├── .gitattributes ├── .github ├── lint │ └── .yamllint.yaml ├── renovate.json5 ├── renovate │ ├── commitMessage.json5 │ └── labels.json5 └── workflows │ ├── diff-values-on-pr.yaml │ └── lint.yaml ├── .gitignore ├── .sops.yaml ├── LICENSE ├── README.md ├── apps ├── arrs │ ├── hr-arrs.yaml │ ├── kustomization.yaml │ ├── pvc-arrs-config.yaml │ ├── pvc-arrs-downloads.yaml │ ├── pvc-arrs-media.yaml │ └── secret-arrs.sops.yaml ├── authelia │ ├── hr-authelia.yaml │ ├── hr-postgresql.yaml │ ├── hr-redis.yaml │ ├── kustomization.yaml │ ├── pvc-postgresql.yaml │ ├── secret-authelia-users.sops.yaml │ └── secret-authelia.sops.yaml ├── bind9 │ ├── hr-bind9.yaml │ ├── kustomization.yaml │ ├── pvc-bind9.yaml │ └── secret-bind9.sops.yaml ├── blocky │ ├── hr-blocky.yaml │ ├── kustomization.yaml │ └── resources │ │ └── blocky-config.yaml ├── cert-manager │ ├── hr-cert-manager.yaml │ ├── issuers │ │ ├── clusterissuer-letsencrypt-production.yaml │ │ ├── clusterissuer-letsencrypt-staging.yaml │ │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── monitoring │ │ ├── kustomization.yaml │ │ ├── prometheus-rules.yaml │ │ └── service-monitor.yaml │ ├── ns-cert-manager.yaml │ └── secret-cert-manager.sops.yaml ├── certificate-exporter │ ├── hr-certificate-exporter.yaml │ └── kustomization.yaml ├── cloudflared │ ├── hr-cloudflared.yaml │ ├── kustomization.yaml │ ├── resources │ │ └── cloudflared-config.yaml │ └── secret-cloudflared.sops.yaml ├── csi-driver-smb │ ├── hr-csi-driver-smb.yaml │ ├── kustomization.yaml │ └── secret-smb.sops.yaml ├── descheduler │ ├── hr-descheduler.yaml │ └── kustomization.yaml ├── external-dns-bind │ ├── hr-external-dns-bind.yaml │ ├── kustomization.yaml │ └── secret-external-dns-bind.sops.yaml ├── external-dns-cloudflare │ ├── hr-external-dns-cloudflare.yaml │ ├── kustomization.yaml │ └── secret-external-dns-cloudflare.sops.yaml ├── flux-system │ ├── configs │ │ ├── discord-notifier.yaml │ │ ├── kustomization.yaml │ │ └── secret-discord-webhook.sops.yaml │ └── 
monitoring │ │ ├── kustomization.yaml │ │ ├── pod-monitor.yaml │ │ └── prometheus-rules.yaml ├── goldilocks │ ├── hr-goldilocks.yaml │ └── kustomization.yaml ├── headlamp │ ├── hr-headlamp.yaml │ ├── kustomization.yaml │ └── secret-headlamp.sops.yaml ├── homer │ ├── hr-homer.yaml │ ├── kustomization.yaml │ └── resources │ │ └── homer-config.yaml ├── immich │ ├── hr-immich-machine-learning.yaml │ ├── hr-immich.yaml │ ├── hr-postgresql.yaml │ ├── hr-redis.yaml │ ├── kustomization.yaml │ ├── pvc-immich.yaml │ └── pvc-postgresql.yaml ├── ingress-nginx-external │ ├── hr-ingress-nginx-external.yaml │ ├── kustomization.yaml │ └── monitoring │ │ ├── kustomization.yaml │ │ ├── prometheus-rules.yaml │ │ └── service-monitor.yaml ├── ingress-nginx │ ├── certs │ │ ├── kustomization.yaml │ │ └── wildcard-certificate.yaml │ ├── hr-ingress-nginx.yaml │ ├── kustomization.yaml │ └── monitoring │ │ ├── kustomization.yaml │ │ ├── prometheus-rules.yaml │ │ └── service-monitor.yaml ├── jd2 │ ├── hr-jd2.yaml │ ├── kustomization.yaml │ └── pvc-jd2.yaml ├── jellyfin │ ├── hr-jellyfin.yaml │ ├── kustomization.yaml │ ├── pvc-jellyfin-config.yaml │ └── pvc-jellyfin-media.yaml ├── jellyseerr │ ├── hr-jellyseerr.yaml │ ├── kustomization.yaml │ └── pvc-jellyseerr-config.yaml ├── kube-prometheus-stack │ ├── flux-kube-state-metrics-config.yaml │ ├── hr-kube-prometheus-stack.yaml │ ├── kustomization.yaml │ ├── prometheus-rules │ │ ├── kustomization.yaml │ │ ├── node-rules.yaml │ │ ├── postgresql-rules.yaml │ │ └── redis-rules.yaml │ └── secret-grafana.sops.yaml ├── kube-vip │ ├── ds-kube-vip.yaml │ ├── kustomization.yaml │ └── rbac-kube-vip.yaml ├── kured │ ├── hr-kured.yaml │ └── kustomization.yaml ├── linkwarden │ ├── hr-linkwarden.yaml │ ├── hr-postgresql.yaml │ ├── kustomization.yaml │ ├── pvc-linkwarden.yaml │ ├── pvc-postgresql.yaml │ └── secret-linkwarden.sops.yaml ├── local-path-provisioner │ ├── hr-local-path-provisioner.yaml │ └── kustomization.yaml ├── loki │ ├── cm-dashboard.yaml │ ├── 
cm-datasource.yaml │ ├── hr-loki.yaml │ └── kustomization.yaml ├── longhorn │ ├── configs │ │ ├── backup-daily.yaml │ │ ├── kustomization.yaml │ │ └── snapshot-6h.yaml │ ├── hr-longhorn.yaml │ ├── kustomization.yaml │ ├── monitoring │ │ ├── kustomization.yaml │ │ ├── prometheus-rules.yaml │ │ └── service-monitor.yaml │ ├── ns-longhorn.yaml │ ├── sc-longhorn.yaml │ └── secret-longhorn-system.sops.yaml ├── memos │ ├── hr-memos.yaml │ ├── hr-postgresql.yaml │ ├── kustomization.yaml │ └── pvc-postgresql.yaml ├── metallb │ ├── configs │ │ ├── kustomization.yaml │ │ ├── metallb-ip-pool.yaml │ │ └── metallb-l2-advertisement.yaml │ ├── hr-metallb.yaml │ ├── kustomization.yaml │ └── ns-metallb.yaml ├── metrics-server │ ├── hr-metrics-server.yaml │ └── kustomization.yaml ├── minio │ ├── hr-minio.yaml │ ├── kustomization.yaml │ ├── pvc-minio.yaml │ └── secret-minio.sops.yaml ├── paperless-ngx │ ├── hr-paperless-ngx.yaml │ ├── hr-postgresql.yaml │ ├── hr-redis.yaml │ ├── kustomization.yaml │ ├── pvc-paperless-ngx.yaml │ └── pvc-postgresql.yaml ├── pod-gateway-vpn │ ├── hr-pod-gateway.yaml │ ├── kustomization.yaml │ └── secret-pod-gateway.sops.yaml ├── promtail │ ├── hr-promtail.yaml │ ├── kustomization.yaml │ └── prometheus-rules.yaml ├── qbittorrent │ ├── hr-qbittorrent.yaml │ ├── kustomization.yaml │ ├── pvc-qbittorrent-config.yaml │ └── pvc-qbittorrent-downloads.yaml ├── radicale │ ├── cm-radicale.yaml │ ├── hr-radicale.yaml │ ├── kustomization.yaml │ ├── pvc-radicale.yaml │ └── secret-radicale.sops.yaml ├── rancher │ ├── configs │ │ ├── genericoidc.yaml │ │ ├── genericoidcconfig-clientsecret.sops.yaml │ │ ├── kustomization.yaml │ │ └── local.yaml │ ├── hr-rancher.yaml │ ├── kustomization.yaml │ └── ns-cattle-system.yaml ├── reloader │ ├── hr-reloader.yaml │ └── kustomization.yaml ├── restic │ ├── hr-restic.yaml │ ├── kustomization.yaml │ ├── pvc-restic.yaml │ └── secret-restic.sops.yaml ├── sftpgo │ ├── hr-sftpgo.yaml │ ├── kustomization.yaml │ └── pvc-sftpgo.yaml ├── 
syncthing │ ├── hr-syncthing.yaml │ ├── kustomization.yaml │ └── pvc-syncthing.yaml ├── system-upgrade-controller │ ├── kustomization.yaml │ └── plans │ │ ├── agent-plan.yaml │ │ ├── kustomization.yaml │ │ └── server-plan.yaml ├── tandoor-recipes │ ├── cm-nginx.yaml │ ├── hr-postgresql.yaml │ ├── hr-tandoor-recipes.yaml │ ├── kustomization.yaml │ ├── pvc-postgresql.yaml │ └── pvc-tandoor-recipes.yaml └── weave-gitops │ ├── hr-weave-gitops.yaml │ └── kustomization.yaml ├── base ├── fallback │ ├── apps.yaml │ ├── charts.yaml │ ├── configs.yaml │ ├── gotk-sync.yaml │ └── kustomization.yaml ├── flux-system │ ├── gotk-components.yaml │ ├── init │ │ ├── flux-secret.sops.yaml │ │ └── flux-sops-age-secret.sops.yaml │ └── kustomization.yaml ├── production │ ├── apps.yaml │ ├── charts.yaml │ ├── configs.yaml │ ├── gotk-sync.yaml │ └── kustomization.yaml └── staging │ ├── apps.yaml │ ├── charts.yaml │ ├── configs.yaml │ ├── gotk-sync.yaml │ └── kustomization.yaml ├── charts ├── angelnu-charts.yaml ├── authelia-charts.yaml ├── bitnami-charts.yaml ├── bjw-s-charts.yaml ├── csi-driver-smb-charts.yaml ├── descheduler-charts.yaml ├── enix-charts.yaml ├── external-dns-charts.yaml ├── fairwinds-charts.yaml ├── grafana-charts.yaml ├── headlamp-charts.yaml ├── ingress-nginx-charts.yaml ├── jetstack-charts.yaml ├── kubereboot-charts.yaml ├── kustomization.yaml ├── local-path-provisioner-charts.yaml ├── longhorn-charts.yaml ├── metallb-charts.yaml ├── metrics-server-charts.yaml ├── minio-charts.yaml ├── prometheus-charts.yaml ├── rancher-latest-charts.yaml ├── stakater-charts.yaml └── weave-gitops-charts.yaml ├── cluster-apps ├── arrs.yaml ├── authelia.yaml ├── bind9.yaml ├── blocky.yaml ├── cert-manager.yaml ├── certificate-exporter.yaml ├── cloudflared.yaml ├── csi-driver-smb.yaml ├── descheduler.yaml ├── external-dns-bind.yaml ├── external-dns-cloudflare.yaml ├── fallback │ ├── bind9.yaml │ └── kustomization.yaml ├── flux-system.yaml ├── goldilocks.yaml ├── headlamp.yaml ├── 
homer.yaml ├── immich.yaml ├── ingress-nginx-external.yaml ├── ingress-nginx.yaml ├── jd2.yaml ├── jellyfin.yaml ├── jellyseerr.yaml ├── kube-prometheus-stack.yaml ├── kube-vip.yaml ├── kured.yaml ├── linkwarden.yaml ├── local-path-provisioner.yaml ├── loki.yaml ├── longhorn.yaml ├── memos.yaml ├── metallb.yaml ├── metrics-server.yaml ├── minio.yaml ├── namespaces.yaml ├── paperless-ngx.yaml ├── pod-gateway-vpn.yaml ├── production │ └── kustomization.yaml ├── promtail.yaml ├── qbittorrent.yaml ├── radicale.yaml ├── rancher.yaml ├── reloader.yaml ├── restic.yaml ├── sftpgo.yaml ├── staging │ ├── ingress-nginx.yaml │ ├── kustomization.yaml │ └── longhorn.yaml ├── syncthing.yaml ├── system-upgrade-controller.yaml ├── tandoor-recipes.yaml └── weave-gitops.yaml └── configs ├── fallback ├── cluster-secrets.sops.yaml ├── cluster-settings.yaml └── kustomization.yaml ├── production ├── cluster-secrets.sops.yaml ├── cluster-settings.yaml └── kustomization.yaml ├── shared-secrets.sops.yaml ├── shared-settings.yaml └── staging ├── cluster-secrets.sops.yaml ├── cluster-settings.yaml └── kustomization.yaml /.gitattributes: -------------------------------------------------------------------------------- 1 | *.sops.* diff=sopsdiffer 2 | -------------------------------------------------------------------------------- /.github/lint/.yamllint.yaml: -------------------------------------------------------------------------------- 1 | ignore: | 2 | *.sops.* 3 | gotk-components.yaml 4 | extends: default 5 | rules: 6 | truthy: 7 | allowed-values: ["true", "false", "on"] 8 | comments: 9 | min-spaces-from-content: 1 10 | line-length: disable 11 | braces: 12 | min-spaces-inside: 0 13 | max-spaces-inside: 1 14 | brackets: 15 | min-spaces-inside: 0 16 | max-spaces-inside: 0 17 | indentation: 18 | spaces: 2 19 | indent-sequences: consistent 20 | -------------------------------------------------------------------------------- /.github/renovate/commitMessage.json5: 
--------------------------------------------------------------------------------
{
  "packageRules": [
    {
      "matchDatasources": ["docker"],
      "enabled": true,
      "commitMessageTopic": "container image {{depName}}"
    }
  ]
}
--------------------------------------------------------------------------------
/.github/renovate/labels.json5:
--------------------------------------------------------------------------------
{
  "packageRules": [
    {
      "matchUpdateTypes": ["major"],
      "labels": ["dep/major"]
    },
    {
      "matchUpdateTypes": ["minor"],
      "labels": ["dep/minor"]
    },
    {
      "matchUpdateTypes": ["patch"],
      "labels": ["dep/patch"]
    },
    {
      "matchUpdateTypes": ["digest"],
      "labels": ["dep/digest"]
    },
    {
      "matchDatasources": ["helm"],
      "addLabels": ["renovate/helm"]
    },
    {
      "matchDatasources": ["docker"],
      "addLabels": ["renovate/image"]
    },
    {
      "matchPackageNames": ["fluxcd/flux2"],
      "addLabels": ["renovate/flux2"]
    },
    {
      "matchPackageNames": ["k3s-io/k3s"],
      "addLabels": ["renovate/k3s"]
    },
  ]
}
--------------------------------------------------------------------------------
/.github/workflows/lint.yaml:
--------------------------------------------------------------------------------
---
# Runs yamllint (through reviewdog) against the YAML files a pull request
# adds or modifies, using the repo's own config in .github/lint/.yamllint.yaml.
name: Lint YAML files

# `pull_request` (not `pull_request_target`): for PRs from forks GitHub runs
# this with a read-only GITHUB_TOKEN and without repository secrets, which is
# the right trust level for a job that executes on untrusted branches.
on:
  pull_request:
    paths:
      - "**.yaml"
      - "**.yml"

jobs:
  yamllint:
    runs-on: ubuntu-24.04
    # NOTE(review): there is no `permissions:` block, so the job inherits the
    # repository/organisation default GITHUB_TOKEN permissions. Declaring the
    # minimum the reviewdog reporter needs (`contents: read` plus whatever it
    # has to write) would make the token's scope explicit and stable.
    steps:
      - name: Checkout
        # NOTE(review): all three actions are referenced by mutable major tags
        # (@v4, @v3, @v1). Pinning each `uses:` to a full commit SHA (keeping
        # the tag in a trailing comment so Renovate can still bump it) removes
        # the dependence on upstream never moving a tag to different code.
        uses: actions/checkout@v4
      - name: Get changes
        uses: dorny/paths-filter@v3
        id: filter
        with:
          # `shell` makes paths-filter emit a shell-quoted file list. The file
          # names come from the PR diff, i.e. they are chosen by the PR author,
          # so this quoting is what keeps odd names from being interpreted when
          # the list is passed on to yamllint in the last step.
          list-files: shell
          filters: |
            yaml:
              - added|modified: "**.yaml"
              - added|modified: "**.yml"
      - name: Lint files
        # Skip entirely when no YAML file was added or modified.
        if: ${{ steps.filter.outputs.yaml == 'true' }}
        uses: reviewdog/action-yamllint@v1
        with:
          # Only the changed files are linted, with the repository config.
          yamllint_flags: "-c .github/lint/.yamllint.yaml ${{ steps.filter.outputs.yaml_files }}"
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Editors
.vscode/
# Trash
.DS_Store
Thumbs.db
# k8s
# The cluster credentials file must never end up in git.
kubeconfig
# vscode-sops
# Plaintext scratch copies the vscode-sops extension writes while a
# *.sops.* file is being edited; they hold decrypted secrets.
.decrypted~*.yaml
--------------------------------------------------------------------------------
/.sops.yaml:
--------------------------------------------------------------------------------
---
# sops configuration for every *.sops.yaml in this repo.
# Only the values under `data` / `stringData` are encrypted; keys, `metadata`
# (names, namespaces, labels, annotations) and the `sops` block stay in
# plaintext in git, so nothing sensitive may be placed in annotations or names.
creation_rules:
  - encrypted_regex: '^(data|stringData)$'
    # NOTE(review): a single age recipient. The matching private key
    # (presumably what base/flux-system/init/flux-sops-age-secret.sops.yaml
    # provides to Flux) is the only way to decrypt anything in the repo:
    # losing it loses every secret, and rotating it means re-encrypting every
    # *.sops.yaml. A second recipient (an offline backup key) removes the
    # single point of failure without changing the Flux side.
    age: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
stores:
  yaml:
    indent: 2
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021-2022 Pumba98

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/apps/arrs/kustomization.yaml:
--------------------------------------------------------------------------------
---
# The *arr stack: one HelmRelease, its sops-encrypted API keys, and three
# kinds of storage (per-app config, shared downloads, shared media).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-arrs.yaml
  - secret-arrs.sops.yaml
  - pvc-arrs-config.yaml
  - pvc-arrs-downloads.yaml
  - pvc-arrs-media.yaml
--------------------------------------------------------------------------------
/apps/arrs/pvc-arrs-config.yaml:
--------------------------------------------------------------------------------
---
# One small RWO config volume per app. These hold each app's database and
# settings (including its API key), so they go on the `longhorn-backup`
# class — presumably the Longhorn class with the backup schedule from
# apps/longhorn/configs in the tree; confirm in apps/longhorn/sc-longhorn.yaml.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: radarr-data
spec:
  storageClassName: longhorn-backup
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sonarr-data
spec:
  storageClassName: longhorn-backup
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: bazarr-data
spec:
  storageClassName: longhorn-backup
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: prowlarr-data
spec:
  storageClassName: longhorn-backup
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--------------------------------------------------------------------------------
/apps/arrs/pvc-arrs-downloads.yaml:
--------------------------------------------------------------------------------
---
# Statically provisioned SMB volume for the download directory, exposed
# ReadWriteMany so more than one pod can mount it.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: arrs-downloads-pv
spec:
  capacity:
    storage: 1Ti
  accessModes:
    - ReadWriteMany
  # Retain: deleting the claim must never trigger cleanup of the share.
  persistentVolumeReclaimPolicy: Retain
  storageClassName: smb
  # NOTE(review): 0777 on both directories and files makes the whole share
  # world-readable and world-writable for every process in every pod that
  # mounts it, and on the host side of the mount as well. If the consuming
  # pods run with a fixed uid/gid, `uid=`/`gid=` plus 0775/0664 keeps the
  # sharing between those pods while narrowing who else can write.
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
  csi:
    driver: smb.csi.k8s.io
    volumeHandle: arrs-downloads-smb-volume
    volumeAttributes:
      # Server/share path is substituted from the cluster secrets
      # (SECRET_CIFS_SHARE), so it is not committed in plaintext.
      source: "${SECRET_CIFS_SHARE}/downloads"
    # SMB credentials are handed to the CSI node plugin at stage time (they
    # are not mounted into the workload pod). The Secret lives in kube-system;
    # per the tree it is apps/csi-driver-smb/secret-smb.sops.yaml.
    nodeStageSecretRef:
      name: smb-secrets
      namespace: kube-system
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: arrs-downloads
spec:
  # Bind to the static PV above by name; no dynamic provisioning.
  volumeName: arrs-downloads-pv
  storageClassName: smb
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Ti
--------------------------------------------------------------------------------
/apps/arrs/pvc-arrs-media.yaml:
--------------------------------------------------------------------------------
---
# Same pattern as the downloads volume, pointing at the media subtree of the
# same SMB share; the 0777 mode caveat above applies here too.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: arrs-media-pv
spec:
  capacity:
    storage: 1Ti
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: smb
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
  csi:
    driver: smb.csi.k8s.io
    volumeHandle: arrs-media-smb-volume
    volumeAttributes:
      source: "${SECRET_CIFS_SHARE}/media"
    nodeStageSecretRef:
      name: smb-secrets
      namespace: kube-system
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: arrs-media
spec:
  volumeName: arrs-media-pv
  storageClassName: smb
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Ti
--------------------------------------------------------------------------------
/apps/arrs/secret-arrs.sops.yaml:
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: arrs-secrets 5 | stringData: 6 | RADARR_API_KEY: ENC[AES256_GCM,data:v0CHwmHrfRhxrchuaDoU8GP5wPaPdiTg2A6RoCdGRcE=,iv:laxWN1WhLG5dJXjg5wi1CAz38L4p/yu5QQkvkVeZh+I=,tag:BTDh6Qn23E+UcZr9uCBqtQ==,type:str] 7 | SONARR_API_KEY: ENC[AES256_GCM,data:mZwmuLThVlejG+SvqFX+smbCjGmADxdivo3DCi/Z224=,iv:IU6mF1SwZTnTZNNXUTBRPgyZkMKSlkxqdJzfUYrkOfM=,tag:mudwqkHVscxXd37oenNE9w==,type:str] 8 | BAZARR_API_KEY: null 9 | sops: 10 | kms: [] 11 | gcp_kms: [] 12 | azure_kv: [] 13 | hc_vault: [] 14 | age: 15 | - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6 16 | enc: | 17 | -----BEGIN AGE ENCRYPTED FILE----- 18 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxemUreEJDTnFad09jNmtw 19 | TTdWL2EvWmlHN3MrbTVUWVNwK3d0WW14Q0c0CjBnanA2MVBrNWhSUzNlRUNZdWx5 20 | NFExUEhQcC9LR2JYRkIzTmVtLy9kVTgKLS0tIHBwWHRNb05KVzBJVjEvREYxcUN1 21 | SVVSMVZ3cnEzbmplVmJSOUFoZ3d5SjQKClOSJOLovaV3xLOG8Cg3Pn9mvW6qaZkK 22 | 4Y0+lK1Tdvhaf6kfePCD89q48y475iMnp62deHW6v8eTZeMs165PQA== 23 | -----END AGE ENCRYPTED FILE----- 24 | lastmodified: "2024-12-07T22:16:01Z" 25 | mac: ENC[AES256_GCM,data:DjCjUqoI4hKkd/q5BQnG76NqN16rqEstIwcAhoJvmcCrKvMEkt6NWpkfcvaHjs1wRPVl4O2T6YW35dsx/TtS/HIoQWM53+jxhGiHZSSON23orLYOVT3IYfuXQQ5+lEudglyM4Wb9+G2e1Gsrv7IeEDa26VlQnkWJmn0brz+PfYY=,iv:5G6DKdb6z9Hm+JsQ7K5uEc/qtZ/ElIvdYuuki0HhPDY=,tag:VPRHZ/+x7XYt5G2h1wDthg==,type:str] 26 | pgp: [] 27 | encrypted_regex: ^(data|stringData)$ 28 | version: 3.9.1 29 | -------------------------------------------------------------------------------- /apps/authelia/hr-redis.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: authelia-redis 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | chart: redis 11 | version: 21.1.11 12 | sourceRef: 13 | kind: HelmRepository 14 | name: 
bitnami-charts 15 | namespace: flux-system 16 | interval: 5m 17 | dependsOn: 18 | - name: kube-prometheus-stack 19 | namespace: monitoring 20 | - name: longhorn 21 | namespace: longhorn-system 22 | values: 23 | architecture: standalone 24 | master: 25 | persistence: 26 | enabled: true 27 | size: 1Gi 28 | metrics: 29 | enabled: true 30 | serviceMonitor: 31 | enabled: true 32 | auth: 33 | existingSecret: authelia 34 | existingSecretPasswordKey: session.redis.password.txt 35 | -------------------------------------------------------------------------------- /apps/authelia/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - pvc-postgresql.yaml 6 | - secret-authelia-users.sops.yaml 7 | - secret-authelia.sops.yaml 8 | - hr-postgresql.yaml 9 | - hr-redis.yaml 10 | - hr-authelia.yaml 11 | -------------------------------------------------------------------------------- /apps/authelia/pvc-postgresql.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: authelia-postgresql-data 6 | spec: 7 | storageClassName: longhorn-backup 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 4Gi 13 | -------------------------------------------------------------------------------- /apps/authelia/secret-authelia-users.sops.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: authelia-users 5 | stringData: 6 | users_database.yml: ENC[AES256_GCM,data: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,iv:0Q7Kjn3kRqrpnPP+1BRnL7TlvpOKUXMIZXE52cPcia4=,tag:vTfFiGmKm2qeYTpFjVsoUw==,type:str] 7 | sops: 8 | kms: [] 9 | gcp_kms: [] 10 | azure_kv: [] 11 | hc_vault: [] 12 | age: 13 | - recipient: 
age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6 14 | enc: | 15 | -----BEGIN AGE ENCRYPTED FILE----- 16 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnTzFsTW5oOXd3VUtZVFVt 17 | Qmd0enh2a3NkazVmck93Sm93VCtSTThXVmhjCjEzYlNPRDRrSWVveXBhb05ybGRu 18 | VXFpR1RRSWJFVmVwUUpTOHdYczM5VVkKLS0tIGVrTHdrZlhaZ0o0Ky9vWmVmbzlw 19 | N0xzdGFBN1llZ3l5MjVmTXRmQjYrdVkKrhUCpVU4rrYTj23hDGd1CdUG/WwI7LR0 20 | Gboc19Z5yRiKBMxeVKvxPGdL+2tBMyJRQwA8daBOEZN76I27FA6oIg== 21 | -----END AGE ENCRYPTED FILE----- 22 | lastmodified: "2023-03-18T13:54:42Z" 23 | mac: ENC[AES256_GCM,data:RyG2rTHrlEN10hx03FILC+GCLGPMsvtp5aVR8cUqrCDhPbJmNKK12uYzh30yO03jPIL++Gt1dlunIirzGJYiIFqcEkZPSJb+YYt05fktOaPv5ZtWB7SmSRoCYfXI1sbVbvstapH930YrpkC8OVj1GgjP79ZKvblILKcTRChtqNI=,iv:3uXviNeHZOTIBcK1RfowuuPkYgNo/J7bCzxDKKkzkYU=,tag:FDXJ7AMLCnNax56KZmPkcg==,type:str] 24 | pgp: [] 25 | encrypted_regex: ^(data|stringData)$ 26 | version: 3.7.1 27 | -------------------------------------------------------------------------------- /apps/bind9/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - hr-bind9.yaml 6 | - pvc-bind9.yaml 7 | - secret-bind9.sops.yaml 8 | -------------------------------------------------------------------------------- /apps/bind9/pvc-bind9.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: bind9-data 6 | spec: 7 | storageClassName: longhorn-backup 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | -------------------------------------------------------------------------------- /apps/blocky/hr-blocky.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: blocky 6 | spec: 7 
# HelmRelease for blocky (DNS filtering resolver) via the bjw-s app-template
# chart; `spec:` opens on the preceding line.
  interval: 5m
  chart:
    spec:
      chart: app-template
      version: 3.7.3
      sourceRef:
        kind: HelmRepository
        name: bjw-s-charts
        namespace: flux-system
  # The DNS service below is type LoadBalancer, so MetalLB must be up first.
  dependsOn:
    - name: metallb
      namespace: metallb-system
  values:
    controllers:
      main:
        replicas: 2
        strategy: RollingUpdate
        annotations:
          # Reloader restarts the pods whenever the mounted ConfigMap changes.
          reloader.stakater.com/auto: "true"
        containers:
          main:
            image:
              repository: ghcr.io/0xerr0r/blocky
              # Tag plus digest: the digest is what pins the image, so a
              # re-pushed v0.26 tag upstream cannot change what runs here.
              tag: v0.26@sha256:b259ada3f943e73283f1fc5e84ac39a791afec7de86515d1aeccc03d2c39e595
            probes:
              liveness:
                enabled: true
              readiness:
                enabled: true
              startup:
                enabled: true
                spec:
                  # Up to 30 x 5s = 150s for the blocklists to download on start.
                  failureThreshold: 30
                  periodSeconds: 5
    service:
      # HTTP API / metrics endpoint (only reachable through the Ingress below).
      main:
        controller: main
        ports:
          http:
            port: 4000
      # The actual resolver, on a fixed MetalLB address.
      dns:
        controller: main
        type: LoadBalancer
        loadBalancerIP: "${LB_IP_BLOCKY_SVC}"
        # Local: no SNAT, so blocky sees the real client address (needed for
        # any client-specific rules). With MetalLB L2 it also means only nodes
        # that run a replica announce the address.
        externalTrafficPolicy: Local
        # Plain DNS on 53 has no authentication: anything that can reach the
        # LoadBalancer IP can query this resolver. Only the HTTP endpoint is
        # behind Authelia (see the Ingress annotations below).
        ports:
          dns-tcp:
            port: 53
            protocol: TCP
          dns-udp:
            port: 53
            protocol: UDP
    ingress:
      main:
        className: "nginx"
        annotations:
          kubernetes.io/tls-acme: "true"
          # Forward-auth: ingress-nginx sub-requests Authelia (in-cluster, plain
          # HTTP on the service network) before proxying, and sends
          # unauthenticated clients to the sign-in page.
          nginx.ingress.kubernetes.io/auth-url: http://authelia.networking.svc.cluster.local/api/authz/auth-request
          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN}
        hosts:
          - host: "blocky.${SECRET_DOMAIN}"
            paths:
              - path: /
                service:
                  identifier: main
                  port: http
        tls:
          - secretName: blocky-tls
            hosts:
              - "blocky.${SECRET_DOMAIN}"
    persistence:
      # Configuration comes from the generated ConfigMap, mounted read-only.
      config:
        type: configMap
        name: blocky-config
        globalMounts:
          - path: /app/config.yml
            subPath: config.yml
            readOnly: true
    # serviceMonitor:
    #   main:
    #     enabled: true
--------------------------------------------------------------------------------
/apps/blocky/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-blocky.yaml
configMapGenerator:
  - name: blocky-config
    files:
      - config.yml=./resources/blocky-config.yaml
generatorOptions:
  # Fixed name (no content hash suffix) so the HelmRelease can reference it;
  # Reloader, not a renamed ConfigMap, handles the restart on change.
  disableNameSuffixHash: true
--------------------------------------------------------------------------------
/apps/blocky/resources/blocky-config.yaml:
--------------------------------------------------------------------------------
ports:
  dns: 53
  http: 4000
upstreams:
  # strict: upstreams are used in the listed order, later ones only when an
  # earlier one fails — so the local bind9 is asked first.
  strategy: strict
  groups:
    default:
      # Presumably the in-cluster bind9 service (apps/bind9 in the tree).
      - bind9
      # NOTE(review): plain port-53 upstreams, so queries leaving the cluster
      # are unencrypted on the wire. blocky accepts `tcp-tls:` / `https:`
      # upstream URLs if DoT/DoH is wanted here.
      - 1.1.1.1
      - 1.0.0.1
      - 9.9.9.9
caching:
  # -1: per the blocky docs this disables caching of negative (NXDOMAIN/empty)
  # answers — confirm against the version pinned above.
  cacheTimeNegative: -1
blocking:
  # NOTE(review): every list below is fetched over HTTPS from a third-party
  # repository at runtime and applied as-is; a compromised or mis-edited
  # upstream list can block (or, for whitelists, un-block) arbitrary names.
  # Pinning the GitHub URLs to a commit, or mirroring the lists, is the
  # usual mitigation.
  blackLists:
    ads:
      - https://big.oisd.nl/domainswild
      - https://raw.githubusercontent.com/mmotti/pihole-regex/master/regex.list
      - https://raw.githubusercontent.com/lassekongo83/Frellwits-filter-lists/master/Frellwits-Swedish-Hosts-File.txt
      - https://v.firebog.net/hosts/AdguardDNS.txt
      - https://raw.githubusercontent.com/d3ward/toolz/master/src/d3host.txt
    trackers:
      - https://v.firebog.net/hosts/Easyprivacy.txt
      - https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
      - https://raw.githubusercontent.com/nextdns/native-tracking-domains/main/domains/alexa
      - https://raw.githubusercontent.com/nextdns/native-tracking-domains/main/domains/apple
      - https://raw.githubusercontent.com/nextdns/native-tracking-domains/main/domains/samsung
      - https://raw.githubusercontent.com/nextdns/native-tracking-domains/main/domains/windows
      - https://raw.githubusercontent.com/nextdns/native-tracking-domains/main/domains/huawei
      - https://raw.githubusercontent.com/nextdns/native-tracking-domains/main/domains/xiaomi
      - https://raw.githubusercontent.com/nextdns/native-tracking-domains/main/domains/sonos
      - https://raw.githubusercontent.com/mullvad/dns-blocklists/main/files/tracker
  # Whitelist entries win over blacklist entries for the same group.
  whiteLists:
    ads:
# blocking.whiteLists.ads continues from the preceding line.
      - https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
      - https://raw.githubusercontent.com/mmotti/pihole-regex/master/whitelist.list
      - https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/optional-list.txt
      # Inline list (the `#` lines inside the block are blocky list comments,
      # not YAML comments). Note `*.chatgpt.com` un-blocks the whole subtree.
      - |
        # Sport1
        www.asadcdn.com
        tag.aticdn.net
        # Bild.de
        acdn.adnxs.com
        cdn1.smartadserver.com
        ec-ns.sascdn.com
        # ChatGPT
        *.chatgpt.com
  # All clients get both groups; there are no per-client rules.
  clientGroupsBlock:
    default:
      - ads
      - trackers
--------------------------------------------------------------------------------
/apps/cert-manager/hr-cert-manager.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: cert-manager
spec:
  interval: 5m
  chart:
    spec:
      chart: cert-manager
      version: v1.17.2
      sourceRef:
        kind: HelmRepository
        name: jetstack-charts
        namespace: flux-system
  install:
    crds: CreateReplace
  upgrade:
    crds: CreateReplace
  values:
    crds:
      enabled: true
      # keep: uninstalling the release leaves the CRDs — and with them every
      # Certificate/Issuer object and the Secrets they issued — in place.
      keep: true
    extraArgs:
      # DNS-01 self-checks go to 1.1.1.1 only, bypassing the in-cluster
      # resolvers (bind9/blocky), so split-horizon or filtered DNS cannot make
      # cert-manager see a stale/local answer for the _acme-challenge record.
      - --dns01-recursive-nameservers=1.1.1.1:53
      - --dns01-recursive-nameservers-only
    cainjector:
      replicaCount: 1
    # The controller pods themselves resolve via public DNS, not the cluster.
    podDnsPolicy: "None"
    podDnsConfig:
      nameservers:
        - "1.1.1.1"
        - "8.8.8.8"
    ingressShim:
      # Any Ingress annotated kubernetes.io/tls-acme: "true" gets a
      # certificate from the *production* Let's Encrypt issuer by default.
      # Use the letsencrypt-staging ClusterIssuer while testing ingress
      # changes to stay clear of production rate limits.
      defaultIssuerName: letsencrypt-production
      defaultIssuerKind: ClusterIssuer
      defaultIssuerGroup: cert-manager.io
--------------------------------------------------------------------------------
/apps/cert-manager/issuers/clusterissuer-letsencrypt-production.yaml:
--------------------------------------------------------------------------------
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: "${SECRET_CLOUDFLARE_EMAIL}"
    # ACME account private key; cert-manager generates it and stores it in
    # this Secret (in the cert-manager namespace, since this is a ClusterIssuer).
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
      - dns01:
          cloudflare:
            # `email` is only needed with the legacy global API key; harmless
            # alongside an API token.
            email: "${SECRET_CLOUDFLARE_EMAIL}"
            # NOTE(review): a token that can write TXT records is enough to
            # obtain certificates for any name in the zone. Scope it to
            # Zone:DNS:Edit on this zone only (a scoped API token, never the
            # global API key). The Secret is apps/cert-manager/
            # secret-cert-manager.sops.yaml; it must sit in the cert-manager
            # namespace for a ClusterIssuer to find it.
            apiTokenSecretRef:
              name: cloudflare-token-secret
              key: cloudflare-token
--------------------------------------------------------------------------------
/apps/cert-manager/issuers/clusterissuer-letsencrypt-staging.yaml:
--------------------------------------------------------------------------------
---
# Same account e-mail and Cloudflare token as production, but against the
# staging CA: certificates are not browser-trusted and rate limits are
# generous, so use this issuer for testing.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: "${SECRET_CLOUDFLARE_EMAIL}"
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          cloudflare:
            email: "${SECRET_CLOUDFLARE_EMAIL}"
            apiTokenSecretRef:
              name: cloudflare-token-secret
              key: cloudflare-token
--------------------------------------------------------------------------------
/apps/cert-manager/issuers/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - clusterissuer-letsencrypt-production.yaml
  - clusterissuer-letsencrypt-staging.yaml
--------------------------------------------------------------------------------
/apps/cert-manager/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Namespace, the Cloudflare token Secret and the chart. The issuers/ and
# monitoring/ directories are not listed here, so they are presumably applied
# by separate Flux Kustomizations (cluster-apps/cert-manager.yaml in the tree)
# that depend on the CRDs this release installs.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns-cert-manager.yaml
  - secret-cert-manager.sops.yaml
  - hr-cert-manager.yaml
--------------------------------------------------------------------------------
/apps/cert-manager/monitoring/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - service-monitor.yaml
  - prometheus-rules.yaml
--------------------------------------------------------------------------------
/apps/cert-manager/monitoring/prometheus-rules.yaml:
--------------------------------------------------------------------------------
---
# Alerts from the cert-manager mixin: expiry without renewal, certificates
# stuck not-Ready, and ACME 429s (rate limiting).
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: cert-manager
spec:
  groups:
    - name: cert-manager
      rules:
        # Fires when a cert has under 21 days left; cert-manager normally
        # renews at 30 days, so this means renewal has been failing for a week.
        - alert: CertManagerCertExpirySoon
          annotations:
            description: The domain that this cert covers will be unavailable after
              {{ $value | humanizeDuration }}. Clients using endpoints that this cert
              protects will start to fail in {{ $value | humanizeDuration }}.
            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon
            summary: The cert {{ $labels.name }} is {{ $value | humanizeDuration }}
              from expiry, it should have renewed over a week ago.
          expr: |
            avg by (exported_namespace, namespace, name) (
              certmanager_certificate_expiration_timestamp_seconds - time())
            < (21 * 24 * 3600)
          for: 1h
          labels:
            severity: warning
        - alert: CertManagerCertNotReady
          annotations:
            description: This certificate has not been ready to serve traffic for at least
              10m. If the cert is being renewed or there is another valid cert, the ingress
              controller _may_ be able to serve that instead.
            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
            summary: The cert {{ $labels.name }} is not ready to serve traffic.
# (continuation of prometheus-rules.yaml: the CertManagerCertNotReady rule)
          expr: |
            max by (name, exported_namespace, namespace, condition) (
              certmanager_certificate_ready_status{condition!="True"} == 1)
          for: 10m
          labels:
            severity: critical
        - alert: CertManagerHittingRateLimits
          annotations:
            description: Depending on the rate limit, cert-manager may be unable to generate
              certificates for up to a week.
            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits
            summary: Cert manager hitting LetsEncrypt rate limits.
          # Any HTTP 429 from the ACME client within a 5m window. Left
          # unattended, a misconfigured issuer retrying in a loop is how the
          # weekly Let's Encrypt quota gets burned.
          expr: |
            sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m]))
            > 0
          for: 5m
          labels:
            severity: critical
-------------------------------------------------------------------------------- /apps/cert-manager/monitoring/service-monitor.yaml: --------------------------------------------------------------------------------
# Scrapes cert-manager's metrics endpoint (port 9402) in the cert-manager
# namespace; the rules above depend on these series existing.
# No metadata.namespace is set, so this object lands wherever the enclosing
# Flux Kustomization targets — Prometheus has to be watching that namespace.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: cert-manager-prometheus-servicemonitor
  labels:
    name: cert-manager-prometheus-servicemonitor
spec:
  selector:
    matchLabels:
      app: cert-manager
  namespaceSelector:
    matchNames:
      - cert-manager
  endpoints:
    - targetPort: 9402
-------------------------------------------------------------------------------- /apps/cert-manager/ns-cert-manager.yaml: --------------------------------------------------------------------------------
---
# The goldilocks label opts this namespace into VPA recommendations
# (see apps/goldilocks).
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
  labels:
    goldilocks.fairwinds.com/enabled: "true"
-------------------------------------------------------------------------------- /apps/cert-manager/secret-cert-manager.sops.yaml: --------------------------------------------------------------------------------
# Cloudflare API token consumed by both ClusterIssuers (issuers/). Only the
# value under stringData is encrypted (encrypted_regex); the Secret name and
# key name stay plaintext on purpose so the issuers can reference them.
# NOTE(review): every *.sops.yaml visible in this repo is encrypted to the
# same single age recipient with no KMS/PGP fallback — losing that key loses
# all of them, and there is no second recipient to rotate through.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-token-secret
stringData:
  cloudflare-token: ENC[AES256_GCM,data:h02tBnfWjajXuMyGX8y6n9iarAu306OSkUev6qWHqMI9a9JoaI/Rxg==,iv:58ZNy5XeG3l1efXKqJh9qEX4TLyJHhkxxmejTCvqATY=,tag:FyUvQssW4yKnoZPxDAOUgA==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsRmNqYVhlMmMzdXJiM1Nk
        N1RTVHl4d3JFL1RDUmxuWm5CaXlCWUxVOFIwCmloRElVQ0lsN1JaWG1GdnovMDFL
        WG12YVFibVJua245UVZjZGNLY1ZpajgKLS0tIGdRdS9zd2oxRWdMVUJTUVZrMzVk
        ZzJpVGxEdXErTk9yNytvbDRjeDZ3Nm8KbESA6DyX4LA1QeeyszoNkQVP/kd7Fh6R
        pNPX9durSypKXKzQMq/OR/Ojjz8FxB/4FfA3eNflDkUqYbM8ApsDhg==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2023-03-18T13:55:59Z"
  mac: ENC[AES256_GCM,data:W2ioTh6GpyHVmsmwMqQwPsm/h4QcalJkVLWPpLDwuZ6+PIZZccI9q9abu27N+ChKqVSzUwL548E7Z+Jz0rTMLKFftubIiJuucXngpVE57YfKsSmn9XPgU/28YQz/M/mW+Akx4o3pg/SQtHzytY7+NP1RrTpr7L1E5J2azh0a80I=,iv:Wlakox+qmwQ57TizHifFdGbahKsgWImfpr7fB6zg99k=,tag:4ILcymVlotb6yMH74cbO7w==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.7.1
-------------------------------------------------------------------------------- /apps/certificate-exporter/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-certificate-exporter.yaml
-------------------------------------------------------------------------------- /apps/cloudflared/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-cloudflared.yaml
  - secret-cloudflared.sops.yaml
# Tunnel ingress rules are rendered from resources/cloudflared-config.yaml.
configMapGenerator:
  - name: cloudflared-config
    files:
      - config.yaml=./resources/cloudflared-config.yaml
generatorOptions:
  # Stable ConfigMap name (no content hash): the HelmRelease can reference it
  # by name, but an edit is applied in place and will not by itself restart
  # cloudflared — no reloader annotation is visible in this directory.
  disableNameSuffixHash: true
-------------------------------------------------------------------------------- /apps/cloudflared/resources/cloudflared-config.yaml: --------------------------------------------------------------------------------
# cloudflared tunnel ingress rules (mounted as config.yaml).
# Every hostname under the domain is forwarded to the *external* ingress-nginx
# controller, so anything that controller will serve for a *.${SECRET_DOMAIN}
# host is reachable from the internet through the tunnel. Per-app
# authentication is not enforced here but by the Authelia auth-url /
# auth-signin annotations on each Ingress (see apps/goldilocks, headlamp,
# homer, immich); an Ingress on nginx-external without those annotations
# is published unauthenticated.
originRequest:
  http2Origin: true
ingress:
  - hostname: "*.${SECRET_DOMAIN}"
    service: https://ingress-nginx-external-controller.networking.svc.cluster.local:443
    originRequest:
      # SNI/Host presented to the origin so ingress-nginx selects the right
      # server block and certificate.
      originServerName: "${SECRET_GATEWAY}"
      # NOTE(review): this disables verification of the origin certificate
      # on the tunnel -> ingress-nginx hop, so anything able to redirect
      # in-cluster traffic for the controller Service could terminate TLS
      # and read or modify every tunnelled request. If the external
      # controller serves a cert-manager-issued certificate for
      # ${SECRET_GATEWAY}, point cloudflared at that CA (originRequest.caPool)
      # and drop this flag; the HelmRelease that would mount the CA is not
      # in view here, so this is flagged rather than changed.
      noTLSVerify: true
  # Catch-all: any hostname not matched above is refused with a 404.
  - service: http_status:404
-------------------------------------------------------------------------------- /apps/cloudflared/secret-cloudflared.sops.yaml: --------------------------------------------------------------------------------
# Tunnel credentials file. Whoever holds it can run a connector for this
# tunnel and receive its traffic, so it is SOPS-encrypted and only referenced
# by Secret name from hr-cloudflared.yaml.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflared-secret
stringData:
  credentials.json: ENC[AES256_GCM,data:hZMwJ1J+FTyU6ky1X9f9Hk/Ct9xfe67hxwQnvFxRb4pNOQ14man8jOB5SYMePImBsi9uG/k5XzwbnyfkIuCT/krZkzfcSnSCnRRxwSsStFayjgqBtS71UcCLODoAwiXvji7K1P0J8FM3z0Jv/SsPuyQudahuvK5ElpHXOWSIcd12c0bnk8+vJGH4KXXwaCuqjbGvZhm6OncoyE6q3+ezjitzuazNPoanRHqpG4wXLNJRH8SPNwv+Avs=,iv:s09eVwC/EUHzZhjy/cOthIqKK/GVg9Ld2osubXzRfOM=,tag:CthZbp6t8iTJmSdBjByBOA==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBESjNDZDVWdlc2NXVCOHda
        THhEMnBDemRBaW5XTWJrcG1WcklmTHN4dWhvCmZKNnVXN3U0V2hKQ2NnSlN2cXJj
        TjkxYWFCYUFaNEFKWiswWjFZczNCakEKLS0tIGJMOUNBQW5FVHpCY0IwQlVrMWFx
        QjI1QTJLbmMrTGErL0VaZ3hnSW5FRDAK0ottbpvOe+3sY0JK28QVfbNhmuagBqNH
        ag7HFJZxhYu2LSJRwy4xAaW4X9A12NXH5Jx7RlSCJ+eWCLvC/voLFQ==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2025-01-30T17:58:12Z"
  mac: ENC[AES256_GCM,data:5ibuUZ2JFfYNbB0sKHNQsb5txtAzLtMRPuq3Cc+yTxTLgBhAyh8N3S29l0dXSFXUXmq6hIikGLCrkJ+uwqqzkFfcFZZHsr17KD/UzY9hXcYCPuy0cbQsfGpMWwjbc613WBY991DC8AreLZk3w4nVEAUfiq7ofA1xPsCCIUzIiRo=,iv:lkw8qh+VUL4Q/EUoOB2Z1uR0K+JG7H6sE7DRBKRM16g=,tag:biS5Q/ouWyTEStUFgSUIYQ==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.8.1
-------------------------------------------------------------------------------- /apps/csi-driver-smb/hr-csi-driver-smb.yaml: --------------------------------------------------------------------------------
---
# SMB CSI driver. values: is left empty, so chart defaults apply.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: csi-driver-smb
spec:
  interval: 5m
  chart:
    spec:
      chart: csi-driver-smb
      version: v1.16.0
      sourceRef:
        kind: HelmRepository
        name: csi-driver-smb-charts
        namespace: flux-system
  values:
-------------------------------------------------------------------------------- /apps/csi-driver-smb/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - secret-smb.sops.yaml
  - hr-csi-driver-smb.yaml
-------------------------------------------------------------------------------- /apps/csi-driver-smb/secret-smb.sops.yaml: --------------------------------------------------------------------------------
# SMB share credentials for the CSI driver (referenced from StorageClass /
# PersistentVolume secret refs that are not in this directory).
# NOTE(review): this account's rights on the file server define the blast
# radius of any pod that mounts an SMB volume; use a dedicated, least-
# privileged share account rather than a personal or admin login.
apiVersion: v1
kind: Secret
metadata:
  name: smb-secrets
stringData:
  username: ENC[AES256_GCM,data:fYbWfkb7/Q==,iv:yTahyzsCBxcy2S53lcVBCk3sVOqxTz7vcxODNoD7zJU=,tag:pqx47MbTQjmZQAlyaCJQjg==,type:str]
  password: ENC[AES256_GCM,data:aO8FR3tI4nuEg0AI2jlSKQ==,iv:6UVGAaQPKjqyvvSSJ1/nArM5EQo3Wz5WUF+5MB7hYXg=,tag:U5IS8v5LV62yvB+zSOVXIA==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
# (continuation of secret-smb.sops.yaml: age-wrapped data key and SOPS MAC)
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJT1hoODdlRFRPZEQ0L2ZL
        RUdHK0hZSS9mZzVUdTVHQk4zd3psWnZSSjI0CmFuT3A2SXdST0s4d1FmNnd4MnpM
        bWl0WllCamc4MTMrNStjejRkbGNsSXMKLS0tIFpHNkQ4bHN4SVgwVkJ1d0Via2JV
        VzlBeFVvNFdiT0VEdVh1aDlqRlN4RnMKQ2DHCANdAgAjZ972nYuN953iaY28H9CH
        uri00FaOT8pgTzNZS4BmMvUsRVN5ZywQjByu1QFwg1pvyLzvywAsyA==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2023-03-18T14:10:12Z"
  mac: ENC[AES256_GCM,data:PCNvCPU9eC3I/795rL9kIPHYSoAxSQsnS0JXsjZGggYcFH3fflbYaZ4N6TBndbR3G2gjzWPw7Ziq5R93+PWlOhOSySaZckiRO+Su6IfcA5Hy6pmT43UEWRexXjYf1LLu904VBRg6RXwNM7mB0LdMYCnbnmQq4mKNnATz6EuNEo0=,iv:G4Sf/XSrwxZ6b2PUZRzmNSUXTRfN6i/mRifW+928R3A=,tag:1Sn9SKoT0dJhWXh60dr0bQ==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.7.1
-------------------------------------------------------------------------------- /apps/descheduler/hr-descheduler.yaml: --------------------------------------------------------------------------------
---
# Descheduler run as a long-lived Deployment rather than a CronJob.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: descheduler
spec:
  interval: 5m
  chart:
    spec:
      chart: descheduler
      version: 0.33.0
      sourceRef:
        kind: HelmRepository
        name: descheduler-charts
        namespace: flux-system
      interval: 5m
  values:
    kind: Deployment
    deschedulerPolicy:
      profiles:
        - name: default
          pluginConfig:
            - name: DefaultEvictor
              args:
                # Pods bound to a PVC are never evicted, but pods that only
                # use emptyDir (e.g. headlamp's plugin volume, immich-ml's
                # model cache) are eligible and lose that data on eviction.
                ignorePvcPods: true
                evictLocalStoragePods: true
            - name: RemoveDuplicates
            # - name: RemovePodsHavingTooManyRestarts
            #   args:
            #     podRestartThreshold: 100
            #     includingInitContainers: true
            - name: RemovePodsViolatingNodeAffinity
              args:
                nodeAffinityType:
                  - requiredDuringSchedulingIgnoredDuringExecution
            - name: RemovePodsViolatingNodeTaints
            - name: RemovePodsViolatingInterPodAntiAffinity
            # - name: RemovePodsViolatingTopologySpreadConstraint
            - name: LowNodeUtilization
              args:
                # 20 % / 50 % cpu, memory and pod-count bands used for
                # rebalancing between under- and over-utilised nodes.
                thresholds:
                  cpu: 20
                  memory: 20
                  pods: 20
                targetThresholds:
                  cpu: 50
                  memory: 50
                  pods: 50
          plugins:
            balance:
              enabled:
                - RemoveDuplicates
                # - RemovePodsViolatingTopologySpreadConstraint
                - LowNodeUtilization
            deschedule:
              enabled:
                # - RemovePodsHavingTooManyRestarts
                - RemovePodsViolatingNodeTaints
                - RemovePodsViolatingNodeAffinity
                - RemovePodsViolatingInterPodAntiAffinity
-------------------------------------------------------------------------------- /apps/descheduler/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-descheduler.yaml
-------------------------------------------------------------------------------- /apps/external-dns-bind/hr-external-dns-bind.yaml: --------------------------------------------------------------------------------
---
# external-dns instance that publishes cluster hostnames into an internal
# DNS server via RFC 2136 dynamic updates, authenticated with a TSIG key.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: external-dns-bind
spec:
  interval: 5m
  chart:
    spec:
      chart: external-dns
      version: 1.16.1
      sourceRef:
        kind: HelmRepository
        name: external-dns-charts
        namespace: flux-system
      interval: 5m
  values:
    env:
      - name: EXTERNAL_DNS_RFC2136_ZONE
        value: "${SECRET_DOMAIN}"
      # Host, port and TSIG secret are read from the SOPS-managed Secret via
      # secretKeyRef, so the values never appear in the rendered HelmRelease
      # or in the pod spec (contrast with DB_PASSWORD in apps/immich, which
      # is substituted into values as plaintext).
      - name: EXTERNAL_DNS_RFC2136_HOST
        valueFrom:
          secretKeyRef:
            name: external-dns-bind-secrets
            key: bind_host
      - name: EXTERNAL_DNS_RFC2136_PORT
        valueFrom:
          secretKeyRef:
            name: external-dns-bind-secrets
            key: bind_port
      - name: EXTERNAL_DNS_RFC2136_TSIG_SECRET
        valueFrom:
          secretKeyRef:
            name: external-dns-bind-secrets
            key: bind_tsig_secret
    resources:
      requests:
        memory: 100Mi
        cpu: 25m
      limits:
# (continuation of hr-external-dns-bind.yaml: limits and provider settings)
        memory: 250Mi
    # NOTE(review): debug logging prints every record external-dns computes
    # and sends; fine for bring-up, but in steady state it is noise and a
    # standing inventory of internal hostnames in the log pipeline.
    logLevel: debug
    sources:
      - ingress
      - service
    # sync = external-dns may also DELETE records. Ownership is tracked via
    # the txt-<name> registry records (--txt-prefix below), so it should
    # only remove records it created itself.
    policy: sync
    # NOTE(review): with the filter commented out, the only scope limits are
    # EXTERNAL_DNS_RFC2136_ZONE (which presumably confines the rfc2136
    # provider to that zone) and the server-side update-policy for
    # external-dns-key. Make sure that policy, not this chart, is the
    # enforced boundary if the filter stays disabled.
    # domainFilters:
    #   - "${SECRET_DOMAIN}"
    provider:
      name: rfc2136
    extraArgs:
      - --rfc2136-tsig-secret-alg=hmac-sha512
      - --rfc2136-tsig-keyname=external-dns-key
      # external-dns reads the current zone by AXFR, so the TSIG key must be
      # allowed zone transfers — i.e. it can dump the whole zone, not just
      # update it.
      - --rfc2136-tsig-axfr
      - --txt-prefix=txt-
-------------------------------------------------------------------------------- /apps/external-dns-bind/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - secret-external-dns-bind.sops.yaml
  - hr-external-dns-bind.yaml
-------------------------------------------------------------------------------- /apps/external-dns-bind/secret-external-dns-bind.sops.yaml: --------------------------------------------------------------------------------
# RFC 2136 target and TSIG key for external-dns-bind. The host and port are
# not secrets in themselves; they are encrypted by the stringData regex
# along with the TSIG secret, which also keeps the DNS server's address out
# of the public repo.
apiVersion: v1
kind: Secret
metadata:
  name: external-dns-bind-secrets
stringData:
  bind_host: ENC[AES256_GCM,data:URaao6n0fy90DG3Y10E=,iv:OPl6MSfdper4udrv2n0dA+XCsdbGh0D2+eMuE6GJLRc=,tag:lMIfrtwMz/cGzCCOjQBxAw==,type:str]
  bind_port: ENC[AES256_GCM,data:Tvg=,iv:94F5Ylz7AaS4j//Gk+xubrg3nGTYtZWcB0wHbFmGK8E=,tag:tGOpoWBtuXS7yqY8C7UigA==,type:str]
  bind_tsig_secret: ENC[AES256_GCM,data:ZOn8sc2z8U4IjN3MQYrtsebUGKvhk3ucr/9ft3PMJV52r3HQskxFnImPDehUnSiXkukfb4xnYTBqQyqaYUvsdRbncuWOM+WSYkazeHRC9IVtc8MxYBEv6w==,iv:j5EPcIsTLebXyRWz6IXzUwI6njt0FPBn78+gq0IAEXs=,tag:fUOFWra5gnZWjl2jQUAuPA==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArdHlLTXFoQjVSalh0b00w
        T0xhQ25HcjZZVS9VckF6VUd4d1hsdnFYK3lJCmdQaEREU01jb0VjNVU1Ykh1N1k5
        TWU5ZS93Tzc2RUd5eDA3eHdOV2FvcHcKLS0tIFp4QVlYaXY0Njg1YzAvTzlkWlY3
        QmU2TmkxWmNVQnpidUVJQm1YeTZ4MTAKrLWFrHG6lXtsxLGyxDQMqfD3cfsUzuIa
        5BrWb4oD8BzuVQS+e3/a6lOyq6tiwWtyZ0Vm/kQ7WQhU4wdfGD6VFg==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-07-04T12:52:01Z"
  mac: ENC[AES256_GCM,data:j0n8NKD7i1gepBOKPCQROQ2RHOf6a/HDWN/AYaPat5BDyi29BNkoUsgzdjBkMCLvS7Tg+zDanhy+cPSK9dPxAA8ajRA+si4q2KpzW0HcU0DzAi2WdJKQzx7UVpZEFrCdZwiUD/PSNvSjiWX/owvKe8Xa/AzU7fvKmumRQMjiBso=,iv:Y26aBydym9LjT/VNcGfdvNFhaLmn0i4CGsiuXzZGP84=,tag:hbqD3JYUmhjcpscQKZ6NUw==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.8.1
-------------------------------------------------------------------------------- /apps/external-dns-cloudflare/hr-external-dns-cloudflare.yaml: --------------------------------------------------------------------------------
---
# external-dns instance that publishes Ingress hostnames on the external
# ingress class to Cloudflare as proxied records, so public DNS resolves to
# Cloudflare rather than to the origin; traffic then presumably enters via
# the cloudflared tunnel (apps/cloudflared).
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: external-dns-cloudflare
spec:
  interval: 5m
  chart:
    spec:
      chart: external-dns
      version: 1.16.1
      sourceRef:
        kind: HelmRepository
        name: external-dns-charts
        namespace: flux-system
      interval: 5m
  values:
    env:
      # CF_API_EMAIL is the companion of a legacy global API key; with an
      # API token (CF_API_TOKEN below) it is not needed and can be dropped.
      - name: CF_API_EMAIL
        value: "${SECRET_CLOUDFLARE_EMAIL}"
      - name: CF_API_TOKEN
        valueFrom:
          secretKeyRef:
            name: external-dns-cloudflare-secrets
            key: cloudflare_api_token
    resources:
      requests:
        memory: 100Mi
        cpu: 25m
      limits:
        memory: 250Mi
    # NOTE(review): debug logging, as in external-dns-bind; consider info
    # once the setup is stable.
    logLevel: debug
    sources:
      - ingress
    policy: sync
    # NOTE(review): without domainFilters this instance will create records
    # in ANY zone the token can edit, for any Ingress host under that zone.
    # Scoping therefore rests solely on the token's zone permissions; all
    # Ingress hosts visible in this repo are under ${SECRET_DOMAIN}, so
    # re-enabling the filter is a cheap second fence.
    # domainFilters:
    #   - "${SECRET_DOMAIN}"
    provider:
      name: cloudflare
    extraArgs:
      - --cloudflare-proxied
      # Only Ingresses with ingressClassName nginx-external are published;
      # internal-only apps stay out of public DNS.
      - --ingress-class=nginx-external
-------------------------------------------------------------------------------- /apps/external-dns-cloudflare/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - secret-external-dns-cloudflare.sops.yaml
  - hr-external-dns-cloudflare.yaml
-------------------------------------------------------------------------------- /apps/external-dns-cloudflare/secret-external-dns-cloudflare.sops.yaml: --------------------------------------------------------------------------------
# Cloudflare API token for external-dns. This is a separate Secret from the
# one cert-manager uses (cloudflare-token-secret), which is the right shape:
# each token can be scoped and revoked independently.
apiVersion: v1
kind: Secret
metadata:
  name: external-dns-cloudflare-secrets
stringData:
  cloudflare_api_token: ENC[AES256_GCM,data:nzYcV8QTaXtPimgipWT7DlVrF5TwfO8D8A11Knj/ZbPBU8TydglAFQ==,iv:aDKOTV1nyPGE93vk69/VTb6HAKhKQ6Jn++CzeTundFY=,tag:zqYapaVmmuc8HWQYYqvGbA==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszg가r47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmQW9MVDJkV2tQeFkrS2lD
        Y3VTbGpXRGhzZ3JPVDVVaVFmYk44WkdSTnhrCjM3cUd2WjJSZlRQZFZJYnEzZ1lI
        RE1Hb1kwQzhVMXR5NlJLWC8rMkN3cU0KLS0tIFdlaCtSV05LaUZreXFUMEd6eDFR
        d09RVTZEcVhaZTNadmtpV29BaW82R3cKvUZtUEePl6+Ppw3PvbIo5U4DMK9uYGpT
        tU5ypDt20GK/Mu1lFsnbPQeKS2rAspCiRlK01YXMj+0LKipheJnhpQ==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-01-01T00:45:58Z"
  mac: ENC[AES256_GCM,data:V+V74daIHJ78BgLjjPcYC1ISLoHzd7/eSpvyZ/TK/JwBJ/oIrSc5Ype2PfHLm4TyrAmrEQ9I0mxvbXLuWDC7nwxrq75nZdJ63gSYRr1PErVFlVFn6EQI7MUWcH+yhwhre79wVZtCK/2voK3TUP6kkSBQuaDh+p9SCrFImLZfIx0=,iv:e6KYoxGoabO4fKuo7lv/oFn5aeHEovli+ygdR0Vf8F4=,tag:NTlv0ll23b/0Uf86DoQKqw==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.8.1
-------------------------------------------------------------------------------- /apps/flux-system/configs/discord-notifier.yaml: --------------------------------------------------------------------------------
---
# Flux notification wiring: one Discord Provider and two Alerts. The webhook
# URL (the only credential) comes from discord-webhook-secret.
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
  name: discord
spec:
  type: discord
  username: Flux
  channel: flux
  secretRef:
    name: discord-webhook-secret
---
# Source-level (GitRepository) events at info severity. Kustomization events
# are commented out; re-enable them if reconciliation failures should also
# reach Discord rather than only the FluxReconciliationFailure alert.
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
  name: home-cluster
spec:
  providerRef:
    name: discord
  eventSeverity: info
  eventSources:
    - kind: GitRepository
      name: '*'
    # - kind: Kustomization
    #   name: '*'
  suspend: false
---
# HelmRelease events for every release in the cluster, info and above.
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
  name: helmreleases
spec:
  providerRef:
    name: discord
  eventSeverity: info
  eventSources:
    - kind: HelmRelease
      name: '*'
  suspend: false
-------------------------------------------------------------------------------- /apps/flux-system/configs/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - secret-discord-webhook.sops.yaml
  - discord-notifier.yaml
-------------------------------------------------------------------------------- /apps/flux-system/configs/secret-discord-webhook.sops.yaml: --------------------------------------------------------------------------------
# Discord webhook URL under the `address` key the notification controller
# reads. A webhook URL is a bearer credential — whoever has it can post to
# the channel — so it is encrypted like any other secret. Note that the
# name: '*' Alerts forward resource names and event messages (including
# reconciliation errors) to Discord, so the channel's membership is part of
# the security boundary.
apiVersion: v1
kind: Secret
metadata:
  name: discord-webhook-secret
stringData:
  address: ENC[AES256_GCM,data:JXV5PKTHT41DJsjjzZ9eNKc8fkBYfS+RFQYMKqOuDVFhA8Y9pqc69BeilyYmVkMYc289lPvBGOXg2V2gENVkIVF///J9sIfTk1rZKGRw2n7EFIx9SVKSnN9lYa4pRYl6s5JK72yOl18MCLauokzt7SVoL32yrApj,iv:l1L4beh84I5GcnlRdvhwfWqab157J03k7/xwnnA70+g=,tag:mfkL2+9Sni39nApbZmfzEQ==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4MS81dzJrQUNJZkNOUExU
        UWFHWWVpUXlTaCtYZGNHN2hFL3ZyQTVzZzJRCmZzTlArYks0OEN2alBVV0pETml3
        L3R5cTJKYk8yaEFoNklkL1N0UmJGZ0kKLS0tIGQ3TlNQUmhNY2M4OWZjVnU3dGpn
        YWo4TWtxZjV3cnV6akhCSHJtNG9ZTVEKgJf+JTcWBhkO/Wjsmvkchn9kHuM6wMcm
        r1JFJKpxIlsoscWXbtjKFDzm3kSenX8A0l88W2teoGosr8/HuuBY/A==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2023-03-18T13:59:29Z"
  mac: ENC[AES256_GCM,data:vy7y0uSAoXuEQRA2nJhQVm8h2B+J+ECAYZJfl8nMBSQzJPoP2PEP/VsIoN9yRxw3S3k0Js8JAxpie/n4inqIn7V8l1RtXjOYNaMWf1/tqMikOFqZW4u5Fb2TvYY6k+2oZ7NeO8/XXZXl+8+Pwti57ZBYQDO1ve9tD+L3WhBcFHo=,iv:ZIFd5J91GP6eaPJyTigqUhHbfzznIO3Fi0S3V5QWX8Y=,tag:sg3NCo1AmTMVKMDaa6ukkg==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.7.1
-------------------------------------------------------------------------------- /apps/flux-system/monitoring/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - pod-monitor.yaml
  - prometheus-rules.yaml
-------------------------------------------------------------------------------- /apps/flux-system/monitoring/pod-monitor.yaml: --------------------------------------------------------------------------------
---
# Scrapes every pod in flux-system that carries an `app` label on its
# http-prom port; the FluxComponentAbsent rule depends on this job.
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: flux-system
  labels:
    app.kubernetes.io/part-of: flux
spec:
  namespaceSelector:
    matchNames:
      - flux-system
  selector:
    matchExpressions:
      - key: app
        operator: Exists
  podMetricsEndpoints:
    - port: http-prom
-------------------------------------------------------------------------------- /apps/flux-system/monitoring/prometheus-rules.yaml: --------------------------------------------------------------------------------
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: flux
spec:
  groups:
    - name: flux
      rules:
        # No flux-system scrape target is up at all. absent() cannot tell
        # "controller down" from "PodMonitor not picked up" — both look the
        # same here.
        - alert: FluxComponentAbsent
          annotations:
            description: Flux component has disappeared from Prometheus target discovery.
            summary: Flux component is down.
          expr: |
            absent(up{job=~".*flux-system.*"} == 1)
          for: 5m
          labels:
            severity: critical
        # Any Flux object reporting Ready=False for ten minutes. Since most
        # apps here ship SOPS-encrypted Secrets, a failed decryption (e.g. a
        # missing age key) surfaces through this alert rather than as a
        # crashing workload.
        - alert: FluxReconciliationFailure
          annotations:
            description: '{{ $labels.kind }} {{ $labels.namespace }}/{{ $labels.name }} reconciliation has been failing
              for more than ten minutes.'
            summary: Flux reconciliation failure.
          expr: |
            max(gotk_resource_info{ready="False"}) by (namespace, name, kind) == 1
          for: 10m
          labels:
            severity: critical
-------------------------------------------------------------------------------- /apps/goldilocks/hr-goldilocks.yaml: --------------------------------------------------------------------------------
---
# Goldilocks VPA dashboard on the external ingress class, behind Authelia.
# It presumably shows resource data for every namespace labelled
# goldilocks.fairwinds.com/enabled (e.g. cert-manager), so the auth-url gate
# is what keeps that cluster inventory private.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: goldilocks
spec:
  interval: 5m
  chart:
    spec:
      chart: goldilocks
      version: 9.0.2
      sourceRef:
        kind: HelmRepository
        name: fairwinds-charts
        namespace: flux-system
  dependsOn:
    - name: ingress-nginx-external
      namespace: networking
  values:
    vpa:
      enabled: true
    dashboard:
      enabled: true
      replicaCount: 1
      ingress:
        enabled: true
        ingressClassName: nginx-external
        annotations:
          # Public DNS record targets the gateway name, not a node IP.
          external-dns.alpha.kubernetes.io/target: "${SECRET_GATEWAY}"
          # cert-manager's ingress-shim issues goldilocks-tls; which
          # ClusterIssuer it uses is decided by cert-manager's default-issuer
          # configuration, not here.
          kubernetes.io/tls-acme: "true"
          # Every request is first authorised by Authelia (forward-auth) and
          # unauthenticated users are sent to the sign-in page. Removing these
          # two annotations publishes the dashboard unauthenticated through
          # the cloudflared wildcard route.
          nginx.ingress.kubernetes.io/auth-url: http://authelia.networking.svc.cluster.local/api/authz/auth-request
          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN}
        hosts:
          - host: "goldilocks.${SECRET_DOMAIN}"
            paths:
              - path: /
                type: ImplementationSpecific
        tls:
          - secretName: goldilocks-tls
            hosts:
              - "goldilocks.${SECRET_DOMAIN}"
-------------------------------------------------------------------------------- /apps/goldilocks/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-goldilocks.yaml
-------------------------------------------------------------------------------- /apps/headlamp/hr-headlamp.yaml: --------------------------------------------------------------------------------
---
# Headlamp Kubernetes UI with the Flux plugin, OIDC login (issuer configured
# in headlamp-secrets) and the same forward-auth gate on the Ingress. This is
# a cluster-admin-grade surface: whatever RBAC the OIDC identities carry is
# exercisable from a browser, so both auth layers matter.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: headlamp
spec:
  interval: 5m
  chart:
    spec:
      chart: headlamp
      version: 0.30.1
      sourceRef:
        kind: HelmRepository
        name: headlamp-charts
        namespace: flux-system
  dependsOn:
    - name: ingress-nginx-external
      namespace: networking
  values:
    # Plugin image pinned by digest, not just tag. The plugin bundle is
    # copied into pluginsDir and served to every UI user, so an unpinned tag
    # here would be a supply-chain hole straight into the cluster UI.
    initContainers:
      - image: ghcr.io/headlamp-k8s/headlamp-plugin-flux:v0.2.0@sha256:6727bb58c95feef9f62f8fe125c244601d31ca62eab546b0f88c045560ed33de
        command:
          - /bin/sh
          - -c
          - mkdir -p /build/plugins && cp -r /plugins/* /build/plugins/
        name: headlamp-plugins
        volumeMounts:
          - mountPath: /build/plugins
            name: headlamp-plugins
    config:
      oidc:
        # Issuer, client id/secret and scopes come from the SOPS-managed
        # headlamp-secrets Secret (OIDC_* keys) rather than chart values.
        secret:
          create: false
        externalSecret:
          enabled: true
          name: headlamp-secrets
      pluginsDir: /build/plugins
    volumeMounts:
      - mountPath: /build/plugins
        name: headlamp-plugins
    volumes:
      - name: headlamp-plugins
        # emptyDir: plugins are re-copied on every pod start; note the
        # descheduler is configured to evict local-storage pods.
        emptyDir: {}
    ingress:
      enabled: true
      ingressClassName: nginx-external
      annotations:
        external-dns.alpha.kubernetes.io/target: "${SECRET_GATEWAY}"
        kubernetes.io/tls-acme: "true"
        # Forward-auth through Authelia, same pattern as goldilocks.
        nginx.ingress.kubernetes.io/auth-url: http://authelia.networking.svc.cluster.local/api/authz/auth-request
        nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN}
      hosts:
# (continuation of hr-headlamp.yaml: ingress hosts and TLS)
        - host: "headlamp.${SECRET_DOMAIN}"
          paths:
            - path: /
              type: ImplementationSpecific
      tls:
        - secretName: headlamp-tls
          hosts:
            - "headlamp.${SECRET_DOMAIN}"
-------------------------------------------------------------------------------- /apps/headlamp/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-headlamp.yaml
  - secret-headlamp.sops.yaml
-------------------------------------------------------------------------------- /apps/headlamp/secret-headlamp.sops.yaml: --------------------------------------------------------------------------------
# OIDC client configuration for Headlamp. Issuer URL, client id and scopes
# are not secrets in themselves but are encrypted together with the client
# secret by the stringData regex, which also keeps the IdP hostname out of
# the public repo.
apiVersion: v1
kind: Secret
metadata:
  name: headlamp-secrets
stringData:
  OIDC_ISSUER_URL: ENC[AES256_GCM,data:3lqNM4Fc3wxGX/bjh1HS6FeuRvqRRHnOUw==,iv:5WJu+iP+Sa3oPSU9NFWzVfxK+pV5T0zlgl1D9DJWiLU=,tag:r5trMSynezPDyM+YEOTGiA==,type:str]
  OIDC_CLIENT_ID: ENC[AES256_GCM,data:BAH0Ie4/+ECTfVQ9ltRihsDI/jMFqFgx04ozdrMIDMn/gpghgcHe5CbRN/BuqtgTKqmQcLLBd/zlc4yUkFDwmb2shYjEd6Jf,iv:IXmD0JHU0cwoOfJFC65avDsCUtV7hQ/zhBXRDKxr7h0=,tag:oNJrGruiS8qmb31U7EBhgA==,type:str]
  OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:/oIQ5wOygpcgKYPV9/rpP0iczBMtm3HBl524h2nC6kZuQRv0BUP8a8GeOpRTV/M4naruFlIu1lE4d3JZqbgRpmNvzoc8a9NR,iv:v2HLUKlR7m/O2x8dSBpnqa6Q1BkbWd9HEmNfc6nbzP4=,tag:VbFOjMrOcscLTYb+rTCayw==,type:str]
  OIDC_SCOPES: ENC[AES256_GCM,data:OZxAWYBByEtRgsOqfbiwbzcI7EM=,iv:OwAvTQc1uQCeMOLBil6UhXIZnthqzDaIiPk1uLfySm4=,tag:goTpbXxaGk8IlKRdjCZbAw==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQXFGZXFXU2g5Tllic1VD
        dXFzQ3JRMitGV3FmTitlNnRSdEhsZm1ySmtvClRLdFEwUjBnM1NZNXZhV2ZhSXRK
        WmVSWHhsNEJiR2p3bTBOSG5TRDE0YW8KLS0tIG1NTmpKdlZMcDlqUFZrYjkrNVRp
        Z000cDNTZ3ArZ1kzanlUcDF0NG43alEK7ULLwkT6FnnowOSKYWoAZ8g2mDU4tndt
        fkkbxyPYxgCqG7vc4NkGnS0+/6c8rnIkKkVigYL5mOsZWnvOnVzOmg==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2025-06-07T14:26:26Z"
  mac: ENC[AES256_GCM,data:nIkYvNtd8WBFsxWZM8YycHU7pPxEvwXJ/J7mDHxA9KVNii67as+OAmsFlDxqCmwOPZFuD4ilagj8yHzPJHtWtgMI2G15n7pUepkRABBZbOq0S9lD/47M/QSy1ZuhjB+OWbJ85csFELltx+PrYY6dNYv/OqdWNTCTWaoxhnS11Ug=,iv:QBnET17WPYbE0jW9CQRkldb/VIpUPGuTxotok06cSNE=,tag:M6BlznmNzqSng2BsM+OTMQ==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.8.1
-------------------------------------------------------------------------------- /apps/homer/hr-homer.yaml: --------------------------------------------------------------------------------
---
# Homer start page (bjw-s app-template). Static site whose only input is the
# homer-config ConfigMap, mounted read-only.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: homer
spec:
  interval: 5m
  chart:
    spec:
      chart: app-template
      version: 3.7.3
      sourceRef:
        kind: HelmRepository
        name: bjw-s-charts
        namespace: flux-system
  dependsOn:
    - name: ingress-nginx-external
      namespace: networking
  values:
    controllers:
      main:
        annotations:
          # Stakater Reloader restarts the pod when homer-config changes;
          # the ConfigMap has a stable name (disableNameSuffixHash below),
          # so there is no hash-driven rollout otherwise.
          reloader.stakater.com/auto: "true"
        containers:
          main:
            image:
              repository: ghcr.io/bastienwirtz/homer
              # Tag plus digest: the digest is what is actually pulled.
              tag: v25.05.2@sha256:8270c5631f7494f01bb6d9d459de37ab65f13998aa64dfd980ce5236b7be525e
              pullPolicy: IfNotPresent
            probes:
              liveness:
                enabled: true
              readiness:
                enabled: true
              startup:
                enabled: true
                spec:
                  failureThreshold: 30
                  periodSeconds: 5
    service:
      main:
        controller: main
        ports:
          http:
            port: 8080
    ingress:
      main:
        className: "nginx-external"
        annotations:
          external-dns.alpha.kubernetes.io/target: "${SECRET_GATEWAY}"
          kubernetes.io/tls-acme: "true"
          # Forward-auth through Authelia, same pattern as the other
          # externally published apps.
          nginx.ingress.kubernetes.io/auth-url: http://authelia.networking.svc.cluster.local/api/authz/auth-request
          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN}
        hosts:
          - host: "homer.${SECRET_DOMAIN}"
            paths:
              - path: /
                service:
                  identifier: main
                  port: http
        tls:
          - secretName: homer-tls
            hosts:
              - "homer.${SECRET_DOMAIN}"
    persistence:
      config:
        type: configMap
        name: homer-config
        globalMounts:
          - path: "/www/assets/config.yml"
            subPath: config.yml
            readOnly: true
-------------------------------------------------------------------------------- /apps/homer/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-homer.yaml
configMapGenerator:
  - name: homer-config
    files:
      - config.yml=./resources/homer-config.yaml
generatorOptions:
  disableNameSuffixHash: true
-------------------------------------------------------------------------------- /apps/immich/hr-immich-machine-learning.yaml: --------------------------------------------------------------------------------
---
# Immich machine-learning service (bjw-s app-template). Exposes port 3003
# cluster-internally only — there is no Ingress in this release; the immich
# server presumably calls it over HTTP.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: immich-machine-learning
spec:
  interval: 5m
  chart:
    spec:
      chart: app-template
      version: 3.7.3
      sourceRef:
        kind: HelmRepository
        name: bjw-s-charts
        namespace: flux-system
      interval: 5m
  dependsOn:
    - name: csi-driver-smb
      namespace: kube-system
    - name: ingress-nginx
      namespace: networking
    - name: immich-redis
    - name: immich-postgresql
  values:
    controllers:
      main:
        containers:
          main:
            image:
              repository: ghcr.io/immich-app/immich-machine-learning
              tag: v1.134.0@sha256:e157e0fa0d4363b0b6bab1923adab5951bbcdb71cd9016470bc6810dae21d115
            env:
              # NOTE(review): DB_PASSWORD is injected by Flux variable
              # substitution, so the real password sits in plaintext in the
              # rendered HelmRelease values and in the pod's env — readable
              # by anyone with get on HelmReleases or Pods in this namespace.
              # Prefer a valueFrom/secretKeyRef to a Secret (the
              # external-dns-bind release shows the pattern). Also verify
              # whether the ML service needs database/redis access at all;
              # if not, these variables can simply be dropped.
              DB_HOSTNAME: immich-postgresql
              DB_DATABASE_NAME: immich
              DB_USERNAME: immich
              DB_PASSWORD: "${SECRET_IMMICH_DB_PASSWORD}"
              REDIS_HOSTNAME: immich-redis-master
            probes:
              liveness:
                enabled: true
              readiness:
                enabled: true
              startup:
                enabled: true
    service:
      main:
        controller: main
        ports:
          http:
            port: 3003
    persistence:
      # Model cache on emptyDir: lost on any pod restart or descheduler
      # eviction and re-downloaded afterwards.
      cache:
        type: emptyDir
-------------------------------------------------------------------------------- /apps/immich/hr-immich.yaml: --------------------------------------------------------------------------------
---
# Immich server: tunnelled public Ingress behind Authelia, uploads on the
# `immich` PVC, Postgres and Redis from the sibling HelmReleases.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: immich
spec:
  interval: 5m
  chart:
    spec:
      chart: app-template
      version: 3.7.3
      sourceRef:
        kind: HelmRepository
        name: bjw-s-charts
        namespace: flux-system
      interval: 5m
  dependsOn:
    - name: csi-driver-smb
      namespace: kube-system
    - name: ingress-nginx
      namespace: networking
    - name: immich-redis
    - name: immich-postgresql
  values:
    controllers:
      main:
        containers:
          main:
            image:
              repository: ghcr.io/immich-app/immich-server
              tag: v1.134.0@sha256:073fc04c7e3d18ace466c20763809cf17aa55765ed610f12971b392a6a80b50c
            env:
              DB_HOSTNAME: immich-postgresql
              DB_DATABASE_NAME: immich
              DB_USERNAME: immich
              # NOTE(review): plaintext after Flux substitution (see the same
              # note in hr-immich-machine-learning.yaml); both the HelmRelease
              # object and the pod spec carry the real password.
              DB_PASSWORD: "${SECRET_IMMICH_DB_PASSWORD}"
              REDIS_HOSTNAME: immich-redis-master
              # NOTE(review): verbose logging on the user-facing server;
              # check it is not echoing request headers (session cookies,
              # Authelia-forwarded identity) into the log pipeline.
              IMMICH_LOG_LEVEL: verbose
            probes:
              liveness:
                enabled: true
              readiness:
                enabled: true
              startup:
                enabled: true
                spec:
                  failureThreshold: 30
                  periodSeconds: 5
    service:
      main:
        controller: main
        ports:
          http:
            port: 2283
    ingress:
      main:
        className: "nginx-external"
        annotations:
          external-dns.alpha.kubernetes.io/target: "${SECRET_GATEWAY}"
          kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/auth-url: http://authelia.networking.svc.cluster.local/api/authz/auth-request 62 | nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN} 63 | nginx.ingress.kubernetes.io/proxy-body-size: "0" 64 | hosts: 65 | - host: immich.${SECRET_DOMAIN} 66 | paths: 67 | - path: / 68 | service: 69 | identifier: main 70 | port: http 71 | tls: 72 | - secretName: immich-tls 73 | hosts: 74 | - immich.${SECRET_DOMAIN} 75 | persistence: 76 | data: 77 | existingClaim: immich 78 | globalMounts: 79 | - path: /usr/src/app/upload 80 | -------------------------------------------------------------------------------- /apps/immich/hr-redis.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: immich-redis 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | chart: redis 11 | version: 21.1.11 12 | sourceRef: 13 | kind: HelmRepository 14 | name: bitnami-charts 15 | namespace: flux-system 16 | interval: 5m 17 | dependsOn: 18 | - name: kube-prometheus-stack 19 | namespace: monitoring 20 | - name: longhorn 21 | namespace: longhorn-system 22 | values: 23 | architecture: standalone 24 | master: 25 | resourcesPreset: "small" 26 | persistence: 27 | enabled: true 28 | size: 1Gi 29 | metrics: 30 | enabled: true 31 | serviceMonitor: 32 | enabled: true 33 | auth: 34 | enabled: false 35 | -------------------------------------------------------------------------------- /apps/immich/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - pvc-postgresql.yaml 6 | - pvc-immich.yaml 7 | - hr-postgresql.yaml 8 | - hr-redis.yaml 9 | - hr-immich.yaml 10 | - hr-immich-machine-learning.yaml 11 | -------------------------------------------------------------------------------- /apps/immich/pvc-immich.yaml: 
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: immich-static-pv
spec:
  capacity:
    storage: 250Gi
  accessModes:
    - ReadWriteOnce
  # Retain: deleting the claim does not remove data on the share.
  persistentVolumeReclaimPolicy: Retain
  storageClassName: smb
  # Everything on the mount is presented as world-readable/writable inside the
  # pod; access control therefore rests entirely on the SMB share's own ACLs.
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
  csi:
    driver: smb.csi.k8s.io
    volumeHandle: immich-smb-volume
    volumeAttributes:
      source: "${SECRET_CIFS_SHARE}/immich"
    # Share credentials are referenced from kube-system, not defined here.
    nodeStageSecretRef:
      name: smb-secrets
      namespace: kube-system
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: immich
spec:
  volumeName: immich-static-pv
  storageClassName: smb
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 250Gi
--------------------------------------------------------------------------------
/apps/immich/pvc-postgresql.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: immich-postgresql-data
spec:
  storageClassName: longhorn-backup
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 4Gi
--------------------------------------------------------------------------------
/apps/ingress-nginx-external/hr-ingress-nginx-external.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: ingress-nginx-external
spec:
  interval: 5m
  chart:
    spec:
      chart: ingress-nginx
      version: 4.12.3
      sourceRef:
        kind: HelmRepository
        name: ingress-nginx-charts
        namespace: flux-system
  dependsOn:
    - name: metallb
      namespace: metallb-system
  values:
    controller:
      image:
        registry: registry.k8s.io
        image: ingress-nginx/controller
        # NOTE(review): the controller tag is set explicitly instead of being left
        # to the chart; check that chart and controller versions are meant to
        # move independently when bumping either one. The digest pins the image.
        tag: v1.11.2
        digest: sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce
      kind: DaemonSet
      ingressClassResource:
        enabled: true
        name: nginx-external
        controllerValue: "k8s.io/ingress-nginx-external"
        default: false
      admissionWebhooks:
        # The validating webhook only sees objects labelled ingress-class=nginx-external;
        # an Ingress without that label is not validated by this controller's webhook.
        objectSelector:
          matchExpressions:
            - key: ingress-class
              operator: In
              values: ["nginx-external"]
      service:
        type: LoadBalancer
        loadBalancerIP: "${LB_IP_NGINX_INGRESS_EXTERNAL}"
        # Local preserves the real client source address at the controller.
        externalTrafficPolicy: Local
      config:
        ssl-protocols: "TLSv1.3 TLSv1.2"
        proxy-body-size: "100m"
        # NOTE(review): X-Forwarded-* headers are trusted as received. That is only
        # safe if this LoadBalancer IP is reachable solely from the trusted proxy in
        # front of it; otherwise client IP and scheme can be spoofed in logs and in
        # anything downstream that keys on them.
        use-forwarded-headers: "true"
      metrics:
        enabled: true
        serviceMonitor:
          # Scraping is done by the standalone ServiceMonitor under monitoring/.
          enabled: false
      resources:
        requests:
          memory: 100Mi
          cpu: 100m
        limits:
          memory: 500Mi
--------------------------------------------------------------------------------
/apps/ingress-nginx-external/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-ingress-nginx-external.yaml
--------------------------------------------------------------------------------
/apps/ingress-nginx-external/monitoring/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - service-monitor.yaml
  - prometheus-rules.yaml
--------------------------------------------------------------------------------
/apps/ingress-nginx-external/monitoring/prometheus-rules.yaml:
--------------------------------------------------------------------------------
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: ingress-nginx-external
spec:
  groups:
    - name: nginx-external
      # NOTE(review): these expressions read nginx_http_requests_total and
      # nginx_http_request_duration_seconds_bucket. The ingress-nginx controller
      # exports nginx_ingress_controller_requests and
      # nginx_ingress_controller_request_duration_seconds; unless another exporter
      # supplies the former names, none of these alerts can fire. Verify against the
      # controller's /metrics output. Also, sum() without "by (instance)" drops the
      # instance label, so "{{ $labels.instance }}" in the summaries renders empty.
      rules:
        - alert: NginxHighHttp4xxErrorRate
          expr: sum(rate(nginx_http_requests_total{status=~"^4.."}[1m])) / sum(rate(nginx_http_requests_total[1m])) * 100 > 5
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: Nginx high HTTP 4xx error rate (instance {{ $labels.instance }})
            description: "Too many HTTP requests with status 4xx (> 5%)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
        - alert: NginxHighHttp5xxErrorRate
          expr: sum(rate(nginx_http_requests_total{status=~"^5.."}[1m])) / sum(rate(nginx_http_requests_total[1m])) * 100 > 5
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: Nginx high HTTP 5xx error rate (instance {{ $labels.instance }})
            description: "Too many HTTP requests with status 5xx (> 5%)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
        - alert: NginxLatencyHigh
          expr: histogram_quantile(0.99, sum(rate(nginx_http_request_duration_seconds_bucket[2m])) by (host, node)) > 3
          for: 2m
          labels:
            severity: warning
          annotations:
            summary: Nginx latency high (instance {{ $labels.instance }})
            description: "Nginx p99 latency is higher than 3 seconds\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
--------------------------------------------------------------------------------
/apps/ingress-nginx-external/monitoring/service-monitor.yaml:
--------------------------------------------------------------------------------
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: ingress-nginx-external-prometheus-servicemonitor
  labels:
    name: ingress-nginx-external-prometheus-servicemonitor
spec:
  selector:
    matchLabels:
      # NOTE(review): chart-managed Services usually carry the chart name in
      # app.kubernetes.io/name (ingress-nginx) and the release name in
      # app.kubernetes.io/instance. Confirm a Service actually has
      # name=ingress-nginx-external; otherwise this monitor selects nothing and
      # the external controller is never scraped.
      app.kubernetes.io/name: ingress-nginx-external
  namespaceSelector:
    matchNames:
      - networking
  endpoints:
    - port: metrics
      interval: 30s
--------------------------------------------------------------------------------
/apps/ingress-nginx/certs/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - wildcard-certificate.yaml
--------------------------------------------------------------------------------
/apps/ingress-nginx/certs/wildcard-certificate.yaml:
--------------------------------------------------------------------------------
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "${SECRET_DOMAIN/./-}"
spec:
  # The wildcard's private key lands in this Secret. hr-ingress-nginx.yaml passes
  # it as default-ssl-certificate, so it is presented for hosts that have no tls
  # secret of their own — treat the Secret's namespace as sensitive.
  secretName: "${SECRET_DOMAIN/./-}-tls"
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "${SECRET_DOMAIN}"
  dnsNames:
    - "${SECRET_DOMAIN}"
    - "*.${SECRET_DOMAIN}"
--------------------------------------------------------------------------------
/apps/ingress-nginx/hr-ingress-nginx.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: ingress-nginx
spec:
  interval: 5m
  chart:
    spec:
      chart: ingress-nginx
      version: 4.12.3
      sourceRef:
        kind: HelmRepository
        name: ingress-nginx-charts
        namespace: flux-system
  dependsOn:
    - name: metallb
      namespace: metallb-system
  values:
    controller:
      image:
        registry: registry.k8s.io
        image: ingress-nginx/controller
        # NOTE(review): controller tag set explicitly rather than left to the chart;
        # keep it in step with the external release when bumping. Digest pins the image.
        tag: v1.11.2
        digest: sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce
      kind: DaemonSet
      ingressClassResource:
        enabled: true
        name: nginx
        controllerValue: "k8s.io/ingress-nginx"
        # This is the cluster default class: an Ingress with no className lands here.
        default: true
      admissionWebhooks:
        # Only objects labelled ingress-class=nginx are validated by this webhook;
        # an Ingress that omits the label (including one relying on the default
        # class) skips this validation.
        objectSelector:
          matchExpressions:
            - key: ingress-class
              operator: In
              values: ["nginx"]
      service:
        type: LoadBalancer
        loadBalancerIP: "${LB_IP_NGINX_INGRESS}"
        externalTrafficPolicy: Local
      config:
        ssl-protocols: "TLSv1.3 TLSv1.2"
        proxy-body-size: "100m"
      metrics:
        enabled: true
        serviceMonitor:
          enabled: false
      extraArgs:
        # Wildcard from certs/wildcard-certificate.yaml, used for any host without
        # its own tls secret.
        default-ssl-certificate: "networking/${SECRET_DOMAIN/./-}-tls"
      resources:
        requests:
          memory: 100Mi
          cpu: 100m
        limits:
          memory: 500Mi
--------------------------------------------------------------------------------
/apps/ingress-nginx/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-ingress-nginx.yaml
--------------------------------------------------------------------------------
/apps/ingress-nginx/monitoring/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - service-monitor.yaml
  - prometheus-rules.yaml
--------------------------------------------------------------------------------
/apps/ingress-nginx/monitoring/prometheus-rules.yaml:
--------------------------------------------------------------------------------
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: ingress-nginx
spec:
  groups:
    - name: nginx
      # NOTE(review): nginx_http_requests_total / nginx_http_request_duration_seconds_bucket
      # are not names the ingress-nginx controller exports (it uses
      # nginx_ingress_controller_requests and nginx_ingress_controller_request_duration_seconds).
      # Unless another exporter provides them, these alerts never fire — verify against
      # /metrics. sum() without "by (instance)" also drops the instance label used in
      # the summaries.
      rules:
        - alert: NginxHighHttp4xxErrorRate
          expr: sum(rate(nginx_http_requests_total{status=~"^4.."}[1m])) / sum(rate(nginx_http_requests_total[1m])) * 100 > 5
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: Nginx high HTTP 4xx error rate (instance {{ $labels.instance }})
            description: "Too many HTTP requests with status 4xx (> 5%)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
        - alert: NginxHighHttp5xxErrorRate
          expr: sum(rate(nginx_http_requests_total{status=~"^5.."}[1m])) / sum(rate(nginx_http_requests_total[1m])) * 100 > 5
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: Nginx high HTTP 5xx error rate (instance {{ $labels.instance }})
            description: "Too many HTTP requests with status 5xx (> 5%)\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
        - alert: NginxLatencyHigh
          expr: histogram_quantile(0.99, sum(rate(nginx_http_request_duration_seconds_bucket[2m])) by (host, node)) > 3
          for: 2m
          labels:
            severity: warning
          annotations:
            summary: Nginx latency high (instance {{ $labels.instance }})
            description: "Nginx p99 latency is higher than 3 seconds\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
--------------------------------------------------------------------------------
/apps/ingress-nginx/monitoring/service-monitor.yaml:
--------------------------------------------------------------------------------
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: ingress-nginx-prometheus-servicemonitor
  labels:
    name: ingress-nginx-prometheus-servicemonitor
spec:
  selector:
    matchLabels:
      # NOTE(review): if the chart labels Services with the chart name, this also
      # matches the ingress-nginx-external release's Services in the same namespace;
      # select on app.kubernetes.io/instance to scope to one release.
      app.kubernetes.io/name: ingress-nginx
  namespaceSelector:
    matchNames:
      - networking
  endpoints:
    - port: metrics
      interval: 30s
--------------------------------------------------------------------------------
/apps/jd2/hr-jd2.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: jd2
spec:
  interval: 5m
  chart:
    spec:
      chart: app-template
      version: 3.7.3
      sourceRef:
        kind: HelmRepository
        name: bjw-s-charts
        namespace: flux-system
  dependsOn:
    - name: ingress-nginx-external
      namespace: networking
    - name: csi-driver-smb
      namespace: kube-system
    - name: longhorn
      namespace: longhorn-system
    # NOTE(review): ordering only — nothing in this file shows how the pod is
    # attached to the VPN gateway; confirm the routing actually applies.
    - name: pod-gateway-vpn
      namespace: networking
  values:
    controllers:
      main:
        containers:
          main:
            image:
              repository: jlesage/jdownloader-2
              tag: v25.02.1@sha256:a597e25a5be386cac5519f2fc705eadb786727f9f0f2c7440fb5585efa41973f
              pullPolicy: IfNotPresent
            env:
              KEEP_APP_RUNNING: true
            probes:
              liveness:
                enabled: true
              readiness:
                enabled: true
              startup:
                enabled: true
                spec:
                  failureThreshold: 30
                  periodSeconds: 5
    service:
      main:
        controller: main
        ports:
          http:
            port: 5800
    ingress:
      main:
        className: "nginx-external"
        annotations:
          external-dns.alpha.kubernetes.io/target: "${SECRET_GATEWAY}"
          kubernetes.io/tls-acme: "true"
          # Published host; Authelia forward-auth gates every request before it
          # reaches the web UI.
          nginx.ingress.kubernetes.io/auth-url: http://authelia.networking.svc.cluster.local/api/authz/auth-request
          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN}
        hosts:
          - host: jd2.${SECRET_DOMAIN}
            paths:
              - path: /
                service:
                  identifier: main
                  port: http
        tls:
          - secretName: jd2-tls
            hosts:
              - jd2.${SECRET_DOMAIN}
    persistence:
      config:
        type: persistentVolumeClaim
        size: 1Gi
        storageClass: longhorn-backup
        accessMode: ReadWriteOnce
        globalMounts:
          - path: "/config"
      # Downloads go straight to the SMB share behind jd2-output (pvc-jd2.yaml).
      output:
        existingClaim: jd2-output
        globalMounts:
          - path: "/output"
--------------------------------------------------------------------------------
/apps/jd2/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - pvc-jd2.yaml
  - hr-jd2.yaml
--------------------------------------------------------------------------------
/apps/jd2/pvc-jd2.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: jd2-static-pv
spec:
  capacity:
    storage: 250Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: smb
  # World-readable/writable inside the pod; the share's own ACLs are the only control.
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
  csi:
    driver: smb.csi.k8s.io
    volumeHandle: jd2-smb-volume
    volumeAttributes:
      source: "${SECRET_CIFS_SHARE}/downloads"
    nodeStageSecretRef:
      name: smb-secrets
      namespace: kube-system
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jd2-output
spec:
  volumeName: jd2-static-pv
  storageClassName: smb
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 250Gi
--------------------------------------------------------------------------------
/apps/jellyfin/hr-jellyfin.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: jellyfin
spec:
  interval: 5m
  chart:
    spec:
      chart: app-template
      version: 3.7.3
      sourceRef:
        kind: HelmRepository
        name: bjw-s-charts
        namespace: flux-system
  dependsOn:
    - name: ingress-nginx
      namespace: networking
    - name: csi-driver-smb
      namespace: kube-system
    - name: longhorn
      namespace: longhorn-system
  values:
    controllers:
      main:
        containers:
          main:
            image:
              repository: ghcr.io/jellyfin/jellyfin
              tag: 10.10.7@sha256:e4d1dc5374344446a3a78e43dd211247f22afba84ea2e5a13cbe1a94e1ff2141
    service:
      main:
        controller: main
        ports:
          http:
            port: 8096
    ingress:
      main:
        # Internal class (nginx), so no external-dns target is set for this host.
        className: "nginx"
        annotations:
          kubernetes.io/tls-acme: "true"
          # Authelia forward-auth in front of Jellyfin's own login.
          nginx.ingress.kubernetes.io/auth-url: http://authelia.networking.svc.cluster.local/api/authz/auth-request
          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN}
        hosts:
          - host: jellyfin.${SECRET_DOMAIN}
            paths:
              - path: /
                service:
                  identifier: main
                  port: http
        tls:
          - secretName: jellyfin-tls
            hosts:
              - jellyfin.${SECRET_DOMAIN}
    persistence:
      config:
        existingClaim: jellyfin-config
        globalMounts:
          - path: "/config"
      output:
        existingClaim: jellyfin-media
        globalMounts:
          - path: "/media"
      # Scratch space on node-local emptyDir; no size limit is set here.
      transcode:
        enabled: true
        type: emptyDir
        globalMounts:
          - path: /transcode
      cache:
        enabled: true
        type: emptyDir
        globalMounts:
          - path: /cache
--------------------------------------------------------------------------------
/apps/jellyfin/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - pvc-jellyfin-config.yaml
  - pvc-jellyfin-media.yaml
  - hr-jellyfin.yaml
--------------------------------------------------------------------------------
/apps/jellyfin/pvc-jellyfin-config.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jellyfin-config
spec:
  storageClassName: longhorn-backup
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 4Gi
--------------------------------------------------------------------------------
/apps/jellyfin/pvc-jellyfin-media.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: jellyfin-static-pv
spec:
  capacity:
    storage: 250Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: smb
  # World-readable/writable inside the pod; the share's own ACLs are the only control.
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
  csi:
    driver: smb.csi.k8s.io
    volumeHandle: jellyfin-smb-volume
    volumeAttributes:
      source: "${SECRET_CIFS_SHARE}/media"
    nodeStageSecretRef:
      name: smb-secrets
      namespace: kube-system
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jellyfin-media
spec:
  volumeName: jellyfin-static-pv
  storageClassName: smb
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 250Gi
--------------------------------------------------------------------------------
/apps/jellyseerr/hr-jellyseerr.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: jellyseerr
spec:
  interval: 5m
  chart:
    spec:
      chart: app-template
      version: 3.7.3
      sourceRef:
        kind: HelmRepository
        name: bjw-s-charts
        namespace: flux-system
  dependsOn:
    - name: ingress-nginx
      namespace: networking
    - name: csi-driver-smb
      namespace: kube-system
    - name: longhorn
      namespace: longhorn-system
  values:
    controllers:
      main:
        containers:
          main:
            image:
              # Docker Hub image (no registry prefix); pinned by digest.
              repository: fallenbagel/jellyseerr
              tag: 2.5.2@sha256:2a611369ad1d0d501c2d051fc89b6246ff081fb4a30879fdc75642cf6a37b1a6
    service:
      main:
        controller: main
        ports:
          http:
            port: 5055
    ingress:
      main:
        className: "nginx"
        annotations:
          kubernetes.io/tls-acme: "true"
          nginx.ingress.kubernetes.io/auth-url: http://authelia.networking.svc.cluster.local/api/authz/auth-request
          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN}
        hosts:
          - host: jellyseerr.${SECRET_DOMAIN}
            paths:
              - path: /
                service:
                  identifier: main
                  port: http
        tls:
          - secretName: jellyseerr-tls
            hosts:
              - jellyseerr.${SECRET_DOMAIN}
    persistence:
      config:
        existingClaim: jellyseerr-config
        globalMounts:
          - path: "/app/config"
--------------------------------------------------------------------------------
/apps/jellyseerr/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - pvc-jellyseerr-config.yaml
  - hr-jellyseerr.yaml
--------------------------------------------------------------------------------
/apps/jellyseerr/pvc-jellyseerr-config.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jellyseerr-config
spec:
  storageClassName: longhorn-backup
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--------------------------------------------------------------------------------
/apps/kube-prometheus-stack/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # Grafana admin and OAuth client credentials are SOPS-encrypted at rest in git.
  - secret-grafana.sops.yaml
  - hr-kube-prometheus-stack.yaml
configMapGenerator:
  - name: flux-kube-state-metrics-config
    files:
      - kube-state-metrics-config.yaml=flux-kube-state-metrics-config.yaml
generatorOptions:
  disableNameSuffixHash: true
--------------------------------------------------------------------------------
/apps/kube-prometheus-stack/prometheus-rules/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - postgresql-rules.yaml
  - redis-rules.yaml
  - node-rules.yaml
--------------------------------------------------------------------------------
/apps/kube-prometheus-stack/secret-grafana.sops.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: grafana-secrets
stringData:
  admin-user: ENC[AES256_GCM,data:wXYtuqU=,iv:DJj54GSTn2gQ7WIkabGlI30xRfQpv6uip40lS9Vo2gM=,tag:5VAzmLdzbSfKll1/Ig+7MQ==,type:str]
  admin-password: ENC[AES256_GCM,data:RdhBMEtYr4HetVnJbHr3VhENAG8u,iv:s/Y2K9aDKBtzHzLijY4EYq5ql62kX9Qe+l+o348wry8=,tag:CtCpv/i9f5yMoa2zSoHQZg==,type:str]
  GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:Q10kgJ3KIC6m8Kwrei+wV/Z98c9CX/x4leGzMp0TvtYGEEZKtBz9V01RUYhttpVKTHEJvw3wSObd1RUENuVLx3cgOb1rUM6x,iv:om2JMyvywYMEV8rAqFvJZfN7JDH2R9yjITnUoVSsk3A=,tag:CsTYeRP7iftNWEVB+H8gDQ==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMzRVTG1MT3ltNHFiR0dn
        bzFDNytFUzM5N0RQNzVrLzlBZFg0NDdnakd3CmFzcHlKN0QzWUt4L3pveFBITHNB
        NzBQaEtzd0V0d3ExRnpqRis2c055NWcKLS0tIG56Y3owdVBGL1ZIaVVtMzBaM2sy
        cVlBMnhOQ1NZdEsvaWJ4cFQ3VzM2OU0K+l918LTVkQ3MsQbhJBDq5J00FrBMVBhN
        8wfY9f4IkV3xBlQFccTOECJTLUfr5FReSD4tXP6mtmfHUvs+RSTbUw==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-08-07T19:23:38Z"
  mac: ENC[AES256_GCM,data:+gkvrS+vvWYsnc048etH9/Qp1yIt9kEkLNhGlAfzHxehovPz7Mp4Cn0h031nL29gmumtbYMJJlmLL2uUq4PhgvBZxutObvXcg8w5KA1+ANLQrdif4QBaN7FDezp4KOjdVtFiJMrnt8jdGCXXfb+GEn+liNd7+RQv4+QnAJ2zCL8=,iv:VCsQTgK6GquUVoLNKNpDo/T//ML/9ki/jtf0GMXS/Vk=,tag:2NTpR1I4XS+/yAXOXph2YA==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.9.0
--------------------------------------------------------------------------------
/apps/kube-vip/ds-kube-vip.yaml:
--------------------------------------------------------------------------------
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-vip
  labels:
    app.kubernetes.io/instance: kube-vip
    app.kubernetes.io/name: kube-vip
spec:
  selector:
    matchLabels:
      app.kubernetes.io/instance: kube-vip
      app.kubernetes.io/name: kube-vip
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: kube-vip
        app.kubernetes.io/name: kube-vip
    spec:
      containers:
        - name: kube-vip
          # Pinned by digest.
          image: ghcr.io/kube-vip/kube-vip:v0.9.1@sha256:37036d0f81745c4a5948abd069006264b699b3a98d26aadb24e63f86b7a3fdef
          imagePullPolicy: IfNotPresent
          args:
            - manager
          env:
            - name: vip_arp
              value: "true"
            - name: vip_interface
              value: eth0
            - name: port
              value: "6443"
            - name: vip_subnet
              value: "32"
            # Control-plane VIP only; service load balancing is switched off here.
            - name: cp_enable
              value: "true"
            - name: cp_namespace
              value: kube-system
            - name: svc_enable
              value: "false"
            - name: address
              value: ${KUBEVIP_ADDRESS}
          # Host-level privileges: ARP announcements on the node interface need these.
          # Combined with hostNetwork below, a compromise of this pod is a compromise
          # of the node's network stack, so keep it confined to the control plane.
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
                - NET_RAW
                - SYS_TIME
      hostNetwork: true
      serviceAccountName: kube-vip
      nodeSelector:
        node-role.kubernetes.io/master: "true"
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
--------------------------------------------------------------------------------
/apps/kube-vip/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - rbac-kube-vip.yaml
  - ds-kube-vip.yaml
--------------------------------------------------------------------------------
/apps/kube-vip/rbac-kube-vip.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
metadata:
  # No namespace set here; the binding below assumes kube-system — presumably
  # applied by the parent Kustomization.
  name: kube-vip
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: system:kube-vip-role
rules:
  # NOTE(review): cluster-wide update on services and nodes. With svc_enable
  # "false" in the DaemonSet, check whether the services/services-status grants
  # are still needed; trimming them narrows what a compromised pod could change.
  - apiGroups: [""]
    resources: ["services", "services/status", "nodes"]
    verbs: ["list","get","watch", "update"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["list", "get", "watch", "update", "create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system:kube-vip-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-vip-role
subjects:
  - kind: ServiceAccount
    name: kube-vip
    namespace: kube-system
--------------------------------------------------------------------------------
/apps/kured/hr-kured.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: kured
spec:
  interval: 5m
  chart:
    spec:
      chart: kured
      version: 5.6.1
      sourceRef:
        kind: HelmRepository
        name: kubereboot-charts
        namespace: flux-system
      interval: 5m
  dependsOn:
    - name: kube-prometheus-stack
      namespace: monitoring
  values:
    updateStrategy: RollingUpdate
    configuration:
      # Plain-http, in-cluster Prometheus query used to decide whether a reboot is safe.
      prometheusUrl: "http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090"
      # NOTE(review): kured treats alerts matching this regexp as ignorable; any
      # other firing alert is expected to hold the reboot back — confirm this is
      # the intended direction of the filter.
      alertFilterRegexp: "^(HostRequiresReboot|Watchdog)$"
      alertFiringOnly: true
      # Host reboot from inside the pod; this release therefore needs host-level access.
      rebootCommand: "/usr/bin/systemctl reboot"
      lockReleaseDelay: 30m
    tolerations:
      - effect: NoSchedule
        operator: Exists
      - effect: NoExecute
        operator: Exists
    metrics:
      create: true
--------------------------------------------------------------------------------
/apps/kured/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-kured.yaml
--------------------------------------------------------------------------------
/apps/linkwarden/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-linkwarden.yaml
  - hr-postgresql.yaml
  - secret-linkwarden.sops.yaml
  - pvc-linkwarden.yaml
  - pvc-postgresql.yaml
--------------------------------------------------------------------------------
/apps/linkwarden/pvc-linkwarden.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: linkwarden-data
spec:
  storageClassName: longhorn-backup
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 4Gi
--------------------------------------------------------------------------------
/apps/linkwarden/pvc-postgresql.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: linkwarden-postgresql
spec:
  storageClassName: longhorn-backup
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 4Gi
--------------------------------------------------------------------------------
/apps/linkwarden/secret-linkwarden.sops.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: linkwarden
stringData:
  NEXTAUTH_SECRET: ENC[AES256_GCM,data:QydkXf5haop+EKSIRBSgyaKm3ou1km5ExRzUskAngBF12DXrKs+X3Q==,iv:TJjxcaqMQqbAJrqOJU2MPpl+ch2bYEwpKxhfjE49GBQ=,tag:10pM606zE+8twUaaEH6XGA==,type:str]
  AUTHELIA_CLIENT_ID: ENC[AES256_GCM,data:/OZvKIQ0XoIPMdI6s34lgabmhIUzazeZ3v+WNYduTFSAOW4EquaGs53kzmpRlouZNifFLF4/bGWgFlHAsLstaczjR3ts/sVd,iv:vXYX3lB08c97rcptptbK0DSERQu9jqMyrGD6G+dFZQo=,tag:Bm1PnlLVGrSwR4tzFVbduA==,type:str]
  AUTHELIA_CLIENT_SECRET: ENC[AES256_GCM,data:I0dlN6AdFZimkT5Y+XAzgrvyyetgljSzRrOZRfuU1C2Ukd3zu0SH9Puvmoy2Ri9tKJ257/oA1+GOOdaXRo9ab7Lw1dnxwDix,iv:w1VbdivZPC5S2KzL09VMoUkz5xAJP3+u5J474Tnvd3U=,tag:BATDAk2cSlgZeSB6XkZpVg==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHOHJPK1Y1cG4wVXJmZ2g4
        TWFvcE1iQ3puYTd5ZDRsU2xvSkZYTjFKdjJFCnlRN21hQVN1TC9zZmY4c0FCVEFL
        S1QvbDRRbmF3SXNGcWg1UGVCMWVNSEUKLS0tIFc0UTEzRkkxZkJJcDRXbUU3SU1u
        cFJXSzljZS80VXdpOFFTWjhZcFVUL2MK0ydxzET5Buks7vx6U8KlR9npyPze4J+A
        zk8cccU9VyzVyDW5K4cLixGzo9zRoHpWQ52pIE7L6Qc6+nF45L2f6A==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-12-04T17:58:43Z"
  mac: ENC[AES256_GCM,data:x5OycaICqSTi0bbYuv3rRnzeQmTudDC7ifShCuc3zz0Ws/qgmrv8hBastDNQGKLqGdIVm2f2QBKpJrM0pDBc6DopLe8hGIs4AEyVDseelQaw4MsIcA8HPEjmLD6UX3dFt9vupBhTHSgFBl96BgFW1eELkeHFA8ajZWPLOqrghas=,iv:4g0ShJmBDJcDPPUR4tjRe/EvHs1Z3fvZbB7tbLxu3ec=,tag:VUaG1OKPLBF1uIUwMcIhJg==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.9.1
--------------------------------------------------------------------------------
/apps/local-path-provisioner/hr-local-path-provisioner.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: local-path-provisioner
spec:
  interval: 5m
  chart:
    spec:
      # Chart pulled from a git source rather than a Helm repository; the
      # GitRepository's ref/verification settings (not shown here) decide what
      # actually gets installed.
      chart: deploy/chart/local-path-provisioner
      version: 0.0.25
      sourceRef:
        kind: GitRepository
        name: local-path-provisioner-charts
        namespace: flux-system
  values:
    storageClass:
      # NOTE(review): makes node-local storage the cluster default; a PVC that
      # omits storageClassName lands on a single node's disk rather than on Longhorn.
      defaultClass: true
--------------------------------------------------------------------------------
/apps/local-path-provisioner/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-local-path-provisioner.yaml
--------------------------------------------------------------------------------
/apps/loki/cm-datasource.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: loki-datasource
  labels:
    grafana_datasource: "1"
data:
  datasource.yaml: |
    apiVersion: 1
    datasources:
      - name: Loki
        type: loki
        access: proxy
        url: http://loki-gateway:80
        version: 1
        isDefault: false
--------------------------------------------------------------------------------
/apps/loki/hr-loki.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: loki
spec:
  interval: 5m
  chart:
    spec:
      chart: loki
      version: 6.30.1
      sourceRef:
        kind: HelmRepository
        name: grafana-charts
        namespace: flux-system
      interval: 5m
  dependsOn:
    - name: longhorn
      namespace: longhorn-system
    - name: kube-prometheus-stack
      namespace: monitoring
  values:
    deploymentMode: SingleBinary
    loki:
      image:
        repository: grafana/loki
        tag: 3.5.1@sha256:a74594532eec4cc313401beedc4dd2708c43674c032084b1aeb87c14a5be1745
      # NOTE(review): no tenant auth on the Loki API; anything that can reach
      # loki-gateway in-cluster can read and write logs. Nothing in this
      # directory adds a NetworkPolicy.
      auth_enabled: false
      storage:
        type: filesystem
      schemaConfig:
        configs:
          - from: "2024-04-01"
            object_store: filesystem
            store: tsdb
            schema: v13
            index:
              prefix: index_
              period: 24h
      commonConfig:
        replication_factor: 1
      limits_config:
        # NOTE(review): 7 days is short for incident reconstruction; also confirm
        # compactor retention is actually enabled so this limit is enforced and
        # not just declared.
        retention_period: 7d
      rulerConfig:
        alertmanager_url: http://kube-prometheus-stack-alertmanager:9093
    write:
      replicas: 0
    read:
      replicas: 0
    backend:
      replicas: 0
    singleBinary:
      replicas: 1
      persistence:
        size: 8Gi
        storageClass: longhorn-xfs
    test:
      enabled: false
    monitoring:
      selfMonitoring:
        enabled: false
      lokiCanary:
        enabled: false
    resultsCache:
      enabled: false
    chunksCache:
      enabled: false
    # extraObjects:
    # - apiVersion: v1
    #   kind: ConfigMap
    #   metadata:
    #     name: loki-alerting-rules
    #   data:
    #     loki-alerting-rules.yaml: |-
    #       groups:
    #         #
    #         # PostgreSQL
    #         #
    #         - name: postgresql
    #           rules:
    #             - alert: PostgreSQLReadOnlyFS
    #               expr: sum by (app) (count_over_time({app_kubernetes_io_name="postgresql"} |~ "Read-only file system"[2m])) > 0
    #               for: 0m
    #               labels:
    #                 severity: critical
    #                 category: logs
    #               annotations:
    #                 summary: "PostgreSQL has read-only file system"
--------------------------------------------------------------------------------
/apps/loki/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - cm-dashboard.yaml
  - cm-datasource.yaml
  - hr-loki.yaml
--------------------------------------------------------------------------------
/apps/longhorn/configs/backup-daily.yaml:
--------------------------------------------------------------------------------
---
apiVersion: longhorn.io/v1beta2
kind: RecurringJob
metadata:
  name: backup-daily
spec:
  name: backup-daily
  cron: "0 6 * * *"
  task: "backup"
  retain: 14
  concurrency: 1
-------------------------------------------------------------------------------- /apps/longhorn/configs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - backup-daily.yaml 6 | - snapshot-6h.yaml 7 | -------------------------------------------------------------------------------- /apps/longhorn/configs/snapshot-6h.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: longhorn.io/v1beta2 3 | kind: RecurringJob 4 | metadata: 5 | name: snapshot-6h 6 | spec: 7 | name: snapshot-6h 8 | cron: "0 */6 * * *" 9 | task: "snapshot" 10 | retain: 8 11 | concurrency: 2 12 | -------------------------------------------------------------------------------- /apps/longhorn/hr-longhorn.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: longhorn 6 | spec: 7 | interval: 5m 8 | timeout: 15m 9 | chart: 10 | spec: 11 | chart: longhorn 12 | version: 1.9.0 13 | sourceRef: 14 | kind: HelmRepository 15 | name: longhorn-charts 16 | namespace: flux-system 17 | install: 18 | crds: CreateReplace 19 | upgrade: 20 | crds: CreateReplace 21 | dependsOn: 22 | - name: minio 23 | namespace: selfhosted 24 | values: 25 | persistence: 26 | defaultClass: true 27 | defaultClassReplicaCount: 3 28 | reclaimPolicy: Delete 29 | recurringJobSelector: 30 | enable: false 31 | removeSnapshotsDuringFilesystemTrim: enabled 32 | dataEngine: v1 33 | ingress: 34 | enabled: true 35 | ingressClassName: nginx-external 36 | annotations: 37 | external-dns.alpha.kubernetes.io/target: "${SECRET_GATEWAY}" 38 | kubernetes.io/tls-acme: "true" 39 | nginx.ingress.kubernetes.io/auth-url: http://authelia.networking.svc.cluster.local/api/authz/auth-request 40 | nginx.ingress.kubernetes.io/auth-signin: 
https://auth.${SECRET_DOMAIN} 41 | host: longhorn.${SECRET_DOMAIN} 42 | tls: true 43 | tlsSecret: longhorn-tls 44 | defaultSettings: 45 | storageOverProvisioningPercentage: 100 46 | storageMinimalAvailablePercentage: 10 47 | defaultLonghornStaticStorageClass: longhorn-backup 48 | restoreVolumeRecurringJobs: true 49 | nodeDownPodDeletionPolicy: delete-both-statefulset-and-deployment-pod 50 | autoCleanupSystemGeneratedSnapshot: true 51 | autoCleanupRecurringJobBackupSnapshot: true 52 | concurrentAutomaticEngineUpgradePerNodeLimit: 1 53 | orphanResourceAutoDeletion: replica-data 54 | snapshotDataIntegrity: enabled 55 | snapshotDataIntegrityImmediateCheckAfterSnapshotCreation: false 56 | snapshotDataIntegrityCronjob: "0 4 * * *" 57 | fastReplicaRebuildEnabled: true 58 | removeSnapshotsDuringFilesystemTrim: true 59 | v1DataEngine: true 60 | v2DataEngine: false 61 | allowCollectingLonghornUsageMetrics: false 62 | freezeFilesystemForSnapshot: true 63 | autoCleanupSnapshotWhenDeleteBackup: true 64 | autoCleanupSnapshotAfterOnDemandBackupCompleted: true 65 | rwxVolumeFastFailover: true 66 | defaultBackupStore: 67 | backupTarget: s3://longhorn@us-east-1/ 68 | backupTargetCredentialSecret: longhorn-system-secrets 69 | -------------------------------------------------------------------------------- /apps/longhorn/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns-longhorn.yaml 6 | - secret-longhorn-system.sops.yaml 7 | - hr-longhorn.yaml 8 | - sc-longhorn.yaml 9 | -------------------------------------------------------------------------------- /apps/longhorn/monitoring/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - service-monitor.yaml 6 | - prometheus-rules.yaml 7 | 
-------------------------------------------------------------------------------- /apps/longhorn/monitoring/service-monitor.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: ServiceMonitor 3 | metadata: 4 | name: longhorn-prometheus-servicemonitor 5 | labels: 6 | name: longhorn-prometheus-servicemonitor 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: longhorn-manager 11 | namespaceSelector: 12 | matchNames: 13 | - longhorn-system 14 | endpoints: 15 | - port: manager 16 | -------------------------------------------------------------------------------- /apps/longhorn/ns-longhorn.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: longhorn-system 6 | labels: 7 | goldilocks.fairwinds.com/enabled: "true" 8 | pod-security.kubernetes.io/enforce: privileged 9 | -------------------------------------------------------------------------------- /apps/longhorn/sc-longhorn.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: StorageClass 3 | apiVersion: storage.k8s.io/v1 4 | metadata: 5 | name: longhorn-backup 6 | provisioner: driver.longhorn.io 7 | allowVolumeExpansion: true 8 | parameters: 9 | numberOfReplicas: "3" 10 | staleReplicaTimeout: "2880" # 48 hours in minutes 11 | fromBackup: "" 12 | fsType: "ext4" 13 | recurringJobSelector: '[ { "name":"snapshot-6h", "isGroup":false }, { "name":"backup-daily", "isGroup":false } ]' 14 | --- 15 | kind: StorageClass 16 | apiVersion: storage.k8s.io/v1 17 | metadata: 18 | name: longhorn-xfs 19 | provisioner: driver.longhorn.io 20 | allowVolumeExpansion: true 21 | parameters: 22 | numberOfReplicas: "3" 23 | staleReplicaTimeout: "2880" # 48 hours in minutes 24 | fromBackup: "" 25 | fsType: "xfs" 26 | -------------------------------------------------------------------------------- 
/apps/longhorn/secret-longhorn-system.sops.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: longhorn-system-secrets 5 | stringData: 6 | AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:0lgNWxX7s7c=,iv:MCvFfbi5T4cax4qpjoFwTTIoGxftY7Rd3dS62pPsIWs=,tag:U292aN+pstcduqWQKKY2Kg==,type:str] 7 | AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:vn8VLF6RDrUjNlJHf8FTWSmZRycbmQzklk70+3E9B6G7H7xPLnoS7A==,iv:/EOTHi0dNVR62ZNK1ky+FZ9HYsojfdZBOFS0kvpcEps=,tag:1i0I4aRqKdiyaJ+ugDLYFw==,type:str] 8 | AWS_ENDPOINTS: ENC[AES256_GCM,data:Uhq/2iaikuBrUWbfw3zmTsk0jVm6yQ8BmaQZxA==,iv:SwIj57X1855Gg/b9KGXMKMQnZW6PzQJgPb9bEqT4OTk=,tag:S4bqI1DrrE4Cri1AlcqWAQ==,type:str] 9 | sops: 10 | kms: [] 11 | gcp_kms: [] 12 | azure_kv: [] 13 | hc_vault: [] 14 | age: 15 | - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6 16 | enc: | 17 | -----BEGIN AGE ENCRYPTED FILE----- 18 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UWQyRlpBUnhVdmx4ZWtJ 19 | QVhpQjZqQlpnWHVDak1uRzRrTzBPQVZaaEh3CjdtQW9SdG9LcGxuR2JScHFUd0Z1 20 | NFVjMVMwYnl2SHowR3FxYzVLcXNwM3MKLS0tIHNDU1l5WFhLZmFrRk05bVJHTXlQ 21 | OXV5NUJIeEZTWW9iWGNtM2ZEN05tUWcKb7sY2AW6+9Js0H/v7TJLa1C7ox7Lko/x 22 | DCwgNdC9Rk1alhpPuOMXyZzmPudsjbiiL0KdO5MmOYf1X51YeQ8hGg== 23 | -----END AGE ENCRYPTED FILE----- 24 | lastmodified: "2024-07-19T16:24:42Z" 25 | mac: ENC[AES256_GCM,data:XcYkS3u1Occr7m5MgRy3nHz4X1SJm8vs6x8q5c0yVFmOTQeCbrxnekZVGRnEiTBLcDqbhw0aeGFE9s22sl0XVYXZdhshlWgHWRhhMPhPU/5aRYwHUnh2GC/Db1oW6iO22ylFtZ1620pWSEv3Rw7TaOfNlQ5ylLPdsYfowimxoZE=,iv:oEr/X7/xQzYKHzve6ETh1hIHJwXF+qLYPMeURegUwEM=,tag:G1NQJigccmScAk1CIqYynQ==,type:str] 26 | pgp: [] 27 | encrypted_regex: ^(data|stringData)$ 28 | version: 3.8.1 29 | -------------------------------------------------------------------------------- /apps/memos/hr-memos.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: 
HelmRelease 4 | metadata: 5 | name: memos 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | chart: app-template 11 | version: 3.7.3 12 | sourceRef: 13 | kind: HelmRepository 14 | name: bjw-s-charts 15 | namespace: flux-system 16 | dependsOn: 17 | - name: ingress-nginx-external 18 | namespace: networking 19 | - name: longhorn 20 | namespace: longhorn-system 21 | - name: memos-postgresql 22 | values: 23 | controllers: 24 | main: 25 | containers: 26 | main: 27 | image: 28 | repository: ghcr.io/usememos/memos 29 | tag: 0.24.4@sha256:c6defc2dfb98fb97f78d86f94efb1464c959653cadf5123e1d4ad7452aefb973 30 | env: 31 | MEMOS_PORT: "5230" 32 | MEMOS_DRIVER: postgres 33 | MEMOS_DSN: postgresql://memos:${SECRET_MEMOS_DB_PASSWORD}@memos-postgresql:5432/memos?sslmode=disable 34 | MEMOS_PUBLIC: false 35 | MEMOS_PASSWORD_AUTH: false 36 | probes: 37 | liveness: 38 | enabled: true 39 | readiness: 40 | enabled: true 41 | startup: 42 | enabled: true 43 | service: 44 | main: 45 | controller: main 46 | ports: 47 | http: 48 | port: 5230 49 | ingress: 50 | main: 51 | className: nginx-external 52 | annotations: 53 | external-dns.alpha.kubernetes.io/target: "${SECRET_GATEWAY}" 54 | kubernetes.io/tls-acme: "true" 55 | nginx.ingress.kubernetes.io/auth-url: http://authelia.networking.svc.cluster.local/api/authz/auth-request 56 | nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN} 57 | hosts: 58 | - host: memos.${SECRET_DOMAIN} 59 | paths: 60 | - path: / 61 | service: 62 | identifier: main 63 | port: http 64 | tls: 65 | - secretName: memos-tls 66 | hosts: 67 | - memos.${SECRET_DOMAIN} 68 | -------------------------------------------------------------------------------- /apps/memos/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - hr-memos.yaml 6 | - hr-postgresql.yaml 7 | - pvc-postgresql.yaml 
-------------------------------------------------------------------------------- /apps/memos/pvc-postgresql.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: memos-postgresql 6 | spec: 7 | storageClassName: longhorn-backup 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 4Gi 13 | -------------------------------------------------------------------------------- /apps/metallb/configs/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - metallb-ip-pool.yaml 6 | - metallb-l2-advertisement.yaml 7 | -------------------------------------------------------------------------------- /apps/metallb/configs/metallb-ip-pool.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: metallb.io/v1beta1 3 | kind: IPAddressPool 4 | metadata: 5 | name: l2-pool 6 | spec: 7 | addresses: 8 | - "${LB_IP_NGINX_INGRESS}/32" 9 | - "${LB_IP_NGINX_INGRESS_EXTERNAL}/32" 10 | - "${LB_IP_BIND_SVC}/32" 11 | - "${LB_IP_BLOCKY_SVC}/32" 12 | - "${LB_IP_SYNCTHING_SVC}/32" 13 | - "${LB_IP_SFTPGO_SVC}/32" 14 | -------------------------------------------------------------------------------- /apps/metallb/configs/metallb-l2-advertisement.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: metallb.io/v1beta1 3 | kind: L2Advertisement 4 | metadata: 5 | name: metallb-l2-advertisement 6 | spec: 7 | ipAddressPools: 8 | - l2-pool 9 | -------------------------------------------------------------------------------- /apps/metallb/hr-metallb.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | 
metadata: 5 | name: metallb 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | chart: metallb 11 | version: 0.14.9 12 | sourceRef: 13 | kind: HelmRepository 14 | name: metallb-charts 15 | namespace: flux-system 16 | install: 17 | crds: CreateReplace 18 | upgrade: 19 | crds: CreateReplace 20 | values: 21 | -------------------------------------------------------------------------------- /apps/metallb/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ns-metallb.yaml 6 | - hr-metallb.yaml 7 | -------------------------------------------------------------------------------- /apps/metallb/ns-metallb.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: metallb-system 6 | labels: 7 | goldilocks.fairwinds.com/enabled: "true" 8 | pod-security.kubernetes.io/enforce: privileged 9 | -------------------------------------------------------------------------------- /apps/metrics-server/hr-metrics-server.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: metrics-server 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | chart: metrics-server 11 | version: 3.12.2 12 | sourceRef: 13 | kind: HelmRepository 14 | name: metrics-server-charts 15 | namespace: flux-system 16 | interval: 5m 17 | dependsOn: 18 | - name: kube-prometheus-stack 19 | namespace: monitoring 20 | values: 21 | args: 22 | - --kubelet-insecure-tls 23 | - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname 24 | - --kubelet-use-node-status-port 25 | - --metric-resolution=15s 26 | metrics: 27 | enabled: true 28 | serviceMonitor: 29 | enabled: true 30 | 
-------------------------------------------------------------------------------- /apps/metrics-server/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - hr-metrics-server.yaml 6 | -------------------------------------------------------------------------------- /apps/minio/hr-minio.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: minio 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | chart: minio 11 | version: 5.4.0 12 | sourceRef: 13 | kind: HelmRepository 14 | name: minio-charts 15 | namespace: flux-system 16 | dependsOn: 17 | - name: csi-driver-smb 18 | namespace: kube-system 19 | values: 20 | image: 21 | repository: quay.io/minio/minio 22 | tag: RELEASE.2025-05-24T17-08-30Z@sha256:a616cd8f37758b0296db62cc9e6af05a074e844cc7b5c0a0e62176d73828d440 23 | rootUser: "${SECRET_MINIO_ACCESSKEY}" 24 | rootPassword: "${SECRET_MINIO_SECRETKEY}" 25 | mode: standalone 26 | replicas: 1 27 | resources: 28 | requests: 29 | memory: null 30 | persistence: 31 | enabled: true 32 | existingClaim: minio-data 33 | policies: 34 | - name: longhorn-policy 35 | statements: 36 | - resources: 37 | - 'arn:aws:s3:::longhorn' 38 | - 'arn:aws:s3:::longhorn/*' 39 | actions: 40 | - 's3:PutObject' 41 | - 's3:GetObject' 42 | - 's3:ListBucket' 43 | - 's3:DeleteObject' 44 | users: 45 | - accessKey: longhorn 46 | existingSecret: minio-secrets 47 | existingSecretKey: longhorn-accesskey 48 | policy: longhorn-policy 49 | buckets: 50 | - name: longhorn 51 | policy: none 52 | purge: false 53 | versioning: false 54 | objectlocking: false 55 | consoleIngress: 56 | enabled: false 57 | ingressClassName: nginx-external 58 | path: / 59 | hosts: 60 | - minio.${SECRET_DOMAIN} 61 | tls: 62 | - hosts: 63 | - minio.${SECRET_DOMAIN} 64 
| -------------------------------------------------------------------------------- /apps/minio/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - pvc-minio.yaml 6 | - hr-minio.yaml 7 | - secret-minio.sops.yaml 8 | -------------------------------------------------------------------------------- /apps/minio/pvc-minio.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolume 4 | metadata: 5 | name: minio-static-pv 6 | spec: 7 | capacity: 8 | storage: 10Gi 9 | accessModes: 10 | - ReadWriteOnce 11 | persistentVolumeReclaimPolicy: Retain 12 | storageClassName: smb 13 | mountOptions: 14 | - dir_mode=0777 15 | - file_mode=0777 16 | - uid=1000 17 | - gid=1000 18 | csi: 19 | driver: smb.csi.k8s.io 20 | volumeHandle: minio-smb-volume 21 | volumeAttributes: 22 | source: "${SECRET_CIFS_SHARE}/minio" 23 | nodeStageSecretRef: 24 | name: smb-secrets 25 | namespace: kube-system 26 | --- 27 | apiVersion: v1 28 | kind: PersistentVolumeClaim 29 | metadata: 30 | name: minio-data 31 | spec: 32 | volumeName: minio-static-pv 33 | storageClassName: smb 34 | accessModes: 35 | - ReadWriteOnce 36 | resources: 37 | requests: 38 | storage: 10Gi 39 | -------------------------------------------------------------------------------- /apps/minio/secret-minio.sops.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: minio-secrets 5 | stringData: 6 | longhorn-accesskey: ENC[AES256_GCM,data:ZUjllNys5CJ4uSxSfq66DWJjRe66uqX7Wncyhf5ZrcucZ+npiewsKw==,iv:Cf7re0tDRjrXizuVg7frtluQ/nEUJKCjnfbbcdyC9to=,tag:J+e+vZW7/VihaJMYm7unmA==,type:str] 7 | sops: 8 | kms: [] 9 | gcp_kms: [] 10 | azure_kv: [] 11 | hc_vault: [] 12 | age: 13 | - recipient: 
age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6 14 | enc: | 15 | -----BEGIN AGE ENCRYPTED FILE----- 16 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UWQyRlpBUnhVdmx4ZWtJ 17 | QVhpQjZqQlpnWHVDak1uRzRrTzBPQVZaaEh3CjdtQW9SdG9LcGxuR2JScHFUd0Z1 18 | NFVjMVMwYnl2SHowR3FxYzVLcXNwM3MKLS0tIHNDU1l5WFhLZmFrRk05bVJHTXlQ 19 | OXV5NUJIeEZTWW9iWGNtM2ZEN05tUWcKb7sY2AW6+9Js0H/v7TJLa1C7ox7Lko/x 20 | DCwgNdC9Rk1alhpPuOMXyZzmPudsjbiiL0KdO5MmOYf1X51YeQ8hGg== 21 | -----END AGE ENCRYPTED FILE----- 22 | lastmodified: "2024-07-19T16:24:32Z" 23 | mac: ENC[AES256_GCM,data:qgyXgeUcICufWt3z2NGl8xg78xqUai+jLaP5B05x3bmaKP3yum7ZL80DNZQVulc1vrvHZv3dtuQ76PAaoncISd+qK50iGvNGgw2TlkyOekZIaTRzcMbWhkWYI59MCI47/uRJfF51A13uiQJBOkR6Rzj0gGEa+vtFIkCYU/f2QJc=,iv:UDcjPGb6kBKKR9zRDea/T2mR/KoNSQXDWVj73+R9yzI=,tag:XKpJc7U7ePEu9QJWmY/tmA==,type:str] 24 | pgp: [] 25 | encrypted_regex: ^(data|stringData)$ 26 | version: 3.8.1 27 | -------------------------------------------------------------------------------- /apps/paperless-ngx/hr-redis.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: paperless-ngx-redis 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | chart: redis 11 | version: 21.1.11 12 | sourceRef: 13 | kind: HelmRepository 14 | name: bitnami-charts 15 | namespace: flux-system 16 | interval: 5m 17 | dependsOn: 18 | - name: kube-prometheus-stack 19 | namespace: monitoring 20 | - name: longhorn 21 | namespace: longhorn-system 22 | values: 23 | architecture: standalone 24 | master: 25 | persistence: 26 | enabled: true 27 | size: 1Gi 28 | metrics: 29 | enabled: true 30 | serviceMonitor: 31 | enabled: true 32 | auth: 33 | enabled: false 34 | -------------------------------------------------------------------------------- /apps/paperless-ngx/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - pvc-paperless-ngx.yaml 6 | - pvc-postgresql.yaml 7 | - hr-postgresql.yaml 8 | - hr-redis.yaml 9 | - hr-paperless-ngx.yaml 10 | -------------------------------------------------------------------------------- /apps/paperless-ngx/pvc-paperless-ngx.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolume 4 | metadata: 5 | name: paperless-ngx-static-pv 6 | spec: 7 | capacity: 8 | storage: 50Gi 9 | accessModes: 10 | - ReadWriteMany 11 | persistentVolumeReclaimPolicy: Retain 12 | storageClassName: smb 13 | mountOptions: 14 | - dir_mode=0770 15 | - file_mode=0660 16 | - uid=33 17 | - gid=33 18 | csi: 19 | driver: smb.csi.k8s.io 20 | volumeHandle: paperless-ngx-smb-volume 21 | volumeAttributes: 22 | source: "${SECRET_CIFS_SHARE}/paperless-ngx" 23 | nodeStageSecretRef: 24 | name: smb-secrets 25 | namespace: kube-system 26 | --- 27 | apiVersion: v1 28 | kind: PersistentVolumeClaim 29 | metadata: 30 | name: paperless-ngx-data 31 | spec: 32 | volumeName: paperless-ngx-static-pv 33 | storageClassName: smb 34 | accessModes: 35 | - ReadWriteMany 36 | resources: 37 | requests: 38 | storage: 50Gi 39 | -------------------------------------------------------------------------------- /apps/paperless-ngx/pvc-postgresql.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: paperless-ngx-postgresql 6 | spec: 7 | storageClassName: longhorn-backup 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 4Gi 13 | -------------------------------------------------------------------------------- /apps/pod-gateway-vpn/hr-pod-gateway.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | 
metadata: 5 | name: pod-gateway-vpn 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | chart: pod-gateway 11 | version: 6.5.1 12 | sourceRef: 13 | kind: HelmRepository 14 | name: angelnu-charts 15 | namespace: flux-system 16 | interval: 5m 17 | values: 18 | image: 19 | repository: ghcr.io/angelnu/pod-gateway 20 | tag: v1.13.0@sha256:a5b032e15f7570493977b330a5a86dcffebb807d35685ad803e47afb62d105f2 21 | DNS: ${POD_GATEWAY_VPN_VXLAN}.1 22 | routed_namespaces: 23 | - vpn 24 | settings: 25 | VXLAN_IP_NETWORK: ${POD_GATEWAY_VPN_VXLAN} 26 | VPN_INTERFACE: tun0 27 | VPN_BLOCK_OTHER_TRAFFIC: true 28 | VPN_TRAFFIC_PORT: "1194" 29 | NOT_ROUTED_TO_GATEWAY_CIDRS: "${NETWORK_K8S_CLUSTER_CIDR} ${NETWORK_K8S_SERVICE_CIDR}" 30 | VPN_LOCAL_CIDRS: "${POD_GATEWAY_VPN_VXLAN}.0/24 ${NETWORK_K8S_CLUSTER_CIDR} ${NETWORK_K8S_SERVICE_CIDR}" 31 | webhook: 32 | image: 33 | repository: ghcr.io/angelnu/gateway-admision-controller 34 | tag: v3.12.0@sha256:6f6ab596afd5fef0ca4648eadfb21cd37ba86fa5afa8b85edcc072976a61fbed 35 | addons: 36 | vpn: 37 | enabled: true 38 | type: gluetun 39 | gluetun: 40 | image: 41 | repository: qmcgaw/gluetun 42 | tag: v3.40.0@sha256:2b42bfa046757145a5155acece417b65b4443c8033fb88661a8e9dcf7fda5a00 43 | env: 44 | - name: FIREWALL 45 | value: "off" 46 | - name: DOT 47 | value: "off" 48 | envFrom: 49 | - secretRef: 50 | name: pod-gateway-vpn-secrets 51 | securityContext: 52 | capabilities: 53 | add: 54 | - NET_ADMIN 55 | networkPolicy: 56 | enabled: true 57 | egress: 58 | - to: 59 | - ipBlock: 60 | cidr: 0.0.0.0/0 61 | ports: 62 | # VPN traffic 63 | - port: 1194 64 | protocol: UDP 65 | - to: 66 | - ipBlock: 67 | cidr: ${NETWORK_K8S_CLUSTER_CIDR} 68 | - to: 69 | - ipBlock: 70 | cidr: ${NETWORK_K8S_SERVICE_CIDR} 71 | -------------------------------------------------------------------------------- /apps/pod-gateway-vpn/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 
3 | kind: Kustomization 4 | resources: 5 | - secret-pod-gateway.sops.yaml 6 | - hr-pod-gateway.yaml 7 | -------------------------------------------------------------------------------- /apps/pod-gateway-vpn/secret-pod-gateway.sops.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: pod-gateway-vpn-secrets 5 | stringData: 6 | VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:NEycfJv4Og==,iv:VjMOH7ro6eNXWmtYfT0Rxuxd5PwKjy1wAMUMHxEuLhI=,tag:Y/JulrY8XcLGwRkoob6tyQ==,type:str] 7 | OPENVPN_USER: ENC[AES256_GCM,data:bpQRXunpgii5HqLwLwQrpw==,iv:cxoUyD/smVTpkFVGhwWZKRUS47bXRLf7wxwO1YQrCwc=,tag:8W9SOWDrhVavuvoj69UGdQ==,type:str] 8 | SERVER_COUNTRIES: ENC[AES256_GCM,data:bAeGyrT0vY4r3wQ=,iv:XIcL9yB0n1HZUwU6ztTBm1N9WcfO5KZLr9PMKMWAuuQ=,tag:jYUB+2DNB8LflfDxKMGoXQ==,type:str] 9 | sops: 10 | kms: [] 11 | gcp_kms: [] 12 | azure_kv: [] 13 | hc_vault: [] 14 | age: 15 | - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6 16 | enc: | 17 | -----BEGIN AGE ENCRYPTED FILE----- 18 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQR0t5NGROMmpOekN6bDBP 19 | VFIzWXFndmE4b25kM1g2ZWRBejRQYXdidlUwCjQweDVvTXlQbndsK2RqSEdSTTZV 20 | YnVZU0VsOTBrNS9qZUVhRG5oK3pvYzAKLS0tIFlhUVZHc0owcUxkenEySTNpMlF3 21 | ZS9yWVdnT3dSZE1hTHl6Rm43OHVpTjgKMfst8CdNXSJEzcApuBLS3T8HhiKatseV 22 | lTgcgBJFyTjY88raW4Jmta21UR95EGJon+gjqQfuwwd9pZjuHyE24w== 23 | -----END AGE ENCRYPTED FILE----- 24 | lastmodified: "2023-10-24T15:23:20Z" 25 | mac: ENC[AES256_GCM,data:xw9kHksO3sj8WOJEfy5w4df+w5buZ3dSeScjg+djhjjAj5iZgAUrHUqhpISnwLuOcOt785nNTpe9PgfqqGfl/wi2FvmXEldmZGid8di327zPVZ6MFJ15aBtz58aDAU2yVD3MTofcVsUEBIYSG78gK9pOWY3hYKWSYjxpNSPjy1Q=,iv:UXO5oInviEfbJQUo71ORoqZkrmxfJfhoHWsZSb4CaHk=,tag:vQmt8h0kQR464xLlyPvgCQ==,type:str] 26 | pgp: [] 27 | encrypted_regex: ^(data|stringData)$ 28 | version: 3.7.3 29 | -------------------------------------------------------------------------------- /apps/promtail/hr-promtail.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: promtail 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | chart: promtail 11 | version: 6.17.0 12 | sourceRef: 13 | kind: HelmRepository 14 | name: grafana-charts 15 | namespace: flux-system 16 | interval: 5m 17 | dependsOn: 18 | - name: loki 19 | values: 20 | image: 21 | repository: grafana/promtail 22 | tag: 3.5.1@sha256:65bfae480b572854180c78f7dc567a4ad2ba548b0c410e696baa1e0fa6381299 23 | serviceMonitor: 24 | enabled: true 25 | tolerations: 26 | - effect: NoSchedule 27 | operator: Exists 28 | - effect: NoExecute 29 | operator: Exists 30 | -------------------------------------------------------------------------------- /apps/promtail/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - hr-promtail.yaml 6 | - prometheus-rules.yaml 7 | -------------------------------------------------------------------------------- /apps/qbittorrent/hr-qbittorrent.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: qbittorrent 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | chart: app-template 11 | version: 3.7.3 12 | sourceRef: 13 | kind: HelmRepository 14 | name: bjw-s-charts 15 | namespace: flux-system 16 | dependsOn: 17 | - name: ingress-nginx 18 | namespace: networking 19 | - name: csi-driver-smb 20 | namespace: kube-system 21 | - name: longhorn 22 | namespace: longhorn-system 23 | - name: pod-gateway-vpn 24 | namespace: networking 25 | values: 26 | controllers: 27 | main: 28 | containers: 29 | main: 30 | image: 31 | repository: ghcr.io/linuxserver/qbittorrent 32 | tag: 
5.1.0@sha256:dc7de5505e7bb806270c9d1ad2f13ad5861dffe02eaff09084624db6f3c1b64e 33 | env: 34 | WEBUI_PORT: 8080 35 | TORRENTING_PORT: 6881 36 | service: 37 | main: 38 | controller: main 39 | ports: 40 | http: 41 | port: 8080 42 | torrent: 43 | enabled: true 44 | port: 6881 45 | protocol: TCP 46 | ingress: 47 | main: 48 | className: "nginx" 49 | annotations: 50 | kubernetes.io/tls-acme: "true" 51 | nginx.ingress.kubernetes.io/auth-url: http://authelia.networking.svc.cluster.local/api/authz/auth-request 52 | nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN} 53 | hosts: 54 | - host: qb.${SECRET_DOMAIN} 55 | paths: 56 | - path: / 57 | service: 58 | identifier: main 59 | port: http 60 | tls: 61 | - secretName: qbittorrent-tls 62 | hosts: 63 | - qb.${SECRET_DOMAIN} 64 | persistence: 65 | config: 66 | existingClaim: qbittorrent-config 67 | globalMounts: 68 | - path: "/config" 69 | downloads: 70 | existingClaim: qbittorrent-downloads 71 | globalMounts: 72 | - path: "/downloads" 73 | -------------------------------------------------------------------------------- /apps/qbittorrent/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - pvc-qbittorrent-config.yaml 6 | - pvc-qbittorrent-downloads.yaml 7 | - hr-qbittorrent.yaml 8 | -------------------------------------------------------------------------------- /apps/qbittorrent/pvc-qbittorrent-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: qbittorrent-config 6 | spec: 7 | storageClassName: longhorn-backup 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | -------------------------------------------------------------------------------- /apps/qbittorrent/pvc-qbittorrent-downloads.yaml: 
--------------------------------------------------------------------------------
---
# Static SMB-backed PV for the downloads share; ${SECRET_CIFS_SHARE} is filled in by Flux
# postBuild substitution, the SMB credentials come from smb-secrets in kube-system.
# NOTE(review): dir_mode/file_mode 0777 make every file world-writable for any pod that mounts
# the share. If the app supports it, map uid=/gid= to the container user and use 0770 instead.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: qbittorrent-static-pv
spec:
  capacity:
    storage: 250Gi
  accessModes:
    - ReadWriteOnce
  # Retain: deleting the PVC never deletes data on the share.
  persistentVolumeReclaimPolicy: Retain
  storageClassName: smb
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
  csi:
    driver: smb.csi.k8s.io
    volumeHandle: qbittorrent-smb-volume
    volumeAttributes:
      source: "${SECRET_CIFS_SHARE}/downloads"
    nodeStageSecretRef:
      name: smb-secrets
      namespace: kube-system
---
# Claim bound explicitly to the static PV above (volumeName), so no dynamic provisioning.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: qbittorrent-downloads
spec:
  volumeName: qbittorrent-static-pv
  storageClassName: smb
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 250Gi
--------------------------------------------------------------------------------
/apps/radicale/cm-radicale.yaml:
--------------------------------------------------------------------------------
---
# Radicale server configuration, mounted read-only at /config/config by hr-radicale.yaml.
apiVersion: v1
kind: ConfigMap
metadata:
  name: radicale-config
data:
  # NOTE(review): htpasswd_encryption = plain means /config/users (the radicale-secrets
  # Secret) holds unhashed passwords. Radicale also accepts bcrypt for this setting; switching
  # requires re-hashing the users file, so it is left unchanged here. mask_passwords keeps
  # credentials out of the logs and delay = 1 throttles failed logins.
  config.cfg: |
    [server]
    hosts = 0.0.0.0:5232

    [auth]
    type = htpasswd
    htpasswd_filename = /config/users
    htpasswd_encryption = plain
    delay = 1
    realm = Password Required

    [storage]
    filesystem_folder = /data/collections

    [logging]
    level = info
    mask_passwords = True
--------------------------------------------------------------------------------
/apps/radicale/hr-radicale.yaml:
--------------------------------------------------------------------------------
---
# Radicale CalDAV/CardDAV via the bjw-s app-template chart, exposed on the external ingress.
# NOTE(review): the ingress uses Authelia forward-auth, but DAV clients cannot follow the
# auth-signin redirect; confirm the Authelia rule for radicale.${SECRET_DOMAIN} is not a
# host-wide bypass, because then only Radicale's own htpasswd check (plain, see cm-radicale)
# protects the service from the internet.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: radicale
spec:
  interval: 5m
  chart:
    spec:
      chart: app-template
      version: 3.7.3
      sourceRef:
        kind: HelmRepository
        name: bjw-s-charts
        namespace: flux-system
      interval: 5m
  dependsOn:
    - name: ingress-nginx-external
      namespace: networking
    - name: longhorn
      namespace: longhorn-system
  values:
    controllers:
      main:
        containers:
          app:
            image:
              repository: tomsquest/docker-radicale
              tag: 3.5.4.0@sha256:99a1145aafab55f211389a303a553109d06ff2c00f634847a52b8561bd01f172
            probes:
              liveness:
                enabled: true
              readiness:
                enabled: true
              startup:
                enabled: true
    service:
      main:
        controller: main
        ports:
          http:
            port: 5232
    ingress:
      main:
        className: "nginx-external"
        annotations:
          external-dns.alpha.kubernetes.io/target: "${SECRET_GATEWAY}"
          kubernetes.io/tls-acme: "true"
          nginx.ingress.kubernetes.io/auth-url: http://authelia.networking.svc.cluster.local/api/authz/auth-request
          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN}
        hosts:
          - host: radicale.${SECRET_DOMAIN}
            paths:
              - path: /
                service:
                  identifier: main
                  port: http
        tls:
          - secretName: radicale-tls
            hosts:
              - radicale.${SECRET_DOMAIN}
    persistence:
      # Config and the users file are projected read-only via subPath; only /data is writable.
      config:
        type: configMap
        name: radicale-config
        globalMounts:
          - path: /config/config
            subPath: config.cfg
            readOnly: true
      auth:
        type: secret
        name: radicale-secrets
        globalMounts:
          - path: /config/users
            subPath: users
            readOnly: true
      data:
        existingClaim: radicale
        globalMounts:
          - path: /data
--------------------------------------------------------------------------------
/apps/radicale/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-radicale.yaml
  - pvc-radicale.yaml
  - cm-radicale.yaml
  - secret-radicale.sops.yaml
--------------------------------------------------------------------------------
/apps/radicale/pvc-radicale.yaml:
--------------------------------------------------------------------------------
---
# Collections storage for Radicale on the longhorn-backup class.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: radicale
spec:
  storageClassName: longhorn-backup
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 4Gi
--------------------------------------------------------------------------------
/apps/radicale/secret-radicale.sops.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: radicale-secrets
stringData:
  users: ENC[AES256_GCM,data:tK4f+o4pVYcFGGdUgI5f5GbEhajY/g44CExH1QAPztQKQWdAM145iQ587Gz+iYueKA==,iv:DvScV59ZrSuPvd5tK5OZhi5QHeB6pv/X/WZl4U57KV0=,tag:6dLeTezld1aTmOCI83RaJw==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUcUp6Y003SzhmR3RzMDhN
        WjV5UVJuZkhCSys2QkdodkVpSEFudXB3eEdZCnlkMkRKNzlHSnNEVXZGRFo1SGFJ
        U2lqMUdEQ285ckdhQUN0SThISHpoNVkKLS0tIHAzZXcxWHlFUHM4N1NQNGtINDNG
        OXlqclVMckZjZ2doWjBWeFFDdStEUG8KHgfyuhjJ1CGASqnGLSIBO4A0hp8H3N5q
        /eWQ1TgnEvrNRySCBxn3ctPSRx8SxjCrSlYA2KmOu/e7Rob23ILK5w==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-06-26T16:10:18Z"
  mac: ENC[AES256_GCM,data:M5xJ2ZXGrQsyH+TBParmZU2Ne1QrjinYjUSOs1hiK7ur+quueO6NWcQNQE+C59hf4WNw6IAugsQk/ECaS7PX0MziRlzh19UBgu+wVCewutUWbOpTxxBucVmnrbQ1zFrtDxheaxBb5DX7gapfu3eNzwB4EbAkvj+RBRggZO/OBIg=,iv:2MwRaOxfnTleF9vCY6kSY1+oJ0m82fZuliXxKU+STpA=,tag:EBNEctlE3RpgFYvXD+G3PA==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.8.1
--------------------------------------------------------------------------------
/apps/rancher/configs/genericoidc.yaml:
--------------------------------------------------------------------------------
---
# Rancher generic-OIDC auth provider backed by Authelia (issuer auth.${SECRET_DOMAIN}).
# clientSecret is a namespace:name reference to the Secret below, not the secret value;
# clientId is the public OIDC client identifier.
# NOTE(review): accessMode: unrestricted admits every identity the issuer authenticates;
# allowedPrincipalIds only restricts logins under accessMode "required"/"restricted". Tighten
# this if Authelia serves more users than should be able to reach Rancher.
apiVersion: management.cattle.io/v3
kind: AuthConfig
metadata:
  name: genericoidc
  labels:
    cattle.io/creator: norman
  annotations:
    management.cattle.io/auth-provider-cleanup: unlocked
type: genericOIDCConfig
enabled: true
groupSearchEnabled: false
clientId: R4Fy_RAZUfHmPsCAWaD89Snt7wABRsD2IUTP3Xm0AxKbRWzBLIMqQNIpTvuLfKkC6_bvNagL
clientSecret: cattle-global-data:genericoidcconfig-clientsecret
scope: openid profile email
issuer: https://auth.${SECRET_DOMAIN}
authEndpoint: https://auth.${SECRET_DOMAIN}/api/oidc/authorization
tokenEndpoint: https://auth.${SECRET_DOMAIN}/api/oidc/token
userInfoEndpoint: https://auth.${SECRET_DOMAIN}/api/oidc/userinfo
rancherUrl: https://rancher.${SECRET_DOMAIN}/verify-auth
accessMode: unrestricted
allowedPrincipalIds:
  - genericoidc_user://e6ebe8b3-c196-4144-898a-c8b8f482819a
--------------------------------------------------------------------------------
/apps/rancher/configs/genericoidcconfig-clientsecret.sops.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: genericoidcconfig-clientsecret
stringData:
  clientsecret: ENC[AES256_GCM,data:m2xqvm+EKMj2qCVNLWpjSiLLrm84iu6WL0m0Hg0VQrnqlpKPhtb3b/kiOkPFgqnsZnU6+/YIpQ+JihLRE8G+Xdal9SevwVDy,iv:3F4SRNhmmqSSgNgMSYc9AKo6oD8j3Pq9675oSCCz5GU=,tag:Ho/rXRFqArcvgrnGbmsz9Q==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzOUhJVmh2ZmdmNFFxMmVq
        TG9WZ1Q5eUlDSFBjeklRbHZIc0NVWWN4MmswCmJyYlRab210MFlUNVhZSDN4a0JP
        VWtNQTZ2ZlA5Mm9XblVvd05IQ3JoeXMKLS0tIGtwL2Q5aitpNTZibHJSZjJrNURX
        azIrSlFqUzFkQnNJYzk0Wit1MStzVUEK1+ad20wS5iPFA/e2npNiRcARPIC7uJfz
        JO6NlLRa7K/rUXnA26WSWUIAABuVU77i9G/iGFtiGRM8qLHLVp6W7w==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-08-07T18:42:05Z"
  mac: ENC[AES256_GCM,data:svli2BgjNLdyIlScr9c3F9PT3IHne22PWU3y4LJgGox+SaneJdOony5e35o44Eu32eoDyo3wdhhkkoyeJYn+8w/kBPf1H6LvyrWGK7W+GtQo+N6YsHntO2+CbPPUtL0qAShThsKXqNvo2Waf0C5eRBFhYK863nk8269xNf3CSYY=,iv:De90P5PNnUTt72KdLYq7NI+eQa7lMWvyiB1d3ceirXY=,tag:YANgfixJbfbZ1ygUXpp9Mg==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.9.0
--------------------------------------------------------------------------------
/apps/rancher/configs/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Auth provider objects for Rancher; the client secret is sops-encrypted (only data/stringData
# are encrypted, metadata stays readable).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - local.yaml
  - genericoidc.yaml
  - genericoidcconfig-clientsecret.sops.yaml
--------------------------------------------------------------------------------
/apps/rancher/configs/local.yaml:
--------------------------------------------------------------------------------
---
# Rancher local (username/password) auth provider, disabled so OIDC is the only login path.
# NOTE(review): with local auth off, an Authelia outage removes the normal way in; confirm a
# documented break-glass procedure exists (e.g. re-enabling this object from inside the cluster).
apiVersion: management.cattle.io/v3
kind: AuthConfig
metadata:
  name: local
  labels:
    cattle.io/creator: norman
  annotations:
    management.cattle.io/auth-provider-cleanup: unlocked
type: localConfig
enabled: false
--------------------------------------------------------------------------------
/apps/rancher/hr-rancher.yaml:
--------------------------------------------------------------------------------
---
# Rancher on the external ingress, TLS terminated at nginx with the rancher-tls secret
# (requested via the tls-acme annotation). bootstrapPassword is filled from a substituted
# secret, not stored in git.
# NOTE(review): the forward-auth annotations cover every path on rancher.${SECRET_DOMAIN},
# including the Rancher API/kubectl proxy; confirm Authelia has a rule that lets token-based
# API clients through, otherwise they will be redirected to the signin page.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: rancher
spec:
  interval: 5m
  chart:
    spec:
      chart: rancher
      version: 2.11.2
      sourceRef:
        kind: HelmRepository
        name: rancher-latest
        namespace: flux-system
  dependsOn:
    - name: ingress-nginx-external
      namespace: networking
  values:
    replicas: 1
    hostname: rancher.${SECRET_DOMAIN}
    tls: ingress
    ingress:
      ingressClassName: nginx-external
      extraAnnotations:
        external-dns.alpha.kubernetes.io/target: "${SECRET_GATEWAY}"
        kubernetes.io/tls-acme: "true"
        nginx.ingress.kubernetes.io/auth-url: http://authelia.networking.svc.cluster.local/api/authz/auth-request
        nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN}
      tls:
        source: secret
        secretName: rancher-tls
    bootstrapPassword: "${SECRET_RANCHER_ADMIN_PASSWORD}"
--------------------------------------------------------------------------------
/apps/rancher/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns-cattle-system.yaml
  - hr-rancher.yaml
--------------------------------------------------------------------------------
/apps/rancher/ns-cattle-system.yaml:
--------------------------------------------------------------------------------
---
# Namespace for Rancher; the goldilocks label opts it in to VPA resource recommendations.
apiVersion: v1
kind: Namespace
metadata:
  name: cattle-system
  labels:
    goldilocks.fairwinds.com/enabled: "true"
--------------------------------------------------------------------------------
/apps/reloader/hr-reloader.yaml:
--------------------------------------------------------------------------------
---
# Stakater Reloader: restarts workloads when the ConfigMaps/Secrets they reference change.
# The "annotations" strategy triggers the rollout by editing a pod-template annotation rather
# than injecting an env var. Metrics scraping (podMonitor) is currently commented out.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: reloader
spec:
  interval: 5m
  chart:
    spec:
      chart: reloader
      version: 2.1.3
      sourceRef:
        kind: HelmRepository
        name: stakater-charts
        namespace: flux-system
  values:
    reloader:
      # podMonitor:
      #   enabled: true
      reloadStrategy: annotations
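--------------------------------------------------------------------------------
/apps/reloader/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-reloader.yaml
--------------------------------------------------------------------------------
/apps/restic/hr-restic.yaml:
--------------------------------------------------------------------------------
---
# Nightly restic backup of the SMB share mounted at /data into the repository configured by
# restic-secrets (RESTIC_REPOSITORY / RESTIC_PASSWORD / AWS_* env), run as a CronJob through
# the bjw-s app-template chart.
# NOTE(review): the same credentials run both `backup` and `forget --prune`, so anyone holding
# restic-secrets (or a compromised job pod) can delete backup history. A backend with
# object-lock / append-only semantics, or separate write-only credentials for the backup
# step, would limit that blast radius.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: restic
spec:
  interval: 5m
  chart:
    spec:
      chart: app-template
      version: 3.7.3
      sourceRef:
        kind: HelmRepository
        name: bjw-s-charts
        namespace: flux-system
  dependsOn:
    - name: metallb
      namespace: metallb-system
  values:
    controllers:
      main:
        type: cronjob
        containers:
          main:
            image:
              repository: ghcr.io/restic/restic
              tag: 0.18.0@sha256:c34f8216c1536fc6a1677d088b195b9353e0f1615c842407efefb84ed761c435
            # set -e: without it the shell ran `forget --prune` even after a failed backup and
            # the job exited with prune's status, hiding the failure from failedJobsHistory and
            # any alerting. A restic exit code 3 (some files unreadable) now also aborts the run,
            # which surfaces the problem instead of pruning on top of it.
            command:
              - /bin/sh
              - -c
              - |
                set -e
                restic backup /data --exclude="downloads/*" --exclude="media/*" --exclude="staging/*" --host k3s
                restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 3 --prune
            envFrom:
              - secretRef:
                  name: restic-secrets
        initContainers:
          init-repo:
            image:
              repository: ghcr.io/restic/restic
              tag: 0.18.0@sha256:c34f8216c1536fc6a1677d088b195b9353e0f1615c842407efefb84ed761c435
            # Initialise the repository only when it is not already readable. The previous
            # `restic init || true` masked every failure (bad credentials, unreachable backend),
            # leaving the main container to fail later with a less obvious error.
            command:
              - /bin/sh
              - -c
              - |
                set -e
                restic cat config >/dev/null 2>&1 || restic init
            envFrom:
              - secretRef:
                  name: restic-secrets
        cronjob:
          # Forbid overlapping runs; a missed window older than 30s is skipped rather than
          # run late on top of the next one.
          concurrencyPolicy: Forbid
          schedule: "0 0 * * *"
          startingDeadlineSeconds: 30
          successfulJobsHistory: 1
          failedJobsHistory: 1
          backoffLimit: 3
    persistence:
      data:
        existingClaim: restic-data
        # The backup only reads /data; mounting it read-only keeps a compromised job from
        # writing to the whole share (the PV itself is world-writable, see pvc-restic.yaml).
        globalMounts:
          - path: "/data"
            readOnly: true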
--------------------------------------------------------------------------------
/apps/restic/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-restic.yaml
  - pvc-restic.yaml
  - secret-restic.sops.yaml
--------------------------------------------------------------------------------
/apps/restic/pvc-restic.yaml:
--------------------------------------------------------------------------------
---
# Static SMB PV over the ROOT of the share ("${SECRET_CIFS_SHARE}/"), so the backup job sees
# everything on it. dir_mode/file_mode 0777 make the mount world-writable inside the pod;
# since the job only reads, a read-only mount on the consumer side is the cheaper mitigation.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: restic-static-pv
spec:
  capacity:
    storage: 1Ti
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: smb
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
  csi:
    driver: smb.csi.k8s.io
    volumeHandle: restic-smb-volume
    volumeAttributes:
      source: "${SECRET_CIFS_SHARE}/"
    nodeStageSecretRef:
      name: smb-secrets
      namespace: kube-system
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: restic-data
spec:
  volumeName: restic-static-pv
  storageClassName: smb
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Ti
--------------------------------------------------------------------------------
/apps/restic/secret-restic.sops.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: restic-secrets
stringData:
  RESTIC_REPOSITORY: ENC[AES256_GCM,data:EA6GswdsERIcu7dyZC/XEzeKFrJAXpYPMIWEykYoZWpSq+jcA3nxkjo=,iv:Fqk9N6fV5UARxcRHPPjiKknTj/2DHjyw4WwTNMGGS2U=,tag:3bZZnOwUB05pB3xwx+T7Fg==,type:str]
  RESTIC_PASSWORD: ENC[AES256_GCM,data:rxZDNgsCq9jdTEap/mri+YIXYXJMdPF3nY0NE9y+QmypapV72/cHmw==,iv:8mLNbDVkAoU+cB7E4gpbtA0mVUb9/4RLc/eMVbbWM58=,tag:k2iJpUFY8Cf5QVqFrGgqcg==,type:str]
  AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:BFgQPUCPZO/U01l5BB9vqsPor9c=,iv:pGkah95FqW2R8/oTS7D7xnvVtx6slowU7tfhk2PXcZE=,tag:kWrce19zwDDyce/KL9x63w==,type:str]
  AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:AN4lCiC2ptC4n7xqWq3wmCB93ihTs52HvoNPvICK0vKmxIzWIXzOFQ==,iv:JzX+9e+cfI6nacSZMvXrJoOojFC5gZgf8ht4cB7Z7RE=,tag:iMSknI1jRJqPXAMmo4J3DQ==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1cEMxT2E1bVhPeFY4NzYv
        TzVsY3RXaHdBN0RoSTE2eW94YW1OV0JKS2g4ClFwY3pITG83MGpwRVczUFZxVFR3
        dzVDMXQrZlk5Z0pyODZxclNmOEMwOEUKLS0tIHp1UWppeExmTjJMcHNGcGE1RUlL
        dlZnNzY2dUg0WW05RkhpOS9oOGJCQ2MKx9XT/zVTOkczwY9TiHUgk+OThfKs+xKQ
        FBLB4yZmKzig09Pc/8XMfOTAMvpLbu06be0QzNI8zahETyUw5KtspQ==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-09-25T09:11:03Z"
  mac: ENC[AES256_GCM,data:XmcoVMxFCEczxO1RibVF5mzl3Lz3J1s3Ywf7Yo7sBl8Q6tZLCsMRoZyOlCYhLHUyO8YclBrAZJA70dtlwFbuHXJ3mpg90KxWzWhetI6J52CRCiqCAj4nWwIw4u3u2sHYT7LmH++XTU9U9p5aCSapw+z+GfHpppXwlgdcHpOhdtw=,iv:o/IJggmKge9rM/8FaOHmViSsNO0T1ECroEbKNwuN368=,tag:cozIvuOspC65MKu9aWVy6Q==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.9.0
--------------------------------------------------------------------------------
/apps/sftpgo/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-sftpgo.yaml
  - pvc-sftpgo.yaml
--------------------------------------------------------------------------------
/apps/sftpgo/pvc-sftpgo.yaml:
--------------------------------------------------------------------------------
---
# Static SMB PV over the root of the share for SFTPGo (same pattern as pvc-restic.yaml).
# NOTE(review): 0777 dir/file modes give every file-transfer user write access to the whole
# share as seen by the pod; SFTPGo's own per-user virtual folders are the only boundary.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: sftpgo-static-pv
spec:
  capacity:
    storage: 1Ti
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: smb
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
  csi:
    driver: smb.csi.k8s.io
    volumeHandle: sftpgo-smb-volume
    volumeAttributes:
      source: "${SECRET_CIFS_SHARE}/"
    nodeStageSecretRef:
      name: smb-secrets
      namespace: kube-system
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sftpgo-data
spec:
  volumeName: sftpgo-static-pv
  storageClassName: smb
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Ti
--------------------------------------------------------------------------------
/apps/syncthing/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-syncthing.yaml
  - pvc-syncthing.yaml
--------------------------------------------------------------------------------
/apps/syncthing/pvc-syncthing.yaml:
--------------------------------------------------------------------------------
---
# Static SMB PV over the root of the share for Syncthing (same pattern and 0777 caveat as
# pvc-restic.yaml / pvc-sftpgo.yaml).
apiVersion: v1
kind: PersistentVolume
metadata:
  name: syncthing-static-pv
spec:
  capacity:
    storage: 1Ti
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: smb
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
  csi:
    driver: smb.csi.k8s.io
    volumeHandle: syncthing-smb-volume
    volumeAttributes:
      source: "${SECRET_CIFS_SHARE}/"
    nodeStageSecretRef:
      name: smb-secrets
      namespace: kube-system
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: syncthing-data
spec:
  volumeName: syncthing-static-pv
  storageClassName: smb
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Ti
--------------------------------------------------------------------------------
/apps/system-upgrade-controller/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Rancher system-upgrade-controller pulled straight from upstream at a release tag, with the
# controller image pinned by digest. A git tag can be moved upstream; pinning ?ref= to the
# commit SHA behind v0.15.2 would make the remote base immutable too.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - github.com/rancher/system-upgrade-controller?ref=v0.15.2
images:
  - name: rancher/system-upgrade-controller
    newTag: v0.15.2@sha256:3e899833afcea9a8788d384ce976df9a05be84636fe5c01ec2307b5bd8fe9810
# Adds the goldilocks opt-in label to the upstream namespace.
patches:
  - target:
      kind: Namespace
    patch: |
      apiVersion: v1
      kind: Namespace
      metadata:
        name: system-upgrade
        labels:
          goldilocks.fairwinds.com/enabled: "true"
--------------------------------------------------------------------------------
/apps/system-upgrade-controller/plans/agent-plan.yaml:
--------------------------------------------------------------------------------
---
# Upgrade plan for k3s agent (non-master) nodes, one node at a time, cordoned while upgrading.
# The prepare step ("prepare k3s-server") waits for the server plan to complete first so the
# control plane is upgraded before the agents. The renovate comment keeps `version` bumped
# automatically; the rancher/k3s-upgrade image carries no tag here — presumably the controller
# derives it from the plan version, confirm.
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: k3s-agent
spec:
  # renovate: datasource=github-releases depName=k3s-io/k3s
  version: v1.33.1+k3s1
  concurrency: 1
  serviceAccountName: system-upgrade
  nodeSelector:
    matchExpressions:
      - key: node-role.kubernetes.io/master
        operator: NotIn
        values:
          - "true"
  cordon: true
  prepare:
    image: rancher/k3s-upgrade
    args:
      - "prepare"
      - "k3s-server"
  upgrade:
    image: rancher/k3s-upgrade
--------------------------------------------------------------------------------
/apps/system-upgrade-controller/plans/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - server-plan.yaml
  - agent-plan.yaml
--------------------------------------------------------------------------------
/apps/system-upgrade-controller/plans/server-plan.yaml:
--------------------------------------------------------------------------------
---
# Upgrade plan for k3s server (master) nodes; tolerates CriticalAddonsOnly so the upgrade pod
# can be scheduled on the control plane. Same version source as agent-plan.yaml.
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: k3s-server
spec:
  # renovate: datasource=github-releases depName=k3s-io/k3s
  version: v1.33.1+k3s1
  concurrency: 1
  serviceAccountName: system-upgrade
  nodeSelector:
    matchExpressions:
      - key: node-role.kubernetes.io/master
        operator: In
        values:
          - "true"
  tolerations:
    - key: CriticalAddonsOnly
      operator: Exists
  cordon: true
  upgrade:
    image: rancher/k3s-upgrade
--------------------------------------------------------------------------------
/apps/tandoor-recipes/cm-nginx.yaml:
--------------------------------------------------------------------------------
---
# nginx config for the Tandoor static/media sidecar: listens on 8081 for any host name and
# serves the collected static files and user uploads from the shared volume.
# NOTE(review): /media/ (user uploads) is served by nginx with no authentication of its own;
# the Tandoor ingress is not in this file — confirm it sits behind Authelia like the others.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tandoor-nginx
data:
  nginx-config: |
    pid /tmp/nginx.pid;
    events {
      worker_connections 1024;
    }
    http {
      include mime.types;
      server {
        listen 8081;
        server_name _;

        client_max_body_size 16M;

        # serve static files
        location /static/ {
          alias /opt/recipes/staticfiles/;
        }

        # serve media files
        location /media/ {
          alias /opt/recipes/mediafiles/;
        }
      }
    }
--------------------------------------------------------------------------------
/apps/tandoor-recipes/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - pvc-postgresql.yaml
  - pvc-tandoor-recipes.yaml
  - hr-postgresql.yaml
  - hr-tandoor-recipes.yaml
  - cm-nginx.yaml
--------------------------------------------------------------------------------
/apps/tandoor-recipes/pvc-postgresql.yaml:
--------------------------------------------------------------------------------
---
# Database volume for Tandoor's PostgreSQL on the longhorn-backup class.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: tandoor-recipes-postgresql
spec:
  storageClassName: longhorn-backup
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 4Gi
--------------------------------------------------------------------------------
/apps/tandoor-recipes/pvc-tandoor-recipes.yaml:
--------------------------------------------------------------------------------
---
# Static/media volume shared between Tandoor and the nginx sidecar (see cm-nginx.yaml).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: tandoor-recipes-static
spec:
  storageClassName: longhorn-backup
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 4Gi
--------------------------------------------------------------------------------
/apps/weave-gitops/hr-weave-gitops.yaml:
--------------------------------------------------------------------------------
---
# Weave GitOps UI on the external ingress, gated by Authelia forward-auth.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: weave-gitops
spec:
  interval: 5m
  chart:
    spec:
      chart: weave-gitops
      version: 4.0.36
      sourceRef:
        kind: HelmRepository
        name: weave-gitops-charts
        namespace: flux-system
  dependsOn:
    - name: ingress-nginx-external
      namespace: networking
  values:
    # NOTE(review): passwordHash is a bcrypt hash committed in clear. A hash is not the
    # password, but in a public repository it is an offline-cracking target. Keep it in a
    # sops-encrypted Secret and substitute it like the ${SECRET_*} values elsewhere in this
    # repo (or use the chart's existing-secret mode, if available in this chart version).
    adminUser:
      create: true
      username: admin
      passwordHash: $2a$12$HQu99eymhRdEq9qZqqXqcewgY4HoRGPhxtlA5/l4E34p3lt1VNHz6
    ingress:
      enabled: true
      className: nginx-external
      annotations:
        external-dns.alpha.kubernetes.io/target: "${SECRET_GATEWAY}"
        kubernetes.io/tls-acme: "true"
        nginx.ingress.kubernetes.io/auth-url: http://authelia.networking.svc.cluster.local/api/authz/auth-request
        nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_DOMAIN}
      hosts:
        - host: gitops.${SECRET_DOMAIN}
          paths:
            - path: /
              pathType: Prefix
      tls:
        - secretName: weave-gitops-tls
          hosts:
            - gitops.${SECRET_DOMAIN}
--------------------------------------------------------------------------------
/apps/weave-gitops/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr-weave-gitops.yaml
--------------------------------------------------------------------------------
/base/fallback/apps.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for the app tree of the "fallback" cluster. Runs after configs and charts,
# decrypts sops secrets with the sops-age key and substitutes ${VAR}s from the shared/cluster
# ConfigMaps and Secrets. The patch stamps the same decryption + substituteFrom onto every
# nested Flux Kustomization (target: kind Kustomization), so app folders need not repeat it;
# `name: name` is only a placeholder, the target selector chooses the objects.
# prune: true removes objects that disappear from git.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  path: ./cluster-apps/fallback
  interval: 10m
  prune: true
  dependsOn:
    - name: configs
    - name: charts
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
  postBuild:
    substitute: {}
    substituteFrom:
      - kind: ConfigMap
        name: shared-settings
      - kind: ConfigMap
        name: cluster-settings
      - kind: Secret
        name: shared-secrets
      - kind: Secret
        name: cluster-secrets
  patches:
    - patch: |-
        apiVersion: kustomize.toolkit.fluxcd.io/v1
        kind: Kustomization
        metadata:
          name: name
        spec:
          decryption:
            provider: sops
            secretRef:
              name: sops-age
          postBuild:
            substitute: {}
            substituteFrom:
              - kind: ConfigMap
                name: shared-settings
              - kind: ConfigMap
                name: cluster-settings
              - kind: Secret
                name: shared-secrets
              - kind: Secret
                name: cluster-secrets
      target:
        group: kustomize.toolkit.fluxcd.io
        kind: Kustomization
--------------------------------------------------------------------------------
/base/fallback/charts.yaml:
--------------------------------------------------------------------------------
---
# HelmRepository / chart sources, reconciled into flux-system.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: charts
  namespace: flux-system
spec:
  path: ./charts
  targetNamespace: flux-system
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
--------------------------------------------------------------------------------
/base/fallback/configs.yaml:
--------------------------------------------------------------------------------
---
# Cluster-wide settings/secrets (the ConfigMaps and Secrets referenced by substituteFrom in
# apps.yaml), reconciled into flux-system before apps.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: configs
  namespace: flux-system
spec:
  path: ./configs/fallback
  targetNamespace: flux-system
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
--------------------------------------------------------------------------------
/base/fallback/gotk-sync.yaml:
--------------------------------------------------------------------------------
---
# Flux source of truth: the main branch of this repo over SSH, authenticated with the
# flux-system deploy-key Secret, polled every minute.
# NOTE(review): no spec.verify is configured, so whoever can push to main drives the cluster
# directly; commit-signature verification (GitRepository spec.verify) and branch protection
# on the forge are the usual mitigations.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m
  ref:
    branch: main
  url: ssh://git@github.com/Pumba98/flux2-gitops
  secretRef:
    name: flux-system
---
# Entry Kustomization: applies ./base/fallback (this directory), which in turn creates
# configs, charts and apps.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system
  namespace: flux-system
spec:
  path: ./base/fallback
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/base/fallback/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../flux-system
  - gotk-sync.yaml
  - configs.yaml
  - charts.yaml
  - apps.yaml
--------------------------------------------------------------------------------
/base/flux-system/init/flux-sops-age-secret.sops.yaml:
--------------------------------------------------------------------------------
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
  name: sops-age
  namespace: flux-system
stringData:
  age.agekey: ENC[AES256_GCM,data:aLHuV0p2+nGS/vr37h9RJsCSH0ZqFLGFkZEz2jeYoPeP5RpbpPVfxCZyMXF4zvYG0FEumt4/rKsuT2Bhu54gYogdD/lpwDzSjLB4RUhgWoFGJfKprVjEu4OwPxLdwaruSs8BE0X7HkyLXvVYzSPE6waZhXroKczAKcNXfdS9pvv+zomVajtBqSpEFUiQHsw7MDti+hKU4JfX49YZ15eRdPRPXqjd3VCgPOqa61xdjz5oEW9++hZ7DipHxeXp,iv:uJd61mR+igh8x/rizJGB8Jw/frlOuRvC9P39sym6+7E=,tag:A7nPCgWW0mF5XhwNTxQsMg==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqcU52NEZGd3A5TThYQUFk
        Q0h0L2tSM0RzY2dBdE0ydFZoQ2RjK2w3eFdRCjEvOGN0QkhWUkNMU0hHSVd5elhl
        NDZIQjRPa0VISDN4Zzh5bDJvQjdiMVkKLS0tIHVFQzFVSTh5UVdHSjM3UUZTOGVa
        cUJmWkdqcGNMQTJPZXZhZ2JBVDR3RjQKeJNcjkZwLh7dhCh7lFSb9gdGlPjte0FQ
        IKPLG7AODix8Q6YlXIvKo4rFlHjO9GcdsQBvYB1X787juuxoxpHAKg==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-02-24T18:09:36Z"
  mac: ENC[AES256_GCM,data:AaWR6hHpuQiykWzVALLWKVZdZ4fSVbKc7NOI7TK55nSBl7j/0QIxnaNdhyIWqI4RKehxlXZQYyuojqWCrps2s7RSUy70gwVpmN5DL76/MpEm1TzRd+cyj/JJ7IRaLiKWV9a5dX/Klb3I7WHzj9GXM0WqTdt78ZRHibVFvpSdEdU=,iv:QslsqVihEHBfk4ACf3+6N+a2ONMKI6K2lXvaDtz0UkA=,tag:sBMercUObyyBFK7zj++/Vg==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.8.1
--------------------------------------------------------------------------------
/base/flux-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Only the generated Flux components are applied here. init/flux-sops-age-secret.sops.yaml is
# deliberately not listed: it holds the age private key, encrypted to the same recipient the
# rest of the repo uses, so it presumably has to be decrypted and applied out-of-band at
# bootstrap before Flux can decrypt anything else.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
--------------------------------------------------------------------------------
/base/production/apps.yaml:
--------------------------------------------------------------------------------
---
# Same layout as base/fallback/apps.yaml, pointed at the production app tree.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  path: ./cluster-apps/production
  interval: 10m
  prune: true
  dependsOn:
    - name: configs
    - name: charts
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
  postBuild:
    substitute: {}
    substituteFrom:
      - kind: ConfigMap
        name: shared-settings
      - kind: ConfigMap
        name: cluster-settings
      - kind: Secret
        name: shared-secrets
      - kind: Secret
        name: cluster-secrets
  patches:
    - patch: |-
        apiVersion: kustomize.toolkit.fluxcd.io/v1
        kind: Kustomization
        metadata:
          name: name
        spec:
          decryption:
            provider: sops
            secretRef:
              name: sops-age
          postBuild:
            substitute: {}
            substituteFrom:
              - kind: ConfigMap
                name: shared-settings
              - kind: ConfigMap
                name: cluster-settings
              - kind: Secret
                name: shared-secrets
              - kind: Secret
                name: cluster-secrets
      target:
        group: kustomize.toolkit.fluxcd.io
        kind: Kustomization
--------------------------------------------------------------------------------
/base/production/charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: charts
  namespace: flux-system
spec:
  path: ./charts
  targetNamespace: flux-system
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
--------------------------------------------------------------------------------
/base/production/configs.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: configs
  namespace: flux-system
spec:
  path: ./configs/production
  targetNamespace: flux-system
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
--------------------------------------------------------------------------------
/base/production/gotk-sync.yaml:
--------------------------------------------------------------------------------
---
# Same source as base/fallback/gotk-sync.yaml (same repo, same branch, same deploy key, and
# likewise no spec.verify); only the entry path differs.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m
  ref:
    branch: main
  url: ssh://git@github.com/Pumba98/flux2-gitops
  secretRef:
    name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system
  namespace: flux-system
spec:
  path: ./base/production
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/base/production/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../flux-system
  - gotk-sync.yaml
  - configs.yaml
  - charts.yaml
  - apps.yaml
--------------------------------------------------------------------------------
/base/staging/apps.yaml:
--------------------------------------------------------------------------------
---
# Same layout as base/fallback/apps.yaml, pointed at the staging app tree.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  path: ./cluster-apps/staging
  interval: 10m
  prune: true
  dependsOn:
    - name: configs
    - name: charts
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
  postBuild:
    substitute: {}
    substituteFrom:
      - kind: ConfigMap
        name: shared-settings
      - kind: ConfigMap
        name: cluster-settings
      - kind: Secret
        name: shared-secrets
      - kind: Secret
        name: cluster-secrets
  patches:
    - patch: |-
        apiVersion: kustomize.toolkit.fluxcd.io/v1
        kind: Kustomization
        metadata:
          name: name
        spec:
          decryption:
            provider: sops
            secretRef:
              name: sops-age
          postBuild:
            substitute: {}
            substituteFrom:
              - kind: ConfigMap
                name: shared-settings
              - kind: ConfigMap
                name: cluster-settings
              - kind: Secret
                name: shared-secrets
              - kind: Secret
                name: cluster-secrets
      target:
        group: kustomize.toolkit.fluxcd.io
        kind: Kustomization
--------------------------------------------------------------------------------
/base/staging/charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: charts
  namespace: flux-system
spec:
  path: ./charts
  targetNamespace: flux-system
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
| secretRef: 18 | name: sops-age 19 | -------------------------------------------------------------------------------- /base/staging/configs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: configs 6 | namespace: flux-system 7 | spec: 8 | path: ./configs/staging 9 | targetNamespace: flux-system 10 | interval: 10m 11 | prune: true 12 | sourceRef: 13 | kind: GitRepository 14 | name: flux-system 15 | decryption: 16 | provider: sops 17 | secretRef: 18 | name: sops-age 19 | -------------------------------------------------------------------------------- /base/staging/gotk-sync.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: GitRepository 4 | metadata: 5 | name: flux-system 6 | namespace: flux-system 7 | spec: 8 | interval: 1m 9 | ref: 10 | branch: main 11 | url: ssh://git@github.com/Pumba98/flux2-gitops 12 | secretRef: 13 | name: flux-system 14 | --- 15 | apiVersion: kustomize.toolkit.fluxcd.io/v1 16 | kind: Kustomization 17 | metadata: 18 | name: flux-system 19 | namespace: flux-system 20 | spec: 21 | path: ./base/staging 22 | interval: 10m 23 | prune: true 24 | sourceRef: 25 | kind: GitRepository 26 | name: flux-system 27 | -------------------------------------------------------------------------------- /base/staging/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ../flux-system 6 | - gotk-sync.yaml 7 | - configs.yaml 8 | - charts.yaml 9 | - apps.yaml 10 | -------------------------------------------------------------------------------- /charts/angelnu-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: angelnu-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://angelnu.github.io/helm-charts 10 | timeout: 2m 11 | -------------------------------------------------------------------------------- /charts/authelia-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: authelia-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://charts.authelia.com 10 | timeout: 2m 11 | -------------------------------------------------------------------------------- /charts/bitnami-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: bitnami-charts 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 30m 10 | url: oci://registry-1.docker.io/bitnamicharts 11 | timeout: 2m 12 | -------------------------------------------------------------------------------- /charts/bjw-s-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: bjw-s-charts 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 30m 10 | url: oci://ghcr.io/bjw-s/helm 11 | timeout: 2m 12 | -------------------------------------------------------------------------------- /charts/csi-driver-smb-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: csi-driver-smb-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-smb/master/charts 10 | timeout: 2m 11 
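# The listing below was collapsed onto a single line with gutter numbers;
# it is restored here one YAML document per file, each file introduced by
# a comment carrying its path. Every source in this group is a Flux
# HelmRepository polled every 30m from an HTTPS chart index.

# ---- /charts/descheduler-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: descheduler-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://kubernetes-sigs.github.io/descheduler
  timeout: 2m

# ---- /charts/enix-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: enix-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://charts.enix.io
  timeout: 2m

# ---- /charts/external-dns-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: external-dns-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://kubernetes-sigs.github.io/external-dns
  timeout: 2m

# ---- /charts/fairwinds-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: fairwinds-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://charts.fairwinds.com/stable
  timeout: 2m

# ---- /charts/grafana-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: grafana-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://grafana.github.io/helm-charts
  timeout: 2m

# ---- /charts/headlamp-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: headlamp-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://kubernetes-sigs.github.io/headlamp
  timeout: 2m

# ---- /charts/ingress-nginx-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: ingress-nginx-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://kubernetes.github.io/ingress-nginx
  timeout: 2m

# ---- /charts/jetstack-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: jetstack-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://charts.jetstack.io/
  timeout: 2m

# ---- /charts/kubereboot-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: kubereboot-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://kubereboot.github.io/charts/
  timeout: 2m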
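# Restored from a single collapsed line; one YAML document per file, each
# introduced by a comment carrying its path.

# ---- /charts/kustomization.yaml ----
# Aggregates every Flux source under charts/ so the `charts` Flux
# Kustomization (base/*/charts.yaml) applies them in one pass. Keep this
# list in sync with the directory: a source file that is not listed is
# never reconciled, and an entry with no file breaks the build.
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - angelnu-charts.yaml
  - authelia-charts.yaml
  - bitnami-charts.yaml
  - bjw-s-charts.yaml
  - csi-driver-smb-charts.yaml
  - descheduler-charts.yaml
  - enix-charts.yaml
  - external-dns-charts.yaml
  - fairwinds-charts.yaml
  - grafana-charts.yaml
  - headlamp-charts.yaml
  - ingress-nginx-charts.yaml
  - jetstack-charts.yaml
  - kubereboot-charts.yaml
  - local-path-provisioner-charts.yaml
  - longhorn-charts.yaml
  - metallb-charts.yaml
  - metrics-server-charts.yaml
  - minio-charts.yaml
  - prometheus-charts.yaml
  - rancher-latest-charts.yaml
  - stakater-charts.yaml
  - weave-gitops-charts.yaml

# ---- /charts/local-path-provisioner-charts.yaml ----
# The chart is taken straight from the upstream git repository rather than
# from a Helm index; only /deploy/ is checked out, everything else is
# ignored. This was the only source in the directory still on the older
# v1beta1 API; it is moved to v1 to match the GitRepository in
# base/*/gotk-sync.yaml — interval, url, ref.tag and ignore are unchanged
# between the two versions.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: local-path-provisioner-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://github.com/rancher/local-path-provisioner.git
  ref:
    # NOTE(review): a tag is a movable reference — anyone who can push to
    # the upstream repository can re-point it. For a reproducible,
    # tamper-evident source also pin the resolved commit (`ref.commit`,
    # which Flux prefers over `tag` when both are set) and bump the two
    # together on upgrades.
    tag: v0.0.31
  ignore: |
    /*
    !/deploy/

# ---- /charts/longhorn-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: longhorn-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://charts.longhorn.io
  timeout: 2m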
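# Restored from collapsed lines; one YAML document per file, each
# introduced by a comment carrying its path. Sources of `type: oci` are
# pulled from a container registry, the others from an HTTPS chart index.

# ---- /charts/metallb-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: metallb-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://metallb.github.io/metallb
  timeout: 2m

# ---- /charts/metrics-server-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: metrics-server-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://kubernetes-sigs.github.io/metrics-server
  timeout: 2m

# ---- /charts/minio-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: minio-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://charts.min.io
  timeout: 2m

# ---- /charts/prometheus-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: prometheus-charts
  namespace: flux-system
spec:
  type: oci
  interval: 30m
  url: oci://ghcr.io/prometheus-community/charts
  timeout: 2m

# ---- /charts/rancher-latest-charts.yaml ----
# NOTE(review): this object is named `rancher-latest`, not
# `rancher-latest-charts` like every other source in this directory. A
# HelmRelease sourceRef must use the object name, so renaming it here
# would break those references — leave it unless the consumers are
# updated in the same change.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: rancher-latest
  namespace: flux-system
spec:
  interval: 30m
  url: https://releases.rancher.com/server-charts/latest
  timeout: 2m

# ---- /charts/stakater-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: stakater-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://stakater.github.io/stakater-charts
  timeout: 2m

# ---- /charts/weave-gitops-charts.yaml ----
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: weave-gitops-charts
  namespace: flux-system
spec:
  type: oci
  interval: 30m
  url: oci://ghcr.io/weaveworks/charts
  timeout: 2m

# ---- /cluster-apps/arrs.yaml ----
# Each cluster-apps/*.yaml is a Flux Kustomization that reconciles one
# directory under ./apps from the flux-system GitRepository into its
# targetNamespace; with `prune: true`, objects removed from git are also
# removed from the cluster.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: arrs-app
  namespace: flux-system
spec:
  path: ./apps/arrs
  targetNamespace: vpn
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/authelia.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: authelia-app
  namespace: flux-system
spec:
  path: ./apps/authelia
  targetNamespace: networking
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system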
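# Restored from collapsed lines; one YAML document per file, each
# introduced by a comment carrying its path. Every document is a Flux
# Kustomization reconciling one ./apps directory into its targetNamespace
# with pruning enabled.

# ---- /cluster-apps/bind9.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: bind9-app
  namespace: flux-system
spec:
  path: ./apps/bind9
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/blocky.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: blocky-app
  namespace: flux-system
spec:
  path: ./apps/blocky
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/cert-manager.yaml ----
# Three-stage rollout: the controller first, then the ClusterIssuers
# (which need the cert-manager CRDs), then the monitoring objects (which
# need the Prometheus operator CRDs from kube-prometheus-stack-app).
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cert-manager-app
  namespace: flux-system
spec:
  path: ./apps/cert-manager
  targetNamespace: cert-manager
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cert-manager-issuers
  namespace: flux-system
spec:
  path: ./apps/cert-manager/issuers
  targetNamespace: cert-manager
  interval: 10m
  prune: true
  dependsOn:
    - name: cert-manager-app
  sourceRef:
    kind: GitRepository
    name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cert-manager-monitoring
  namespace: flux-system
spec:
  path: ./apps/cert-manager/monitoring
  targetNamespace: cert-manager
  interval: 10m
  prune: true
  dependsOn:
    - name: kube-prometheus-stack-app
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/certificate-exporter.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: certificate-exporter-app
  namespace: flux-system
spec:
  path: ./apps/certificate-exporter
  targetNamespace: monitoring
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/cloudflared.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cloudflared-app
  namespace: flux-system
spec:
  path: ./apps/cloudflared
  targetNamespace: networking
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/csi-driver-smb.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: csi-driver-smb-app
  namespace: flux-system
spec:
  path: ./apps/csi-driver-smb
  targetNamespace: kube-system
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system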
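# Restored from collapsed lines; one YAML document per file, each
# introduced by a comment carrying its path. Unless noted, every document
# is a Flux Kustomization reconciling one ./apps directory into its
# targetNamespace with pruning enabled.

# ---- /cluster-apps/descheduler.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: descheduler-app
  namespace: flux-system
spec:
  path: ./apps/descheduler
  targetNamespace: kube-system
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/external-dns-bind.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: external-dns-bind-app
  namespace: flux-system
spec:
  path: ./apps/external-dns-bind
  targetNamespace: networking
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/external-dns-cloudflare.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: external-dns-cloudflare-app
  namespace: flux-system
spec:
  path: ./apps/external-dns-cloudflare
  targetNamespace: networking
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/fallback/bind9.yaml ----
# Strategic-merge patch (applied by fallback/kustomization.yaml) for the
# bind9-app Flux Kustomization above: it adds a nested patch that moves
# the bind9-data PVC onto the local-path storage class, so the fallback
# set does not depend on the Longhorn storage used elsewhere.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: bind9-app
  namespace: flux-system
spec:
  patches:
    - target:
        kind: PersistentVolumeClaim
        name: bind9-data
      patch: |-
        apiVersion: v1
        kind: PersistentVolumeClaim
        metadata:
          name: bind9-data
        spec:
          storageClassName: local-path

# ---- /cluster-apps/fallback/kustomization.yaml ----
# Minimal "fallback" app set (DNS, networking, storage, flux configs).
# `patches` replaces the deprecated `patchesStrategicMerge` field: a patch
# file referenced by `path` that carries apiVersion/kind/metadata is
# applied as a strategic-merge patch exactly as before, and this is the
# same `patches:` form already used in base/*/apps.yaml.
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../namespaces.yaml
  - ../bind9.yaml
  - ../blocky.yaml
  - ../flux-system.yaml
  - ../local-path-provisioner.yaml
  - ../metallb.yaml
  - ../reloader.yaml
  - ../system-upgrade-controller.yaml

patches:
  - path: bind9.yaml

# ---- /cluster-apps/flux-system.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system-configs
  namespace: flux-system
spec:
  path: ./apps/flux-system/configs
  targetNamespace: flux-system
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system-monitoring
  namespace: flux-system
spec:
  path: ./apps/flux-system/monitoring
  targetNamespace: flux-system
  interval: 10m
  prune: true
  dependsOn:
    - name: kube-prometheus-stack-app
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/goldilocks.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: goldilocks-app
  namespace: flux-system
spec:
  path: ./apps/goldilocks
  targetNamespace: monitoring
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/headlamp.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: headlamp-app
  namespace: flux-system
spec:
  path: ./apps/headlamp
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/homer.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: homer-app
  namespace: flux-system
spec:
  path: ./apps/homer
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/immich.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: immich-app
  namespace: flux-system
spec:
  path: ./apps/immich
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/ingress-nginx-external.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: ingress-nginx-external-app
  namespace: flux-system
spec:
  path: ./apps/ingress-nginx-external
  targetNamespace: networking
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: ingress-nginx-external-monitoring
  namespace: flux-system
spec:
  # NOTE(review): this is the same directory and the same targetNamespace
  # that ingress-nginx-monitoring (ingress-nginx.yaml) reconciles. Unless
  # the manifests there are parameterised so the two runs produce
  # differently named objects, two Flux Kustomizations may end up applying
  # and pruning the same resources — confirm this is intended or point it
  # at ./apps/ingress-nginx-external/monitoring.
  path: ./apps/ingress-nginx/monitoring
  targetNamespace: networking
  interval: 10m
  prune: true
  dependsOn:
    - name: kube-prometheus-stack-app
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/ingress-nginx.yaml ----
# Controller first; the certificates wait for cert-manager-app, the
# monitoring objects wait for the Prometheus operator CRDs.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: ingress-nginx-app
  namespace: flux-system
spec:
  path: ./apps/ingress-nginx
  targetNamespace: networking
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: ingress-nginx-certs
  namespace: flux-system
spec:
  path: ./apps/ingress-nginx/certs
  targetNamespace: networking
  interval: 10m
  prune: true
  dependsOn:
    - name: cert-manager-app
  sourceRef:
    kind: GitRepository
    name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: ingress-nginx-monitoring
  namespace: flux-system
spec:
  path: ./apps/ingress-nginx/monitoring
  targetNamespace: networking
  interval: 10m
  prune: true
  dependsOn:
    - name: kube-prometheus-stack-app
  sourceRef:
    kind: GitRepository
    name: flux-system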
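# Restored from collapsed lines; one YAML document per file, each
# introduced by a comment carrying its path. Every document is a Flux
# Kustomization reconciling one ./apps directory into its targetNamespace
# with pruning enabled.

# ---- /cluster-apps/jd2.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: jd2-app
  namespace: flux-system
spec:
  path: ./apps/jd2
  targetNamespace: vpn
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/jellyfin.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: jellyfin-app
  namespace: flux-system
spec:
  path: ./apps/jellyfin
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/jellyseerr.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: jellyseerr-app
  namespace: flux-system
spec:
  path: ./apps/jellyseerr
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/kube-prometheus-stack.yaml ----
# The rules Kustomization waits for the operator so its PrometheusRule
# CRDs exist before the rules are applied. Several other *-monitoring
# Kustomizations in this directory depend on kube-prometheus-stack-app
# for the same reason.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kube-prometheus-stack-app
  namespace: flux-system
spec:
  path: ./apps/kube-prometheus-stack
  targetNamespace: monitoring
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kube-prometheus-stack-rules
  namespace: flux-system
spec:
  path: ./apps/kube-prometheus-stack/prometheus-rules
  targetNamespace: monitoring
  interval: 10m
  prune: true
  dependsOn:
    - name: kube-prometheus-stack-app
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/kube-vip.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kube-vip-app
  namespace: flux-system
spec:
  path: ./apps/kube-vip
  targetNamespace: kube-system
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/kured.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kured-app
  namespace: flux-system
spec:
  path: ./apps/kured
  targetNamespace: kube-system
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system

# ---- /cluster-apps/linkwarden.yaml ----
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: linkwarden-app
  namespace: flux-system
spec:
  path: ./apps/linkwarden
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system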
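--------------------------------------------------------------------------------
/cluster-apps/local-path-provisioner.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for local-path-provisioner (target namespace: default).
# NOTE(review): of the cluster-apps files visible in this listing, this is the
# only one referenced by neither production/kustomization.yaml nor
# staging/kustomization.yaml — presumably disabled on purpose; confirm before
# deleting or re-enabling it.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: local-path-provisioner-app
  namespace: flux-system
spec:
  path: ./apps/local-path-provisioner
  targetNamespace: default
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/loki.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for Loki (target namespace: monitoring).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: loki-app
  namespace: flux-system
spec:
  path: ./apps/loki
  targetNamespace: monitoring
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/longhorn.yaml:
--------------------------------------------------------------------------------
---
# Longhorn chart (target namespace: longhorn-system). longhorn-configs below
# depends on this Kustomization.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: longhorn-app
  namespace: flux-system
spec:
  path: ./apps/longhorn
  targetNamespace: longhorn-system
  interval: 10m
  prune: true
  # Without `wait`, this Kustomization is Ready as soon as its objects are
  # applied — before the Longhorn HelmRelease has installed its CRDs — so
  # longhorn-configs could reconcile too early. Same pattern as
  # system-upgrade-controller-app, which gates its plans with wait: true.
  wait: true
  sourceRef:
    kind: GitRepository
    name: flux-system
---
# Longhorn configuration objects, applied after longhorn-app is Ready.
# NOTE(review): targetNamespace `networking` differs from longhorn-app's
# `longhorn-system`; the resources under ./apps/longhorn/configs are not
# visible here, so confirm this is intended and not a copy-paste leftover.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: longhorn-configs
  namespace: flux-system
spec:
  path: ./apps/longhorn/configs
  targetNamespace: networking
  interval: 10m
  prune: true
  dependsOn:
    - name: longhorn-app
  sourceRef:
    kind: GitRepository
    name: flux-system
---
# Longhorn monitoring objects; depends on kube-prometheus-stack-app (the
# monitoring CRDs), not on longhorn-app. Same targetNamespace caveat as above.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: longhorn-monitoring
  namespace: flux-system
spec:
  path: ./apps/longhorn/monitoring
  targetNamespace: networking
  interval: 10m
  prune: true
  dependsOn:
    - name: kube-prometheus-stack-app
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/memos.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for Memos (target namespace: selfhosted).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: memos-app
  namespace: flux-system
spec:
  path: ./apps/memos
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/metallb.yaml:
--------------------------------------------------------------------------------
---
# MetalLB chart (target namespace: metallb-system). metallb-configs below
# depends on this Kustomization.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: metallb-app
  namespace: flux-system
spec:
  path: ./apps/metallb
  targetNamespace: metallb-system
  interval: 10m
  prune: true
  # metallb-configs presumably carries MetalLB custom resources; make this
  # Kustomization Ready only when the chart's resources are healthy, so the
  # dependent does not reconcile before the CRDs exist (see
  # system-upgrade-controller-app for the same pattern).
  wait: true
  sourceRef:
    kind: GitRepository
    name: flux-system
---
# MetalLB configuration objects, applied after metallb-app is Ready.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: metallb-configs
  namespace: flux-system
spec:
  path: ./apps/metallb/configs
  targetNamespace: metallb-system
  interval: 10m
  prune: true
  dependsOn:
    - name: metallb-app
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/metrics-server.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for metrics-server (target namespace: kube-system).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: metrics-server-app
  namespace: flux-system
spec:
  path: ./apps/metrics-server
  targetNamespace: kube-system
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/minio.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for MinIO (target namespace: selfhosted).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: minio-app
  namespace: flux-system
spec:
  path: ./apps/minio
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/namespaces.yaml:
--------------------------------------------------------------------------------
---
# Namespaces shared by the cluster-apps Kustomizations. goldilocks labels opt
# each namespace into Goldilocks VPA recommendations.
apiVersion: v1
kind: Namespace
metadata:
  name: default
  labels:
    goldilocks.fairwinds.com/enabled: "true"
---
apiVersion: v1
kind: Namespace
metadata:
  name: monitoring
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    # `enforce: privileged` switches Pod Security admission off for every pod
    # in the namespace, not only for the workload it was added for. Keeping
    # audit/warn at baseline leaves violations visible (API warnings and audit
    # annotations) without blocking anything; moving the privileged workload
    # into its own namespace would allow enforce to be tightened here.
    pod-security.kubernetes.io/enforce: privileged # for NodeExporter
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline
---
apiVersion: v1
kind: Namespace
metadata:
  name: networking
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    # Same rationale as `monitoring`: enforce stays privileged for the one
    # workload named below, audit/warn keep the rest of the namespace visible.
    pod-security.kubernetes.io/enforce: privileged # for PodGateway
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline
---
apiVersion: v1
kind: Namespace
metadata:
  name: selfhosted
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    # Same rationale as `monitoring`. This namespace hosts most user-facing
    # apps in this repo (jellyfin, linkwarden, memos, minio, paperless-ngx,
    # radicale, restic, syncthing, tandoor-recipes, ...), so a single
    # privileged workload currently disables PSA for all of them.
    pod-security.kubernetes.io/enforce: privileged # for sftpgo
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline
---
apiVersion: v1
kind: Namespace
metadata:
  name: vpn
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    routed-gateway: "true"
    # Same rationale as `monitoring`.
    pod-security.kubernetes.io/enforce: privileged # for jd2
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline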
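--------------------------------------------------------------------------------
/cluster-apps/paperless-ngx.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for Paperless-ngx (target namespace: selfhosted).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: paperless-ngx-app
  namespace: flux-system
spec:
  path: ./apps/paperless-ngx
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/pod-gateway-vpn.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for the VPN pod-gateway (target namespace: networking,
# which namespaces.yaml marks PSA-privileged "for PodGateway").
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: pod-gateway-vpn-app
  namespace: flux-system
spec:
  path: ./apps/pod-gateway-vpn
  targetNamespace: networking
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/production/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Production overlay: the full set of cluster-apps. staging/kustomization.yaml
# carries the same list with some entries commented out — keep the two in
# sync when adding an app. local-path-provisioner.yaml is deliberately (?)
# absent from both; confirm.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../namespaces.yaml
  - ../arrs.yaml
  - ../authelia.yaml
  - ../bind9.yaml
  - ../blocky.yaml
  - ../certificate-exporter.yaml
  - ../cert-manager.yaml
  - ../cloudflared.yaml
  - ../csi-driver-smb.yaml
  - ../descheduler.yaml
  - ../external-dns-bind.yaml
  - ../external-dns-cloudflare.yaml
  - ../flux-system.yaml
  - ../goldilocks.yaml
  - ../headlamp.yaml
  - ../homer.yaml
  - ../immich.yaml
  - ../ingress-nginx.yaml
  - ../ingress-nginx-external.yaml
  - ../jd2.yaml
  - ../jellyfin.yaml
  - ../jellyseerr.yaml
  - ../kube-prometheus-stack.yaml
  - ../kube-vip.yaml
  - ../kured.yaml
  - ../linkwarden.yaml
  - ../loki.yaml
  - ../longhorn.yaml
  - ../memos.yaml
  - ../metallb.yaml
  - ../metrics-server.yaml
  - ../minio.yaml
  - ../paperless-ngx.yaml
  - ../pod-gateway-vpn.yaml
  - ../promtail.yaml
  - ../qbittorrent.yaml
  - ../radicale.yaml
  - ../rancher.yaml
  - ../reloader.yaml
  - ../restic.yaml
  - ../sftpgo.yaml
  - ../syncthing.yaml
  - ../system-upgrade-controller.yaml
  - ../tandoor-recipes.yaml
  - ../weave-gitops.yaml
--------------------------------------------------------------------------------
/cluster-apps/promtail.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for Promtail (target namespace: monitoring).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: promtail-app
  namespace: flux-system
spec:
  path: ./apps/promtail
  targetNamespace: monitoring
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/qbittorrent.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for qBittorrent (target namespace: vpn).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: qbittorrent-app
  namespace: flux-system
spec:
  path: ./apps/qbittorrent
  targetNamespace: vpn
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/radicale.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for Radicale (target namespace: selfhosted).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: radicale-app
  namespace: flux-system
spec:
  path: ./apps/radicale
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/rancher.yaml:
--------------------------------------------------------------------------------
---
# Rancher chart (target namespace: cattle-system). rancher-configs below
# depends on this Kustomization.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: rancher-app
  namespace: flux-system
spec:
  path: ./apps/rancher
  targetNamespace: cattle-system
  interval: 10m
  prune: true
  # Readiness follows the applied resources' health rather than "applied",
  # so rancher-configs does not reconcile before Rancher's CRDs exist (same
  # pattern as system-upgrade-controller-app).
  wait: true
  sourceRef:
    kind: GitRepository
    name: flux-system
---
# Rancher configuration objects, applied after rancher-app is Ready.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: rancher-configs
  namespace: flux-system
spec:
  path: ./apps/rancher/configs
  targetNamespace: cattle-global-data
  interval: 10m
  prune: true
  dependsOn:
    - name: rancher-app
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/reloader.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for Reloader (target namespace: kube-system).
# apiVersion aligned with every other cluster-apps Kustomization: this file
# was the only one still on the deprecated v1beta2 API.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: reloader-app
  namespace: flux-system
spec:
  path: ./apps/reloader
  targetNamespace: kube-system
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/restic.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for restic backups (target namespace: selfhosted).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: restic-app
  namespace: flux-system
spec:
  path: ./apps/restic
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system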
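--------------------------------------------------------------------------------
/cluster-apps/sftpgo.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for SFTPGo (target namespace: selfhosted, which
# namespaces.yaml marks PSA-privileged "for sftpgo").
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: sftpgo-app
  namespace: flux-system
spec:
  path: ./apps/sftpgo
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/staging/ingress-nginx.yaml:
--------------------------------------------------------------------------------
---
# Strategic-merge patch over the ingress-nginx-app Kustomization (applied via
# staging/kustomization.yaml): points the wildcard Certificate at the staging
# issuer so staging never consumes Let's Encrypt production rate limits.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: ingress-nginx-app
  namespace: flux-system
spec:
  patches:
    - target:
        kind: Certificate
        # Flux postBuild substitution; `${VAR/./-}` replaces the first `.`
        # only. NOTE(review): fine for a two-label domain — confirm if
        # SECRET_DOMAIN can have more labels.
        name: "${SECRET_DOMAIN/./-}"
      patch: |-
        apiVersion: cert-manager.io/v1
        kind: Certificate
        metadata:
          name: "${SECRET_DOMAIN/./-}"
          namespace: networking
        spec:
          issuerRef:
            name: letsencrypt-staging
--------------------------------------------------------------------------------
/cluster-apps/staging/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Staging overlay: same app list as production/kustomization.yaml with the
# commented entries disabled, plus staging-only patches. Keep the list in
# sync with production when adding an app.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../namespaces.yaml
  - ../arrs.yaml
  - ../authelia.yaml
  # - ../bind9.yaml
  # - ../blocky.yaml
  - ../certificate-exporter.yaml
  - ../cert-manager.yaml
  # - ../cloudflared.yaml
  - ../csi-driver-smb.yaml
  - ../descheduler.yaml
  # - ../external-dns-bind.yaml
  - ../external-dns-cloudflare.yaml
  - ../flux-system.yaml
  - ../goldilocks.yaml
  - ../headlamp.yaml
  - ../homer.yaml
  - ../immich.yaml
  - ../ingress-nginx.yaml
  - ../ingress-nginx-external.yaml
  - ../jd2.yaml
  - ../jellyfin.yaml
  - ../jellyseerr.yaml
  - ../kube-prometheus-stack.yaml
  - ../kube-vip.yaml
  - ../kured.yaml
  - ../linkwarden.yaml
  - ../loki.yaml
  - ../longhorn.yaml
  - ../memos.yaml
  - ../metallb.yaml
  - ../metrics-server.yaml
  - ../minio.yaml
  - ../paperless-ngx.yaml
  - ../pod-gateway-vpn.yaml
  - ../promtail.yaml
  - ../qbittorrent.yaml
  - ../radicale.yaml
  - ../rancher.yaml
  - ../reloader.yaml
  # - ../restic.yaml
  - ../sftpgo.yaml
  - ../syncthing.yaml
  # - ../system-upgrade-controller.yaml
  - ../tandoor-recipes.yaml
  - ../weave-gitops.yaml

# `patchesStrategicMerge` is deprecated in kustomize (`kustomize edit fix`
# migrates it). `patches` with `path` applies the same strategic-merge files;
# the target is inferred from each file's apiVersion/kind/metadata.
patches:
  - path: longhorn.yaml
  - path: ingress-nginx.yaml
--------------------------------------------------------------------------------
/cluster-apps/staging/longhorn.yaml:
--------------------------------------------------------------------------------
---
# Strategic-merge patch over the longhorn-app Kustomization (applied via
# staging/kustomization.yaml): staging runs a single replica per volume.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: longhorn-app
  namespace: flux-system
spec:
  patches:
    - target:
        kind: HelmRelease
        name: longhorn
      # NOTE(review): the patch body pins helm.toolkit.fluxcd.io/v2beta1; the
      # HelmRelease in ./apps/longhorn is not visible here — keep the two
      # apiVersions in step when the chart release is upgraded.
      patch: |-
        apiVersion: helm.toolkit.fluxcd.io/v2beta1
        kind: HelmRelease
        metadata:
          name: longhorn
        spec:
          values:
            persistence:
              defaultClassReplicaCount: 1
    - target:
        kind: StorageClass
        name: longhorn-backup
      patch: |-
        kind: StorageClass
        apiVersion: storage.k8s.io/v1
        metadata:
          name: longhorn-backup
        parameters:
          numberOfReplicas: "1"
    - target:
        kind: StorageClass
        name: longhorn-xfs
      patch: |-
        kind: StorageClass
        apiVersion: storage.k8s.io/v1
        metadata:
          name: longhorn-xfs
        parameters:
          numberOfReplicas: "1"
--------------------------------------------------------------------------------
/cluster-apps/syncthing.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for Syncthing (target namespace: selfhosted).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: syncthing-app
  namespace: flux-system
spec:
  path: ./apps/syncthing
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/system-upgrade-controller.yaml:
--------------------------------------------------------------------------------
---
# system-upgrade-controller (target namespace: system-upgrade). `wait: true`
# makes this Kustomization Ready only once its resources are healthy, so the
# plans below are not applied before the controller's CRD exists.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: system-upgrade-controller-app
  namespace: flux-system
spec:
  path: ./apps/system-upgrade-controller
  targetNamespace: system-upgrade
  interval: 10m
  prune: true
  wait: true
  sourceRef:
    kind: GitRepository
    name: flux-system
---
# Upgrade plans, applied after system-upgrade-controller-app is Ready.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: system-upgrade-plans
  namespace: flux-system
spec:
  path: ./apps/system-upgrade-controller/plans
  targetNamespace: system-upgrade
  interval: 10m
  prune: true
  dependsOn:
    - name: system-upgrade-controller-app
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/cluster-apps/tandoor-recipes.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for Tandoor Recipes (target namespace: selfhosted).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: tandoor-recipes-app
  namespace: flux-system
spec:
  path: ./apps/tandoor-recipes
  targetNamespace: selfhosted
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------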
/cluster-apps/weave-gitops.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for the Weave GitOps UI; the only app deployed into
# flux-system itself.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: weave-gitops-app
  namespace: flux-system
spec:
  path: ./apps/weave-gitops
  targetNamespace: flux-system
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
--------------------------------------------------------------------------------
/configs/fallback/cluster-secrets.sops.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: cluster-secrets
stringData:
  SECRET_DOMAIN: ENC[AES256_GCM,data:O2giVKFbbmQBXWjz,iv:b9p9hwm+Axw+viKRE2777C5J0LZjhxOf8nNeNHsqNhw=,tag:2KO6s27JMvmOs5ztHnyCng==,type:str]
  SECRET_GATEWAY: ENC[AES256_GCM,data:D0857pthBXV0ZktbtuqX5htr48E=,iv:Ojje3GbiMTCpxaC5SyN/+YGqKJQT6/XeywxCCo428C4=,tag:vZfv3FThNfQUcK+TY5Y0jA==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2QnRmSEM2ay9NdEx2L2lC
        c0lGK2hOcGVmU01KUWhmSThvU1dPQW9sS3pnCmNQS1VXb094NVZIcnJKOUpwTDcx
        Tld2MU1pa0EyeEUyNXdQUHBxNnVuNW8KLS0tIE5Hd0YzUFU4N0F6cUhyWGF5RjdV
        ZUtFNlhlRWtDYU9weURBZWNGTm81U3MKq3/9+SNLNtUQo4dwpd51HVWs0HL+NtWy
        SXIragepYIECXhndPtxlZn1Tc+ZNlA6dJX9jOibkXfvJUB+O/qQQsA==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2024-03-08T18:48:26Z"
  mac: ENC[AES256_GCM,data:N9HQ9I8smdE5xn6s9ihZvA3B+h5CiCgcmvsr6OHzY9+mMVUewWJ2ZS9ZjaY116cZkKY5KX2eDs46J5zEimt6DAhlHvHrGdVaU8qjwvt21ONQ7SXZ/9iqmxUjHp9FU6ArTjlJCSPydxX7Bd+lPf2gCuapgZdJaQANxywmLlWKpYI=,iv:aIM/ICm01IcpkFzB8fJXp0D1ajPnB1L4DJL5DN3g2ik=,tag:KR4cDUc1koL7CzgeopYyHw==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.8.1
--------------------------------------------------------------------------------
/configs/fallback/cluster-settings.yaml:
--------------------------------------------------------------------------------
---
# Per-cluster settings for the `fallback` overlay (plain-text values that Flux
# substitutes into the apps; secrets live in cluster-secrets.sops.yaml).
# NOTE(review): the four LB_IP_*INGRESS*/SYNCTHING/SFTPGO addresses are the
# same as in configs/production/cluster-settings.yaml; if fallback and
# production can be up on the same L2 segment at once these would collide —
# confirm. Unlike production and staging there is no KUBEVIP_ADDRESS here;
# confirm whether anything in the fallback overlay substitutes that variable.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-settings
data:
  LB_IP_NGINX_INGRESS: 192.168.100.211
  LB_IP_NGINX_INGRESS_EXTERNAL: 192.168.100.210
  LB_IP_SYNCTHING_SVC: 192.168.100.212
  LB_IP_SFTPGO_SVC: 192.168.100.213
  # bind/blocky sit on a different /24 than in production and staging.
  LB_IP_BIND_SVC: 192.168.1.11
  LB_IP_BLOCKY_SVC: 192.168.1.10
  # Production is the bind9 master; fallback and staging are slaves.
  CLUSTER_BIND9_ROLE: slave
--------------------------------------------------------------------------------
/configs/fallback/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Fallback config overlay: shared secrets/settings plus the per-cluster pair.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../shared-secrets.sops.yaml
  - ../shared-settings.yaml
  - cluster-secrets.sops.yaml
  - cluster-settings.yaml
--------------------------------------------------------------------------------
/configs/production/cluster-secrets.sops.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: cluster-secrets
stringData:
  SECRET_DOMAIN: ENC[AES256_GCM,data:ReFgxsHYZMO0qmTv,iv:veuSRBMIxU3MwLt1uANzIPw1SU45k7LnbAgzcjkycSM=,tag:Y/qCj9g3lZpTWYllqK4uzQ==,type:str]
  SECRET_GATEWAY: ENC[AES256_GCM,data:3D8Jd/Y0y+2HPGCA+Ql2zuUWXYU=,iv:ARWrIDIMjHMR+e/WtRT8u8EFO+F5XEzEDZSWZBT0k+8=,tag:7rVexE4jQ/Y9J3SqkBA4mQ==,type:str]
  SECRET_CIFS_SHARE: ENC[AES256_GCM,data:7NvVB9R+40yvvTIUW7EtezYUgMYw+fJEAyysxUW6YmiZJy4=,iv:X4B2/CuHeOyJAfse8ISSp4hq84B3rKE+Gvvx6X58OgY=,tag:nCGJikfCOP4Q9rbP0plvdg==,type:str]
  SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:zJa4e29ChPnmSarHO7512tKkiP5CortG9XRWEriOR1XGwMtz,iv:75A84uKm9lBbcxUxm2UiNBJEskf1eQ8LUvDbgqYZXCg=,tag:1AN9tafUpza7WE+6fteDCw==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2QnRmSEM2ay9NdEx2L2lC
        c0lGK2hOcGVmU01KUWhmSThvU1dPQW9sS3pnCmNQS1VXb094NVZIcnJKOUpwTDcx
        Tld2MU1pa0EyeEUyNXdQUHBxNnVuNW8KLS0tIE5Hd0YzUFU4N0F6cUhyWGF5RjdV
        ZUtFNlhlRWtDYU9weURBZWNGTm81U3MKq3/9+SNLNtUQo4dwpd51HVWs0HL+NtWy
        SXIragepYIECXhndPtxlZn1Tc+ZNlA6dJX9jOibkXfvJUB+O/qQQsA==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2025-01-30T17:58:33Z"
  mac: ENC[AES256_GCM,data:s0b53cGufWTEMaLF17aw7rmX9o42p715uaNvjw7kWKE/dQV5BuEUHhOqRGWlF9q7eLajaZWAyxXzgWhjRu43SA9r+QjCniif6WRnb4RSrfHCRkw1aJb9pKWu5s+qZLkKgdsU3dZFdygnXmSbGC5T2n0OxuVClWB5dzpajeo5r4A=,iv:+C98mQsWSlLpUKpxDfvHULrZ6b+eCvhY0krir0XWq/g=,tag:CtIkc9FtWu+vhzkzGLQpdw==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.8.1
--------------------------------------------------------------------------------
/configs/production/cluster-settings.yaml:
--------------------------------------------------------------------------------
---
# Per-cluster settings for the `production` overlay. Load-balancer IPs for
# ingress/syncthing/sftpgo/bind/blocky, the kube-vip control-plane VIP, and
# the bind9 role (production is the master; fallback and staging are slaves).
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-settings
data:
  LB_IP_NGINX_INGRESS: 192.168.100.211
  LB_IP_NGINX_INGRESS_EXTERNAL: 192.168.100.210
  LB_IP_SYNCTHING_SVC: 192.168.100.212
  LB_IP_SFTPGO_SVC: 192.168.100.213
  LB_IP_BIND_SVC: 192.168.100.11
  LB_IP_BLOCKY_SVC: 192.168.100.10
  KUBEVIP_ADDRESS: 192.168.100.200
  CLUSTER_BIND9_ROLE: master
--------------------------------------------------------------------------------
/configs/production/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Production config overlay: shared secrets/settings plus the per-cluster pair.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../shared-secrets.sops.yaml
  - ../shared-settings.yaml
  - cluster-secrets.sops.yaml
  - cluster-settings.yaml
--------------------------------------------------------------------------------
/configs/shared-settings.yaml:
--------------------------------------------------------------------------------
---
# Settings common to every cluster overlay (plain text; see shared-secrets.sops.yaml
# for the encrypted counterpart).
apiVersion: v1
kind: ConfigMap
metadata:
  name: shared-settings
data:
  NETWORK_K8S_CLUSTER_CIDR: 10.42.0.0/16
  NETWORK_K8S_SERVICE_CIDR: 10.43.0.0/16
  # Three octets only — presumably a /24 prefix that pod-gateway completes
  # for its VXLAN addresses; verify against apps/pod-gateway-vpn.
  POD_GATEWAY_VPN_VXLAN: 10.45.0
  # Covers all the per-cluster LB ranges above (192.168.1.x and 192.168.100.x).
  PRIVATE_NETWORK: 192.168.0.0/16
--------------------------------------------------------------------------------
/configs/staging/cluster-secrets.sops.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: cluster-secrets
stringData:
  SECRET_DOMAIN: ENC[AES256_GCM,data:44RwODioj1+HCQW4MmCNfPbyNZU=,iv:4rGSFfRopofioir5sYPFVFgq6nvcx3bf2l9Q2zdRtUE=,tag:bLj9U3XFofRmQ+JLx+rsXQ==,type:str]
  SECRET_GATEWAY: ENC[AES256_GCM,data:YXoSfIqKN8pQwZ4UIffcenuD+Ue1ryzfgO4O9g==,iv:5lVGTtrpgY+F5nCkRooKaIbhzdgAmg3BgZROddyqWL8=,tag:IAkMn77RW7r+1M34TnGo8g==,type:str]
  SECRET_CIFS_SHARE: ENC[AES256_GCM,data:rVsrTYW+hCpjEn9+U1DKBp0LTD3ic7ij2VAk2Wswbh0fkZAphVjcsWD82g==,iv:f/pHpYPvVgbyeW6bxW85UAgqdKSv9qcmtn2c3pbmonk=,tag:UNyygC+M/rkeNLsq2ph+fQ==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age1zzqxk3z5anq53lz9g4rd7eatczfcd7vjszgggr47927mwe7hjfhq3tlad6
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZXFLaWdvdGFwWTFENld1
        dG1kNTkrMnRmTEFabGl1LzVaMDhQMkN6OUNzClJzT3lYN1RSYk1MN3RGck1ESy8x
        M0E1dUs0NWR6VG1nMUtkb1JRQzQzUTgKLS0tIE43L0RvM1BwMUJUSVdIL25RRmlX
        UmpvOHZhd1d0MGtpd0RwQ1MwMCsxbGcKO5ciYsakg92KaRDZnJ1fGpIxnPf2sU0+
        pXCZkhpryfmxMQ1n4loO58mp9Jhv7Pjdzs9O8Q44IHNDmAMsuv8I1g==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2023-03-18T14:45:41Z"
  mac: ENC[AES256_GCM,data:YNR3AjycNMPkXrXDzKBS4xnPeN7JYIILxDZpEFwotu4QFeOsnyQIb5JwkJccd+e8zQog+prvmS2l3R/kSTF4ejS1n+GxDJCKBudE1qD/MpBeewGbTb7kuw24EP6/MO3VzvYDTzOhGi0+mAdCOME8N5k7b3WYUr/IrLpus9tJKEs=,iv:UwIK+WQx/jIhJItt65P8qIgD0R+Jz3RPXqf0kxsYM7Y=,tag:6lybE27ONuyzxZPokhoChQ==,type:str]
  pgp: []
  encrypted_regex: ^(data|stringData)$
  version: 3.7.1
--------------------------------------------------------------------------------
/configs/staging/cluster-settings.yaml:
--------------------------------------------------------------------------------
---
# Per-cluster settings for the `staging` overlay; every address is on the
# 192.168.100.22x/24x range, disjoint from production's .21x/.200.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-settings
data:
  LB_IP_NGINX_INGRESS: 192.168.100.221
  LB_IP_NGINX_INGRESS_EXTERNAL: 192.168.100.220
  LB_IP_SYNCTHING_SVC: 192.168.100.224
  LB_IP_SFTPGO_SVC: 192.168.100.225
  LB_IP_BIND_SVC: 192.168.100.222
  LB_IP_BLOCKY_SVC: 192.168.100.223
  KUBEVIP_ADDRESS: 192.168.100.240
  CLUSTER_BIND9_ROLE: slave
--------------------------------------------------------------------------------
/configs/staging/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Staging config overlay: shared secrets/settings plus the per-cluster pair.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../shared-secrets.sops.yaml
  - ../shared-settings.yaml
  - cluster-secrets.sops.yaml
  - cluster-settings.yaml
--------------------------------------------------------------------------------