6 | namespace: flux-system 7 | labels: &l 8 | app.kubernetes.io/name: &app "smartctl-exporter" 9 | spec: 10 | commonMetadata: 11 | labels: *l 12 | path: ./kube/deploy/core/monitoring/smartctl-exporter/app 13 | targetNamespace: *app 14 | dependsOn: [] -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/smartctl-exporter/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns.yaml 6 | - ks.yaml 7 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/smartctl-exporter/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: smartctl-exporter 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | pod-security.kubernetes.io/enforce: &ps privileged 9 | pod-security.kubernetes.io/audit: *ps 10 | pod-security.kubernetes.io/warn: *ps 11 | -------------------------------------------------------------------------------- /kube/deploy/core/monitoring/victoria/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # ns.yaml is commented out: the monitoring namespace is presumably created elsewhere.
  # - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/monitoring/victoria/logs/netpol.yaml:
--------------------------------------------------------------------------------
---
# NetworkPolicy for the victoria-logs pods in the monitoring namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: victoria-logs
  namespace: monitoring
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: victoria-logs
  # NOTE(review): Egress is listed in policyTypes but no `egress:` rules follow,
  # so all egress from victoria-logs (including DNS and the API server) is denied.
  # If that is intentional, a comment saying so helps; otherwise add an egress rule.
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        # namespaceSelector and podSelector in the same `from` entry are ANDed:
        # only fluentbit pods in the fluentbit namespace may connect.
        # No `ports:` restriction, so any port on the victoria-logs pod is reachable.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fluentbit
          podSelector:
            matchLabels:
              app.kubernetes.io/name: fluentbit
--------------------------------------------------------------------------------
/kube/deploy/core/reloader/app/secrets.yaml:
--------------------------------------------------------------------------------
---
# Secret template; the ${...} placeholder is presumably filled in by Flux
# postBuild substitution at reconcile time, so the committed file holds no value.
apiVersion: v1
kind: Secret
metadata:
  name: "reloader-secrets"
  namespace: "reloader"
type: Opaque
stringData:
  ALERT_WEBHOOK_URL: "${SECRET_RELOADER_ALERT_WEBHOOK_URL}"
--------------------------------------------------------------------------------
/kube/deploy/core/reloader/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: 1-core-reloader-app
  namespace: flux-system
spec:
  path: ./kube/deploy/core/reloader/app
  dependsOn: []
--------------------------------------------------------------------------------
/kube/deploy/core/reloader/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/reloader/ns.yaml:
--------------------------------------------------------------------------------
---
# No PSS labels here: the namespace takes whatever cluster-wide default applies.
apiVersion: v1
kind: Namespace
metadata:
  name: reloader
--------------------------------------------------------------------------------
/kube/deploy/core/secrets/external-secrets/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/secrets/external-secrets/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: external-secrets
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
--------------------------------------------------------------------------------
/kube/deploy/core/secrets/onepassword-connect/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: 1-core-secrets-onepassword-connect-app
  namespace: flux-system
  labels: &l
    app.kubernetes.io/name: "onepassword-connect"
spec:
  commonMetadata:
    labels: *l
  path: ./kube/deploy/core/secrets/onepassword-connect/app
  targetNamespace: "onepassword-connect"
  dependsOn:
    # NOTE(review): "loadbalanacer" looks misspelt. Flux holds this Kustomization
    # until a Kustomization with exactly this name is Ready, so verify the name
    # matches the cilium load-balancer Kustomization defined elsewhere.
    - name: 1-core-1-networking-cilium-loadbalanacer
--------------------------------------------------------------------------------
/kube/deploy/core/secrets/onepassword-connect/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/secrets/onepassword-connect/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: onepassword-connect
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    # restricted PSS on all three modes: appropriate for a secrets broker.
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
--------------------------------------------------------------------------------
/kube/deploy/core/secrets/reflector/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: 1-core-secrets-reflector-app
  namespace: flux-system
  labels: &l
    app.kubernetes.io/name: "reflector"
    # Custom label; presumably read by repo tooling to mirror `wait: false` below.
    wait.flux.home.arpa/disabled: "true"
spec:
  commonMetadata:
    labels: *l
  path: ./kube/deploy/core/secrets/reflector/app
  targetNamespace: "reflector"
  # Flux does not block on health checks for this Kustomization.
  wait: false
  dependsOn: []
--------------------------------------------------------------------------------
/kube/deploy/core/secrets/reflector/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/secrets/reflector/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: reflector
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
--------------------------------------------------------------------------------
/kube/deploy/core/spegel/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  # Naming differs from the `1-core-...` convention used by sibling Kustomizations.
  name: spegel-app
  namespace: flux-system
spec:
  path: ./kube/deploy/core/spegel/app
  dependsOn: []
--------------------------------------------------------------------------------
/kube/deploy/core/spegel/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/storage/_csi-addons/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - repo.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/storage/_csi-addons/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: csi-addons-system
--------------------------------------------------------------------------------
/kube/deploy/core/storage/_csi-addons/repo.yaml:
--------------------------------------------------------------------------------
---
# Upstream csi-addons manifests pulled straight from GitHub; only the three
# whitelisted files under /deploy/controller are applied.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: csi-addons
  namespace: flux-system
spec:
  interval: 10m0s
  url: https://github.com/csi-addons/kubernetes-csi-addons
  ref:
    # A tag can be re-pointed upstream; adding `commit:` next to it would make
    # the source immutable (Flux supports both in spec.ref).
    tag: v0.8.0
  ignore: |
    # exclude all to whitelist
    /*
    # include manifests to deploy
    !/deploy/controller/crds.yaml
    !/deploy/controller/rbac.yaml
    !/deploy/controller/setup-controller.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/storage/_external-snapshotter/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/storage/democratic-csi/_deps/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/storage/democratic-csi/_deps/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: democratic-csi
  labels:
    # Privileged enforce only (no audit/warn); CSI node plugins typically need
    # host mounts — confirm against the chart's DaemonSet spec.
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
--------------------------------------------------------------------------------
/kube/deploy/core/storage/democratic-csi/local-hostpath/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: 1-core-storage-democratic-csi-local-hostpath
  namespace: flux-system
spec:
  path: ./kube/deploy/core/storage/democratic-csi/local-hostpath/app
  dependsOn: []
--------------------------------------------------------------------------------
/kube/deploy/core/storage/democratic-csi/local-hostpath/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/storage/democratic-csi/manual/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: 1-core-storage-democratic-csi-manual
  namespace: flux-system
spec:
  path: ./kube/deploy/core/storage/democratic-csi/manual/app
  dependsOn: []
--------------------------------------------------------------------------------
/kube/deploy/core/storage/democratic-csi/manual/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/storage/democratic-csi/nas-zfs-local/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: 1-core-storage-democratic-csi-nas-zfs-local
  namespace: flux-system
spec:
  path: ./kube/deploy/core/storage/democratic-csi/nas-zfs-local/app
  dependsOn: []
--------------------------------------------------------------------------------
/kube/deploy/core/storage/democratic-csi/nas-zfs-local/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/storage/fstrim/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: 1-core-storage-fstrim-app
  namespace: flux-system
  labels: &l
    app.kubernetes.io/name: "fstrim"
spec:
  commonMetadata:
    labels: *l
  path: ./kube/deploy/core/storage/fstrim/app
  targetNamespace: "fstrim"
  dependsOn: []
--------------------------------------------------------------------------------
/kube/deploy/core/storage/fstrim/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/storage/fstrim/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: fstrim
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Privileged: presumably required to run fstrim against host block devices.
    pod-security.kubernetes.io/enforce: &ps privileged
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
--------------------------------------------------------------------------------
/kube/deploy/core/storage/rook-ceph/cluster/biohazard/rgw-admin.yaml:
--------------------------------------------------------------------------------
---
# RGW user for the "biohazard" object store. Every capability is "*", which makes
# this an RGW administrator: the credential Rook generates for it can manage all
# users, buckets, policies and OIDC providers in the store. Treat that Secret as a
# root credential (restrict RBAC on it, rotate it) and do not mount it in workloads
# that only need bucket access.
apiVersion: ceph.rook.io/v1
kind: CephObjectStoreUser
metadata:
  name: rgw-biohazard-admin
  namespace: rook-ceph
spec:
  store: biohazard
  displayName: rgw-biohazard-admin
  capabilities:
    user: "*"
    bucket: "*"
    usage: "*"
    metadata: "*"
    zone: "*"
    roles: "*"
    info: "*"
    amz-cache: "*"
    bilog: "*"
    mdlog: "*"
    datalog: "*"
    user-policy: "*"
    oidc-provider: "*"
    ratelimit: "*"
--------------------------------------------------------------------------------
/kube/deploy/core/storage/rook-ceph/cluster/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/storage/rook-ceph/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: 1-core-storage-rook-ceph-app
  namespace: flux-system
spec:
  path: ./kube/deploy/core/storage/rook-ceph/app
  dependsOn:
    # ${CLUSTER_NAME} is presumably a Flux postBuild variable; the dependency
    # resolves to the per-cluster config Kustomization.
    - name: 0-${CLUSTER_NAME}-config
--------------------------------------------------------------------------------
/kube/deploy/core/storage/rook-ceph/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/storage/rook-ceph/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: rook-ceph
  labels:
    # Privileged enforce only; Ceph OSD/agent pods need host devices.
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
    # Prune disabled so Flux never garbage-collects the namespace holding the
    # Ceph cluster state (value quoted here, bare elsewhere — same meaning).
    kustomize.toolkit.fluxcd.io/prune: "disabled"
--------------------------------------------------------------------------------
/kube/deploy/core/storage/snapscheduler/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: 1-core-storage-snapscheduler-app
  namespace: flux-system
  labels: &l
    app.kubernetes.io/name: "snapscheduler"
spec:
  commonMetadata:
    labels: *l
  path: ./kube/deploy/core/storage/snapscheduler/app
  targetNamespace: "snapscheduler"
  dependsOn: []
--------------------------------------------------------------------------------
/kube/deploy/core/storage/snapscheduler/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/storage/snapscheduler/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: snapscheduler
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
    # baseline rather than restricted; presumably the operator chart does not
    # satisfy restricted — worth re-checking on chart upgrades.
    pod-security.kubernetes.io/enforce: &ps baseline
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
--------------------------------------------------------------------------------
/kube/deploy/core/storage/volsync/component/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Kustomize Component wrapper so apps can include the volsync template.
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources:
  - ../template/
--------------------------------------------------------------------------------
/kube/deploy/core/storage/volsync/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: 1-core-storage-volsync-app
  namespace: flux-system
spec:
  path: ./kube/deploy/core/storage/volsync/app
  dependsOn: []
--------------------------------------------------------------------------------
/kube/deploy/core/storage/volsync/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/storage/volsync/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: volsync
--------------------------------------------------------------------------------
/kube/deploy/core/storage/volsync/template/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Per-PVC volsync template. The plaintext restic Secret is disabled in favour of
# an ExternalSecret for the R2 backend; the RGW variants are parked.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - pvc.yaml
  # - secrets-restic.yaml
  - externalsecret-r2.yaml
  # - externalsecret-rgw.yaml
  - rdst.yaml
  - rsrc-r2.yaml
  # - rsrc-rgw.yaml
--------------------------------------------------------------------------------
/kube/deploy/core/storage/volsync/template/secrets-restic.yaml:
--------------------------------------------------------------------------------
---
# Not referenced by the template kustomization above (superseded by
# externalsecret-r2.yaml). Values are Flux substitution placeholders; if this
# file is ever re-enabled, the variables must come from a SOPS/ExternalSecret
# source, never be committed inline.
apiVersion: v1
kind: Secret
metadata:
  name: "${PVC}-r2-restic"
type: Opaque
stringData:
  RESTIC_REPOSITORY: "${SECRET_VOLSYNC_R2_REPO}/${PVC}"
  RESTIC_PASSWORD: "${SECRET_VOLSYNC_PASSWORD}"
  AWS_ACCESS_KEY_ID: "${SECRET_VOLSYNC_R2_ID}"
  AWS_SECRET_ACCESS_KEY: "${SECRET_VOLSYNC_R2_KEY}"
--------------------------------------------------------------------------------
/kube/deploy/core/tls/.sops.yaml:
--------------------------------------------------------------------------------
# SOPS rules for the core/tls tree only (sops uses the nearest .sops.yaml).
creation_rules:
  # NOTE(review): the dot before "yaml" is unescaped, so this also matches
  # e.g. "fooyaml"; `.*\.yaml$` is the intended pattern.
  - path_regex: .*.yaml
    # NOTE(review): only these keys are encrypted. A Secret written with
    # base64 `data:` instead of `stringData:` would be committed in clear;
    # consider adding `data` to the alternation.
    encrypted_regex: ^(email|dnsZones|stringData)$
    # Public recipients only. Both are in one key group, so either the age
    # key or the PGP key alone can decrypt files in this tree.
    age: >-
      age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
    pgp: >-
      31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
--------------------------------------------------------------------------------
/kube/deploy/core/tls/cert-manager/app/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
--------------------------------------------------------------------------------
/kube/deploy/core/tls/cert-manager/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # ns.yaml lives under app/ (above) and is presumably applied by the app Kustomization.
  # - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/vm/_kubevirt/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml
  - repo.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/vm/_kubevirt/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: kubevirt
  labels:
    # Privileged enforce only; virt-handler needs host access.
    pod-security.kubernetes.io/enforce: "privileged"
    kubevirt.io: ""
--------------------------------------------------------------------------------
/kube/deploy/vm/_kubevirt/repo.yaml:
--------------------------------------------------------------------------------
---
# KubeVirt operator + CR sourced from a personal fork/mirror repository.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: vm-1-kubevirt-app
  namespace: flux-system
spec:
  interval: 10m0s
  url: https://github.com/JJGadgets/kubevirt-flux.git
  ref:
    # NOTE(review): this is a *branch* named like a version, so its contents can
    # change under Flux without any change in this repo. A `tag:` plus `commit:`
    # pin would make the deployed manifests immutable.
    branch: v1.1.0
  ignore: |
    # exclude all to whitelist
    /*
    # include operator (with CRDs) and CR to deploy KubeVirt
    !/deploy
    # TODO: if KubeVirt CR used to actually deploy KubeVirt needs to be modified from defaults, maybe consider self-managing it?
--------------------------------------------------------------------------------
/kube/deploy/vm/ad/_deps/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: vm-ad
--------------------------------------------------------------------------------
/kube/deploy/vm/ad/_deps/svc.yaml:
--------------------------------------------------------------------------------
---
# Headless Service selecting the AD VMs; gives them stable in-cluster DNS names.
apiVersion: v1
kind: Service
metadata:
  name: "vm-ad"
spec:
  type: ClusterIP
  clusterIP: None
  selector:
    vm.home.arpa/windows: "ad"
--------------------------------------------------------------------------------
/kube/deploy/vm/ad/_deps/type.yaml:
--------------------------------------------------------------------------------
---
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineInstancetype
metadata:
  name: "ad-dc"
spec:
  cpu:
    guest: 2
  memory:
    guest: 8192Mi
--------------------------------------------------------------------------------
/kube/deploy/vm/ad/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/vm/ad/template-dc/svc.yaml:
--------------------------------------------------------------------------------
---
# Per-DC template; ${NUM} is substituted per instance.
apiVersion: v1
kind: Service
metadata:
  name: "ad-dc${NUM}"
spec:
  type: ClusterIP
  clusterIP: None
  selector:
    vm.home.arpa/ad: "dc${NUM}"
---
# Cluster-internal WireGuard endpoint for the DC VM; no external exposure here.
apiVersion: v1
kind: Service
metadata:
  name: "ad-dc${NUM}-wg"
spec:
  type: ClusterIP
  selector:
    vm.home.arpa/ad: "dc${NUM}"
  ports:
    - name: wireguard
      port: 45678
      protocol: UDP
--------------------------------------------------------------------------------
/kube/deploy/vm/jj/_deps/ns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: vm-jj
--------------------------------------------------------------------------------
/kube/deploy/vm/jj/_deps/svc.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Service
metadata:
  name: "vm-jj"
spec:
  type: ClusterIP
  clusterIP: None
  selector:
    vm.home.arpa: "jj"
--------------------------------------------------------------------------------
/kube/deploy/vm/jj/_deps/type.yaml:
--------------------------------------------------------------------------------
---
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineInstancetype
metadata:
  name: "jj"
spec:
  cpu:
    guest: 2
  memory:
    guest: 8192Mi
--------------------------------------------------------------------------------
/kube/deploy/vm/jj/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # - ns.yaml
  - ks.yaml
--------------------------------------------------------------------------------
/kube/deploy/vm/jj/template/svc.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Service
metadata:
  name: "jj-${VM}"
spec:
  type: ClusterIP
  clusterIP: None
  selector:
    vm.home.arpa/jj: "${VM}"
--------------------------------------------------------------------------------
/kube/repos/flux/helm/bjw-s.yaml:
--------------------------------------------------------------------------------
---
# Flux HelmRepository sources. All use the v1beta2 API; newer Flux releases serve
# HelmRepository under source.toolkit.fluxcd.io/v1 — confirm before the beta API
# is removed from the controller in use.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: bjw-s
  namespace: flux-system
spec:
  interval: 1h
  timeout: 3m0s
  url: https://bjw-s-labs.github.io/helm-charts/
--------------------------------------------------------------------------------
/kube/repos/flux/helm/cert-manager.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: jetstack
  namespace: flux-system
spec:
  interval: 1h
  url: https://charts.jetstack.io/
--------------------------------------------------------------------------------
/kube/repos/flux/helm/cilium.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: cilium-charts
  namespace: flux-system
spec:
  interval: 10m0s
  timeout: 3m0s
  url: https://helm.cilium.io/
--------------------------------------------------------------------------------
/kube/repos/flux/helm/crunchydata.yaml:
--------------------------------------------------------------------------------
---
# NOTE(style): the cloudnative-pg repository lives in crunchydata.yaml; a file
# named after it would be easier to find.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: cloudnative-pg
  namespace: flux-system
spec:
  interval: 1h0s
  timeout: 3m0s
  url: https://cloudnative-pg.github.io/charts
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: crunchydata
  namespace: flux-system
spec:
  interval: 1h0s
  timeout: 3m0s
  # OCI-type repository: charts are pulled from a registry, not an index.yaml.
  type: oci
  url: oci://registry.developers.crunchydata.com/crunchydata
--------------------------------------------------------------------------------
/kube/repos/flux/helm/csi-driver-nfs.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: csi-driver-nfs
  namespace: flux-system
spec:
  interval: 1h
  timeout: 3m0s
  # NOTE(review): the chart index is served from the upstream `master` branch,
  # so the set of available chart versions changes with every upstream push.
  # HelmRelease pins to an exact chart version limit the blast radius.
  url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts

--------------------------------------------------------------------------------
/kube/repos/flux/helm/democratic-csi.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: democratic-csi
  namespace: flux-system
spec:
  interval: 1h
  timeout: 3m0s
  url: https://democratic-csi.github.io/charts/
--------------------------------------------------------------------------------
/kube/repos/flux/helm/emberstack.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: emberstack-charts
  namespace: flux-system
spec:
  interval: 1h
  timeout: 3m0s
  url: https://emberstack.github.io/helm-charts/
--------------------------------------------------------------------------------
/kube/repos/flux/helm/emqx.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: emqx
  namespace: flux-system
spec:
  interval: 1h
  timeout: 3m0s
  url: https://repos.emqx.io/charts
--------------------------------------------------------------------------------
/kube/repos/flux/helm/external-dns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: external-dns
  namespace: flux-system
spec:
  interval: 1h
  url: https://kubernetes-sigs.github.io/external-dns/
--------------------------------------------------------------------------------
/kube/repos/flux/helm/external-secrets.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: external-secrets
  namespace: flux-system
spec:
  interval: 1h
  url: https://charts.external-secrets.io
--------------------------------------------------------------------------------
/kube/repos/flux/helm/grafana.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: grafana
  namespace: flux-system
spec:
  interval: 1h
  timeout: 3m0s
  url: "https://grafana.github.io/helm-charts"
--------------------------------------------------------------------------------
/kube/repos/flux/helm/haproxy.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: haproxytech
  namespace: flux-system
spec:
  interval: 1h
  url: https://haproxytech.github.io/helm-charts
--------------------------------------------------------------------------------
/kube/repos/flux/helm/ingress-nginx.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: ingress-nginx
  namespace: flux-system
spec:
  interval: 1h
  url: https://kubernetes.github.io/ingress-nginx
--------------------------------------------------------------------------------
/kube/repos/flux/helm/intel.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: intel
  namespace: flux-system
spec:
  interval: 1h
  timeout: 3m0s
  url: https://intel.github.io/helm-charts
--------------------------------------------------------------------------------
/kube/repos/flux/helm/k8s-gateway.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: k8s-gateway
  namespace: flux-system
spec:
  interval: 1h
  url: https://ori-edge.github.io/k8s_gateway/
--------------------------------------------------------------------------------
/kube/repos/flux/helm/keda.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: keda
  namespace: flux-system
spec:
  interval: 10m0s
  timeout: 3m0s
  url: https://kedacore.github.io/charts
--------------------------------------------------------------------------------
/kube/repos/flux/helm/kyverno.yaml:
--------------------------------------------------------------------------------
---
# Two repositories in one file: the Kyverno policy engine and its policy-reporter.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: kyverno
  namespace: flux-system
spec:
  interval: 1h
  url: https://kyverno.github.io/kyverno/
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: kyverno-policy-reporter
  namespace: flux-system
spec:
  interval: 1h
  url: https://kyverno.github.io/policy-reporter/
--------------------------------------------------------------------------------
/kube/repos/flux/helm/metrics-server.yaml:
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: metrics-server 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | timeout: 3m 10 | url: https://kubernetes-sigs.github.io/metrics-server 11 | -------------------------------------------------------------------------------- /kube/repos/flux/helm/multus.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: multus 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | timeout: 3m0s 10 | url: https://angelnu.github.io/helm-charts/ 11 | -------------------------------------------------------------------------------- /kube/repos/flux/helm/node-feature-discovery.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: node-feature-discovery 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | timeout: 3m0s 10 | url: https://kubernetes-sigs.github.io/node-feature-discovery/charts 11 | -------------------------------------------------------------------------------- /kube/repos/flux/helm/prometheus-community.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: prometheus-community 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | timeout: 3m0s 10 | url: https://prometheus-community.github.io/helm-charts -------------------------------------------------------------------------------- /kube/repos/flux/helm/rook-ceph.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | 
kind: HelmRepository 4 | metadata: 5 | name: rook-ceph 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | timeout: 3m0s 10 | url: https://charts.rook.io/release -------------------------------------------------------------------------------- /kube/repos/flux/helm/spegel.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: spegel 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | timeout: 3m0s 10 | type: oci 11 | url: oci://ghcr.io/spegel-org/helm-charts 12 | -------------------------------------------------------------------------------- /kube/repos/flux/helm/stakater.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: stakater 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | timeout: 3m0s 10 | url: https://stakater.github.io/stakater-charts -------------------------------------------------------------------------------- /kube/repos/flux/helm/tailscale.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: tailscale 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | timeout: 3m0s 10 | url: https://pkgs.tailscale.com/helmcharts/ 11 | -------------------------------------------------------------------------------- /kube/repos/flux/helm/victoria.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: victoria 6 | namespace: flux-system 7 | spec: 8 | interval: 1h0s 9 | timeout: 3m0s 10 | type: oci 11 | url: oci://ghcr.io/victoriametrics/helm-charts 12 | 
# --- /kube/repos/flux/helm/volsync.yaml ---
# Flux HelmRepository for the VolSync (backube) charts, in flux-system.
# NOTE(review): apiVersion is v1beta2; newer Flux releases serve HelmRepository
# under source.toolkit.fluxcd.io/v1 — confirm the cluster's Flux version before migrating.
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  # Object name differs from the file name (volsync.yaml); HelmRelease sourceRefs must use "backube".
  name: backube
  namespace: flux-system
spec:
  interval: 1h
  timeout: 3m0s
  url: https://backube.github.io/helm-charts/
# --- /kube/repos/flux/kustomization.yaml ---
# Entry point for the repos tree: only ks.yaml (the Flux Kustomization) is included here.
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ks.yaml
# --- /kube/templates/test/app/ns.yaml ---
# Namespace template for a test app. ${APPNAME} is presumably filled by Flux
# postBuild variable substitution — verify against the ks.yaml that applies it.
---
apiVersion: v1
kind: Namespace
metadata:
  name: ${APPNAME}
  labels:
    # Flux garbage collection will not delete this namespace when its Kustomization is removed.
    kustomize.toolkit.fluxcd.io/prune: disabled
    # Pod Security Admission: the "restricted" profile is enforced, audited and warned via one YAML anchor.
    pod-security.kubernetes.io/enforce: &ps restricted
    pod-security.kubernetes.io/audit: *ps
    pod-security.kubernetes.io/warn: *ps
# --- /kube/templates/test/kustomization.yaml ---
# NOTE(review): ns.yaml is commented out, so the Namespace with the PSA labels above is not
# applied from this kustomization; confirm ks.yaml (or another path) creates it, otherwise
# the pod-security enforcement for the test app is never installed.
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# - ns.yaml
  - ks.yaml
# --- /ostree/repos.sh ---
#!/bin/sh
# Fetches the Tailscale Fedora .repo definition into ./ostree (path is relative to the
# caller's working directory, not to the script's location).
# NOTE(review): curl runs without --fail, so an HTTP error page would be saved as
# tailscale.repo with exit status 0 and the wget fallback would never run; consider
# `curl -fsSL -o ...` plus `set -eu`. `-v` prints full request/response headers.
# The downloaded .repo content is not inspected here; its gpgcheck/gpgkey settings
# presumably govern package verification downstream — confirm after fetching.
curl -v -o ./ostree/tailscale.repo "https://pkgs.tailscale.com/stable/fedora/tailscale.repo" || wget -O ./ostree/tailscale.repo "https://pkgs.tailscale.com/stable/fedora/tailscale.repo"