├── .github ├── actions │ └── tools │ │ ├── Dockerfile │ │ ├── action.yml │ │ └── entrypoint.sh ├── renovate.json5 ├── renovate │ ├── disabledDatasources.json5 │ └── groups.json5 └── workflows │ ├── e2e.yaml.dissabled │ ├── flux.yaml.disabled │ ├── schedule-renovate.yaml │ └── test.yaml ├── .gitignore ├── .sops.yaml ├── .sourceignore ├── LICENSE ├── README.md ├── README_template.md ├── ansible ├── README-proxmox.md ├── README.md ├── ansible.cfg ├── flux_install.yaml ├── group_vars │ └── all.yaml ├── hosts-production ├── hosts-test ├── hw_setup.yaml ├── hw_update.yaml ├── k3s_install.yaml ├── k3s_remove.yaml ├── proxmox_install.yaml ├── proxmox_remove.yaml ├── requirements.yml └── tasks │ ├── hw │ ├── apt.yaml │ ├── network.yaml │ └── system.yaml │ ├── k8s │ ├── kubernetes_node_settle.yaml │ ├── setLabels.yaml │ ├── setTaints.yaml │ └── unsetTaints.yaml │ └── proxmox │ └── state.yaml ├── apps ├── default │ ├── README.md │ ├── apache-musicindex │ │ ├── kustomization.yaml │ │ └── release.yaml │ ├── comics │ │ ├── kustomization.yaml │ │ ├── release.yaml │ │ └── secrets.yaml │ ├── deepstack │ │ ├── kustomization.yaml │ │ ├── release-fs.yaml │ │ ├── release.yaml │ │ └── secrets.yaml │ ├── esphome │ │ ├── kustomization.yaml │ │ ├── release-fs.yaml │ │ └── release.yaml │ ├── forgejo │ │ ├── kustomization.yaml │ │ ├── networkpolicy.yaml │ │ ├── nfs.yaml │ │ ├── release-db.yaml │ │ ├── release.yaml │ │ └── secret.yaml │ ├── gatus │ │ ├── kustomization.yaml │ │ ├── release-fs.yaml │ │ └── release.yaml │ ├── gow │ │ ├── kustomization.yaml │ │ ├── release-fs.yaml │ │ ├── release.yaml │ │ └── secret.yaml │ ├── hajimari │ │ ├── kustomization.yaml │ │ ├── release-fs.yaml │ │ ├── release.yaml │ │ └── secret.yaml │ ├── handbrake │ │ ├── kustomization.yaml │ │ ├── release-fs.yaml │ │ └── release.yaml │ ├── home-assistant │ │ ├── kustomization.yaml │ │ ├── networkpolicy.yaml │ │ ├── release-appdaemon.yaml │ │ ├── release-db.yaml │ │ ├── release-fs.yaml │ │ ├── release.yaml │ │ ├── 
secret-appdaemon.yaml │ │ └── secret.yaml │ ├── jellyfin │ │ ├── kustomization.yaml │ │ └── release.yaml │ ├── kustomization.yaml │ ├── lorawan │ │ ├── chirpstack-packet-multiplexer.yaml │ │ └── kustomization.yaml │ ├── mealie │ │ ├── kustomization.yaml │ │ ├── release-fs.yaml │ │ └── release.yaml │ ├── music-assistant │ │ ├── kustomization.yaml │ │ └── release.yaml │ ├── nextcloud │ │ ├── README.md │ │ ├── ingress-home.yaml │ │ ├── kustomization.yaml │ │ ├── nfs.yaml │ │ ├── release-collabora.yaml │ │ ├── release-db.yaml │ │ ├── release-push.yaml │ │ ├── release.yaml │ │ └── secret.yaml │ ├── novnc │ │ ├── helmrelease-freecad.yaml │ │ ├── helmrelease-kicad.yaml │ │ ├── helmrelease-prusaslicer.yaml │ │ └── kustomization.yaml │ ├── paperless │ │ ├── README.md │ │ ├── configmap-common.yaml │ │ ├── kustomization.yaml │ │ ├── release-casa.yaml │ │ ├── release-edu.yaml │ │ ├── release-javi.yaml │ │ ├── release-madrid.yaml │ │ ├── release-mireille-work.yaml │ │ └── release-recipes.yaml │ ├── photoprism │ │ ├── kustomization.yaml │ │ └── release.yaml │ ├── raspberrymatic │ │ ├── kustomization.yaml │ │ ├── release-fs.yaml │ │ └── release.yaml │ ├── recipes │ │ ├── kustomization.yaml │ │ ├── release-db.yaml │ │ ├── release-media-fs.yaml │ │ ├── release-static-fs.yaml │ │ ├── release.yaml │ │ └── secret.yaml │ ├── reverse-proxy │ │ ├── kustomization.yaml │ │ └── release.yaml │ ├── searxng │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── secret.yaml │ ├── tt-rss │ │ ├── kustomization.yaml │ │ ├── release-db.yaml │ │ ├── release.yaml │ │ └── secret.yaml │ └── unifi │ │ ├── README.md │ │ ├── kustomization.yaml │ │ ├── release-fs.yaml │ │ └── release.yaml ├── kube-system │ ├── README.md │ ├── kured │ │ ├── kustomization.yaml │ │ ├── release.yaml │ │ └── secret.yaml │ ├── kustomization.yaml │ └── reloader.yaml ├── kustomization.yaml └── vpn │ ├── kustomization.yaml │ ├── lidarr │ ├── helmrelease.yaml │ ├── kustomization.yaml │ └── release-fs.yaml │ ├── milar3 │ ├── 
helmrelease.yaml │ ├── kustomization.yaml │ └── release-fs.yaml │ ├── prowlarr │ ├── helmrelease.yaml │ ├── kustomization.yaml │ └── release-fs.yaml │ ├── qbittorrent │ ├── helmrelease.yaml │ ├── ingress-home.yaml │ ├── kustomization.yaml │ └── release-fs.yaml │ ├── radarr │ ├── helmrelease.yaml │ ├── kustomization.yaml │ └── release-fs.yaml │ ├── readarr │ ├── helmrelease.yaml │ ├── kustomization.yaml │ └── release-fs.yaml │ ├── sonarr │ ├── helmrelease.yaml │ ├── kustomization.yaml │ └── release-fs.yaml │ └── vnc │ ├── helmrelease-mega.yaml │ ├── helmrelease-ubuntu.yaml │ └── kustomization.yaml ├── base ├── 1_crds.yaml ├── 2_core.yaml ├── 3_apps.yaml ├── flux-system │ ├── gotk-components.yaml │ └── kustomization.yaml ├── kustomization.yaml ├── namespaces │ ├── authentik.yaml │ ├── ceph-rbd.yaml │ ├── ceph.yaml │ ├── cert-manager.yaml │ ├── default.yaml │ ├── kube-system.yaml │ ├── kubernetes-dashboard.yaml │ ├── kustomization.yaml │ ├── maddy.yaml │ ├── monitoring.yaml │ ├── nginx.yaml │ ├── postgres.yaml │ ├── rook-ceph.yaml │ ├── vpn-gateway.yaml │ └── vpn.yaml └── sources │ ├── README.md │ ├── angelnu-helm-charts.yaml │ ├── authentik.yaml │ ├── bjw-s-helm-charts.yaml │ ├── ceph-csi.yaml │ ├── forgejo.yaml │ ├── gitea.yaml │ ├── hajimari.yaml │ ├── infracloudio-charts.yaml │ ├── ingress-nginx.yaml │ ├── jetstack-charts.yaml │ ├── kubereboot-charts.yaml │ ├── kubernetes-dashboard.yaml │ ├── kustomization.yaml │ ├── metallb.yaml │ ├── mittwald.yaml │ ├── nextcloud.yaml │ ├── node-feature-discovery-charts.yaml │ ├── raspberrymatic.yaml │ ├── rook-ceph.yaml │ ├── searxng.yaml │ ├── stakater-charts.yaml │ ├── weaveworks.yaml │ ├── wobcom.yaml │ ├── zalando-postgres-operator.yaml │ └── zalando-postgres-ui.yaml ├── clusters ├── production │ ├── gotk-sync.yaml │ ├── kustomization.yaml │ └── settings.yaml └── staging │ ├── gotk-sync.yaml │ ├── kustomization.yaml │ └── settings.yaml ├── core ├── authentik │ ├── authentik-db.yaml │ ├── authentik-ingress.yaml │ ├── 
authentik-secret.yaml │ ├── authentik.yaml │ ├── kustomization.yaml │ └── ldap-service.yaml ├── ceph-rbd │ ├── kustomization.yaml │ ├── rbd.yaml │ └── secret.yaml ├── ceph │ ├── README.md │ ├── cephfs.yaml │ ├── kustomization.yaml │ └── secret.yaml ├── cert-manager │ ├── README.md │ ├── cert-manager-dnsmadeeasy.yaml │ ├── certificate.yaml │ ├── kustomization.yaml │ └── secret-dnsmadeeasy.yaml ├── flux-system │ ├── README.md │ ├── kustomization.yaml │ └── notifications │ │ ├── github_alert.yaml │ │ ├── github_provider.yaml │ │ ├── github_secret.yaml │ │ ├── kustomization.yaml │ │ ├── slack_alert.yaml │ │ └── slack_provider.yaml ├── kube-system │ ├── README.md │ ├── intel-gpu-plugin │ │ ├── kustomization.yaml │ │ └── release.yaml │ ├── kubernetes-replicator.yaml │ ├── kustomization.yaml │ ├── metallb.yaml │ ├── multus_network.yaml │ ├── node-feature-discovery │ │ ├── kustomization.yaml │ │ └── release.yaml │ └── weave-gitops-dashboard │ │ ├── kustomization.yaml │ │ └── release.yaml ├── kubernetes-dashboard │ ├── clusterRoleBinding.yaml │ ├── kustomization.yaml │ └── release.yaml ├── kustomization.yaml ├── maddy │ ├── kustomization.yaml │ ├── release-db.yaml │ ├── release-fs.yaml │ ├── release.yaml │ └── secret.yaml ├── monitoring │ ├── README.md │ ├── botkube │ │ ├── kustomization.yaml │ │ ├── release.yaml │ │ └── secret.yaml │ └── kustomization.yaml ├── nginx │ ├── README.md │ ├── kustomization.yaml │ └── release.yaml ├── postgres │ ├── README.md │ ├── kustomization.yaml │ └── ui.yaml ├── rook-ceph │ ├── README.md │ ├── kustomization.yaml │ └── operator.yaml ├── vpn-gateway │ ├── kustomization.yaml │ └── release.yaml └── vpn │ ├── kustomization.yaml │ ├── networkPolicy.yaml │ └── terminal.yaml ├── crds ├── cert-manager │ ├── README.md │ ├── cert-manager.yaml │ └── kustomization.yaml ├── kube-system │ ├── README.md │ ├── kustomization.yaml │ ├── metallb.yaml │ └── multus.yaml ├── kustomization.yaml ├── postgres │ ├── README.md │ ├── kustomization.yaml │ └── 
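operator.yaml └── rook-ceph │ ├── README.md │ ├── crds.yaml │ └── kustomization.yaml ├── scripts ├── find-unencrypted-secrets.sh ├── install_git_hooks.sh └── validate.sh └── settings ├── production ├── kustomization.yaml ├── secrets.yaml ├── secrets │ ├── airvpn.yaml │ ├── drone.yaml │ ├── git-ssh-key.pub │ ├── git-ssh-key.yaml │ ├── kustomization.yaml │ └── vpn.yaml └── settings.yaml ├── secrets.yaml ├── settings.yaml └── staging ├── kustomization.yaml ├── secrets.yaml ├── secrets ├── git-ssh-key.yaml ├── kustomization.yaml └── vpn.yaml └── settings.yaml
/.github/actions/tools/Dockerfile:
--------------------------------------------------------------------------------
# The base image is pinned by digest, so a re-tagged `latest` cannot silently
# change what this action runs on; bump the digest deliberately (Renovate can
# track it).
FROM stefanprodan/alpine-base:latest@sha256:be230171b01adc5e166899785e9419d90d1359d53a690bf72b8d34c05a1e3f6a

COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

ENTRYPOINT ["/entrypoint.sh"]
/.github/actions/tools/action.yml:
--------------------------------------------------------------------------------
name: 'kustomize'
description: 'A GitHub Action with Kubernetes tools'
author: 'Stefan Prodan'
branding:
  icon: 'command'
  color: 'blue'
runs:
  using: 'docker'
  image: 'Dockerfile'
/.github/actions/tools/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Installs the CLI tools the manifest-validation job needs (yq, kustomize,
# kubeval) into $GITHUB_WORKSPACE/bin and puts that directory on $GITHUB_PATH.
#
# Supply-chain note: the binaries are fetched from GitHub release URLs over TLS
# with pinned VERSIONS but, as written, without checksum or signature
# verification, so the job trusts whatever the release asset currently is.
# Fill in the *_SHA256 values below to make every download tamper-evident;
# until then verify_sha256 only prints a warning.
#
# kubeval (instrumenta/kubeval) appears to be archived upstream; confirm it is
# still the intended schema validator before relying on it.

# -o pipefail: a failing curl inside `curl | tar` must fail the step instead of
# being masked by tar's exit status.
set -euo pipefail

YQ_VERSION="3.4.1"
KUSTOMIZE_VERSION="3.9.2"
KUBEVAL_VERSION="0.15.0"

# Expected sha256 of each downloaded artifact. Empty means "not pinned yet".
YQ_SHA256=""
KUSTOMIZE_SHA256=""
KUBEVAL_SHA256=""

BIN_DIR="${GITHUB_WORKSPACE}/bin"
mkdir -p "${BIN_DIR}"

# Download into a scratch directory so archives never end up in the checkout.
WORK_DIR="$(mktemp -d)"
trap 'rm -rf "${WORK_DIR}"' EXIT
cd "${WORK_DIR}"

# verify_sha256 FILE EXPECTED
# Fails the step if FILE does not hash to EXPECTED. Skipped with a warning while
# EXPECTED is empty so the action keeps working until the sums are pinned.
verify_sha256() {
  local file="$1" expected="$2"
  if [ -z "${expected}" ]; then
    echo "::warning::no sha256 pinned for ${file}; download is unverified"
    return 0
  fi
  echo "${expected}  ${file}" | sha256sum -c - >/dev/null
}

# curl -f: fail on HTTP errors instead of saving an HTML error page as the binary.
# yq ships as a bare binary.
curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o yq
verify_sha256 yq "${YQ_SHA256}"
install -m 0755 yq "${BIN_DIR}/yq"

# kustomize and kubeval ship as tarballs: download, verify, then unpack.
kustomize_url="https://github.com/kubernetes-sigs/kustomize/releases/download"
curl -fsSL "${kustomize_url}/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_amd64.tar.gz" -o kustomize.tar.gz
verify_sha256 kustomize.tar.gz "${KUSTOMIZE_SHA256}"
tar xzf kustomize.tar.gz
install -m 0755 kustomize "${BIN_DIR}/kustomize"

curl -fsSL "https://github.com/instrumenta/kubeval/releases/download/${KUBEVAL_VERSION}/kubeval-linux-amd64.tar.gz" -o kubeval.tar.gz
verify_sha256 kubeval.tar.gz "${KUBEVAL_SHA256}"
tar xzf kubeval.tar.gz
install -m 0755 kubeval "${BIN_DIR}/kubeval"

# Expose the tools to later steps. The second line is presumably the same
# directory as seen from the runner host (the Docker action sees it under
# GITHUB_WORKSPACE, the host under RUNNER_WORKSPACE/<repo>).
echo "${BIN_DIR}" >> "${GITHUB_PATH}"
echo "${RUNNER_WORKSPACE}/$(basename "${GITHUB_REPOSITORY}")/bin" >> "${GITHUB_PATH}"
/.github/renovate/disabledDatasources.json5:
--------------------------------------------------------------------------------
{
  "packageRules": [
    {
      "description": "Disable kubernetes-api",
      "matchManagers": ["kubernetes"],
      "matchDatasources": ["kubernetes-api"],
      "enabled": false
    }
  ]
}
/.github/renovate/groups.json5:
--------------------------------------------------------------------------------
{
  "packageRules": [
    {
      "description": "Cert-Manager image (for CRDs) and chart",
      "groupName": "Cert-Manager",
      "matchPackagePatterns": ["cert-manager"],
      "matchDatasources": ["docker", "helm"],
      "group": { "commitMessageTopic": "{{{groupName}}} group" },
      "separateMinorPatch": true
    },
    {
      "description": "Node Feature Discovery kustomization (for CRDs) and chart",
      "groupName": "Node Feature Discovery",
      "matchPackagePatterns": ["node-feature-discovery"],
      "matchDatasources": ["helm", "github-tags"],
      "group": { "commitMessageTopic": "{{{groupName}}} group" },
      "separateMinorPatch": true
    },
    {
      "description": "Rook-Ceph image and chart",
      "groupName": "Rook-Ceph",
      "matchPackagePatterns": ["rook.ceph"],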
"matchDatasources": ["docker", "helm"], 24 | "group": { "commitMessageTopic": "{{{groupName}}} group" }, 25 | "separateMinorPatch": true 26 | } 27 | ] 28 | } -------------------------------------------------------------------------------- /.github/workflows/e2e.yaml.dissabled: -------------------------------------------------------------------------------- 1 | # name: e2e 2 | # Does not work with encrypted secrets 3 | 4 | # on: 5 | # push: 6 | # branches-ignore: 7 | # - 'main' 8 | # tags-ignore: 9 | # - '*' 10 | 11 | # jobs: 12 | # kubernetes: 13 | # runs-on: ubuntu-latest 14 | # steps: 15 | # - name: Checkout 16 | # uses: actions/checkout@v2 17 | # - name: Setup tools 18 | # uses: ./.github/actions/tools 19 | # - name: Setup Flux 20 | # uses: fluxcd/flux2/action@main 21 | # - name: Setup Kubernetes 22 | # uses: engineerd/setup-kind@v0.5.0 23 | # - name: Install Flux in Kubernetes Kind 24 | # run: flux install 25 | # - name: Setup cluster reconciliation 26 | # run: | 27 | # flux create source git flux-system \ 28 | # --url=${{ github.event.repository.html_url }} \ 29 | # --branch=${GITHUB_REF#refs/heads/} 30 | # flux create kustomization flux-system \ 31 | # --source=flux-system \ 32 | # --path=./clusters/staging 33 | # - name: Verify cluster reconciliation 34 | # run: | 35 | # kubectl -n flux-system wait kustomization/infrastructure --for=condition=ready --timeout=1m 36 | # kubectl -n flux-system wait kustomization/apps --for=condition=ready --timeout=1m 37 | # - name: Verify helm reconciliation 38 | # run: | 39 | # kubectl -n nginx wait helmrelease/nginx --for=condition=ready --timeout=1m 40 | # kubectl -n redis wait helmrelease/redis --for=condition=ready --timeout=1m 41 | # kubectl -n podinfo wait helmrelease/podinfo --for=condition=ready --timeout=1m 42 | # - name: Debug failure 43 | # if: failure() 44 | # run: | 45 | # kubectl -n flux-system get all 46 | # kubectl -n flux-system logs deploy/source-controller 47 | # kubectl -n flux-system logs 
deploy/kustomize-controller 48 | # kubectl -n flux-system logs deploy/helm-controller 49 | -------------------------------------------------------------------------------- /.github/workflows/flux.yaml.disabled: -------------------------------------------------------------------------------- 1 | name: update-flux 2 | 3 | # from https://github.com/billimek/k8s-gitops/blob/master/.github/workflows/flux.yaml 4 | 5 | on: 6 | workflow_dispatch: 7 | # schedule: 8 | # - cron: "0 0 * * *" 9 | 10 | jobs: 11 | components: 12 | runs-on: ubuntu-latest 13 | steps: 14 | - name: Check out code 15 | uses: actions/checkout@v3 16 | - name: Setup Flux CLI 17 | uses: billimek/flux2/action@isolate_flux_binary 18 | - name: Update Flux components 19 | id: update 20 | run: | 21 | UGLY_VERSION="$(bin/flux -v)" 22 | VERSION="v${UGLY_VERSION#*flux version }" 23 | bin/flux install --version="${VERSION}" \ 24 | --export > ./base/flux-system/gotk-components.yaml 25 | echo "::set-output name=flux_version::$VERSION" 26 | - name: Create pull request for Flux update 27 | uses: peter-evans/create-pull-request@v4 28 | with: 29 | token: ${{ secrets.GITHUB_TOKEN }} 30 | branch: "flux/update-${{ steps.update.outputs.flux_version }}" 31 | delete-branch: true 32 | title: "chore(deps): update flux components to ${{ steps.update.outputs.flux_version }} [ci-skip]" 33 | signoff: true 34 | committer: "${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>" 35 | author: "${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>" 36 | assignees: "angelnu" 37 | commit-message: "chore(deps): update flux components to ${{ steps.update.outputs.flux_version }} [ci-skip]" 38 | body: | 39 | Release notes: https://github.com/fluxcd/flux2/releases/tag/${{ steps.update.outputs.flux_version }} 40 | Signed-off-by: Angel Nunez Mencias 41 | labels: flux/update 42 | -------------------------------------------------------------------------------- /.github/workflows/schedule-renovate.yaml: 
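--------------------------------------------------------------------------------
---
name: Schedule - Renovate

# Security notes:
# - The reusable workflow below is referenced at a moving branch (`@main`) and
#   receives the GitHub App private key through `secrets:`. Whoever can push to
#   that branch controls what runs with the key; pin the reference to a full
#   commit SHA (`...@<sha> # main`) and let Renovate bump it.
# - `pull_request` is a trigger. GitHub withholds repository secrets from PRs
#   that come from forks (those runs fail at `app_private_key`), but PRs from
#   branches of this repository DO get the key, and with no `dryRun` input
#   they perform a real Renovate run. Confirm that is intended.

on:
  workflow_dispatch:
    inputs:
      dryRun:
        description: "Dry-Run"
        default: false
        required: false
        type: boolean
      logLevel:
        description: "Log-Level"
        default: "debug"
        required: false
  schedule:
    - cron: "0 * * * *"
  pull_request:
  merge_group:
  push:
    branches:
      - main
    paths:
      - ".github/renovate.json5"
      - ".github/renovate/**.json"
      - ".github/renovate/**.json5"
      - ".github/workflows/schedule-renovate.yaml"

jobs:
  renovate:
    name: Renovate
    # TODO(security): pin to a commit SHA instead of the mutable `main` ref.
    uses: angelnu/github-workflows/.github/workflows/run-renovate.yaml@main
    with:
      configurationFile: ".github/renovate.json5"
      dryRun: ${{ inputs.dryRun || 'false' }}
      renovateLogLevel: ${{ inputs.logLevel || 'debug' }}
    secrets:
      app_id: ${{ secrets.ANGELNU_APP_ID }}
      app_private_key: ${{ secrets.ANGELNU_APP_PRIVATE_KEY }}
--------------------------------------------------------------------------------
/.github/workflows/test.yaml:
--------------------------------------------------------------------------------
name: test

on:
  pull_request:
  push:

# Least privilege: this job only reads the checkout and runs a validator, so
# the GITHUB_TOKEN (read/write by default depending on repository settings) is
# restricted to read-only.
permissions:
  contents: read

jobs:
  manifests:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Prefer pinning third-party actions to a full commit SHA
        # (`@<sha> # v4`) rather than a mutable tag.
        uses: actions/checkout@v4
      - name: Setup tools
        uses: ./.github/actions/tools
      - name: Validate manifests
        run: ./scripts/validate.sh
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib

# Test binary, built with `go test -c`
*.test

# Output of the go coverage tool, specifically when used with LiteIDE
*.out

bin/
.vscode/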
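--------------------------------------------------------------------------------
/.sops.yaml:
--------------------------------------------------------------------------------
# SOPS creation rules for the secrets committed to this repo. The decrypting
# private key is installed into the cluster as the `sops-gpg` secret by
# ansible/flux_install.yaml (presumably consumed by Flux's kustomize-controller).
#
# Only values whose KEY matches `encrypted_regex` get encrypted; every other
# value stays plaintext in git, so this regex is the security boundary:
#   (?i)                 case-insensitive for the whole group (SOPS is Go/RE2,
#                        so the folding also applies to the [^N] class)
#   pass|key|token       any key containing these substrings (e.g. apiKey)
#   secret($|[^N])       `secret` unless followed by N/n, so `secretName`
#                        references stay readable
#   ^data$|^stringData   the payload of Kubernetes Secret objects
# `scripts/find-unencrypted-secrets.sh` in this repo is the check that nothing
# slipped past the rule; keep it in the git hooks (install_git_hooks.sh).
creation_rules:
  - encrypted_regex: '((?i)(pass|secret($|[^N])|key|token|^data$|^stringData))'
    # Recipient PGP fingerprint.
    pgp: >-
      E61087FD0DC8B3AA734061498564C79FC27F08E2
--------------------------------------------------------------------------------
/.sourceignore:
--------------------------------------------------------------------------------
# Flux ignore
# https://toolkit.fluxcd.io/components/source/gitrepositories/#excluding-files
.github/
ansible/
scripts/
*.md
--------------------------------------------------------------------------------
/ansible/README-proxmox.md:
--------------------------------------------------------------------------------
# Changes done in the installed Proxmox

These changes have been done manually and are not automated with Ansible yet.

## GPU passthrough

1. Edit `/etc/default/grub`
   `GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0 intel_iommu=on vfio-pci.ids=8086:3ea5 video=efifb:off video=vesafb:off"`
2. `update-grub`
3. Edit `/etc/modprobe.d/blacklist.conf`
   ```
   blacklist snd_hda_intel
   blacklist snd_hda_codec_hdmi
   blacklist i915
   blacklist sof_pci_dev
   blacklist radeon
   blacklist nouveau
   blacklist nvidia
   ```
4. Reboot
5. Add GPU to PCI passthrough in the proxmox UI (VM Hardware tab)
   - Not needed - implemented in Ansible (see the `hostpci` entries in `hosts-production`)

More info in [forum](https://forum.proxmox.com/threads/intel-nuc-igpu-passthrough-working-in-linux-guest-but-not-in-windows-10-guest.71861/)

## Mail server

1. In one node:
   1. Create file `/etc/pve/postfix_google_passwd`:
      ```sh
      #Not longer using gmail
      [smtp.gmail.com]:587 :
      ```
      This file holds relay credentials: keep it root-only (`chmod 0600`) and, if the `smtp_sasl_password_maps` line below is ever re-enabled, run `postmap /etc/pve/postfix_google_passwd` after editing so the `hash:` map is rebuilt.
   2. Create file `/etc/pve/postfix_smtp_headers_checks`:
2. In all nodes:
   1. Add the block below to `/etc/postfix/main.cf`:
      ```sh
      # Instructions from https://forum.proxmox.com/threads/get-postfix-to-send-notifications-email-externally.59940/
      # also do:
      # - apt install postfix-pcre libsasl2-modules
      # - systemctl restart postfix.service
      # echo "Test mail from postfix" | mail -s "Test Postfix from $(hostname)" test@mydomain.com

      #Settings for google (not longer used)
      #relayhost = [smtp.gmail.com]:587
      #smtp_use_tls = yes
      #smtp_sasl_auth_enable = yes
      #smtp_sasl_security_options = noanonymous
      #smtp_sasl_password_maps = hash:/etc/pve/postfix_google_passwd

      relayhost = :25
      smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
      smtp_header_checks = pcre:/etc/pve/postfix_smtp_headers_checks
      #mydestination = $myhostname, localhost.$mydomain, localhost
      ```
      Note: with `smtp_use_tls` commented out and no `smtp_tls_security_level` set, `smtp_tls_CAfile` alone does not make Postfix use TLS towards the relay; add `smtp_tls_security_level = encrypt` (or at least `may`) if the relay supports it.
   2. `apt install postfix-pcre libsasl2-modules`
   3. `systemctl status postfix.service`
--------------------------------------------------------------------------------
/ansible/README.md:
--------------------------------------------------------------------------------
# Ansible setup

My cluster is made of a mix of arm64 and x86_64 nodes:
- [production](hosts-production)
- [test](hosts-test)

The test cluster runs as Proxmox VMs (`hoster=pve*` in `hosts-test`); the earlier lxd-based setup is deprecated (see below).

## Settings

See [group_vars](group_vars/all.yaml).

Secrets are encrypted with [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html). The vault password is stored in plaintext at `~/.vault_pass.txt` as configured in [ansible.cfg](ansible.cfg); keep that file mode 0600 and out of backups that leave the machine. This is the only password that needs to be remembered; all other secrets are stored vault-encrypted under it.

If a password needs to be changed use the command `ansible-vault encrypt_string` from this folder - it will ask you to enter the content to encrypt; finish with Ctrl-D.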
## Dependencies

Install all required galaxy collections and roles with `ansible-galaxy install -r requirements.yml`

## Install

0. Create nodes
   ```
   ansible-playbook -i hosts-production proxmox_install.yaml
   ```
1. Prepare nodes
   ```
   ansible-playbook -i hosts-production hw_setup.yaml
   ```
2. Install K3S cluster
   ```
   ansible-playbook -i hosts-production k3s_install.yaml
   ```
3. Install flux2
   ```
   ansible-playbook -i hosts-production flux_install.yaml
   ```

## Update Host OS
```
ansible-playbook -i hosts-production hw_update.yaml
```

## Update Flux

This should not be needed since there is a GitHub workflow (`.github/workflows/flux.yaml`, currently disabled) to do this automatically via PR.

1. Update
   ```
   flux install --export > base/flux-system/gotk-components.yaml
   ```
   (this is the file the workflow writes; there is no `clusters/staging/flux-system/` directory in this repo)

## Uninstall

1. Uninstall flux2
   ```
   flux uninstall
   ```
2. Uninstall k3s
   ```
   ansible-playbook -i hosts-production k3s_remove.yaml
   ```
3. 
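Delete VMs
   ```
   ansible-playbook -i hosts-production proxmox_remove.yaml
   ```

## Deprecated
- lxd
- microk8s
--------------------------------------------------------------------------------
/ansible/ansible.cfg:
--------------------------------------------------------------------------------
[defaults]
# Plaintext vault password on the operator machine: keep it mode 0600 and out
# of any sync/backup that leaves the host. Everything in the vault is only as
# secret as this file.
vault_password_file = ~/.vault_pass.txt
--------------------------------------------------------------------------------
/ansible/flux_install.yaml:
--------------------------------------------------------------------------------
- name: "Prepare nodes"
  hosts: nodes
  tasks:

  - name: Create flux NS
    shell: |
      {{ KUBECTL_BIN }} create ns {{ FLUX_NAMESPACE }}
    run_once: True
    register: result
    failed_when:
      - "'already exists' not in result.stderr"
      - result.rc != 0
    changed_when:
      - "result.stderr is not search('already exists')"

  # Supply-chain note: the installer script is fetched over HTTPS and executed
  # with no checksum or signature check, and it in turn downloads the flux
  # binary. Add `checksum:` to get_url (and pin a flux version) once the
  # expected hash is known.
  - name: Download flux2 installer
    get_url:
      url: https://toolkit.fluxcd.io/install.sh
      dest: /tmp/flux2-installer.sh
      mode: u+rwx
    register: flux2_download

  - name: Execute the flux2-installer.sh
    shell: /tmp/flux2-installer.sh
    when: flux2_download.changed

  - name: "Check flux prerequisites"
    shell: flux check --pre
    changed_when: false
    when: inventory_hostname in groups["masters"]

  # Same caveat as the installer: the .deb is installed straight from the
  # release URL without a checksum.
  - name: Install SOPS
    apt:
      deb: https://github.com/mozilla/sops/releases/download/v{{ SOPS_VERSION }}/sops_{{ SOPS_VERSION }}_amd64.deb
    when: ansible_architecture == "x86_64"

  # SOPS_GPG is the PGP *private* key that decrypts every secret in this repo.
  # It is passed to gpg on stdin rather than `echo`ed as a command-line
  # argument (which exposes it in `ps` and in the recorded command), and the
  # task is `no_log` so the key never lands in Ansible output or log files.
  # `changed_when` still works: the result is registered, just not printed.
  - name: Install SOPS GPG key
    shell: >
      gpg --batch
      --pinentry-mode loopback
      --import
    args:
      stdin: "{{ SOPS_GPG }}"
    no_log: true
    register: result
    changed_when:
      - "result.stderr is not search('not changed')"

  # The same key goes to kubectl via `--from-file=sops.asc=/dev/stdin` instead
  # of `--from-literal`, again keeping it off the command line. Only the first
  # kubectl reads stdin; the second one reads the pipe.
  - name: Create secret with SOPS GPG key
    shell: >
      {{ KUBECTL_BIN }} create -n {{ FLUX_NAMESPACE }} secret generic sops-gpg
      --save-config
      --dry-run=client
      --from-file=sops.asc=/dev/stdin
      -o yaml
      | {{ KUBECTL_BIN }} apply -f -
    args:
      stdin: "{{ SOPS_GPG }}"
    no_log: true
    run_once: True
    register: result
    changed_when:
      - "result.stdout is search('created')"

- name: "Install (if needed) flux"
  hosts: nodes[0]
  gather_facts: false #Already queried
  tasks:

  - name: "Deploy flux to cluster if crd fluxcd.io missing"
    shell: >
      {{ KUBECTL_BIN }} apply -k ../{{ FLUX_GIT_PATH }}
    environment:
      KUBECONFIG: "{{ KUBECTL_CONFIG }}"
    delegate_to: localhost
    register: result
    changed_when:
      - "result.stdout is search('created')"
    until: result is succeeded
    retries: 60
    delay: 5 #due to CRDs
--------------------------------------------------------------------------------
/ansible/hosts-production:
--------------------------------------------------------------------------------
# Ansible connects as root (see [all:vars]). hw_setup.yaml documents enabling
# `PermitRootLogin prohibit-password`, i.e. key-only root SSH; keep it that way.
[masters]
k3s1 hoster=pve1 hostpci="{'hostpci0': 'host=0000:00:02'}" k8s_labels="[]" #k8s_untaints="{'node-role.kubernetes.io/master':''}"
k3s2 hoster=pve2 hostpci="{'hostpci0': 'host=0000:00:02'}" k8s_labels="[]"
k3s3 hoster=pve3 hostpci="{'hostpci0': 'host=0000:00:02'}" k8s_labels="['HomematicHW=True']"

[workers]
k3s4 hoster=pve4 hostpci="{'hostpci0': 'host=0000:01:00,rombar=0'}" k8s_labels="[]"

[nodes:children]
masters
workers

[all:vars]
production=True
ansible_user=root
ansible_python_interpreter=/usr/bin/python3
--------------------------------------------------------------------------------
/ansible/hosts-test:
--------------------------------------------------------------------------------
[masters]
test-k3s1 hoster=pve1 k8s_labels="[]" #k8s_untaints="{'node-role.kubernetes.io/master':''}"
test-k3s2 hoster=pve2 k8s_labels="[]"
test-k3s3 hoster=pve3 k8s_labels="['HomematicHW=True']"

[workers]


[nodes:children]
masters
workers

[all:vars]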
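production=False
ansible_user=root
ansible_python_interpreter=/usr/bin/python3
--------------------------------------------------------------------------------
/ansible/hw_setup.yaml:
--------------------------------------------------------------------------------
#Install depencies before running this script
#Expect that user anunez exists
# - apt-get install openssh-server python vim
# - ip add add 192.168.2.3
# - allow ssh as root -> uncomment "PermitRootLogin prohibit-password" in "/etc/ssh/sshd_config"
#   (prohibit-password keeps root key-only; do not widen it to "yes")
# - ssh-copy-id then "cp -a /home/anunez/.ssh /root;chown -R root:root /root/.ssh"
- name: Setup HW to run Kubernetes
  hosts: all

  tasks:

  # - name: Add and update packages
  #   import_tasks: tasks/hw/apt.yaml

  - name: Setup system parameters (boot, hosts, timzone)
    import_tasks: tasks/hw/system.yaml

  # - name: Setup network parameters
  #   import_tasks: tasks/hw/network.yaml


  # # check if we need a reboot
  # - name: check if reboot needed
  #   stat: path=/var/run/reboot-required
  #   register: reboot_required_file

  # - name: Need reboot?
  #   when: reboot_required_file.stat.exists
  #   set_fact: need_reboot=True

  # #Reboot if needed at the end
  # - name: Reboot immediately if there was a change.
  #   shell: "sleep 5 && reboot"
  #   async: 1
  #   poll: 0
  #   when: need_reboot | default(False)

  # - name: Wait for the reboot to complete if there was a change.
  #   wait_for_connection:
  #     connect_timeout: 20
  #     sleep: 5
  #     delay: 5
  #     timeout: 300
  #   when: need_reboot | default(False)

- name: "Prepare nodes for development"
  hosts: nodes
  tasks:
  # authorized_keys is rendered from SSH_PUB_KEYS_2_INSTALL (presumably defined
  # in group_vars/all.yaml). The file is created if missing and kept 0600 so
  # sshd's StrictModes accepts it.
  # Fix: the template used to emit a stray `"` after every key value, which
  # ended up in the key's comment field.
  - name: Insert/update ssh authorised_keys
    blockinfile:
      path: .ssh/authorized_keys
      create: true
      mode: "0600"
      block: |
        {%- for key in SSH_PUB_KEYS_2_INSTALL %}
        #{{ key.description }}
        {{ key.value }}
        {% endfor %}

  # Private SSH material (SSH_FILES_2_INSTALL) is written owner-only.
  - name: Copy ssh files
    copy:
      dest: ".ssh/{{ item.key }}"
      mode: 0600
      content: "{{ item.value }}"
    with_items: '{{ SSH_FILES_2_INSTALL | dict2items }}'

  - name: Insert/Update bash aliases
    blockinfile:
      path: .bashrc
      block: |
        {%- for alias in ALIAS_2_INSTALL %}
        alias {{ alias }}="{{ ALIAS_2_INSTALL[alias] }}"
        {% endfor %}
--------------------------------------------------------------------------------
/ansible/hw_update.yaml:
--------------------------------------------------------------------------------
- name: Update HW OS
  hosts: all

  tasks:

  - name: Update system (after refreshing caches)
    apt:
      update_cache: yes
      cache_valid_time: 600
      upgrade: yes
      autoremove: true
    register: result

  - name: Reboot
    shell: sleep 2 && reboot
    async: 1
    poll: 0
    ignore_errors: true
    when: result is changed

  - name: Wait for the reboot to complete if there was a change.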
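# (continuation of the "Wait for the reboot to complete" task in hw_update.yaml)
    wait_for_connection:
      connect_timeout: 20
      sleep: 5
      delay: 5
      timeout: 300
    when: result is changed
--------------------------------------------------------------------------------
/ansible/k3s_remove.yaml:
--------------------------------------------------------------------------------
# Backs up the cluster's TLS secrets before tearing k3s down, then runs the
# xanmanning.k3s role in its uninstall state.
#
# The backup holds the private keys of every kubernetes.io/tls secret in
# PLAINTEXT and is written on every node (hosts: nodes) to
# K8S_TLS_SECRETS_BACKUP. Treat that path as sensitive: restrict its
# permissions and delete it once the certificates have been restored.
#
# Fix: the original file contained this backup play twice, back to back (a
# copy/paste artifact); the second run only rewrote the same file, so it is
# dropped here.
- hosts: nodes
  tasks:
  - name: export TLS certs secrets
    shell: |
      {{ KUBECTL_BIN }} get -o yaml \
        --all-namespaces \
        secrets --field-selector type==kubernetes.io/tls > {{ K8S_TLS_SECRETS_BACKUP }}-new && \
      mv {{ K8S_TLS_SECRETS_BACKUP }}-new {{ K8S_TLS_SECRETS_BACKUP }}
    failed_when: False #Ignore errors

  # - name: export TLS certs
  #   shell: |
  #     {{ KUBECTL_BIN }} get -o yaml \
  #       --all-namespaces \
  #       issuer,clusterissuer,certificates,certificaterequests >> cert-manager-backup.yaml
  #   failed_when: False #Ignore errors

- hosts: nodes
  vars:
    k3s_state: uninstalled
  roles:
    - role: xanmanning.k3s
--------------------------------------------------------------------------------
/ansible/proxmox_remove.yaml:
--------------------------------------------------------------------------------
- name: "Prepare nodes for development"
  hosts: nodes
  gather_facts: false
  tasks:

  # Stops, then deletes, the VM named after the inventory host. `force: yes`
  # hard-stops a running VM, so this is destructive by design; the inventory
  # passed with `-i` (hosts-production vs hosts-test) is the only thing
  # selecting which cluster gets wiped -- double-check it.
  # The Proxmox API password comes from the `proxmox` variable (presumably
  # vault-encrypted, per ansible/README.md); the module declares
  # `api_password` as no_log, so it should not appear in verbose output --
  # confirm with -vvv against the test inventory.
  - name: Delete VM
    delegate_to: localhost
    community.general.proxmox_kvm:
      node: "{{ hoster }}"
      api_host: "{{ proxmox.api.host }}"
      api_user: "{{ proxmox.api.user }}"
      api_password: "{{ proxmox.api.password }}"
      proxmox_default_behavior: no_defaults

      name: "{{ inventory_hostname }}"
      state: "{{ item }}"
      force: "yes"
    register: result
    failed_when:
      - ("msg" in result)
      - ('does not exist in cluster' not in result.msg)
      - ('is already stopped' not in result.msg)
    until: result is succeeded
    retries: 60 # wait until stopped
    delay: 1
    loop:
      - stopped
      - absent
--------------------------------------------------------------------------------
/ansible/requirements.yml:
--------------------------------------------------------------------------------
# All dependencies are version-pinned. The role is pulled from a git TAG,
# which is mutable; pin a commit SHA if the role's provenance matters.
collections:
  - name: community.general
    version: 10.7.0
  - name: community.sops
    version: 2.0.5
roles:
  - name: xanmanning.k3s
    src: https://github.com/PyratLabs/ansible-role-k3s.git
    version: v3.4.4
--------------------------------------------------------------------------------
/ansible/tasks/hw/apt.yaml:
--------------------------------------------------------------------------------
# Package bootstrap for the nodes.
#
# Security fix: the install/remove tasks used `force: yes`, which maps to
# `apt-get --force-yes` and implies `allow_unauthenticated: yes` -- packages
# with a bad or missing signature would be installed. Only the downgrade
# aspect is needed here (PACKAGES may pin exact versions as `name=version`),
# so the install tasks use `allow_downgrade` instead and apt's signature
# checks stay on. `allow_downgrade` needs ansible-core >= 2.12; the pinned
# community.general 10.x targets a newer core than that, but verify with
# `ansible --version`.
- name: Install Bootstrap Packages
  apt:
    name: "{{BOOTSTRAP_PACKAGES}}"
    allow_downgrade: yes
    state: present

- name: Update system (after refreshing caches)
  apt:
    update_cache: yes
    upgrade: safe

- name: Install Packages
  apt:
    name: "{{PACKAGES}}"
    allow_downgrade: yes
    state: present

# Hold every package that was pinned to an explicit version so `upgrade`
# does not move it.
- name: Prevent packages with versions from being upgraded
  dpkg_selections:
    name: "{{ item }}"
    selection: hold
  with_items: "{{ PACKAGES | map('regex_search','.*=.*') | select('string') | map('regex_replace','(.*)=.*','\\1') | list }}"

- name: Remove Packages
  apt:
    name: "{{ PACKAGES2REMOVE }}"
    state: absent
--------------------------------------------------------------------------------
/ansible/tasks/hw/network.yaml: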
-------------------------------------------------------------------------------- 1 | - name: "Create fix network IP" 2 | copy: 3 | dest: /etc/netplan/99fixIP.yaml # NOTE(review): no mode is set, so the file gets default umask permissions; recent netplan versions warn when files under /etc/netplan are readable by others, so consider mode: "0600" 4 | content: | 5 | # This file describes the network interfaces available on your system 6 | # For more information, see netplan(5). 7 | network: 8 | version: 2 9 | renderer: networkd 10 | ethernets: 11 | eno0: 12 | match: 13 | name: en* 14 | dhcp4: false 15 | dhcp6: false 16 | bridges: 17 | br0: 18 | dhcp4: true 19 | dhcp6: true 20 | interfaces: 21 | - eno0 22 | addresses: 23 | - {{fix_ip_address}} 24 | register: result 25 | when: fix_ip_address | default(False) 26 | 27 | - name: refresh netplan 28 | shell: "netplan apply" # NOTE(review): no shell features are needed here, so ansible.builtin.command runs it without spawning a shell (ansible-lint: command-instead-of-shell) 29 | when: result.changed 30 | 31 | # # Add Kubernetes internal DNS server to host -> needed for glusterfs client to resolve nodes 32 | # - name: Check if old resolv.conf is being used - /etc/resolvconf/resolv.conf.d/tail 33 | # stat: 34 | # path: "/etc/resolvconf/resolv.conf.d/tail" 35 | # register: isOldResolv 36 | # #Handle legacy resolv.conf 37 | # - name: "Add Kubernetes internal DNS to host resolv" 38 | # blockinfile: 39 | # path: /etc/resolvconf/resolv.conf.d/head 40 | # block: | 41 | # options rotate 42 | # options timeout:1 43 | # nameserver 10.96.0.10 44 | # register: result 45 | # when: isOldResolv.stat.exists 46 | # - name: Restart resolvconf service 47 | # systemd: 48 | # name: resolvconf 49 | # state: restarted 50 | # enabled: yes 51 | # daemon_reload: yes 52 | # when: "isOldResolv.stat.exists and result | changed" 53 | # #Handle systemd handling DNS 54 | # - name: "Create fix resolv.conf" 55 | # copy: 56 | # dest: /etc/resolv.conf 57 | # content: | 58 | # # This file was created by ansible 59 | # nameserver 10.96.0.10 60 | # nameserver 127.0.0.53 61 | # search fritz.box 62 | # when: "isOldResolv.stat.exists == False" 63 | -------------------------------------------------------------------------------- /ansible/tasks/k8s/kubernetes_node_settle.yaml: 
-------------------------------------------------------------------------------- 1 | - name: Wait for node to be ready 2 | shell: "{{ KUBECTL_BIN }} get nodes -o json {{inventory_hostname}}" # NOTE(review): no shell features are used in this or the label/taint tasks, so ansible.builtin.command would run kubectl without a shell 3 | environment: "{{KUBECTL_ENV}}" 4 | delegate_to: "{{KUBELET_PRIMARY_MASTER_HOSTNAME}}" 5 | register: result 6 | vars: 7 | queryStr: "status.conditions[?reason=='KubeletReady'].status" 8 | until: result is succeeded and (result.stdout | from_json | json_query(queryStr) == ['True']) 9 | retries: 60 10 | delay: 5 11 | changed_when: false 12 | 13 | - name: "Cache last node description as json variable" 14 | set_fact: last_k8s_node_info={{result.stdout | from_json}} 15 | -------------------------------------------------------------------------------- /ansible/tasks/k8s/setLabels.yaml: -------------------------------------------------------------------------------- 1 | - name: Set labels 2 | shell: "{{ KUBECTL_BIN }} label nodes {{inventory_hostname}} --overwrite {{ item.key }}={{ item.value }}" # NOTE(review): inventory_hostname, item.key and item.value are interpolated unquoted into a shell command line, so a value containing shell metacharacters changes the command; prefer ansible.builtin.command or apply the quote filter to each (the same applies to the taint tasks) 3 | environment: "{{KUBECTL_ENV}}" 4 | delegate_to: "{{KUBELET_PRIMARY_MASTER_HOSTNAME}}" 5 | register: result 6 | with_dict: "{{ k8s_labels if (k8s_labels is defined) else {} }}" 7 | changed_when: 8 | - "'not labeled' not in result.stdout| join('')" # NOTE(review): result.stdout is already a string, so join('') is a no-op here 9 | -------------------------------------------------------------------------------- /ansible/tasks/k8s/setTaints.yaml: -------------------------------------------------------------------------------- 1 | - name: Set taints 2 | shell: "{{ KUBECTL_BIN }} taint nodes {{inventory_hostname}} {{ item.key }}={{ item.value }}" # NOTE(review): same unquoted interpolation as in setLabels.yaml 3 | environment: "{{KUBECTL_ENV}}" 4 | delegate_to: "{{KUBELET_PRIMARY_MASTER_HOSTNAME}}" 5 | register: result 6 | with_dict: "{{ k8s_taints if (k8s_taints is defined) else {} }}" 7 | changed_when: 8 | - "'taint(s) with same effect(s)' not in result.stderr| join('')" 9 | failed_when: 10 | - "'taint(s) with same effect(s)' not in result.stderr| join('')" 11 | - result.rc != 0 12 | 
-------------------------------------------------------------------------------- /ansible/tasks/k8s/unsetTaints.yaml: -------------------------------------------------------------------------------- 1 | - name: Unset taints 2 | shell: "{{ KUBECTL_BIN }} taint nodes {{inventory_hostname}} {{ item.key }}:{{ item.value }}-" # NOTE(review): inventory_hostname, item.key and item.value are interpolated unquoted into a shell command line; prefer ansible.builtin.command or the quote filter so a value with shell metacharacters cannot change the command 3 | environment: "{{KUBECTL_ENV}}" 4 | delegate_to: "{{KUBELET_PRIMARY_MASTER_HOSTNAME}}" 5 | register: result 6 | with_dict: "{{ k8s_untaints if (k8s_untaints is defined) else {} }}" 7 | changed_when: 8 | - "'taint(s) with same effect(s)' not in result.stderr| join('')" 9 | failed_when: 10 | - "'taint(s) with same effect(s)' not in result.stderr| join('')" # NOTE(review): this guard looks copied from setTaints.yaml; on removal kubectl reports a missing taint with a different message (a "not found" error, as far as I recall), so removing an already-absent taint would still fail the task — confirm the intended idempotency 11 | - result.rc != 0 12 | -------------------------------------------------------------------------------- /ansible/tasks/proxmox/state.yaml: -------------------------------------------------------------------------------- 1 | - delegate_to: localhost 2 | block: 3 | - name: set state to {{ target_state }} 4 | delegate_to: localhost # NOTE(review): redundant, the enclosing block already delegates to localhost 5 | community.general.proxmox_kvm: 6 | node: "{{ hoster }}" 7 | api_host: "{{ proxmox.api.host }}" 8 | api_user: "{{ proxmox.api.user }}" 9 | api_password: "{{ proxmox.api.password }}" 10 | proxmox_default_behavior: no_defaults 11 | 12 | name: "{{ inventory_hostname }}" 13 | state: "{{ target_state }}" 14 | force: "{{ force | default('no') }}" 15 | register: result 16 | until: (result is succeeded) and (result is not changed) 17 | retries: 60 # wait until stopped 18 | delay: 1 19 | -------------------------------------------------------------------------------- /apps/default/apache-musicindex/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - release.yaml 6 | -------------------------------------------------------------------------------- /apps/default/comics/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - secrets.yaml 5 | - release.yaml -------------------------------------------------------------------------------- /apps/default/deepstack/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - secrets.yaml 5 | - release-fs.yaml 6 | - release.yaml 7 | -------------------------------------------------------------------------------- /apps/default/deepstack/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: deepstack-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: deepstack-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: deepstack-pv 18 | spec: 19 | storageClassName: deepstack-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/deepstack 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. 
keeping same for brevity 41 | volumeHandle: deepstack-pv 42 | persistentVolumeReclaimPolicy: Delete 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/default/deepstack/secrets.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: deepstack-keys 5 | #Password generate with https://generate.plus/en/base64 6 | stringData: 7 | API-KEY: ENC[AES256_GCM,data:j+EIzKv5lAbV40BG7x3WoTmKDV9255kwk1ovGzqfdVttpJJguI8dKmiewA==,iv:clgqxdKOBqYqXyqrJ+Lim9zYJ08RUBF5oGi57aEJixY=,tag:u+01Mk093/76/oTreF5q4Q==,type:str] 8 | ADMIN-KEY: ENC[AES256_GCM,data:/0d6uLc4imI959tXb4GS001K35uinf2RSWf35tbLnWrMi0pP62iLpF4ryg==,iv:E3h5oY/TN/0dQesdUfDsA1E5pIUY7iJFFcw0d75Csz8=,tag:4ZlkB/spWEGgmKQAG54MUg==,type:str] 9 | sops: 10 | kms: [] 11 | gcp_kms: [] 12 | azure_kv: [] 13 | hc_vault: [] 14 | age: [] 15 | lastmodified: "2024-12-28T13:16:36Z" 16 | mac: ENC[AES256_GCM,data:MVVKCyFis2f48kgsFmRJDeu2wv3uwBfPf3XitHPmrQbKGCPQmQ0yj88NmZk2HsrefuAZA1LfZzNfcKhwKjUkRB3ovNlzculxMVU//TEje26Ww7UDhvvtW8V/+tKIWos2j9XcPxW4OSxLDHlHaEiKyVACOWycNqeXfAJx3m7NpgM=,iv:GkO83UKPI67qURfTrm9umgljqgyKePXJ0ygwqcgksHg=,tag:I1gDQgOdn2uuhVslz7zxAw==,type:str] 17 | pgp: 18 | - created_at: "2021-02-06T22:26:03Z" 19 | enc: | 20 | -----BEGIN PGP MESSAGE----- 21 | 22 | hQIMA2CuQNd5ml+/AQ/9GHzYbKml+FrvNKkmUiAzL874+hqzASaUtxzVvQBjhHCx 23 | g9/cQ5rhHx1vbkrTPALAIxJyvZinZE/H4MFE039X0gH5eIzS3qNCcLFczBw5QGYL 24 | vkvEmCRn5pF+JxSiQXUw5ipYF9AWLITkb2ew/l6IMkXWcwQaDbERrBvlI2Lr1Mix 25 | Rc0X/jTEUwHDhbWFKXQ9fNwoW/rNqmiyUeHPV7i/XRI/RZgcTK1kofN7wS5cy6wF 26 | 0uKBXdGrM6/U21iGFxc7S0YNYDgZwwW4FuEVbMs7H+TxK9pck9oxXws0myAdkMKW 27 | MhJUMyWBUM58PGw98sNEllOMq2MCkKr5fNjd9uDE9CQJmPbA+OvqhX1NyN7tE0A6 28 | /u0O5OZPh9PFaYLTrTQxZJuhDoE75vjWfSB1F8FXw9DMFl8a4VkZHQQXOynVPMwN 29 | krUZ8O1xoJ7YS6TaIdDMVRBRSoKAYbCBMEBRIqfMZsmnU316NW10f3I7zyiu8Zhx 30 | q+8Oh6ovVWy8a/DciLdJJjkKze28eYLRcAgFquKNtgiEOR6nA0bVA0yz6aWGFbHk 31 
| gb0AHRym9WwrvI4005mIF4u1QsVReEQmv8dLwgOV3SiUDOhaMJt27XZ/c3ayWgHP 32 | OLV5izVSeeMDbEJMPpbVkHXzOd4PM02MKCrq+JVuQ4NEb4yoe1gu3XKhKNbi+IrS 33 | XAGY3d/+ImT7SBPzs8yKGZ8MnpoMTK4utFKvFJum+bXb9FMAffG7hGnoRt+5xfFe 34 | mIM6NpEKL5aW3jSdkqjKXlIr0ljnBb5wo+XUCl0QK5LX2VPBeHInYFaEszSP 35 | =Ts27 36 | -----END PGP MESSAGE----- 37 | fp: E61087FD0DC8B3AA734061498564C79FC27F08E2 38 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 39 | version: 3.9.0 40 | -------------------------------------------------------------------------------- /apps/default/esphome/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - release.yaml 6 | -------------------------------------------------------------------------------- /apps/default/esphome/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: esphome-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteMany 11 | - ReadOnlyMany 12 | storageClassName: esphome-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: esphome-pv 18 | spec: 19 | storageClassName: esphome-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteMany 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": 
"true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/esphome 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. keeping same for brevity 41 | volumeHandle: esphome-pv 42 | persistentVolumeReclaimPolicy: Delete # NOTE(review): this is a static CephFS volume (staticVolume=true); ceph-csi documents Retain for static PVs because the driver cannot delete them, and the gatus/gow/hajimari/home-assistant PVs in this tree already use Retain — deepstack, handbrake and mealie share this Delete setting, confirm it is intended 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/default/forgejo/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - networkpolicy.yaml 5 | - nfs.yaml 6 | - secret.yaml 7 | - release-db.yaml 8 | - release.yaml 9 | -------------------------------------------------------------------------------- /apps/default/forgejo/networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: forgejo 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app.kubernetes.io/name: forgejo 9 | ingress: 10 | - from: 11 | # Allow ssh ingress 12 | - ipBlock: 13 | cidr: "0.0.0.0/0" # NOTE(review): world-open by design for git-over-ssh; note that with policyTypes Ingress this policy admits only TCP/2222 to the forgejo pods, so HTTP from the ingress controller must be allowed by another policy in the namespace or the web UI is cut off — and if SSH only arrives via the load balancer/router, narrowing this CIDR to that source reduces exposure 14 | ports: 15 | - protocol: TCP 16 | port: 2222 17 | endPort: 2222 18 | policyTypes: 19 | - Ingress 20 | -------------------------------------------------------------------------------- /apps/default/forgejo/nfs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolume 3 | metadata: 4 | name: nfs-forgejo 5 | spec: 6 | storageClassName: forgejo-storageclass 7 | capacity: 8 | storage: 18T 9 | accessModes: 10 | - ReadWriteMany 11 | mountOptions: 12 | - local_lock=posix 13 | - nfsvers=4.1 14 | nfs: 15 | server: "${NFS_SERVER}" 16 | path: "${NFS_KUBERNETES}/gitea/data" 17 | --- 18 | apiVersion: v1 19 | kind: PersistentVolumeClaim 20 | metadata: 21 | name: nfs-forgejo 22 | spec: 23 | accessModes: 24 | - ReadWriteMany 25 | storageClassName: forgejo-storageclass 26 | resources: 27 | 
requests: 28 | storage: 1T -------------------------------------------------------------------------------- /apps/default/forgejo/release-db.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: forgejo-db 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | chart: zalando-postgres-cluster 10 | version: 4.1.1 11 | interval: 15m 12 | sourceRef: 13 | kind: HelmRepository 14 | name: angelnu-helm-charts 15 | namespace: flux-system 16 | #See https://github.com/angelnu/helm-charts/blob/main/charts/apps/zalando-postgres-cluster/values.yaml 17 | values: 18 | 19 | postgresql: 20 | users: 21 | postgres: 22 | - superuser 23 | - createdb 24 | databases: 25 | gitea: postgres 26 | postgresql: 27 | version: "15" 28 | 29 | superuser: {} 30 | # password: set in secret 31 | 32 | persistentVolumes: 33 | hostPath: /media/db/gitea 34 | replicaNodes: 35 | - ${CLUSTER_DB_NODE_0} 36 | - ${CLUSTER_DB_NODE_1} 37 | - ${CLUSTER_DB_NODE_2} 38 | 39 | dumpBackup: 40 | enabled: true 41 | type: custom 42 | volumeSpec: 43 | nfs: 44 | server: "${NFS_SERVER}" 45 | path: "${NFS_KUBERNETES}/${CLUSTER_DB_BACKUP_PREFIX}/gitea" 46 | subpath: "." 
47 | schedule: "@daily" 48 | 49 | valuesFrom: 50 | - kind: Secret 51 | name: "forgejo-helm-values" 52 | valuesKey: postgres.yaml 53 | optional: false 54 | -------------------------------------------------------------------------------- /apps/default/gatus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - release.yaml 6 | -------------------------------------------------------------------------------- /apps/default/gatus/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: gatus-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: gatus-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: gatus-pv 18 | spec: 19 | storageClassName: gatus-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/gatus 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. 
keeping same for brevity 41 | volumeHandle: gatus-pv 42 | persistentVolumeReclaimPolicy: Retain 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/default/gow/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - secret.yaml 6 | - release.yaml -------------------------------------------------------------------------------- /apps/default/gow/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: gow-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: gow-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: gow-pv 18 | spec: 19 | storageClassName: gow-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/gow 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. 
keeping same for brevity 41 | volumeHandle: gow-pv 42 | persistentVolumeReclaimPolicy: Retain 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/default/gow/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: games-on-whales 5 | #Password generate with https://generate.plus/en/base64 6 | stringData: 7 | values.yaml: ENC[AES256_GCM,data:SMX+NrMIZXKgKJLfE0p0+iUccVcu2LeRr2Sm4DBHarJwvr069RCXrseVlXiYdhomSivgPwBl3M7VehqvZ/JNTOutfsFwh/Vw1ugH0OLZuAf4o2F4+jIysW+Qw+zYQnDy4tqZpn9KU3+3BgVNOTz6msuVe39dWsqxcq2anJEBvJtPuMI=,iv:UY5Bv+JlPzwXlecvTXJ7BHhu51RSaUlMsWuPdgHOciE=,tag:fXZ3UMUXgjyAWuY4jljJvg==,type:str] 8 | sops: 9 | kms: [] 10 | gcp_kms: [] 11 | azure_kv: [] 12 | hc_vault: [] 13 | age: [] 14 | lastmodified: "2021-08-24T01:35:27Z" 15 | mac: ENC[AES256_GCM,data:KGsZCz+b2NgFjmhByTw+Z7nY/L79Tv6QrUodrjiMknSiG4xQjRiESwGJ2jYHeTtvoAtYf5l4S3R99GCC4148NJiiJWY7BKTDXuUvwFgtv6XnvP59DgtsTUofgfceN0FQC5xVvDg767KggL83HG62cvvctNEoR0BOjeyWfx++E7Q=,iv:WI0fy8j8BPuhF/AW1WJZkvNr1zAXSI4nj/igs2DJ6Xg=,tag:bbXVIdKwksB0EKaxdmIwwg==,type:str] 16 | pgp: 17 | - created_at: "2021-02-06T22:26:03Z" 18 | enc: | 19 | -----BEGIN PGP MESSAGE----- 20 | 21 | hQIMA2CuQNd5ml+/AQ/9GHzYbKml+FrvNKkmUiAzL874+hqzASaUtxzVvQBjhHCx 22 | g9/cQ5rhHx1vbkrTPALAIxJyvZinZE/H4MFE039X0gH5eIzS3qNCcLFczBw5QGYL 23 | vkvEmCRn5pF+JxSiQXUw5ipYF9AWLITkb2ew/l6IMkXWcwQaDbERrBvlI2Lr1Mix 24 | Rc0X/jTEUwHDhbWFKXQ9fNwoW/rNqmiyUeHPV7i/XRI/RZgcTK1kofN7wS5cy6wF 25 | 0uKBXdGrM6/U21iGFxc7S0YNYDgZwwW4FuEVbMs7H+TxK9pck9oxXws0myAdkMKW 26 | MhJUMyWBUM58PGw98sNEllOMq2MCkKr5fNjd9uDE9CQJmPbA+OvqhX1NyN7tE0A6 27 | /u0O5OZPh9PFaYLTrTQxZJuhDoE75vjWfSB1F8FXw9DMFl8a4VkZHQQXOynVPMwN 28 | krUZ8O1xoJ7YS6TaIdDMVRBRSoKAYbCBMEBRIqfMZsmnU316NW10f3I7zyiu8Zhx 29 | q+8Oh6ovVWy8a/DciLdJJjkKze28eYLRcAgFquKNtgiEOR6nA0bVA0yz6aWGFbHk 30 | gb0AHRym9WwrvI4005mIF4u1QsVReEQmv8dLwgOV3SiUDOhaMJt27XZ/c3ayWgHP 31 | 
OLV5izVSeeMDbEJMPpbVkHXzOd4PM02MKCrq+JVuQ4NEb4yoe1gu3XKhKNbi+IrS 32 | XAGY3d/+ImT7SBPzs8yKGZ8MnpoMTK4utFKvFJum+bXb9FMAffG7hGnoRt+5xfFe 33 | mIM6NpEKL5aW3jSdkqjKXlIr0ljnBb5wo+XUCl0QK5LX2VPBeHInYFaEszSP 34 | =Ts27 35 | -----END PGP MESSAGE----- 36 | fp: E61087FD0DC8B3AA734061498564C79FC27F08E2 37 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 38 | version: 3.7.1 39 | -------------------------------------------------------------------------------- /apps/default/hajimari/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - secret.yaml 6 | - release.yaml 7 | -------------------------------------------------------------------------------- /apps/default/hajimari/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: hajimari-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: hajimari-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: hajimari-pv 18 | spec: 19 | storageClassName: hajimari-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": 
/k8s/${CLUSTER_ENV}/hajimari 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. keeping same for brevity 41 | volumeHandle: hajimari-pv 42 | persistentVolumeReclaimPolicy: Retain 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/default/handbrake/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - release.yaml 6 | -------------------------------------------------------------------------------- /apps/default/handbrake/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: handbrake-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: handbrake-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: handbrake-pv 18 | spec: 19 | storageClassName: handbrake-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/handbrake 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. 
keeping same for brevity 41 | volumeHandle: handbrake-pv 42 | persistentVolumeReclaimPolicy: Delete # NOTE(review): static CephFS PV; ceph-csi documents Retain for static volumes (the gatus/gow/hajimari/home-assistant PVs use Retain) — confirm Delete is intended 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/default/handbrake/release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: handbrake 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | chart: app-template 12 | version: 3.7.3 13 | interval: 15m 14 | sourceRef: 15 | kind: HelmRepository 16 | name: bjw-s-helm-charts 17 | namespace: flux-system 18 | # See https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml 19 | values: 20 | controllers: 21 | main: 22 | containers: 23 | app: 24 | image: 25 | repository: docker.io/jlesage/handbrake 26 | tag: v25.02.3@sha256:a38454f9cd97786846b21ddb7e1b5363bade4a9dedd329b9a8c18f2b76b14608 27 | env: 28 | TZ: "Europe/Berlin" 29 | 30 | persistence: 31 | config: 32 | enabled: true 33 | existingClaim: handbrake-pvc 34 | videos: 35 | enabled: true 36 | type: custom 37 | volumeSpec: 38 | nfs: 39 | server: "${NFS_SERVER}" 40 | path: "${NFS_VIDEO}" 41 | downloads: 42 | enabled: true 43 | type: custom 44 | volumeSpec: 45 | nfs: 46 | server: "${NFS_SERVER}" 47 | path: "${NFS_DOWNLOADS}" 48 | 49 | service: 50 | main: 51 | controller: main 52 | ports: 53 | http: 54 | port: 5800 55 | vnc: 56 | enabled: false 57 | port: 5900 58 | 59 | ingress: 60 | main: 61 | enabled: true 62 | annotations: 63 | hajimari.io/enable: "true" 64 | hajimari.io/icon: file-video 65 | hajimari.io/info: Video editor 66 | hajimari.io/group: media 67 | hosts: 68 | - host: handbrake.pub.${CLUSTER_DOMAIN} # NOTE(review): no authentication is configured anywhere in this release (only TZ is set) and the HandBrake GUI has read/write access to the NFS video and download shares; confirm that the reverse proxy in front of this .pub host, or the image's own web-authentication option, protects it before it is reachable from outside 69 | paths: &paths 70 | - path: / 71 | pathType: Prefix 72 | service: 73 | identifier: main 74 | 
port: http 75 | - host: handbrake.home.${CLUSTER_DOMAIN} 76 | paths: *paths 77 | -------------------------------------------------------------------------------- /apps/default/home-assistant/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - networkpolicy.yaml 5 | - secret.yaml 6 | - secret-appdaemon.yaml 7 | - release-db.yaml 8 | - release-fs.yaml 9 | - release.yaml 10 | - release-appdaemon.yaml 11 | -------------------------------------------------------------------------------- /apps/default/home-assistant/networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: home-assistant 5 | spec: 6 | podSelector: 7 | matchLabels: 8 | app.kubernetes.io/name: home-assistant 9 | ingress: 10 | - from: 11 | # Allow homematic ingress from K8S 12 | - ipBlock: 13 | cidr: "10.0.0.0/8" 14 | # Allow homematic ingress from lan 15 | - ipBlock: 16 | cidr: "192.0.0.0/8" # NOTE(review): 192.0.0.0/8 is far wider than the private 192.168.0.0/16 and includes public address space; given the "from lan" comment above this looks like a typo for 192.168.0.0/16 (or the actual LAN subnet) — confirm. Also, this rule names no ports, so both CIDRs may reach every port of the home-assistant pods, not only the homematic one 17 | policyTypes: 18 | - Ingress 19 | -------------------------------------------------------------------------------- /apps/default/home-assistant/release-db.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: home-assistant-db 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | chart: zalando-postgres-cluster 10 | version: 4.1.1 11 | interval: 15m 12 | sourceRef: 13 | kind: HelmRepository 14 | name: angelnu-helm-charts 15 | namespace: flux-system 16 | #See https://github.com/angelnu/helm-charts/blob/main/charts/apps/zalando-postgres-cluster/values.yaml 17 | values: 18 | 19 | postgresql: 20 | volume: 21 | size: "10Gi" 22 | users: 23 | postgres: 24 | - superuser 25 | - createdb 26 | databases: 27 | postgres: postgres 28 | 
postgresql: 29 | version: "15" 30 | 31 | superuser: {} 32 | # password: set in secret 33 | 34 | persistentVolumes: 35 | hostPath: /media/db/home-assistant 36 | replicaNodes: 37 | - ${CLUSTER_DB_NODE_0} 38 | - ${CLUSTER_DB_NODE_1} 39 | - ${CLUSTER_DB_NODE_2} 40 | 41 | dumpBackup: 42 | enabled: true 43 | type: custom 44 | volumeSpec: 45 | nfs: 46 | server: "${NFS_SERVER}" 47 | path: "${NFS_KUBERNETES}/${CLUSTER_DB_BACKUP_PREFIX}/home-assistant" 48 | subpath: "." 49 | schedule: "@daily" 50 | 51 | valuesFrom: 52 | - kind: Secret 53 | name: "home-assistant-helm-values" 54 | valuesKey: postgres.yaml 55 | optional: false 56 | -------------------------------------------------------------------------------- /apps/default/home-assistant/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: home-assistant-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: home-assistant-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: home-assistant-pv 18 | spec: 19 | storageClassName: home-assistant-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/home-assistant 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume 
name. keeping same for brevity 41 | volumeHandle: home-assistant-pv 42 | persistentVolumeReclaimPolicy: Retain 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/default/home-assistant/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: home-assistant-helm-values 5 | #Password generate with https://generate.plus/en/base64 6 | stringData: 7 | postgres.yaml: ENC[AES256_GCM,data:yzH7dsLhNvqdFOgnB+JyWKV+hZnI/j1kTdrrbmknzz4bOmvZR6P/m+vUPkcQtnZnaR/LhwaIDi8OGFbg5kG+VlDsQb/S5P6YAiUWV7R8tB2In8RRW85HTOF8,iv:bMYbGFu9EMquG8+9l4GfrzZNo2fwHcN7m2PNINXvdgo=,tag:Q9OyfFzqmhWLcMVvlT0IlA==,type:str] 8 | sops: 9 | kms: [] 10 | gcp_kms: [] 11 | azure_kv: [] 12 | hc_vault: [] 13 | lastmodified: '2021-03-30T21:51:14Z' 14 | mac: ENC[AES256_GCM,data:q3aDq8pWUX34LkZWvDQR0Qkr+cIruX+setjqpq/1copM8uT29FNphIVJCAQWpXUbgswyOVyVNsx+9eI8HLl3bawR4/EKlggD3OI7d0dtQnleayXznswD1yRlPM3riRlvOcNwhHEiHGoUP9OOwsDmqwx2uitp0kXf2xsz28r2K/g=,iv:t2T7L1mh99znrNwrr+Btv7mlwZ+Xw231/itHvl/Xp6c=,tag:C1wCLr0AJp0HfUNbpiuG3g==,type:str] 15 | pgp: 16 | - created_at: '2021-02-06T22:26:03Z' 17 | enc: | 18 | -----BEGIN PGP MESSAGE----- 19 | 20 | hQIMA2CuQNd5ml+/AQ/9GHzYbKml+FrvNKkmUiAzL874+hqzASaUtxzVvQBjhHCx 21 | g9/cQ5rhHx1vbkrTPALAIxJyvZinZE/H4MFE039X0gH5eIzS3qNCcLFczBw5QGYL 22 | vkvEmCRn5pF+JxSiQXUw5ipYF9AWLITkb2ew/l6IMkXWcwQaDbERrBvlI2Lr1Mix 23 | Rc0X/jTEUwHDhbWFKXQ9fNwoW/rNqmiyUeHPV7i/XRI/RZgcTK1kofN7wS5cy6wF 24 | 0uKBXdGrM6/U21iGFxc7S0YNYDgZwwW4FuEVbMs7H+TxK9pck9oxXws0myAdkMKW 25 | MhJUMyWBUM58PGw98sNEllOMq2MCkKr5fNjd9uDE9CQJmPbA+OvqhX1NyN7tE0A6 26 | /u0O5OZPh9PFaYLTrTQxZJuhDoE75vjWfSB1F8FXw9DMFl8a4VkZHQQXOynVPMwN 27 | krUZ8O1xoJ7YS6TaIdDMVRBRSoKAYbCBMEBRIqfMZsmnU316NW10f3I7zyiu8Zhx 28 | q+8Oh6ovVWy8a/DciLdJJjkKze28eYLRcAgFquKNtgiEOR6nA0bVA0yz6aWGFbHk 29 | gb0AHRym9WwrvI4005mIF4u1QsVReEQmv8dLwgOV3SiUDOhaMJt27XZ/c3ayWgHP 30 | 
OLV5izVSeeMDbEJMPpbVkHXzOd4PM02MKCrq+JVuQ4NEb4yoe1gu3XKhKNbi+IrS 31 | XAGY3d/+ImT7SBPzs8yKGZ8MnpoMTK4utFKvFJum+bXb9FMAffG7hGnoRt+5xfFe 32 | mIM6NpEKL5aW3jSdkqjKXlIr0ljnBb5wo+XUCl0QK5LX2VPBeHInYFaEszSP 33 | =Ts27 34 | -----END PGP MESSAGE----- 35 | fp: E61087FD0DC8B3AA734061498564C79FC27F08E2 36 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 37 | version: 3.6.1 38 | -------------------------------------------------------------------------------- /apps/default/jellyfin/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release.yaml 5 | -------------------------------------------------------------------------------- /apps/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: default 4 | resources: 5 | - apache-musicindex 6 | - comics 7 | - deepstack 8 | - esphome 9 | - gatus 10 | - forgejo 11 | #- gow 12 | - hajimari 13 | - handbrake 14 | - home-assistant 15 | - jellyfin 16 | - lorawan 17 | - mealie 18 | - music-assistant 19 | - nextcloud 20 | - novnc 21 | - paperless 22 | - photoprism 23 | - searxng 24 | # - raspberrymatic 25 | - recipes 26 | - reverse-proxy 27 | - tt-rss 28 | - unifi 29 | -------------------------------------------------------------------------------- /apps/default/lorawan/chirpstack-packet-multiplexer.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: chirpstack-packet-multiplexer 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | chart: chirpstack-packet-multiplexer 10 | version: 3.0.0 11 | interval: 15m 12 | sourceRef: 13 | kind: HelmRepository 14 | name: angelnu-helm-charts 15 | namespace: flux-system 16 | 
#See https://github.com/angelnu/helm-charts/blob/main/charts/apps/chirpstack-packet-multiplexer/values.yaml 17 | values: 18 | image: 19 | repository: ghcr.io/angelnu/chirpstack-packet-multiplexer 20 | tag: d8b5ed08c5fff375cd60d7a1af302d0a4237237c 21 | 22 | log_level: 4 23 | 24 | backend_hosts: 25 | #- "lorawan-server:1700" 26 | - "eu1.cloud.thethings.network:1700" 27 | 28 | gateway_ids: 29 | - "A840411DBD104150" #Casa96 30 | - "a840411e9d604150" #Pueblo 31 | - "a840411ecd404150" #Madrid 32 | 33 | service: 34 | main: 35 | annotations: 36 | metallb.universe.tf/loadBalancerIPs: ${CLUSTER_EXTERNAL_SUBNET_PREFIX}.${CLUSTER_LB_LORAFWD} 37 | type: LoadBalancer 38 | -------------------------------------------------------------------------------- /apps/default/lorawan/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - chirpstack-packet-multiplexer.yaml 5 | 6 | -------------------------------------------------------------------------------- /apps/default/mealie/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - release.yaml 6 | -------------------------------------------------------------------------------- /apps/default/mealie/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: mealie-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: mealie-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: mealie-pv 18 | spec: 19 | storageClassName: mealie-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - 
ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/mealie 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. keeping same for brevity 41 | volumeHandle: mealie-pv 42 | persistentVolumeReclaimPolicy: Delete 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/default/music-assistant/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release.yaml 5 | -------------------------------------------------------------------------------- /apps/default/nextcloud/README.md: -------------------------------------------------------------------------------- 1 | # Notes 2 | 3 | ## Upgrade from CLI 4 | 5 | ``` 6 | su www-data -s occ upgrade 7 | ``` 8 | 9 | ## Adding a folder manually moved to Nextcloud 10 | 11 | ``` 12 | sudo -u www-data php -d memory_limit=-1 /var/www/html/occ files:scan --path=anunez/files/Software/Devices -vv 13 | ``` -------------------------------------------------------------------------------- /apps/default/nextcloud/ingress-home.yaml: -------------------------------------------------------------------------------- 1 | kind: Ingress 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: nextcloud-home 5 | annotations: 6 | hajimari.io/enable: "false" 7 | 
nginx.ingress.kubernetes.io/proxy-body-size: 4G 8 | # nginx.ingress.kubernetes.io/server-snippet: |- 9 | # server_tokens off; 10 | # proxy_hide_header X-Powered-By; 11 | 12 | # rewrite ^/.well-known/webfinger /public.php?service=webfinger last; 13 | # rewrite ^/.well-known/host-meta /public.php?service=host-meta last; 14 | # rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json; 15 | # location = /.well-known/carddav { 16 | # return 301 $scheme://$host/remote.php/dav; 17 | # } 18 | # location = /.well-known/caldav { 19 | # return 301 $scheme://$host/remote.php/dav; 20 | # } 21 | # location = /robots.txt { 22 | # allow all; 23 | # log_not_found off; 24 | # access_log off; 25 | # } 26 | # location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { 27 | # deny all; 28 | # } 29 | # location ~ ^/(?:autotest|occ|issue|indie|db_|console) { 30 | # deny all; 31 | # } 32 | nginx.ingress.kubernetes.io/enable-global-auth: "false" 33 | spec: 34 | tls: 35 | - hosts: 36 | - nextcloud.home.${CLUSTER_DOMAIN} 37 | rules: 38 | - host: nextcloud.home.${CLUSTER_DOMAIN} 39 | http: 40 | paths: 41 | - path: / 42 | pathType: Prefix 43 | backend: 44 | service: 45 | name: nextcloud 46 | port: 47 | number: 8080 -------------------------------------------------------------------------------- /apps/default/nextcloud/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ingress-home.yaml 5 | - nfs.yaml 6 | - secret.yaml 7 | - release-db.yaml 8 | - release.yaml 9 | - release-collabora.yaml 10 | - release-push.yaml 11 | -------------------------------------------------------------------------------- /apps/default/nextcloud/nfs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolume 3 | metadata: 4 | name: nfs-nextcloud 5 | spec: 6 | storageClassName: 
nextcloud-storageclass 7 | capacity: 8 | storage: 18T 9 | accessModes: 10 | - ReadWriteMany 11 | mountOptions: 12 | - local_lock=posix 13 | - nfsvers=4.1 14 | nfs: 15 | server: "${NFS_SERVER}" 16 | path: "${NFS_KUBERNETES}/nextcloud" 17 | --- 18 | apiVersion: v1 19 | kind: PersistentVolumeClaim 20 | metadata: 21 | name: nfs-nextcloud 22 | spec: 23 | accessModes: 24 | - ReadWriteMany 25 | storageClassName: nextcloud-storageclass 26 | resources: 27 | requests: 28 | storage: 1T -------------------------------------------------------------------------------- /apps/default/nextcloud/release-collabora.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: nextcloud-collabora 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | chart: app-template 12 | version: 3.7.3 13 | interval: 15m 14 | sourceRef: 15 | kind: HelmRepository 16 | name: bjw-s-helm-charts 17 | namespace: flux-system 18 | # See https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml 19 | values: 20 | controllers: 21 | main: 22 | containers: 23 | app: 24 | image: 25 | repository: collabora/code 26 | tag: 24.04.13.3.1 27 | env: 28 | extra_params: --o:ssl.termination=true --o:ssl.enable=false 29 | rawResources: 30 | autoscaling: 31 | enabled: true 32 | apiVersion: autoscaling/v2 33 | kind: HorizontalPodAutoscaler 34 | spec: 35 | spec: 36 | scaleTargetRef: 37 | apiVersion: apps/v1 38 | kind: Deployment 39 | name: nextcloud-collabora 40 | minReplicas: 1 41 | maxReplicas: 3 42 | metrics: 43 | - type: Resource 44 | resource: 45 | name: cpu 46 | target: 47 | type: Utilization 48 | averageUtilization: 50 49 | 50 | service: 51 | main: 52 | controller: main 53 | ports: 54 | http: 55 | port: 9980 56 | 57 | 
ingress: 58 | main: 59 | enabled: true 60 | annotations: 61 | hajimari.io/enable: "false" 62 | nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc" 63 | #nginx.ingress.kubernetes.io/whitelist-source-range: "${INGRESS_WHITELIST_SOURCE_RANGE}" 64 | nginx.ingress.kubernetes.io/enable-global-auth: "false" 65 | hosts: 66 | - host: collabora.pub.${CLUSTER_DOMAIN} 67 | paths: 68 | - path: / 69 | pathType: Prefix 70 | service: 71 | identifier: main 72 | port: http 73 | -------------------------------------------------------------------------------- /apps/default/nextcloud/release-db.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: nextcloud-db 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | chart: zalando-postgres-cluster 10 | version: 4.1.1 11 | interval: 15m 12 | sourceRef: 13 | kind: HelmRepository 14 | name: angelnu-helm-charts 15 | namespace: flux-system 16 | #See https://github.com/angelnu/helm-charts/blob/main/charts/apps/zalando-postgres-cluster/values.yaml 17 | values: 18 | 19 | postgresql: 20 | users: 21 | postgres: 22 | - superuser 23 | - createdb 24 | databases: 25 | postgres: postgres 26 | postgresql: 27 | version: "15" 28 | 29 | superuser: {} 30 | # password: set in secret 31 | 32 | persistentVolumes: 33 | hostPath: /media/db/nextcloud 34 | replicaNodes: 35 | - ${CLUSTER_DB_NODE_0} 36 | - ${CLUSTER_DB_NODE_1} 37 | - ${CLUSTER_DB_NODE_2} 38 | 39 | dumpBackup: 40 | enabled: true 41 | type: custom 42 | volumeSpec: 43 | nfs: 44 | server: "${NFS_SERVER}" 45 | path: "${NFS_KUBERNETES}/${CLUSTER_DB_BACKUP_PREFIX}/nextcloud" 46 | subpath: "." 
47 | schedule: "@daily" 48 | 49 | valuesFrom: 50 | - kind: Secret 51 | name: "nextcloud-helm-values" 52 | valuesKey: postgres.yaml 53 | optional: false 54 | -------------------------------------------------------------------------------- /apps/default/novnc/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helmrelease-freecad.yaml 5 | - helmrelease-kicad.yaml 6 | - helmrelease-prusaslicer.yaml -------------------------------------------------------------------------------- /apps/default/paperless/README.md: -------------------------------------------------------------------------------- 1 | # Setting a user as admin 2 | 3 | 1. Log into paperless container 4 | 2. `python manage.py shell` 5 | 3. ``` 6 | from django.contrib.auth.models import User 7 | user = User.objects.get(username="myname") 8 | user.is_staff = True 9 | user.is_admin = True 10 | user.is_superuser = True 11 | user.save() 12 | ``` -------------------------------------------------------------------------------- /apps/default/paperless/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - configmap-common.yaml 5 | - release-casa.yaml 6 | - release-mireille-work.yaml 7 | - release-javi.yaml 8 | - release-edu.yaml 9 | - release-madrid.yaml 10 | - release-recipes.yaml 11 | -------------------------------------------------------------------------------- /apps/default/paperless/release-casa.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: 
paperless-casa 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | chart: app-template 12 | version: 3.7.3 13 | interval: 15m 14 | sourceRef: 15 | kind: HelmRepository 16 | name: bjw-s-helm-charts 17 | namespace: flux-system 18 | # See https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml 19 | values: 20 | controllers: 21 | main: 22 | containers: 23 | app: 24 | env: 25 | PAPERLESS_IGNORE_DATES: “1978-09-19,1979-06-12,2010-2-8,2011-11-15” 26 | PAPERLESS_URL: https://paperless.pub.${CLUSTER_DOMAIN} 27 | 28 | persistence: 29 | data: 30 | volumeSpec: 31 | nfs: 32 | path: "${NFS_KUBERNETES}/paperless/casa/data" 33 | media: 34 | volumeSpec: 35 | nfs: 36 | path: "${NFS_KUBERNETES}/paperless/casa/media" 37 | consume: 38 | volumeSpec: 39 | nfs: 40 | path: "${NFS_DOWNLOADS}/scanner/casa" 41 | export: 42 | volumeSpec: 43 | nfs: 44 | path: "${NFS_KUBERNETES}/paperless/casa/export" 45 | 46 | ingress: 47 | main: 48 | annotations: 49 | nginx.ingress.kubernetes.io/configuration-snippet: | 50 | auth_request_set $required_usernames 'angel|mireille'; 51 | hosts: 52 | - host: paperless.pub.${CLUSTER_DOMAIN} 53 | paths: &paths 54 | - path: / 55 | pathType: Prefix 56 | service: 57 | identifier: main 58 | port: http 59 | - host: paperless.home.${CLUSTER_DOMAIN} 60 | paths: *paths 61 | 62 | valuesFrom: 63 | - kind: ConfigMap 64 | name: "paperless-helm-values" 65 | valuesKey: commmon.yaml 66 | optional: false 67 | -------------------------------------------------------------------------------- /apps/default/paperless/release-edu.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: paperless-edu 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | chart: app-template 12 | 
version: 3.7.3 13 | interval: 15m 14 | sourceRef: 15 | kind: HelmRepository 16 | name: bjw-s-helm-charts 17 | namespace: flux-system 18 | # See https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml 19 | values: 20 | controllers: 21 | main: 22 | containers: 23 | app: 24 | env: 25 | PAPERLESS_OCR_LANGUAGE: spa 26 | PAPERLESS_IGNORE_DATES: “1984-09-09” 27 | PAPERLESS_URL: https://paperless-edu.pub.${CLUSTER_DOMAIN} 28 | 29 | persistence: 30 | data: 31 | volumeSpec: 32 | nfs: 33 | path: "${NFS_KUBERNETES}/paperless/edu/data" 34 | media: 35 | volumeSpec: 36 | nfs: 37 | path: "${NFS_KUBERNETES}/paperless/edu/media" 38 | consume: 39 | volumeSpec: 40 | nfs: 41 | path: "${NFS_DOWNLOADS}/scanner/edu" 42 | export: 43 | volumeSpec: 44 | nfs: 45 | path: "${NFS_KUBERNETES}/paperless/edu/export" 46 | 47 | ingress: 48 | main: 49 | annotations: 50 | hajimari.io/group: spain 51 | nginx.ingress.kubernetes.io/configuration-snippet: | 52 | auth_request_set $required_usernames 'eduardo'; 53 | hosts: 54 | - host: paperless-edu.pub.${CLUSTER_DOMAIN} 55 | paths: &paths 56 | - path: / 57 | pathType: Prefix 58 | service: 59 | identifier: main 60 | port: http 61 | - host: paperless-edu.home.${CLUSTER_DOMAIN} 62 | paths: *paths 63 | 64 | valuesFrom: 65 | - kind: ConfigMap 66 | name: "paperless-helm-values" 67 | valuesKey: commmon.yaml 68 | optional: false 69 | -------------------------------------------------------------------------------- /apps/default/paperless/release-javi.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: paperless-javi 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | chart: app-template 12 | version: 3.7.3 13 | interval: 15m 14 | sourceRef: 15 | kind: 
HelmRepository 16 | name: bjw-s-helm-charts 17 | namespace: flux-system 18 | # See https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml 19 | values: 20 | controllers: 21 | main: 22 | containers: 23 | app: 24 | env: 25 | PAPERLESS_IGNORE_DATES: “1984-09-09” 26 | PAPERLESS_URL: https://paperless-javi.pub.${CLUSTER_DOMAIN} 27 | 28 | persistence: 29 | data: 30 | volumeSpec: 31 | nfs: 32 | path: "${NFS_KUBERNETES}/paperless/javi/data" 33 | media: 34 | volumeSpec: 35 | nfs: 36 | path: "${NFS_KUBERNETES}/paperless/javi/media" 37 | consume: 38 | volumeSpec: 39 | nfs: 40 | path: "${NFS_DOWNLOADS}/scanner/javi" 41 | export: 42 | volumeSpec: 43 | nfs: 44 | path: "${NFS_KUBERNETES}/paperless/javi/export" 45 | 46 | ingress: 47 | main: 48 | annotations: 49 | nginx.ingress.kubernetes.io/configuration-snippet: | 50 | auth_request_set $required_usernames 'javier'; 51 | hosts: 52 | - host: paperless-javi.pub.${CLUSTER_DOMAIN} 53 | paths: &paths 54 | - path: / 55 | pathType: Prefix 56 | service: 57 | identifier: main 58 | port: http 59 | - host: paperless-javi.home.${CLUSTER_DOMAIN} 60 | paths: *paths 61 | 62 | valuesFrom: 63 | - kind: ConfigMap 64 | name: "paperless-helm-values" 65 | valuesKey: commmon.yaml 66 | optional: false 67 | -------------------------------------------------------------------------------- /apps/default/paperless/release-madrid.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: paperless-madrid 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | chart: app-template 12 | version: 3.7.3 13 | interval: 15m 14 | sourceRef: 15 | kind: HelmRepository 16 | name: bjw-s-helm-charts 17 | namespace: flux-system 18 | # See 
https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml 19 | values: 20 | controllers: 21 | main: 22 | containers: 23 | app: 24 | env: 25 | PAPERLESS_OCR_LANGUAGE: spa 26 | PAPERLESS_IGNORE_DATES: “1984-09-09” 27 | PAPERLESS_URL: https://paperless-madrid.home.${CLUSTER_DOMAIN} 28 | 29 | persistence: 30 | data: 31 | volumeSpec: 32 | nfs: 33 | path: "${NFS_KUBERNETES}/paperless/madrid/data" 34 | media: 35 | volumeSpec: 36 | nfs: 37 | path: "${NFS_KUBERNETES}/paperless/madrid/media" 38 | consume: 39 | volumeSpec: 40 | nfs: 41 | path: "${NFS_DOWNLOADS}/scanner/madrid" 42 | export: 43 | volumeSpec: 44 | nfs: 45 | path: "${NFS_KUBERNETES}/paperless/madrid/export" 46 | 47 | ingress: 48 | main: 49 | annotations: 50 | hajimari.io/group: spain 51 | nginx.ingress.kubernetes.io/configuration-snippet: | 52 | auth_request_set $required_groups 'madrid'; 53 | hosts: 54 | - host: paperless-madrid.pub.${CLUSTER_DOMAIN} 55 | paths: &paths 56 | - path: / 57 | pathType: Prefix 58 | service: 59 | identifier: main 60 | port: http 61 | - host: paperless-madrid.home.${CLUSTER_DOMAIN} 62 | paths: *paths 63 | 64 | valuesFrom: 65 | - kind: ConfigMap 66 | name: "paperless-helm-values" 67 | valuesKey: commmon.yaml 68 | optional: false 69 | -------------------------------------------------------------------------------- /apps/default/paperless/release-mireille-work.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: paperless-mireille-work 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | chart: app-template 12 | version: 3.7.3 13 | interval: 15m 14 | sourceRef: 15 | kind: HelmRepository 16 | name: bjw-s-helm-charts 17 | namespace: flux-system 18 | # See 
https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml 19 | values: 20 | controllers: 21 | main: 22 | containers: 23 | app: 24 | env: 25 | PAPERLESS_OCR_LANGUAGE: eng 26 | PAPERLESS_URL: https://paperless-mireille-work.pub.${CLUSTER_DOMAIN} 27 | 28 | persistence: 29 | data: 30 | volumeSpec: 31 | nfs: 32 | path: "${NFS_KUBERNETES}/paperless/mireille-work/data" 33 | media: 34 | volumeSpec: 35 | nfs: 36 | path: "${NFS_KUBERNETES}/paperless/mireille-work/media" 37 | consume: 38 | volumeSpec: 39 | nfs: 40 | path: "${NFS_DOWNLOADS}/scanner/mireille-work" 41 | export: 42 | volumeSpec: 43 | nfs: 44 | path: "${NFS_KUBERNETES}/paperless/mireille-work/export" 45 | 46 | ingress: 47 | main: 48 | annotations: 49 | nginx.ingress.kubernetes.io/configuration-snippet: | 50 | auth_request_set $required_usernames 'mireille'; 51 | hosts: 52 | - host: paperless-mireille-work.pub.${CLUSTER_DOMAIN} 53 | paths: &paths 54 | - path: / 55 | pathType: Prefix 56 | service: 57 | identifier: main 58 | port: http 59 | - host: paperless-mireille-work.home.${CLUSTER_DOMAIN} 60 | paths: *paths 61 | 62 | valuesFrom: 63 | - kind: ConfigMap 64 | name: "paperless-helm-values" 65 | valuesKey: commmon.yaml 66 | optional: false 67 | -------------------------------------------------------------------------------- /apps/default/paperless/release-recipes.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: paperless-recipes 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | chart: app-template 12 | version: 3.7.3 13 | interval: 15m 14 | sourceRef: 15 | kind: HelmRepository 16 | name: bjw-s-helm-charts 17 | namespace: flux-system 18 | # See 
https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml 19 | values: 20 | controllers: 21 | main: 22 | containers: 23 | app: 24 | env: 25 | PAPERLESS_OCR_LANGUAGE: deu 26 | PAPERLESS_URL: https://paperless-recipes.pub.${CLUSTER_DOMAIN} 27 | 28 | persistence: 29 | data: 30 | volumeSpec: 31 | nfs: 32 | path: "${NFS_KUBERNETES}/paperless/recipes/data" 33 | media: 34 | volumeSpec: 35 | nfs: 36 | path: "${NFS_KUBERNETES}/paperless/recipes/media" 37 | consume: 38 | volumeSpec: 39 | nfs: 40 | path: "${NFS_DOWNLOADS}/scanner/recipes" 41 | export: 42 | volumeSpec: 43 | nfs: 44 | path: "${NFS_KUBERNETES}/paperless/recipes/export" 45 | 46 | ingress: 47 | main: 48 | enabled: true 49 | annotations: 50 | nginx.ingress.kubernetes.io/configuration-snippet: | 51 | auth_request_set $required_usernames 'anunez|mireille'; 52 | hosts: 53 | - host: paperless-recipes.pub.${CLUSTER_DOMAIN} 54 | paths: &paths 55 | - path: / 56 | pathType: Prefix 57 | service: 58 | identifier: main 59 | port: http 60 | - host: paperless-recipes.home.${CLUSTER_DOMAIN} 61 | paths: *paths 62 | 63 | valuesFrom: 64 | - kind: ConfigMap 65 | name: "paperless-helm-values" 66 | valuesKey: commmon.yaml 67 | optional: false 68 | -------------------------------------------------------------------------------- /apps/default/photoprism/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release.yaml 5 | -------------------------------------------------------------------------------- /apps/default/raspberrymatic/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - release.yaml 6 | -------------------------------------------------------------------------------- 
/apps/default/raspberrymatic/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: raspberrymatic-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | storageClassName: raspberrymatic-storageclass 12 | --- 13 | apiVersion: v1 14 | kind: PersistentVolume 15 | metadata: 16 | name: raspberrymatic-pv 17 | spec: 18 | storageClassName: raspberrymatic-storageclass 19 | capacity: 20 | storage: "1Gi" 21 | accessModes: 22 | - ReadWriteOnce 23 | csi: 24 | driver: rbd.csi.ceph.com 25 | fsType: ext4 26 | nodeStageSecretRef: 27 | # node stage secret name 28 | name: ceph-secret 29 | # node stage secret namespace where above secret is created 30 | namespace: ceph-rbd 31 | volumeAttributes: 32 | # Required options from storageclass parameters need to be added in volumeAttributes 33 | "clusterID": "84675d40-a0d9-11eb-b978-dbc90369c7ea" 34 | "pool": "rbd" 35 | "staticVolume": "true" 36 | # If set to rbd-nbd, use rbd-nbd on nodes that have rbd-nbd and nbd kernel modules to map rbd images 37 | # mounter: rbd-nbd 38 | # volumeHandle should be same as rbd image name 39 | volumeHandle: raspberrymatic 40 | persistentVolumeReclaimPolicy: Retain 41 | # The volumeMode can be either `Filesystem` or `Block` if you are creating Filesystem PVC it should be `Filesystem`, if you are creating Block PV you need to change it to `Block` 42 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/default/raspberrymatic/release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: raspberrymatic 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | # renovate: registryUrl=https://jens-maus.github.io/RaspberryMatic 10 | chart: raspberrymatic 11 | version: 
"3.81.5" 12 | sourceRef: 13 | kind: HelmRepository 14 | name: raspberrymatic 15 | #name: angelnu-charts 16 | namespace: flux-system 17 | interval: 5m 18 | # See https://github.com/jens-maus/RaspberryMatic/blob/master/helm/raspberrymatic/values.yaml 19 | values: 20 | #image: 21 | # pullPolicy: IfNotPresent 22 | # tag: 3.55.10.20210213 23 | 24 | persistence: 25 | enabled: true 26 | existingClaim: raspberrymatic-pvc 27 | 28 | nodeSelector: 29 | HomematicHW: "True" 30 | 31 | service: 32 | type: LoadBalancer 33 | loadBalancerIP: "${CLUSTER_EXTERNAL_SUBNET_PREFIX}.${CLUSTER_LB_CCU}" 34 | annotations: 35 | metallb.universe.tf/allow-shared-ip: ccu 36 | 37 | ingress: 38 | enabled: true 39 | annotations: 40 | ingress.kubernetes.io/whitelist-source-range: "192.168.2.0/16" 41 | nginx.ingress.kubernetes.io/proxy-body-size: "8000m" 42 | hosts: 43 | - homematic.${CLUSTER_DOMAIN} 44 | tls: 45 | - hosts: 46 | - homematic.${CLUSTER_DOMAIN} 47 | -------------------------------------------------------------------------------- /apps/default/recipes/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - secret.yaml 5 | - release-db.yaml 6 | - release-media-fs.yaml 7 | - release-static-fs.yaml 8 | - release.yaml 9 | -------------------------------------------------------------------------------- /apps/default/recipes/release-db.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: recipes-db 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | chart: zalando-postgres-cluster 10 | version: 4.1.1 11 | interval: 15m 12 | sourceRef: 13 | kind: HelmRepository 14 | name: angelnu-helm-charts 15 | namespace: flux-system 16 | #See https://github.com/angelnu/helm-charts/blob/main/charts/apps/zalando-postgres-cluster/values.yaml 17 | 
values: 18 | 19 | postgresql: 20 | users: 21 | postgres: 22 | - superuser 23 | - createdb 24 | databases: 25 | postgres: postgres 26 | postgresql: 27 | version: "14" 28 | 29 | superuser: {} 30 | # password: set in secret 31 | 32 | persistentVolumes: 33 | hostPath: /media/db/recipes 34 | replicaNodes: 35 | - ${CLUSTER_DB_NODE_0} 36 | - ${CLUSTER_DB_NODE_1} 37 | - ${CLUSTER_DB_NODE_2} 38 | 39 | dumpBackup: 40 | enabled: true 41 | type: custom 42 | volumeSpec: 43 | nfs: 44 | server: "${NFS_SERVER}" 45 | path: "${NFS_KUBERNETES}/${CLUSTER_DB_BACKUP_PREFIX}/recipes" 46 | subpath: "." 47 | schedule: "@daily" 48 | 49 | persistent: true 50 | localPath: "/media/db/recipes" 51 | 52 | valuesFrom: 53 | - kind: Secret 54 | name: "recipes-helm-values" 55 | valuesKey: postgres.yaml 56 | optional: false 57 | -------------------------------------------------------------------------------- /apps/default/recipes/release-media-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: recipes-media-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: recipes-media-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: recipes-media-pv 18 | spec: 19 | storageClassName: recipes-media-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": 
"cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/recipes-media 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. keeping same for brevity 41 | volumeHandle: recipes-media-pv 42 | persistentVolumeReclaimPolicy: Retain 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/default/recipes/release-static-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: recipes-static-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: recipes-static-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: recipes-static-pv 18 | spec: 19 | storageClassName: recipes-static-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/recipes-static 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. 
keeping same for brevity 41 | volumeHandle: recipes-static-pv 42 | persistentVolumeReclaimPolicy: Retain 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/default/reverse-proxy/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release.yaml 5 | -------------------------------------------------------------------------------- /apps/default/searxng/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: searxng 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | chart: searxng 10 | version: 1.0.1 11 | sourceRef: 12 | kind: HelmRepository 13 | name: searxng 14 | namespace: flux-system 15 | interval: 5m 16 | values: 17 | 18 | image: 19 | repository: searxng/searxng 20 | tag: latest 21 | 22 | env: 23 | INSTANCE_NAME: "${CLUSTER_DOMAIN}" 24 | BASE_URL: "http://localhost:8080/" 25 | AUTOCOMPLETE: "duckduckgo" 26 | 27 | searxng: 28 | config: 29 | use_default_settings: true 30 | # Uncomment when using the builtin rate limiter 31 | # See https://docs.searxng.org/src/searx.plugins.limiter.html#limiter-plugin 32 | # server.limiter: true 33 | # redis.url: redis://@searxng-redis:6379/0 34 | 35 | ingress: 36 | main: 37 | enabled: true 38 | annotations: 39 | hajimari.io/enable: "true" 40 | hajimari.io/icon: cloud-search-outline 41 | hajimari.io/info: Internet Search 42 | hajimari.io/group: tools 43 | hosts: 44 | - host: &host_pub "search.pub.${CLUSTER_DOMAIN}" 45 | paths: 46 | - path: / 47 | pathType: Prefix 48 | - host: &host "search.${CLUSTER_DOMAIN}" 49 | paths: 50 | - path: / 51 | pathType: Prefix 52 | tls: 53 | - hosts: 54 | - *host_pub 55 | - *host 56 | 57 | valuesFrom: 58 | - kind: Secret 59 | name: "searxng-helm-values" 60 | valuesKey: 
searxng.yaml 61 | optional: false 62 | -------------------------------------------------------------------------------- /apps/default/searxng/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - secret.yaml 5 | - helmrelease.yaml -------------------------------------------------------------------------------- /apps/default/searxng/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: searxng-helm-values 5 | #Password generate with https://generate.plus/en/base64 6 | stringData: 7 | searxng.yaml: ENC[AES256_GCM,data:l80hjIvBEntyGqtESJ0YLr+2vfIr6zKLekiILKWvR2zaljlyRzok9SDvSJsW39gaPcUNlYMJiQEVZSlRJMNF39cNCnGQSwr9mbHf67V6eKwoq5Cq3BL0BDEV41xr,iv:y5Bs3gp2XTvdMxdBK2fhl5RSJhEhJsp7n+s0hHNc6HQ=,tag:/f+ys6cMf55WxGpwqTN3bQ==,type:str] 8 | sops: 9 | kms: [] 10 | gcp_kms: [] 11 | azure_kv: [] 12 | hc_vault: [] 13 | age: [] 14 | lastmodified: "2022-07-31T18:23:37Z" 15 | mac: ENC[AES256_GCM,data:wbK+LivssayehURuhtEGK/1qSnZu5l1igBvtKI2s7vaC6dFW1U1LSLz567hOseUtSC2JGPiDqHp5sH3NdUTMOTtcD/J9Y8w82tp54CMuj9xi333u5Vu8gugxlnnBh0SS5cPimlSJan6p5q5F/W79YjDxh8C1R/9Vo6ZvBkQF3gQ=,iv:mz3WqgS0f6UD65flgrMecIA8TvEedbz9b0/9O4RGgE0=,tag:Ff/MfZUZ8YFfpcYVzmuXlQ==,type:str] 16 | pgp: 17 | - created_at: "2021-02-06T22:26:03Z" 18 | enc: | 19 | -----BEGIN PGP MESSAGE----- 20 | 21 | hQIMA2CuQNd5ml+/AQ/9GHzYbKml+FrvNKkmUiAzL874+hqzASaUtxzVvQBjhHCx 22 | g9/cQ5rhHx1vbkrTPALAIxJyvZinZE/H4MFE039X0gH5eIzS3qNCcLFczBw5QGYL 23 | vkvEmCRn5pF+JxSiQXUw5ipYF9AWLITkb2ew/l6IMkXWcwQaDbERrBvlI2Lr1Mix 24 | Rc0X/jTEUwHDhbWFKXQ9fNwoW/rNqmiyUeHPV7i/XRI/RZgcTK1kofN7wS5cy6wF 25 | 0uKBXdGrM6/U21iGFxc7S0YNYDgZwwW4FuEVbMs7H+TxK9pck9oxXws0myAdkMKW 26 | MhJUMyWBUM58PGw98sNEllOMq2MCkKr5fNjd9uDE9CQJmPbA+OvqhX1NyN7tE0A6 27 | /u0O5OZPh9PFaYLTrTQxZJuhDoE75vjWfSB1F8FXw9DMFl8a4VkZHQQXOynVPMwN 28 | 
krUZ8O1xoJ7YS6TaIdDMVRBRSoKAYbCBMEBRIqfMZsmnU316NW10f3I7zyiu8Zhx 29 | q+8Oh6ovVWy8a/DciLdJJjkKze28eYLRcAgFquKNtgiEOR6nA0bVA0yz6aWGFbHk 30 | gb0AHRym9WwrvI4005mIF4u1QsVReEQmv8dLwgOV3SiUDOhaMJt27XZ/c3ayWgHP 31 | OLV5izVSeeMDbEJMPpbVkHXzOd4PM02MKCrq+JVuQ4NEb4yoe1gu3XKhKNbi+IrS 32 | XAGY3d/+ImT7SBPzs8yKGZ8MnpoMTK4utFKvFJum+bXb9FMAffG7hGnoRt+5xfFe 33 | mIM6NpEKL5aW3jSdkqjKXlIr0ljnBb5wo+XUCl0QK5LX2VPBeHInYFaEszSP 34 | =Ts27 35 | -----END PGP MESSAGE----- 36 | fp: E61087FD0DC8B3AA734061498564C79FC27F08E2 37 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 38 | version: 3.7.1 39 | -------------------------------------------------------------------------------- /apps/default/tt-rss/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - secret.yaml 5 | - release-db.yaml 6 | - release.yaml 7 | -------------------------------------------------------------------------------- /apps/default/tt-rss/release-db.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: tt-rss-db 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | chart: zalando-postgres-cluster 10 | version: 4.1.1 11 | interval: 15m 12 | sourceRef: 13 | kind: HelmRepository 14 | name: angelnu-helm-charts 15 | namespace: flux-system 16 | #See https://github.com/angelnu/helm-charts/blob/main/charts/apps/zalando-postgres-cluster/values.yaml 17 | values: 18 | 19 | postgresql: 20 | users: 21 | postgres: 22 | - superuser 23 | - createdb 24 | databases: 25 | tt-rss: postgres 26 | postgresql: 27 | version: "15" 28 | 29 | superuser: {} 30 | # password: set in secret 31 | 32 | persistentVolumes: 33 | hostPath: /media/db/tt-rss 34 | replicaNodes: 35 | - ${CLUSTER_DB_NODE_0} 36 | - ${CLUSTER_DB_NODE_1} 37 | - ${CLUSTER_DB_NODE_2} 38 | 39 | 
dumpBackup: 40 | enabled: true 41 | type: custom 42 | volumeSpec: 43 | nfs: 44 | server: "${NFS_SERVER}" 45 | path: "${NFS_KUBERNETES}/${CLUSTER_DB_BACKUP_PREFIX}/tt-rss" 46 | subpath: "." 47 | schedule: "@daily" 48 | 49 | valuesFrom: 50 | - kind: Secret 51 | name: "tt-rss-helm-values" 52 | valuesKey: postgres.yaml 53 | optional: false 54 | -------------------------------------------------------------------------------- /apps/default/tt-rss/release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: tt-rss 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | chart: tt-rss 10 | version: 6.0.0 11 | interval: 15m 12 | sourceRef: 13 | kind: HelmRepository 14 | name: angelnu-helm-charts 15 | namespace: flux-system 16 | dependsOn: 17 | - name: tt-rss-db 18 | #See https://github.com/angelnu/helm-charts/blob/main/charts/apps/tt-rss/values.yaml 19 | values: 20 | image: 21 | repository: ghcr.io/angelnu/tt-rss 22 | tag: 2.0.9656 23 | pullPolicy: Always 24 | 25 | ingress: 26 | main: 27 | enabled: true 28 | annotations: 29 | hajimari.io/enable: "true" 30 | hajimari.io/icon: rss 31 | hajimari.io/info: Feed reader 32 | hajimari.io/group: tools 33 | nginx.ingress.kubernetes.io/enable-global-auth: "false" 34 | nginx.ingress.kubernetes.io/proxy-body-size: "8000m" 35 | hosts: 36 | - host: rss.${CLUSTER_DOMAIN} 37 | paths: 38 | - path: / 39 | # Ignored if not kubeVersion >= 1.14-0 40 | pathType: Prefix 41 | tls: 42 | - hosts: 43 | - rss.${CLUSTER_DOMAIN} 44 | 45 | env: 46 | TTRSS_SELF_URL_PATH: https://rss.${CLUSTER_DOMAIN}/ 47 | TTRSS_DB_HOST: tt-rss-db-zalando-postgres-cluster-postgres 48 | TTRSS_DB_PORT: "5432" 49 | TTRSS_DB_USER: postgres 50 | TTRSS_DB_NAME: tt-rss 51 | #TTRSS_DB_PASS: set in secret 52 | TTRSS_SESSION_COOKIE_LIFETIME: "2592000" # 30 days in seconds 53 | TTRSS_PLUGINS: auth_ldap, note # auth_remote, auth_internal 54 | 55 | # LDAP settings 
56 | TTRSS_LDAP_AUTH_SERVER_URI: ldap://ldap.${CLUSTER_DOMAIN} 57 | #TTRSS_LDAP_AUTH_USETLS: true # Does not work with php8.1. NOTE: while this stays commented out and SERVER_URI uses ldap://, the LDAP bind (bind DN/credentials come from the secret) is not TLS-protected 58 | #TTRSS_LDAP_AUTH_ALLOW_UNTRUSTED_CERT: true 59 | #TTRSS_LDAP_AUTH_BINDDN: set in secret 60 | #TTRSS_LDAP_AUTH_BASEDN: set in secret 61 | #TTRSS_LDAP_AUTH_SEARCHFILTER: set in secret 62 | TTRSS_LDAP_AUTH_LOGIN_ATTRIB: cn 63 | 64 | postgresql: 65 | enabled: false # use own chart 66 | 67 | valuesFrom: 68 | - kind: Secret 69 | name: "tt-rss-helm-values" 70 | valuesKey: tt-rss.yaml 71 | optional: false 72 | -------------------------------------------------------------------------------- /apps/default/unifi/README.md: -------------------------------------------------------------------------------- 1 | # Unifi 2 | 3 | ## Manual adoption 4 | 5 | 1. `ssh -oHostKeyAlgorithms=+ssh-dss ubnt@DEVICE_IP` (DEVICE_IP: the address of the device being adopted) 6 | - password: `ubnt` 7 | 2. `set-inform http://192.168.1.4:8080/inform` 8 | -------------------------------------------------------------------------------- /apps/default/unifi/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - release.yaml 6 | -------------------------------------------------------------------------------- /apps/default/unifi/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: unifi-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: unifi-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: unifi-pv 18 | spec: 19 | storageClassName: unifi-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node 
stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/unifi 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. keeping same for brevity 41 | volumeHandle: unifi-pv 42 | persistentVolumeReclaimPolicy: Retain 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/kube-system/README.md: -------------------------------------------------------------------------------- 1 | # kube-system namespace 2 | 3 | ## Kubernetes dashboard settings 4 | 5 | Configures the [Kubernetes dashboard](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/). 6 | 7 | **NOTE**: this is not the dashboard itself but only its settings. The dashboard is installed as part of installing the K8S cluster. 8 | 9 | [Settings](dashboard.yaml) 10 | 11 | ## Kured 12 | 13 | [Kured](https://github.com/weaveworks/kured) (KUbernetes REboot Daemon) is a Kubernetes daemonset that performs safe automatic node reboots when the need to do so is indicated by the package management system of the underlying OS. 14 | 15 | [Settings](kured) 16 | 17 | ## Mail server 18 | 19 | Mail server for applications in K8S and on the LAN to send mail without having to store any Google settings. 20 | 21 | [Settings](mail/release.yaml) 22 | 23 | ## NFS 24 | 25 | Some [Persistent Volume Claims](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) for the NAS. 
26 | 27 | [Settings](nfs) 28 | 29 | ## Others (to be moved) 30 | 31 | * [cert-manager](https://github.com/jetstack/cert-manager) - Automated Let's Encrypt broker -------------------------------------------------------------------------------- /apps/kube-system/kured/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - secret.yaml 5 | #- release.yaml Disabled until roks is installed 6 | 7 | -------------------------------------------------------------------------------- /apps/kube-system/kured/release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: kured 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | chart: kured 10 | version: 5.6.1 11 | sourceRef: 12 | kind: HelmRepository 13 | name: kubereboot-charts 14 | namespace: flux-system 15 | interval: 5m 16 | values: 17 | image: 18 | repository: ghcr.io/k8s-at-home/kured 19 | tag: v1.8.1 20 | configuration: 21 | startTime: "0:00" 22 | endTime: "4:00" 23 | timeZone: "Europe/Berlin" 24 | tolerations: 25 | - key: "arm" 26 | operator: "Exists" 27 | - key: "node-role.kubernetes.io/master" 28 | operator: "Exists" 29 | #metrics: 30 | # create: true 31 | valuesFrom: 32 | - kind: Secret 33 | name: "kured-helm-values" 34 | optional: false 35 | -------------------------------------------------------------------------------- /apps/kube-system/kured/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: kured-helm-values 5 | stringData: 6 | values.yaml: 
ENC[AES256_GCM,data:AintBamkqB2jswBduuKsnOiSNVb84NtlaNZv6LxpNHHIaJvU4NHeNnqFspN0D8fYa7tVKk/mt9eJx2rR9vr9Gjzzyym9WPMAn3tRrtEOGIQQkYheAEGV5BczJcBKYE8vXZdG7vhsmTwHcSzud7DfhGjxXX7Yyl9m6/sfW8TDYj03gfAXzxxdg0czPx88eG7ivIe/NUT0UoUsBAhQo8uDQ+PdvrobALrRPDRIV/uyrQLoK0mp1T1EeinaD1N/OC6HQc2eLVvlAyovF/5B6J2E6ck1Dg==,iv:xYu9nFqQjY5I4dhk8+BR9z7LOGO3uoWFojZ+Yjm+/uI=,tag:he84q09D+8TR9+Tw15omSA==,type:str] 7 | sops: 8 | kms: [] 9 | gcp_kms: [] 10 | azure_kv: [] 11 | hc_vault: [] 12 | age: [] 13 | lastmodified: "2021-07-06T08:20:55Z" 14 | mac: ENC[AES256_GCM,data:3CSj9kJozwk93/4OrtdH15fZWCMe2fI6DGCs9rjEoDkNpRQSK84pmak7rcmtD65sBss2h47TTcn0P755suIzW7gBwGJB/hD2WfZFNMnXr29dowwX2bxt0gejMp0s5UfnV0l/jreksuQppaE1rUYziK1xBlU3VMqd/jnAWmsuouw=,iv:InNEqUERWR9UlktW+N6WiK3+WzyWb0rnoRL1XUspSK0=,tag:KD4/3s0k9kwLBd3bWgdsiA==,type:str] 15 | pgp: 16 | - created_at: "2021-02-06T22:29:44Z" 17 | enc: | 18 | -----BEGIN PGP MESSAGE----- 19 | 20 | hQIMA2CuQNd5ml+/AQ/9H9/tAAZ2kAsAm36TZRm/lA6yt1QzRHL3z7pAWd3oRH2m 21 | 4Cw+HU7IgbweiPM7nZBOPg55GFMQvL/iKlz6rdbVnfuEqo+mwHC3qJZRMQQbORpj 22 | yuElxbb+DeqSWEYV/RoT2xfmFN8V5DlqbkiJlg4ZIr/YximFqQpK/dEqI2EGC9p6 23 | DdeXxHS4Ym1yONc/Ny+2cFP7UxSlUCNmYqZvnwWomjoYtZUtk/cxb3cH6qb65vbw 24 | lhVG52t3ym2J3p9KT7tV0xfebg/ePcpZWvTLF0WmT5BPm6bUocEh79E5ybdXDsvJ 25 | UFXkl5UocOiWB/wdrUGprSHcKJ5JpPSFrZ5dKqOp4FuvBxBPkL3Iiu96TOJds7fM 26 | oTvtQrKztngx57998rEgISvwOyWQXD5nfjty46zegjAx5WL9xY8TnAtKQqt+L28c 27 | ZAg4to6nRB/OjifVMLcHsVIeZtFLXValnyQchiFMCMfZxiwaAUegffdT3vgnq+U/ 28 | 3ja2fjdinMh+YjDiMR0vvTFc0CcLnyVlq6L0hPDUFjdNqWYySL6GzJnGxaJNMGIX 29 | +Eo+enFOoG8WvUL4LoIMQqHMWLvzEe7ZBmnKwHb5uYq3MEJvG5sTOrpTcIpbf/Df 30 | araOHEXwKkHCtTW7pVD259BdxeSzkJ1dlindfr57uZ1KpUD17bZIezH6PATPyijS 31 | XgHYbXEJ0TabDgzCu6otQ+FKWbYyV6GHzmTZd9m12I/Ok4mJm/eC28pmHeBdLnBX 32 | 0wtVfKhnzOuv0+N4b6ZJ29PddTyVvgIR2lIey9CKXXKikFlgIovg6FB+MXrYTnE= 33 | =E3Jr 34 | -----END PGP MESSAGE----- 35 | fp: E61087FD0DC8B3AA734061498564C79FC27F08E2 36 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 37 | 
version: 3.7.1 38 | -------------------------------------------------------------------------------- /apps/kube-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: kube-system 4 | resources: 5 | - kured 6 | - reloader.yaml 7 | -------------------------------------------------------------------------------- /apps/kube-system/reloader.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: reloader 6 | namespace: kube-tools 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | chart: reloader 12 | version: 2.1.3 13 | sourceRef: 14 | kind: HelmRepository 15 | name: stakater-charts 16 | namespace: flux-system 17 | interval: 5m 18 | 19 | install: 20 | createNamespace: true 21 | remediation: 22 | retries: 3 23 | 24 | upgrade: 25 | remediation: 26 | retries: 3 27 | 28 | values: 29 | fullnameOverride: reloader 30 | -------------------------------------------------------------------------------- /apps/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - kube-system 5 | - default 6 | - vpn 7 | -------------------------------------------------------------------------------- /apps/vpn/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: vpn 4 | resources: 5 | - qbittorrent 6 | - lidarr 7 | - milar3 8 | - prowlarr 9 | - radarr 10 | - readarr 11 | - sonarr 12 | - vnc 13 | -------------------------------------------------------------------------------- /apps/vpn/lidarr/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - helmrelease.yaml -------------------------------------------------------------------------------- /apps/vpn/lidarr/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: lidarr-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: lidarr-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: lidarr-pv 18 | spec: 19 | storageClassName: lidarr-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/lidarr 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. 
keeping same for brevity 41 | volumeHandle: lidarr-pv 42 | persistentVolumeReclaimPolicy: Retain 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/vpn/milar3/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - helmrelease.yaml -------------------------------------------------------------------------------- /apps/vpn/milar3/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: milar3-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: milar3-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: milar3-pv 18 | spec: 19 | storageClassName: milar3-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/milar3 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. 
keeping same for brevity 41 | volumeHandle: milar3-pv 42 | persistentVolumeReclaimPolicy: Retain 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/vpn/prowlarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - helmrelease.yaml -------------------------------------------------------------------------------- /apps/vpn/prowlarr/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: prowlarr-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: prowlarr-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: prowlarr-pv 18 | spec: 19 | storageClassName: prowlarr-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/prowlarr 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. 
keeping same for brevity 41 | volumeHandle: prowlarr-pv 42 | persistentVolumeReclaimPolicy: Retain 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/vpn/qbittorrent/ingress-home.yaml: -------------------------------------------------------------------------------- 1 | kind: Ingress 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: qbittorrent-home 5 | annotations: 6 | hajimari.io/enable: "false" 7 | nginx.ingress.kubernetes.io/proxy-body-size: 4M 8 | nginx.ingress.kubernetes.io/enable-global-auth: "false" 9 | nginx.ingress.kubernetes.io/whitelist-source-range: "${INGRESS_WHITELIST_SOURCE_RANGE}" 10 | spec: 11 | tls: 12 | - hosts: 13 | - torrent.home.${CLUSTER_DOMAIN} 14 | rules: 15 | - host: torrent.home.${CLUSTER_DOMAIN} 16 | http: 17 | paths: 18 | - path: / 19 | pathType: Prefix 20 | backend: 21 | service: 22 | name: qbittorrent 23 | port: 24 | number: 8080 -------------------------------------------------------------------------------- /apps/vpn/qbittorrent/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - helmrelease.yaml 6 | - ingress-home.yaml -------------------------------------------------------------------------------- /apps/vpn/qbittorrent/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: qbitorrent-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: qbitorrent-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: qbitorrent-pv 18 | spec: 19 | storageClassName: qbitorrent-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - 
ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/qbitorrent 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. keeping same for brevity 41 | volumeHandle: qbitorrent-pv 42 | persistentVolumeReclaimPolicy: Retain 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/vpn/radarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - helmrelease.yaml -------------------------------------------------------------------------------- /apps/vpn/radarr/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: radarr-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: radarr-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: radarr-pv 18 | spec: 19 | storageClassName: radarr-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | 
namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/radarr 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. keeping same for brevity 41 | volumeHandle: radarr-pv 42 | persistentVolumeReclaimPolicy: Retain 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/vpn/readarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - helmrelease.yaml -------------------------------------------------------------------------------- /apps/vpn/readarr/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: readarr-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: readarr-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: readarr-pv 18 | spec: 19 | storageClassName: readarr-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS 
filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/readarr 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. keeping same for brevity 41 | volumeHandle: readarr-pv 42 | persistentVolumeReclaimPolicy: Retain 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/vpn/sonarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release-fs.yaml 5 | - helmrelease.yaml -------------------------------------------------------------------------------- /apps/vpn/sonarr/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: sonarr-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: sonarr-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: sonarr-pv 18 | spec: 19 | storageClassName: sonarr-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/sonarr 39 | # volumeHandle can be anything, need not to be same 40 | # 
as PV name or volume name. keeping same for brevity 41 | volumeHandle: sonarr-pv 42 | persistentVolumeReclaimPolicy: Retain 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /apps/vpn/vnc/helmrelease-mega.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: mega-vnc 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | chart: app-template 12 | version: 3.7.3 13 | interval: 15m 14 | sourceRef: 15 | kind: HelmRepository 16 | name: bjw-s-helm-charts 17 | namespace: flux-system 18 | # See https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml 19 | values: 20 | controllers: 21 | main: 22 | containers: 23 | app: 24 | image: 25 | repository: docker.io/johnshine/mega.syno 26 | tag: latest@sha256:1625bbabd89a443677e016ec1e5bb990e16f5d53245e23631d77e44d5c901dc8 27 | 28 | service: 29 | main: 30 | controller: main 31 | ports: 32 | http: 33 | port: 6080 34 | vnc: 35 | enabled: false 36 | port: 5901 37 | 38 | persistence: 39 | mega: 40 | enabled: true 41 | type: custom 42 | globalMounts: 43 | - subPath: .local 44 | path: /home/mega/.local 45 | readOnly: false 46 | - subPath: .MEGA 47 | path: /home/mega/MEGA 48 | readOnly: false 49 | - subPath: MEGAsync Downloads 50 | path: /home/mega/MEGAsync Downloads 51 | readOnly: false 52 | volumeSpec: 53 | nfs: 54 | server: "${NFS_SERVER}" 55 | path: "${NFS_DOWNLOADS}/downloaders/mega" 56 | 57 | ingress: 58 | main: 59 | enabled: true 60 | annotations: 61 | hajimari.io/enable: "true" 62 | hajimari.io/icon: simple-icons:mega 63 | hajimari.io/info: MEGA Downloader 64 | hajimari.io/group: media 65 | hosts: 66 | - host: mega.pub.${CLUSTER_DOMAIN} 67 | paths: 68 | - path: / 69 | 
pathType: Prefix 70 | service: 71 | identifier: main 72 | port: http -------------------------------------------------------------------------------- /apps/vpn/vnc/helmrelease-ubuntu.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: ubuntu-vnc 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | chart: app-template 12 | version: 3.7.3 13 | interval: 15m 14 | sourceRef: 15 | kind: HelmRepository 16 | name: bjw-s-helm-charts 17 | namespace: flux-system 18 | # See https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml 19 | values: 20 | controllers: 21 | main: 22 | containers: 23 | app: 24 | image: 25 | repository: docker.io/dorowu/ubuntu-desktop-lxde-vnc 26 | tag: latest@sha256:775184eaa5bbc01bc4261a6c9596a642b3b43a433c1508637567bc724575964b 27 | pod: 28 | securityContext: 29 | runAsUser: 0 30 | runAsGroup: 0 31 | fsGroup: 0 32 | 33 | service: 34 | main: 35 | controller: main 36 | ports: 37 | http: 38 | port: 80 39 | vnc: 40 | enabled: false 41 | port: 5900 42 | 43 | ingress: 44 | main: 45 | enabled: true 46 | annotations: 47 | hajimari.io/enable: "true" 48 | hajimari.io/icon: logos:ubuntu 49 | hajimari.io/info: Ubuntu 50 | hajimari.io/group: tools 51 | hosts: 52 | - host: ubuntu.pub.${CLUSTER_DOMAIN} 53 | paths: 54 | - path: / 55 | pathType: Prefix 56 | service: 57 | identifier: main 58 | port: http -------------------------------------------------------------------------------- /apps/vpn/vnc/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helmrelease-mega.yaml 5 | - helmrelease-ubuntu.yaml 
--------------------------------------------------------------------------------
/base/1_crds.yaml:
--------------------------------------------------------------------------------
# Stage 1 of the Flux reconciliation chain: ./crds, after "settings".
# Secrets are decrypted with the sops-gpg key; postBuild substitutes values from
# the settings ConfigMaps/Secrets into the manifests before they are applied.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: operators
  namespace: flux-system
spec:
  interval: 10m5s
  dependsOn:
    - name: settings
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./crds
  prune: true
  #validation: client
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
  postBuild:
    substitute: {}
    substituteFrom:
      - kind: ConfigMap
        name: global-settings
      - kind: Secret
        name: global-secrets
      - kind: ConfigMap
        name: cluster-settings
      - kind: Secret
        name: cluster-secrets
--------------------------------------------------------------------------------
/base/2_core.yaml:
--------------------------------------------------------------------------------
# Stage 2: ./core, after "operators". Same decryption/substitution setup as stage 1.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: core
  namespace: flux-system
spec:
  interval: 10m5s
  dependsOn:
    - name: operators
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./core
  prune: true
  #validation: client
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
  postBuild:
    substitute: {}
    substituteFrom:
      - kind: ConfigMap
        name: global-settings
      - kind: Secret
        name: global-secrets
      - kind: ConfigMap
        name: cluster-settings
      - kind: Secret
        name: cluster-secrets
--------------------------------------------------------------------------------
/base/3_apps.yaml:
--------------------------------------------------------------------------------
# Stage 3: ./apps, after "core". Same decryption/substitution setup as the other stages.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m0s
  dependsOn:
    - name: core
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./apps
  prune: true
  #validation: client
  # healthChecks:
  #   - apiVersion: helm.toolkit.fluxcd.io/v1beta1
  #     kind: HelmRelease
  #     name: podinfo
  #     namespace: podinfo
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
  postBuild:
    substitute: {}
    substituteFrom:
      - kind: ConfigMap
        name: global-settings
      - kind: Secret
        name: global-secrets
      - kind: ConfigMap
        name: cluster-settings
      - kind: Secret
        name: cluster-secrets
--------------------------------------------------------------------------------
/base/flux-system/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
--------------------------------------------------------------------------------
/base/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - flux-system
  - sources
  - namespaces
  - 1_crds.yaml
  - 2_core.yaml
  - 3_apps.yaml
--------------------------------------------------------------------------------
/base/namespaces/authentik.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: authentik

---
# Default ingress policy for every pod in the namespace (podSelector: {}).
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-ingress
  namespace: authentik
spec:
  podSelector: {}
  ingress:
    - from:
        # Only allow ingress from nginx
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: nginx
    - from:
        # Allow local and operator ingress to PostgreSQL
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: authentik
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: postgres
      ports:
        - protocol: TCP
          port: 5432
          endPort: 5432
        - protocol: TCP
          port: 8008 #Patroni
          endPort: 8008
    - from:
        # Allow local ingress to Redis
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: authentik
      ports:
        - protocol: TCP
          port: 6379
          endPort: 6379
    - from:
        # Allow LDAP ingress
        - ipBlock:
            cidr: "10.0.0.0/8"
        # NOTE(review): 192.0.0.0/8 covers far more than the private 192.168.0.0/16 that
        # ceph.yaml/ceph-rbd.yaml use for "local lan" (it includes public address space).
        # If the LAN really is 192.168.x.x, tighten this to "192.168.0.0/16".
        - ipBlock:
            cidr: "192.0.0.0/8"
      ports:
        - protocol: TCP
          port: 3389
          endPort: 3389
        - protocol: TCP
          port: 6636
          endPort: 6636
  policyTypes:
    - Ingress

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-egress
  namespace: authentik
spec:
  podSelector: {}
  egress:
    - to:
        # Allow all egress
        - ipBlock:
            cidr: "0.0.0.0/0"

  policyTypes:
    - Egress
--------------------------------------------------------------------------------
/base/namespaces/ceph-rbd.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: ceph-rbd

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-ingress
  namespace: ceph-rbd
spec:
  podSelector: {}
  ingress:
    - from:
        # Only allow ingress from K8S (admission controller)
        - ipBlock:
            cidr: "10.0.0.0/8"
  policyTypes:
    - Ingress

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-egress
  namespace: ceph-rbd
spec:
  podSelector: {}
  egress:
    - to:
        # Only allow egress to K8S and local lan
        - ipBlock:
            cidr: "10.0.0.0/8"
        - ipBlock:
            cidr: "192.168.0.0/16"
  policyTypes:
    - Egress
--------------------------------------------------------------------------------
/base/namespaces/ceph.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: ceph

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-ingress
  namespace: ceph
spec:
  podSelector: {}
  ingress:
    - from:
        # Only allow ingress from K8S (admission controller)
        - ipBlock:
            cidr: "10.0.0.0/8"
  policyTypes:
    - Ingress

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-egress
  namespace: ceph
spec:
  podSelector: {}
  egress:
    - to:
        # Only allow egress to K8S and local lan
        - ipBlock:
            cidr: "10.0.0.0/8"
        - ipBlock:
            cidr: "192.168.0.0/16"
  policyTypes:
    - Egress

--------------------------------------------------------------------------------
/base/namespaces/cert-manager.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-ingress
  namespace: cert-manager
spec:
  podSelector: {}
  ingress:
    - from:
        # Only allow ingress from K8S (admission controller)
        - ipBlock:
            cidr: "10.0.0.0/8"
  policyTypes:
    - Ingress

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-egress
  namespace: cert-manager
spec:
  podSelector: {}
  egress:
    - to:
        # Allow all egress (lets encrypt)
        - ipBlock:
            cidr: "0.0.0.0/0"
  policyTypes:
    - Egress
--------------------------------------------------------------------------------
/base/namespaces/default.yaml:
--------------------------------------------------------------------------------
# The "default" namespace is built in, so no Namespace object is created here;
# only its baseline NetworkPolicies are managed.
# apiVersion: v1
# kind: Namespace
# metadata:
#   name: default

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-ingress
  namespace: default
spec:
  podSelector: {}
  ingress:
    - from:
        # Only allow ingress from nginx
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: nginx
    - from:
        # Allow local and operator ingress to PostgreSQL
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: postgres
      ports:
        - protocol: TCP
          port: 5432
          endPort: 5432
        - protocol: TCP
          port: 8008 #Patroni
          endPort: 8008
    - from:
        # Allow local ingress to Redis
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: default
      ports:
        - protocol: TCP
          port: 6379
          endPort: 6379
    # The two rules below open a single UDP port each to any source address;
    # they apply to every pod in the namespace, so keep them port-scoped.
    - from:
        # Allow from any IP
        - ipBlock:
            cidr: "0.0.0.0/0"
      # Allow access to Lora multiplyer
      ports:
        - protocol: UDP
          port: 1700
          endPort: 1700
    - from:
        # Allow from any IP
        - ipBlock:
            cidr: "0.0.0.0/0"
      # Allow access to Daiking
      ports:
        - protocol: UDP
          port: 30000
          endPort: 30000
  policyTypes:
    - Ingress

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-egress
  namespace: default
spec:
  podSelector: {}
  egress:
    - to:
        # Allow all egress
        - ipBlock:
            cidr: "0.0.0.0/0"

  policyTypes:
    - Egress
--------------------------------------------------------------------------------
/base/namespaces/kube-system.yaml:
--------------------------------------------------------------------------------
# kube-system is built in; only its baseline NetworkPolicies are managed here.
# apiVersion: v1
# kind: Namespace
# metadata:
#   name: kube-system

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-ingress
  namespace: kube-system
spec:
  podSelector: {}
  ingress:
    - from:
        # Only allow ingress from K8S (DNS server)
        - ipBlock:
            cidr: "10.0.0.0/8"
  policyTypes:
    - Ingress

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-egress
  namespace: kube-system
spec:
  podSelector: {}
  egress:
    - to:
        # Allow all egress (multus has to pull CNI plugins, DNS server)
        - ipBlock:
            cidr: "0.0.0.0/0"
  policyTypes:
    - Egress
--------------------------------------------------------------------------------
/base/namespaces/kubernetes-dashboard.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-ingress
  namespace: kubernetes-dashboard
spec:
  podSelector: {}
  ingress:
    - from:
        # Only allow ingress from nginx
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: nginx
  policyTypes:
    - Ingress

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-egress
  namespace: kubernetes-dashboard
spec:
  podSelector: {}
  egress:
    - to:
        # Only allow egress to K8S and local network
        - ipBlock:
            cidr: "10.0.0.0/8"
        # NOTE(review): 192.0.0.0/8 is much wider than the 192.168.0.0/16 "local lan"
        # used in ceph.yaml/ceph-rbd.yaml and includes public ranges; confirm the
        # intended LAN prefix and narrow it if it is 192.168.x.x.
        - ipBlock:
            cidr: "192.0.0.0/8"
  policyTypes:
    - Egress
--------------------------------------------------------------------------------
/base/namespaces/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - authentik.yaml
  - ceph.yaml
  - ceph-rbd.yaml
  - cert-manager.yaml
  - default.yaml
  - kubernetes-dashboard.yaml
  - kube-system.yaml
  - maddy.yaml
  - monitoring.yaml
  - nginx.yaml
  - postgres.yaml
  - rook-ceph.yaml
  - vpn-gateway.yaml
  - vpn.yaml
--------------------------------------------------------------------------------
/base/namespaces/maddy.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: maddy

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-ingress
  namespace: maddy
spec:
  podSelector: {}
  ingress:
    - from:
        # Allow ingress from nginx
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: nginx
    - from:
        # Allow local ingress to PostgreSQL
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: maddy
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: postgres
      ports:
        - protocol: TCP
          port: 5432
          endPort: 5432
        - protocol: TCP
          port: 8008 #Patroni
          endPort: 8008
    # Internet-facing mail ports. This is the one namespace policy here that exposes
    # TCP listeners to 0.0.0.0/0, so keep the port list to the mail protocols only.
    - from:
        # Allow Internet access to mail server
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 25
          endPort: 25
        - protocol: TCP
          port: 2525
          endPort: 2525
        - protocol: TCP
          port: 143
          endPort: 143
        - protocol: TCP
          port: 993
          endPort: 993
        - protocol: TCP
          port: 587
          endPort: 587
        - protocol: TCP
          port: 465
          endPort: 465
  policyTypes:
    - Ingress

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-egress
  namespace: maddy
spec:
  podSelector: {}
  egress:
    - to:
        # allow outbound email
        - ipBlock:
            cidr: "0.0.0.0/0"
  policyTypes:
    - Egress
--------------------------------------------------------------------------------
/base/namespaces/monitoring.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: monitoring

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-ingress
  namespace: monitoring
spec:
  podSelector: {}
  # Empty ingress list with policyType Ingress = deny all inbound traffic.
  ingress: []
  policyTypes:
    - Ingress

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-egress
  namespace: monitoring
spec:
  podSelector: {}
  egress:
    - to:
        # Only allow egress to K8S
        - ipBlock:
            cidr: "10.0.0.0/8"
  policyTypes:
    - Egress
--------------------------------------------------------------------------------
/base/namespaces/nginx.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: nginx

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-ingress
  namespace: nginx
spec:
  podSelector: {}
  ingress:
    - from:
        # Allow all ingress (K8S ingress)
        - ipBlock:
            cidr: "0.0.0.0/0"
  policyTypes:
    - Ingress

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-egress
  namespace: nginx
spec:
  podSelector: {}
  egress:
    - to:
        # Allow egress to Internet (oauth)
        - ipBlock:
            cidr: "0.0.0.0/0"
  policyTypes:
    - Egress
--------------------------------------------------------------------------------
/base/namespaces/postgres.yaml:
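--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: postgres

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-ingress
  namespace: postgres
spec:
  podSelector: {}
  ingress:
    - from:
        # Only allow ingress from nginx and local
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: nginx
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: postgres
  policyTypes:
    - Ingress

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-egress
  namespace: postgres
spec:
  podSelector: {}
  egress:
    - to:
        # Only allow egress to K8S
        # Fixed: this was "10.0.0.0/0", which is equivalent to 0.0.0.0/0 and allowed
        # all egress, contradicting the comment and the /8 used by every other
        # cluster-only namespace (monitoring, rook-ceph, ceph, ...).
        - ipBlock:
            cidr: "10.0.0.0/8"
  policyTypes:
    - Egress
--------------------------------------------------------------------------------
/base/namespaces/rook-ceph.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: rook-ceph

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-ingress
  namespace: rook-ceph
spec:
  podSelector: {}
  # Empty ingress list with policyType Ingress = deny all inbound traffic.
  ingress: []
  policyTypes:
    - Ingress

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-egress
  namespace: rook-ceph
spec:
  podSelector: {}
  egress:
    - to:
        # Only allow egress to K8S
        - ipBlock:
            cidr: "10.0.0.0/8"
  policyTypes:
    - Egress
--------------------------------------------------------------------------------
/base/namespaces/vpn-gateway.yaml:
--------------------------------------------------------------------------------
# No NetworkPolicy is defined for this namespace here; the label is presumably
# consumed by the VPN gateway machinery — verify that something else restricts traffic.
apiVersion: v1
kind: Namespace
metadata:
  name: vpn-gateway
  labels:
    gateway: "true"
--------------------------------------------------------------------------------
/base/namespaces/vpn.yaml:
--------------------------------------------------------------------------------
# Likewise no NetworkPolicy here; "routed-gateway" marks the namespace whose pods
# are routed through the gateway (presumably) — verify against the gateway config.
apiVersion: v1
kind: Namespace
metadata:
  name: vpn
  labels:
    routed-gateway: "true"
--------------------------------------------------------------------------------
/base/sources/README.md:
--------------------------------------------------------------------------------
# Helm repositories

These are the Helm repositories used by the infrastructure and applications in the git repository.
--------------------------------------------------------------------------------
/base/sources/angelnu-helm-charts.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: angelnu-helm-charts
  namespace: flux-system
spec:
  interval: 1h
  url: https://angelnu.github.io/helm-charts
  timeout: 15m
--------------------------------------------------------------------------------
/base/sources/authentik.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: authentik
  namespace: flux-system
spec:
  interval: 30m
  url: https://charts.goauthentik.io
--------------------------------------------------------------------------------
/base/sources/bjw-s-helm-charts.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: bjw-s-helm-charts
  namespace: flux-system
spec:
  interval: 1h
  url: https://bjw-s-labs.github.io/helm-charts
  timeout: 15m
--------------------------------------------------------------------------------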
/base/sources/ceph-csi.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: ceph-csi
  namespace: flux-system
spec:
  interval: 30m
  url: https://ceph.github.io/csi-charts
--------------------------------------------------------------------------------
/base/sources/forgejo.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
# OCI-based repository (type: oci); charts are pulled as OCI artifacts rather than from an index.yaml.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: forgejo
  namespace: flux-system
spec:
  type: oci
  interval: 1h
  url: oci://code.forgejo.org/forgejo-helm
--------------------------------------------------------------------------------
/base/sources/gitea.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: gitea
  namespace: flux-system
spec:
  interval: 30m
  url: https://dl.gitea.io/charts/
--------------------------------------------------------------------------------
/base/sources/hajimari.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: hajimari
  namespace: flux-system
spec:
  interval: 30m
  url: https://hajimari.io
--------------------------------------------------------------------------------
/base/sources/infracloudio-charts.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: infracloudio-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://infracloudio.github.io/charts
  timeout: 3m
--------------------------------------------------------------------------------
/base/sources/ingress-nginx.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: ingress-nginx
  namespace: flux-system
spec:
  interval: 30m
  url: https://kubernetes.github.io/ingress-nginx
--------------------------------------------------------------------------------
/base/sources/jetstack-charts.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: jetstack-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://charts.jetstack.io/
  timeout: 3m
--------------------------------------------------------------------------------
/base/sources/kubereboot-charts.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: kubereboot-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://kubereboot.github.io/charts
  timeout: 3m
--------------------------------------------------------------------------------
/base/sources/kubernetes-dashboard.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: kubernetes-dashboard
  namespace: flux-system
spec:
  interval: 30m
  url: https://kubernetes.github.io/dashboard
--------------------------------------------------------------------------------
/base/sources/kustomization.yaml:
--------------------------------------------------------------------------------
# All HelmRepository sources live in flux-system; the namespace set here is
# applied to any resource below that omits its own metadata.namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
resources:
  - angelnu-helm-charts.yaml
  - authentik.yaml
  - bjw-s-helm-charts.yaml
  - ceph-csi.yaml
  - forgejo.yaml
  - gitea.yaml
  - hajimari.yaml
  - infracloudio-charts.yaml
  - ingress-nginx.yaml
  - jetstack-charts.yaml
  - kubernetes-dashboard.yaml
  - kubereboot-charts.yaml
  - metallb.yaml
  - mittwald.yaml
  - nextcloud.yaml
  - node-feature-discovery-charts.yaml
  - raspberrymatic.yaml
  - rook-ceph.yaml
  - searxng.yaml
  - stakater-charts.yaml
  - weaveworks.yaml
  - wobcom.yaml
  - zalando-postgres-operator.yaml
  - zalando-postgres-ui.yaml
--------------------------------------------------------------------------------
/base/sources/metallb.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: metallb-charts
  namespace: flux-system
spec:
  interval: 1h
  url: https://metallb.github.io/metallb
  timeout: 3m
--------------------------------------------------------------------------------
/base/sources/mittwald.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: mittwald
  namespace: flux-system
spec:
  interval: 2h
  url: https://helm.mittwald.de
  timeout: 3m
--------------------------------------------------------------------------------
/base/sources/nextcloud.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: nextcloud
  namespace: flux-system
spec:
  interval: 60m
  url: https://nextcloud.github.io/helm/
  timeout: 3m
--------------------------------------------------------------------------------
/base/sources/node-feature-discovery-charts.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: node-feature-discovery-charts
  namespace: flux-system
spec:
  interval: 60m
  url: https://kubernetes-sigs.github.io/node-feature-discovery/charts
  timeout: 3m
--------------------------------------------------------------------------------
/base/sources/raspberrymatic.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: raspberrymatic
  namespace: flux-system
spec:
  interval: 30m
  url: https://jens-maus.github.io/RaspberryMatic

---
# No metadata.namespace on this one; it is placed into flux-system by the
# "namespace:" field of base/sources/kustomization.yaml.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: raspberrymatic-angelnu
spec:
  interval: 30m
  url: https://angelnu.github.io/RaspberryMatic
--------------------------------------------------------------------------------
/base/sources/rook-ceph.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: rook-ceph
  namespace: flux-system
spec:
  interval: 30m
  url: https://charts.rook.io/release
--------------------------------------------------------------------------------
/base/sources/searxng.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: searxng
  namespace: flux-system
spec:
  interval: 30m
  url: https://charts.searxng.org
  timeout: 10m
--------------------------------------------------------------------------------
/base/sources/stakater-charts.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: stakater-charts
  namespace: flux-system
spec:
  interval: 30m
  url: https://stakater.github.io/stakater-charts
--------------------------------------------------------------------------------
/base/sources/weaveworks.yaml:
--------------------------------------------------------------------------------
# Generated by the weave-gitops CLI (see the labels); OCI-based source for the
# Weave GitOps dashboard chart.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  annotations:
    metadata.weave.works/description: This is the source location for the Weave GitOps
      Dashboard's helm chart.
  labels:
    app.kubernetes.io/component: ui
    app.kubernetes.io/created-by: weave-gitops-cli
    app.kubernetes.io/name: weave-gitops-dashboard
    app.kubernetes.io/part-of: weave-gitops
  name: ww-gitops
  namespace: flux-system
spec:
  interval: 1h0m0s
  type: oci
  url: oci://ghcr.io/weaveworks/charts
--------------------------------------------------------------------------------
/base/sources/wobcom.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: wobcom
  namespace: flux-system
spec:
  interval: 30m
  url: https://harbor.service.wobcom.de/chartrepo/public
--------------------------------------------------------------------------------
/base/sources/zalando-postgres-operator.yaml:
--------------------------------------------------------------------------------
# NOTE(review): the index is served straight from the operator's "master" branch,
# i.e. a moving target rather than a released chart index. The chart version pinned
# in the consuming HelmRelease still selects one entry, but the index itself can
# change under you — consider a tagged/released source if one is available.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: zalando-postgres-operator
  namespace: flux-system
spec:
  interval: 10m
  url: https://raw.githubusercontent.com/zalando/postgres-operator/master/charts/postgres-operator/
  timeout: 3m
--------------------------------------------------------------------------------
/base/sources/zalando-postgres-ui.yaml:
--------------------------------------------------------------------------------
# Same caveat as zalando-postgres-operator.yaml: served from the "master" branch.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: zalando-postgres-ui
  namespace: flux-system
spec:
  interval: 10m
  url: https://raw.githubusercontent.com/zalando/postgres-operator/master/charts/postgres-operator-ui/
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/production/gotk-sync.yaml:
--------------------------------------------------------------------------------
---
# Flux bootstrap source for the production cluster: anonymous HTTPS clone of the
# public repo, tracking the "main" branch. Anything merged to main is applied to
# the cluster, so branch protection on main is part of this cluster's trust boundary.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m0s
  ref:
    branch: main
  #secretRef:
  #  name: flux-system
  url: https://github.com/angelnu/k8s-gitops.git
  #url: ssh://git@github.com/angelnu/k8s-gitops
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 10m0s
  path: ./clusters/production
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  #validation: client
--------------------------------------------------------------------------------
/clusters/production/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
  - gotk-sync.yaml
  - settings.yaml
--------------------------------------------------------------------------------
/clusters/production/settings.yaml:
--------------------------------------------------------------------------------
# Reconciles ./settings/production (the ConfigMaps/Secrets that base/*.yaml
# substitute from); sops-decrypted with the sops-gpg key.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: settings
  namespace: flux-system
spec:
  interval: 10m5s
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./settings/production
  prune: true
  #validation: client
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
--------------------------------------------------------------------------------
/clusters/staging/gotk-sync.yaml:
--------------------------------------------------------------------------------
---
# Staging mirror of the production bootstrap: same repo, "staging" branch.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m0s
  ref:
    branch: staging
  #secretRef:
  #  name: flux-system
  url: https://github.com/angelnu/k8s-gitops.git
  #url: ssh://git@github.com/angelnu/k8s-gitops
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 10m0s
  path: ./clusters/staging
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  #validation: client
--------------------------------------------------------------------------------
/clusters/staging/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
  - gotk-sync.yaml
  - settings.yaml
--------------------------------------------------------------------------------
/clusters/staging/settings.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: settings
  namespace: flux-system
spec:
  interval: 10m5s
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./settings/staging
  prune: true
  #validation: client
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
--------------------------------------------------------------------------------
/core/authentik/authentik-db.yaml:
--------------------------------------------------------------------------------
# NOTE(review): still on helm.toolkit.fluxcd.io/v2beta1 while the app-template
# releases under apps/ already use v2; v2beta1 is the deprecated API — migrate
# once the installed Flux version is confirmed to serve v2.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: authentik-db
spec:
  interval: 5m
  chart:
    spec:
      chart: zalando-postgres-cluster
      version: 4.1.1
      interval: 15m
      sourceRef:
        kind: HelmRepository
        name: angelnu-helm-charts
        namespace: flux-system
  #See https://github.com/angelnu/helm-charts/blob/main/charts/apps/zalando-postgres-cluster/values.yaml
  values:

    postgresql:
      users:
        postgres:
          - superuser
          - createdb
      databases:
        postgres: postgres
      postgresql:
        version: "15"

    # Credentials are not kept in git: the superuser password comes from the
    # "authentik-config" Secret merged in via valuesFrom below.
    superuser: {}
    # password: set in secret

    persistentVolumes:
      hostPath: /media/db/authentik
      replicaNodes:
        - ${CLUSTER_DB_NODE_0}
        - ${CLUSTER_DB_NODE_1}
        - ${CLUSTER_DB_NODE_2}

    # Daily logical dump to NFS; treat the export as holding the IdP database.
    dumpBackup:
      enabled: true
      type: custom
      volumeSpec:
        nfs:
          server: "${NFS_SERVER}"
          path: "${NFS_KUBERNETES}/${CLUSTER_DB_BACKUP_PREFIX}/authentik"
          subpath: "."
      schedule: "@daily"

  valuesFrom:
    - kind: Secret
      name: "authentik-config"
      valuesKey: postgres.yaml
      optional: false
--------------------------------------------------------------------------------
/core/authentik/authentik-ingress.yaml:
--------------------------------------------------------------------------------
# Ingress for the authentik embedded outpost. Global auth is switched off here on
# purpose and only for the /outpost.goauthentik.io prefix: this is the path the
# forward-auth flow itself uses, so it cannot sit behind the auth it provides.
# Keep the path this narrow; widening it would expose authentik unauthenticated.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: authentik-outpost
  annotations:
    hajimari.io/enable: "false"
    nginx.ingress.kubernetes.io/enable-global-auth: "false"
spec:
  rules:
    - host: authentik.pub.${CLUSTER_DOMAIN}
      http:
        paths:
          - path: /outpost.goauthentik.io
            pathType: ImplementationSpecific
            backend:
              # Or, to use an external Outpost, create an ExternalName service and reference that here.
              # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
              service:
                name: ak-outpost-ingress
                port:
                  number: 9000

  tls:
    - hosts:
        - authentik.pub.${CLUSTER_DOMAIN}
--------------------------------------------------------------------------------
/core/authentik/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: authentik
resources:
  - authentik-secret.yaml
  - authentik-db.yaml
  - authentik.yaml
  - authentik-ingress.yaml
  - ldap-service.yaml
--------------------------------------------------------------------------------
/core/authentik/ldap-service.yaml:
--------------------------------------------------------------------------------
# LDAP outpost published on a fixed MetalLB address; externalTrafficPolicy: Local
# preserves client source IPs, which the authentik namespace NetworkPolicy
# (base/namespaces/authentik.yaml, "Allow LDAP ingress") filters by CIDR.
kind: Service
apiVersion: v1
metadata:
  name: authentik-ldap-outpost
  annotations:
    metallb.universe.tf/loadBalancerIPs: "${CLUSTER_EXTERNAL_SUBNET_PREFIX}.${CLUSTER_LB_LDAP}"
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
    - name: ldap
protocol: TCP 13 | port: 389 14 | targetPort: 3389 15 | - name: ldaps 16 | protocol: TCP 17 | port: 636 18 | targetPort: 6636 19 | # - name: http-metrics 20 | # protocol: TCP 21 | # port: 9300 22 | # targetPort: 9300 23 | selector: 24 | app.kubernetes.io/name: authentik-outpost-ldap 25 | goauthentik.io/outpost-name: ldap-outpost 26 | goauthentik.io/outpost-type: ldap -------------------------------------------------------------------------------- /core/ceph-rbd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ceph-rbd 4 | resources: 5 | - rbd.yaml 6 | - secret.yaml -------------------------------------------------------------------------------- /core/ceph-rbd/rbd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: ceph-csi-rbd 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | # renovate: registryUrl=https://ceph.github.io/csi-charts 10 | chart: ceph-csi-rbd 11 | version: 3.14.0 12 | sourceRef: 13 | kind: HelmRepository 14 | name: ceph-csi 15 | namespace: flux-system 16 | interval: 5m 17 | #See https://github.com/ceph/ceph-csi/blob/devel/charts/ceph-csi-cephfs/values.yaml 18 | values: 19 | csiConfig: 20 | - clusterID: "84675d40-a0d9-11eb-b978-dbc90369c7ea" #just a UUID 21 | monitors: 22 | - ${CEPH_MONITOR_HOST_1} 23 | - ${CEPH_MONITOR_HOST_2} 24 | - ${CEPH_MONITOR_HOST_3} 25 | -------------------------------------------------------------------------------- /core/ceph/README.md: -------------------------------------------------------------------------------- 1 | Useful links: 2 | - https://docs.ceph.com/en/latest/rados/operations/add-or-rm-mons/ 3 | - https://docs.ceph.com/en/latest/rados/troubleshooting/troubleshooting-mon/ 
-------------------------------------------------------------------------------- /core/ceph/cephfs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: ceph-csi-cephfs 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | # renovate: registryUrl=https://ceph.github.io/csi-charts 10 | chart: ceph-csi-cephfs 11 | version: 3.14.0 12 | sourceRef: 13 | kind: HelmRepository 14 | name: ceph-csi 15 | namespace: flux-system 16 | interval: 5m 17 | #See https://github.com/ceph/ceph-csi/blob/devel/charts/ceph-csi-cephfs/values.yaml 18 | values: 19 | csiConfig: 20 | - clusterID: "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" #just a UUID 21 | monitors: 22 | - ${CEPH_MONITOR_HOST_1} 23 | - ${CEPH_MONITOR_HOST_2} 24 | - ${CEPH_MONITOR_HOST_3} 25 | cephFS: 26 | subvolumeGroup: "" 27 | -------------------------------------------------------------------------------- /core/ceph/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: ceph 4 | resources: 5 | - cephfs.yaml 6 | - secret.yaml -------------------------------------------------------------------------------- /core/cert-manager/README.md: -------------------------------------------------------------------------------- 1 | # cert-manager namespace 2 | 3 | [cert-manager](https://github.com/jetstack/cert-manager) for automatically obtaining and renewing LetsEncrypt certificates 4 | 5 | [DNS webhook for Dnsmadeeasy](https://github.com/angelnu/cert-manager-webhook-dnsmadeeasy) is used. 
6 | 7 | * [operator](../../../operators/cert-manager/cert-manager.yaml) 8 | * [dnsmadeeasy webhook chart settings](cert-manager-dnsmadeeasy.yaml) 9 | * [certificate settings](certificate.yaml) -------------------------------------------------------------------------------- /core/cert-manager/cert-manager-dnsmadeeasy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: dnsmadeeasy-webhook 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | chart: dnsmadeeasy-webhook 10 | version: 5.0.0 11 | interval: 15m 12 | sourceRef: 13 | kind: HelmRepository 14 | name: angelnu-helm-charts 15 | namespace: flux-system 16 | dependsOn: 17 | - name: cert-manager 18 | #See https://github.com/angelnu/helm-charts/blob/main/charts/apps/dnsmadeeasy-webhook/values.yaml 19 | values: 20 | groupName: "${CLUSTER_DOMAIN}" 21 | 22 | image: 23 | repository: ghcr.io/angelnu/dnsmadeeasy-webhook 24 | # I am using dev version for testing - others should be using latest 25 | tag: dev@sha256:1b0045ba1849496842d414a9a6b1a4bcf9aa467c3f9df56d5b64a23b0624b3c9 26 | 27 | cert-manager: 28 | # -- Install cert-manager chart as dependency. 29 | # Usually this is already installed in the cluster and not needed. 
30 | enabled: false 31 | -------------------------------------------------------------------------------- /core/cert-manager/certificate.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: ClusterIssuer 3 | metadata: 4 | name: letsencrypt-test 5 | spec: 6 | acme: 7 | email: acme@${CLUSTER_DOMAIN} 8 | server: https://acme-staging-v02.api.letsencrypt.org/directory 9 | privateKeySecretRef: 10 | name: letsencrypt-test 11 | solvers: 12 | # An empty 'selector' means that this solver matches all domains 13 | - selector: {} 14 | dns01: 15 | webhook: 16 | groupName: "${CLUSTER_DOMAIN}" 17 | solverName: dnsmadeeasy 18 | config: 19 | apiKeyRef: 20 | name: dnsmadeeasy 21 | key: key 22 | apiSecretRef: 23 | name: dnsmadeeasy 24 | key: secret 25 | --- 26 | apiVersion: cert-manager.io/v1 27 | kind: ClusterIssuer 28 | metadata: 29 | name: letsencrypt-prod 30 | spec: 31 | acme: 32 | email: "acme@${CLUSTER_DOMAIN}" 33 | server: https://acme-v02.api.letsencrypt.org/directory 34 | privateKeySecretRef: 35 | name: letsencrypt-prod 36 | solvers: 37 | # An empty 'selector' means that this solver matches all domains 38 | - selector: {} 39 | dns01: 40 | webhook: 41 | groupName: "${CLUSTER_DOMAIN}" 42 | solverName: dnsmadeeasy 43 | config: 44 | apiKeyRef: 45 | name: dnsmadeeasy 46 | key: key 47 | apiSecretRef: 48 | name: dnsmadeeasy 49 | key: secret 50 | --- 51 | apiVersion: cert-manager.io/v1 52 | kind: Certificate 53 | metadata: 54 | name: acme-crt 55 | namespace: cert-manager 56 | spec: 57 | secretName: "${CLUSTER_DOMAIN_CERT}" 58 | issuerRef: 59 | #name: letsencrypt-test 60 | name: letsencrypt-prod 61 | kind: ClusterIssuer 62 | dnsNames: 63 | - '${CLUSTER_DOMAIN}' 64 | - '*.${CLUSTER_DOMAIN}' 65 | - '*.home.${CLUSTER_DOMAIN}' 66 | - '*.pub.${CLUSTER_DOMAIN}' 67 | # This dummy can be changed to circumvent Letsencrypt check for duplicated certs 68 | # The right fix is to backup certificates correctly 69 | - 
'*.${CLUSTER_DOMAIN_DUMMY}.${CLUSTER_DOMAIN}' 70 | secretTemplate: 71 | annotations: 72 | replicator.v1.mittwald.de/replicate-to: "authentik,maddy" -------------------------------------------------------------------------------- /core/cert-manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: cert-manager 4 | #crds: 5 | # - https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.crds.yaml 6 | resources: 7 | - cert-manager-dnsmadeeasy.yaml 8 | - secret-dnsmadeeasy.yaml 9 | - certificate.yaml 10 | 11 | -------------------------------------------------------------------------------- /core/cert-manager/secret-dnsmadeeasy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: dnsmadeeasy 5 | namespace: cert-manager 6 | stringData: 7 | key: ENC[AES256_GCM,data:iBbQb412r7qc7qmKtzmYYQpMjv/Qr9pdFKtdgooevWhuWF4v,iv:qzYkULLBecx1C4klzZHZdyO+FIpPC/jx/8Dt92xJwXM=,tag:aHgqfGRJgHUHvVsewe/drw==,type:str] 8 | secret: ENC[AES256_GCM,data:Vt/zxobJiXc1MR95VbeFzjmZWuqihHW5e99CU5XS5iz/qmvL,iv:GSDMuX7DefZViFyvmfPYFLh7BHV3WadKQLfD6n2jdLg=,tag:Wc76Ic8iRfKHJWlHv7Jk/w==,type:str] 9 | sops: 10 | kms: [] 11 | gcp_kms: [] 12 | azure_kv: [] 13 | hc_vault: [] 14 | lastmodified: '2021-02-14T00:35:45Z' 15 | mac: ENC[AES256_GCM,data:T7E03Lq3zWu10aZV31xbDYFcNbbe24rhooiUP/3Ir1t3lbzh0VC1Yj1R/Fk1mIpNt7rPrkOPjEZMO86ek0cQI+zOc6o9mZSE9OlVa4KaVpxxFr5qvWe3Yyvqqczuwkx9eD03msQlyBIxFBK08OYfdTOzDUZSHI2AJwErxIN2sd4=,iv:gQMgpYuIiwU3UyYeBBdslXsG4Tq8jDvfEdhS891aokU=,tag:0bIxdzxojcixJLBR3z772Q==,type:str] 16 | pgp: 17 | - created_at: '2021-02-06T22:29:44Z' 18 | enc: | 19 | -----BEGIN PGP MESSAGE----- 20 | 21 | hQIMA2CuQNd5ml+/AQ/9H9/tAAZ2kAsAm36TZRm/lA6yt1QzRHL3z7pAWd3oRH2m 22 | 4Cw+HU7IgbweiPM7nZBOPg55GFMQvL/iKlz6rdbVnfuEqo+mwHC3qJZRMQQbORpj 23 | 
yuElxbb+DeqSWEYV/RoT2xfmFN8V5DlqbkiJlg4ZIr/YximFqQpK/dEqI2EGC9p6 24 | DdeXxHS4Ym1yONc/Ny+2cFP7UxSlUCNmYqZvnwWomjoYtZUtk/cxb3cH6qb65vbw 25 | lhVG52t3ym2J3p9KT7tV0xfebg/ePcpZWvTLF0WmT5BPm6bUocEh79E5ybdXDsvJ 26 | UFXkl5UocOiWB/wdrUGprSHcKJ5JpPSFrZ5dKqOp4FuvBxBPkL3Iiu96TOJds7fM 27 | oTvtQrKztngx57998rEgISvwOyWQXD5nfjty46zegjAx5WL9xY8TnAtKQqt+L28c 28 | ZAg4to6nRB/OjifVMLcHsVIeZtFLXValnyQchiFMCMfZxiwaAUegffdT3vgnq+U/ 29 | 3ja2fjdinMh+YjDiMR0vvTFc0CcLnyVlq6L0hPDUFjdNqWYySL6GzJnGxaJNMGIX 30 | +Eo+enFOoG8WvUL4LoIMQqHMWLvzEe7ZBmnKwHb5uYq3MEJvG5sTOrpTcIpbf/Df 31 | araOHEXwKkHCtTW7pVD259BdxeSzkJ1dlindfr57uZ1KpUD17bZIezH6PATPyijS 32 | XgHYbXEJ0TabDgzCu6otQ+FKWbYyV6GHzmTZd9m12I/Ok4mJm/eC28pmHeBdLnBX 33 | 0wtVfKhnzOuv0+N4b6ZJ29PddTyVvgIR2lIey9CKXXKikFlgIovg6FB+MXrYTnE= 34 | =E3Jr 35 | -----END PGP MESSAGE----- 36 | fp: E61087FD0DC8B3AA734061498564C79FC27F08E2 37 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 38 | version: 3.6.1 39 | -------------------------------------------------------------------------------- /core/flux-system/README.md: -------------------------------------------------------------------------------- 1 | # flux-system namespace 2 | 3 | ## notifications 4 | 5 | Send notifications / alerts when Flux2 applies changes. 6 | 7 | Based on [this](https://toolkit.fluxcd.io/guides/notifications/) guide. 
8 | 9 | [Settings](notifications) -------------------------------------------------------------------------------- /core/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: flux-system 4 | resources: 5 | - notifications 6 | -------------------------------------------------------------------------------- /core/flux-system/notifications/github_alert.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: notification.toolkit.fluxcd.io/v1beta1 2 | kind: Alert 3 | metadata: 4 | name: cluster 5 | namespace: flux-system 6 | spec: 7 | providerRef: 8 | name: flux-system 9 | eventSeverity: info 10 | eventSources: 11 | # Adds status to git commit 12 | - kind: Kustomization 13 | name: settings 14 | namespace: flux-system 15 | - kind: Kustomization 16 | name: flux-system 17 | namespace: flux-system 18 | - kind: Kustomization 19 | name: operators 20 | namespace: flux-system 21 | - kind: Kustomization 22 | name: infrastructure 23 | namespace: flux-system 24 | - kind: Kustomization 25 | name: apps 26 | namespace: flux-system -------------------------------------------------------------------------------- /core/flux-system/notifications/github_provider.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: notification.toolkit.fluxcd.io/v1beta1 2 | kind: Provider 3 | metadata: 4 | name: flux-system 5 | namespace: flux-system 6 | spec: 7 | type: github 8 | address: https://github.com/angelnu/k8s-gitops 9 | secretRef: 10 | name: github -------------------------------------------------------------------------------- /core/flux-system/notifications/github_secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: github 5 | namespace: flux-system 6 | 
stringData: 7 | #ENC[AES256_GCM,data:UwwpSKute8UAYq+sqizF/zUvB0ri625FBw==,iv:RsHTCMY45r5WPpywg4DFGn+ZiuS5AXGZE1sQgUYgE7c=,tag:4oHnwGRXbkjZIcr+hZBfLQ==,type:comment] 8 | token: ENC[AES256_GCM,data:94ZQKfGL9REWmj1o24bLputCUcoxGDr14e16cgOIHFAlVTJgAHB8jA==,iv:VTCrjCMW9kDReuDIdybfOkZCes3J0nqxT0ujC1WodAY=,tag:X6G3AuNqrAcmCIDnm2U3eQ==,type:str] 9 | sops: 10 | kms: [] 11 | gcp_kms: [] 12 | azure_kv: [] 13 | hc_vault: [] 14 | age: [] 15 | lastmodified: "2021-05-16T01:56:49Z" 16 | mac: ENC[AES256_GCM,data:ezj7I1jZmXk/gwxIzYH1hdsDA3Ph4kxwkBXWpzBGkQ1YOP+BSmMVewkxpweyxd+6GIEPePhZyEmxBpbClR3lAEX+VWAu0e2mYz7ryyAC2WMN2V/xUzdnMPGS0I1KhRpoIrehB50qq7/F5wobdARiIIV7LjYcRLQg+/DIi2xrwd8=,iv:dpgOpnkEDz417NQAbUJdKHS+6dY6hZgSWMbbkAkDqu4=,tag:yYNY6NCxn0h1PkyKHs7qGw==,type:str] 17 | pgp: 18 | - created_at: "2021-02-06T22:19:41Z" 19 | enc: | 20 | -----BEGIN PGP MESSAGE----- 21 | 22 | hQIMA2CuQNd5ml+/AQ/8C9XUcea9/KWIdpX24KB5y7OpYPA1F0F/zKAoXpPejUS8 23 | FNYXUUaDohzBXD/E40iEUMR/WoLWS+brRsp1bJkq7ihPVwXr8o/p1AceDZY211vi 24 | odFZ50zDOuFxKWja4HXqEVW8sPW5THNiJprsVIJVe4BRxc1eVD/7cm76S/M+urXO 25 | 8L7K+N2IbZtLxyR9boWeDZj6aJI06skcZMqC6WBCrV+oGOTbVqLNwUXpa++fefkm 26 | d/tv2hLajX784s918tbzGrC6/HVdReAc5BNp5/L3RnCR4rXLPdOfy2cq6MEmSHeh 27 | SMI7Scpw/O6a1qFkfVyKPjY5f+05PsoOrt3cvbe4uPHFU4U8QNeKiLfeViQAd+va 28 | DmAjcrjxKEs9Xw+Hx34G0rtAqy/VeNRLGhQz3AAbzjqXVO8gNh2fGr5MFkKgQDj+ 29 | Y6J1d0ksNhwGRu0gol/LT7ti/uyV11rsCmeycJq9CUm0aAed59a+aENPqA5hPRTp 30 | fuqDuuNVzCFz+4jTcBm4QK0kCcQBGHaTueAj45+FDnBzN1DRbjK/9o4fA3ncGs06 31 | F+dig6UqFF22u8vCKpYwuhdwo7Kb4Fza+pAAcH42Npe0CNaUYna1Oy6+LO2fMrsm 32 | iDnSIY85UOhxeiLFNQ9gu2YsFXQ7wHrgZCGECvAypU/nJLqHdYTrEXVD8mpX/KPS 33 | XgGS2XUYd7DnNiJbQ1KAULc0mkapvX6M7dv4q2ZPfg5QOBy7jNLPKOa1Wr78o+8R 34 | /DAP//v2+I/+9M9inAxbWUyH7FqvgH22AugsmIrsAUhuIr+cmSG8LlYMxSWQzEg= 35 | =rVWE 36 | -----END PGP MESSAGE----- 37 | fp: E61087FD0DC8B3AA734061498564C79FC27F08E2 38 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 39 | version: 3.7.1 40 | 
-------------------------------------------------------------------------------- /core/flux-system/notifications/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - slack_provider.yaml 5 | - slack_alert.yaml 6 | - github_secret.yaml 7 | - github_provider.yaml 8 | - github_alert.yaml 9 | -------------------------------------------------------------------------------- /core/flux-system/notifications/slack_alert.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: notification.toolkit.fluxcd.io/v1beta1 2 | kind: Alert 3 | metadata: 4 | name: on-call-webapp 5 | spec: 6 | providerRef: 7 | name: slack 8 | eventSeverity: info 9 | eventSources: 10 | - kind: GitRepository 11 | name: '*' 12 | - kind: Kustomization 13 | name: '*' 14 | 15 | - kind: HelmRepository 16 | name: '*' 17 | #namespace: '*' 18 | - kind: HelmChart 19 | name: '*' 20 | #namespace: '*' 21 | 22 | - kind: HelmRelease 23 | name: '*' 24 | namespace: 'default' 25 | - kind: HelmRelease 26 | name: '*' 27 | namespace: 'kube-system' 28 | - kind: HelmRelease 29 | name: '*' 30 | namespace: 'nginx' 31 | - kind: HelmRelease 32 | name: '*' 33 | namespace: 'cert-manager' 34 | - kind: HelmRelease 35 | name: '*' 36 | namespace: 'postgres' 37 | - kind: HelmRelease 38 | name: '*' 39 | namespace: 'podinfo' 40 | exclusionList: 41 | - "error.*lookup github\\.com" 42 | - "waiting.*socket" -------------------------------------------------------------------------------- /core/flux-system/notifications/slack_provider.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: notification.toolkit.fluxcd.io/v1beta1 2 | kind: Provider 3 | metadata: 4 | name: slack 5 | spec: 6 | type: slack 7 | channel: ${FLUX_NOTIFICATIONS_CHANNEL} 8 | address: ${FLUX_SLACK_URL} 
-------------------------------------------------------------------------------- /core/kube-system/README.md: -------------------------------------------------------------------------------- 1 | # flux-system namespace 2 | 3 | ## Authentication 4 | 5 | Proxy for the Kubernetes nginx so I can authenticate users with Open ID. 6 | 7 | [Settings](authentication) 8 | 9 | ## intel-gpu-plugin 10 | 11 | Allow accessing the Intel GPU from containers such as plex. 12 | 13 | [Settings](intel-gpu-plugin) 14 | 15 | ## Metallb - Load Balancer 16 | 17 | [Load balancers](https://metallb.universe.tf/) for K8S services. 18 | 19 | [Settings](metallb.yaml) 20 | 21 | ## node feature discovery 22 | 23 | Allow detecting HW and setting labels accordingly. 24 | 25 | [Settings](node-feature-discovery) -------------------------------------------------------------------------------- /core/kube-system/intel-gpu-plugin/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release.yaml 5 | -------------------------------------------------------------------------------- /core/kube-system/intel-gpu-plugin/release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: intel-gpu-plugin 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | chart: app-template 12 | version: 3.7.3 13 | interval: 15m 14 | sourceRef: 15 | kind: HelmRepository 16 | name: bjw-s-helm-charts 17 | namespace: flux-system 18 | # See https://github.com/bjw-s/helm-charts/blob/main/charts/library/common/values.yaml 19 | values: 20 | controllers: 21 | main: 22 | type: daemonset 23 | strategy: RollingUpdate 24 | 
containers: 25 | app: 26 | image: 27 | repository: docker.io/intel/intel-gpu-plugin 28 | tag: 0.32.1 29 | args: 30 | - -shared-dev-num 31 | - "5" 32 | resources: 33 | requests: 34 | cpu: 15m 35 | memory: 64M 36 | limits: 37 | memory: 64M 38 | pod: 39 | affinity: 40 | nodeAffinity: 41 | requiredDuringSchedulingIgnoredDuringExecution: 42 | nodeSelectorTerms: 43 | - matchExpressions: 44 | - key: feature.node.kubernetes.io/custom-intel-gpu 45 | operator: In 46 | values: 47 | - "true" 48 | 49 | persistence: 50 | devfs: 51 | enabled: true 52 | type: hostPath 53 | hostPath: /dev/dri 54 | hostPathType: Directory 55 | sysfs: 56 | enabled: true 57 | type: hostPath 58 | hostPath: /sys/class/drm 59 | hostPathType: Directory 60 | kubeletsockets: 61 | enabled: true 62 | type: hostPath 63 | hostPathType: Directory 64 | hostPath: /var/lib/kubelet/device-plugins 65 | -------------------------------------------------------------------------------- /core/kube-system/kubernetes-replicator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2beta2 4 | kind: HelmRelease 5 | metadata: 6 | name: kubernetes-replicator 7 | namespace: system-controllers 8 | spec: 9 | interval: 30m 10 | chart: 11 | spec: 12 | # renovate: registryUrl=https://windmill-labs.github.io/windmill-helm-charts/ 13 | chart: kubernetes-replicator 14 | version: 2.11.1 15 | sourceRef: 16 | kind: HelmRepository 17 | name: mittwald 18 | namespace: flux-system 19 | maxHistory: 2 20 | install: 21 | crds: CreateReplace 22 | remediation: 23 | retries: 3 24 | upgrade: 25 | cleanupOnFail: true 26 | crds: CreateReplace 27 | remediation: 28 | retries: 3 29 | uninstall: 30 | keepHistory: false 31 | values: 32 | image: 33 | repository: quay.io/mittwald/kubernetes-replicator 34 | tag: v2.11.1 35 | grantClusterAdmin: false 36 | args: 
37 | - -resync-period=5m 38 | securityContext: 39 | capabilities: 40 | drop: 41 | - ALL 42 | readOnlyRootFilesystem: true 43 | runAsNonRoot: true 44 | runAsUser: 1000 -------------------------------------------------------------------------------- /core/kube-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: kube-system 4 | resources: 5 | - intel-gpu-plugin 6 | - kubernetes-replicator.yaml 7 | - metallb.yaml 8 | - multus_network.yaml 9 | - node-feature-discovery 10 | - weave-gitops-dashboard 11 | -------------------------------------------------------------------------------- /core/kube-system/metallb.yaml: -------------------------------------------------------------------------------- 1 | # The address-pools lists the IP addresses that MetalLB is 2 | # allowed to allocate. You can have as many 3 | # address pools as you want. 4 | apiVersion: metallb.io/v1beta1 5 | kind: IPAddressPool 6 | metadata: 7 | # A name for the address pool. Services can request allocation 8 | # from a specific address pool using this name. 9 | name: first-pool 10 | #namespace: metallb-system 11 | spec: 12 | # A list of IP address ranges over which MetalLB has 13 | # authority. You can list multiple ranges in a single pool, they 14 | # will all share the same settings. Each range can be either a 15 | # CIDR prefix, or an explicit start-end range of IPs. 
16 | addresses: 17 | - "${CLUSTER_LB_RANGE}" 18 | #- 192.168.9.1-192.168.9.5 19 | #- fc00:f853:0ccd:e799::/124 20 | 21 | --- 22 | 23 | apiVersion: metallb.io/v1beta1 24 | kind: L2Advertisement 25 | metadata: 26 | name: default 27 | #namespace: metallb-system -------------------------------------------------------------------------------- /core/kube-system/multus_network.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: "k8s.cni.cncf.io/v1" 2 | kind: NetworkAttachmentDefinition 3 | metadata: 4 | name: macvlan-static 5 | spec: 6 | config: '{ 7 | "cniVersion": "0.3.1", 8 | "name": "macvlan-static", 9 | "type": "macvlan", 10 | "master": "eth0", 11 | "capabilities": { "ips": true }, 12 | "ipam": { 13 | "type": "host-local", 14 | "subnet": "192.168.0.0/19", 15 | "rangeStart": "${CLUSTER_EXTERNAL_SUBNET_PREFIX}.0", 16 | "rangeEnd": "${CLUSTER_EXTERNAL_SUBNET_PREFIX}.63", 17 | "routes": [ 18 | { "dst": "192.168.0.0/16" } 19 | ], 20 | "gateway": "192.168.2.1" 21 | } 22 | }' 23 | 24 | # '{ 25 | # "cniVersion": "0.3.1", 26 | # "name": "macvlan-static", 27 | # "type": "macvlan", 28 | # "master": "eno2", 29 | # "capabilities": { "ips": true }, 30 | # "ipam": { 31 | # "type": "host-local", 32 | # "subnet": "192.168.0.0/19", 33 | # "rangeStart": "${CLUSTER_EXTERNAL_SUBNET_PREFIX}.0", 34 | # "rangeEnd": "${CLUSTER_EXTERNAL_SUBNET_PREFIX}.63", 35 | # "gateway": "192.168.2.1" 36 | # } 37 | # }' 38 | --- 39 | apiVersion: "k8s.cni.cncf.io/v1" 40 | kind: NetworkAttachmentDefinition 41 | metadata: 42 | name: ipvlan-static 43 | spec: 44 | config: '{ 45 | "cniVersion": "0.3.1", 46 | "name": "macvlan-static", 47 | "type": "ipvlan", 48 | "master": "eth0", 49 | "capabilities": { "ips": true }, 50 | "ipam": { 51 | "type": "host-local", 52 | "subnet": "192.168.0.0/19", 53 | "rangeStart": "${CLUSTER_EXTERNAL_SUBNET_PREFIX}.0", 54 | "rangeEnd": "${CLUSTER_EXTERNAL_SUBNET_PREFIX}.63" 55 | } 56 | }' 
-------------------------------------------------------------------------------- /core/kube-system/node-feature-discovery/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release.yaml 5 | -------------------------------------------------------------------------------- /core/kube-system/weave-gitops-dashboard/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - release.yaml 5 | -------------------------------------------------------------------------------- /core/kube-system/weave-gitops-dashboard/release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | annotations: 5 | metadata.weave.works/description: This is the Weave GitOps Dashboard. It provides 6 | a simple way to get insights into your GitOps workloads. 
7 | name: ww-gitops 8 | spec: 9 | chart: 10 | spec: 11 | chart: weave-gitops 12 | sourceRef: 13 | kind: HelmRepository 14 | name: ww-gitops 15 | interval: 1h0m0s 16 | values: 17 | adminUser: 18 | create: true 19 | passwordHash: $2a$10$JGB7DI.zbtjM3RyKFhhj..04Ncz7n2XJGk.Zr17FxYgvnmyo0w0/C 20 | username: admin 21 | 22 | -------------------------------------------------------------------------------- /core/kubernetes-dashboard/clusterRoleBinding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: system-kubernetes-dashboard 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: cluster-admin 9 | subjects: 10 | - kind: ServiceAccount 11 | name: kubernetes-dashboard 12 | namespace: kubernetes-dashboard -------------------------------------------------------------------------------- /core/kubernetes-dashboard/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: kubernetes-dashboard 4 | resources: 5 | - release.yaml 6 | - clusterRoleBinding.yaml 7 | -------------------------------------------------------------------------------- /core/kubernetes-dashboard/release.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: kubernetes-dashboard 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | # renovate: registryUrl=https://kubernetes.github.io/dashboard 10 | chart: kubernetes-dashboard 11 | version: 7.13.0 12 | sourceRef: 13 | kind: HelmRepository 14 | name: kubernetes-dashboard 15 | namespace: flux-system 16 | interval: 5m 17 | values: 18 | app: 19 | image: 20 | pullPolicy: IfNotPresent 21 | 22 | ingress: 23 | enabled: true 24 | useDefaultIngressClass: true 
25 | annotations: 26 | hajimari.io/enable: "true" 27 | hajimari.io/icon: logos:kubernetes 28 | hajimari.io/info: Kubernetes dashboard 29 | hajimari.io/group: admin 30 | nginx.ingress.kubernetes.io/proxy-body-size: "100m" 31 | nginx.ingress.kubernetes.io/configuration-snippet: | 32 | auth_request_set $required_groups 'kubernetes_dashboard'; 33 | hosts: 34 | - dashboard.${CLUSTER_DOMAIN} 35 | - dashboard.home.${CLUSTER_DOMAIN} 36 | tls: 37 | secretName: null 38 | hosts: 39 | - dashboard.${CLUSTER_DOMAIN} 40 | - dashboard.home.${CLUSTER_DOMAIN} 41 | # protocolHttp: true 42 | # api: 43 | # containers: 44 | # # https://github.com/kubernetes/dashboard/blob/master/docs/common/arguments.md 45 | # args: 46 | # # When enabled, the skip button on the login page will be shown. 47 | # - --enable-skip-login 48 | # # When enabled, Dashboard settings page will not require user to be logged in and authorized to access settings page. 49 | # - --disable-settings-authorizer 50 | # # When enabled, Dashboard login view will also be shown when Dashboard is not served over HTTPS. 
51 | # - --enable-insecure-login 52 | metricsScraper: 53 | enabled: true 54 | nginx: 55 | enabled: false 56 | cert-manager: 57 | enabled: false 58 | metrics-server: 59 | enabled: false 60 | -------------------------------------------------------------------------------- /core/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - authentik 5 | - cert-manager 6 | - ceph 7 | - ceph-rbd 8 | - flux-system 9 | - kube-system 10 | - kubernetes-dashboard 11 | - maddy 12 | - monitoring 13 | - nginx 14 | - postgres 15 | - rook-ceph 16 | - vpn 17 | - vpn-gateway 18 | -------------------------------------------------------------------------------- /core/maddy/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: maddy 4 | resources: 5 | - secret.yaml 6 | - release-fs.yaml 7 | - release-db.yaml 8 | - release.yaml 9 | -------------------------------------------------------------------------------- /core/maddy/release-db.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: maddy-db 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | chart: zalando-postgres-cluster 10 | version: 4.1.1 11 | interval: 15m 12 | sourceRef: 13 | kind: HelmRepository 14 | name: angelnu-helm-charts 15 | namespace: flux-system 16 | #See https://github.com/angelnu/helm-charts/blob/main/charts/apps/zalando-postgres-cluster/values.yaml 17 | values: 18 | 19 | postgresql: 20 | users: 21 | postgres: 22 | - superuser 23 | - createdb 24 | databases: 25 | maddy: postgres 26 | postgresql: 27 | version: "15" 28 | 29 | superuser: {} 30 | # password: set in secret 31 | 32 | persistentVolumes: 33 | hostPath: /media/db/maddy 34 
| replicaNodes: 35 | - ${CLUSTER_DB_NODE_0} 36 | - ${CLUSTER_DB_NODE_1} 37 | - ${CLUSTER_DB_NODE_2} 38 | 39 | dumpBackup: 40 | enabled: true 41 | type: custom 42 | volumeSpec: 43 | nfs: 44 | server: "${NFS_SERVER}" 45 | path: "${NFS_KUBERNETES}/${CLUSTER_DB_BACKUP_PREFIX}/maddy" 46 | subpath: "." 47 | schedule: "@daily" 48 | 49 | valuesFrom: 50 | - kind: Secret 51 | name: "maddy-helm-values" 52 | valuesKey: postgres.yaml 53 | optional: false 54 | -------------------------------------------------------------------------------- /core/maddy/release-fs.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: maddy-pvc 5 | spec: 6 | resources: 7 | requests: 8 | storage: "1Gi" 9 | accessModes: 10 | - ReadWriteOnce 11 | - ReadOnlyMany 12 | storageClassName: maddy-storageclass 13 | --- 14 | apiVersion: v1 15 | kind: PersistentVolume 16 | metadata: 17 | name: maddy-pv 18 | spec: 19 | storageClassName: maddy-storageclass 20 | capacity: 21 | storage: "1Gi" 22 | accessModes: 23 | - ReadWriteOnce 24 | - ReadOnlyMany 25 | csi: 26 | driver: cephfs.csi.ceph.com 27 | nodeStageSecretRef: 28 | # node stage secret name 29 | name: ceph-secret 30 | # node stage secret namespace where above secret is created 31 | namespace: ceph 32 | volumeAttributes: 33 | # Required options from storageclass parameters need to be added in volumeAttributes 34 | "clusterID": "2ec73f92-a0c8-11eb-b84d-eb70282a4edf" 35 | # (required) CephFS filesystem name into which the volume shall be created 36 | "fsName": "cephfs" 37 | "staticVolume": "true" 38 | "rootPath": /k8s/${CLUSTER_ENV}/maddy 39 | # volumeHandle can be anything, need not to be same 40 | # as PV name or volume name. 
keeping same for brevity 41 | volumeHandle: maddy-pv 42 | persistentVolumeReclaimPolicy: Delete 43 | volumeMode: Filesystem -------------------------------------------------------------------------------- /core/monitoring/README.md: -------------------------------------------------------------------------------- 1 | # monitoring namespace 2 | 3 | ## BotKube 4 | 5 | [BotKube](https://www.botkube.io/) is a messaging bot for monitoring and debugging Kubernetes clusters 6 | 7 | It sends event in the cluster to slack. 8 | 9 | [Settings](botkube) -------------------------------------------------------------------------------- /core/monitoring/botkube/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: monitoring 4 | resources: 5 | - secret.yaml 6 | - release.yaml -------------------------------------------------------------------------------- /core/monitoring/botkube/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: botkube-helm-values 5 | # Slack token received after installing BotKube Slack app to a workplace 6 | stringData: 7 | values.yaml: ENC[AES256_GCM,data:Z8pAp5WIkQnunFeFNnqQXIzjgvQaZswYVvyKA7vyv2BgUq9YvRbIg30U9Dd3F4QTLUBkQ+/e47SupzOu63hRFLvb1WK2A1+Iul248zDPAng31U8UM02L8wSY6xpB5y7LbVE=,iv:Qb9kddI5vk25zKcL1Svh0nrehAoxkDtpLeVmv9pMOp8=,tag:fhe/mQdEmzlvWfeEGJ6Omg==,type:str] 8 | sops: 9 | kms: [] 10 | gcp_kms: [] 11 | azure_kv: [] 12 | hc_vault: [] 13 | lastmodified: '2021-02-21T12:14:06Z' 14 | mac: ENC[AES256_GCM,data:5m7B1YvoaNEe+RPgfJ2wYyhf8WNU026PzXS7lSzgCRRGz54aPRXxalRC6OA2j9C0vMgDbZllv0VP6OaKd26351XMG2njhDuhjK97BO4OrCUqONFOwnNrfMwMaxTov62w+jReJ7HLf76YKegnoD4y/4QhVE9Zu+sE9jdQUwQ6Qn0=,iv:63KwyD4vF97OWegIWG5HByYqIuAwUEvfNpKdIYBCD2c=,tag:X+tMMk7NqxVUukSRjPNzOw==,type:str] 15 | pgp: 16 | - created_at: '2021-02-06T22:19:41Z' 17 | 
enc: | 18 | -----BEGIN PGP MESSAGE----- 19 | 20 | hQIMA2CuQNd5ml+/AQ/8C9XUcea9/KWIdpX24KB5y7OpYPA1F0F/zKAoXpPejUS8 21 | FNYXUUaDohzBXD/E40iEUMR/WoLWS+brRsp1bJkq7ihPVwXr8o/p1AceDZY211vi 22 | odFZ50zDOuFxKWja4HXqEVW8sPW5THNiJprsVIJVe4BRxc1eVD/7cm76S/M+urXO 23 | 8L7K+N2IbZtLxyR9boWeDZj6aJI06skcZMqC6WBCrV+oGOTbVqLNwUXpa++fefkm 24 | d/tv2hLajX784s918tbzGrC6/HVdReAc5BNp5/L3RnCR4rXLPdOfy2cq6MEmSHeh 25 | SMI7Scpw/O6a1qFkfVyKPjY5f+05PsoOrt3cvbe4uPHFU4U8QNeKiLfeViQAd+va 26 | DmAjcrjxKEs9Xw+Hx34G0rtAqy/VeNRLGhQz3AAbzjqXVO8gNh2fGr5MFkKgQDj+ 27 | Y6J1d0ksNhwGRu0gol/LT7ti/uyV11rsCmeycJq9CUm0aAed59a+aENPqA5hPRTp 28 | fuqDuuNVzCFz+4jTcBm4QK0kCcQBGHaTueAj45+FDnBzN1DRbjK/9o4fA3ncGs06 29 | F+dig6UqFF22u8vCKpYwuhdwo7Kb4Fza+pAAcH42Npe0CNaUYna1Oy6+LO2fMrsm 30 | iDnSIY85UOhxeiLFNQ9gu2YsFXQ7wHrgZCGECvAypU/nJLqHdYTrEXVD8mpX/KPS 31 | XgGS2XUYd7DnNiJbQ1KAULc0mkapvX6M7dv4q2ZPfg5QOBy7jNLPKOa1Wr78o+8R 32 | /DAP//v2+I/+9M9inAxbWUyH7FqvgH22AugsmIrsAUhuIr+cmSG8LlYMxSWQzEg= 33 | =rVWE 34 | -----END PGP MESSAGE----- 35 | fp: E61087FD0DC8B3AA734061498564C79FC27F08E2 36 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 37 | version: 3.6.1 38 | -------------------------------------------------------------------------------- /core/monitoring/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: monitoring 4 | resources: 5 | - botkube -------------------------------------------------------------------------------- /core/nginx/README.md: -------------------------------------------------------------------------------- 1 | # ngingx 2 | 3 | ## Nginx ingress 4 | 5 | [Nginx ingress controler](https://github.com/kubernetes/ingress-nginx) used to provide HTTP access to the cluster applications. 
6 | 7 | [Settings](release.yaml) -------------------------------------------------------------------------------- /core/nginx/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: nginx 4 | resources: 5 | - release.yaml 6 | -------------------------------------------------------------------------------- /core/postgres/README.md: -------------------------------------------------------------------------------- 1 | # postgres namespace 2 | 3 | ## Zalando postgres operator 4 | 5 | [Zalando operator](https://github.com/zalando/postgres-operator) to create highly available databases 6 | 7 | [UI settings](ui.yaml) -------------------------------------------------------------------------------- /core/postgres/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: postgres 4 | resources: 5 | - ui.yaml 6 | -------------------------------------------------------------------------------- /core/postgres/ui.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: postgres-operator-ui 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | # renovate: registryUrl=https://raw.githubusercontent.com/zalando/postgres-operator/master/charts/postgres-operator-ui/ 10 | chart: postgres-operator-ui 11 | version: 1.14.0 12 | sourceRef: 13 | kind: HelmRepository 14 | name: zalando-postgres-ui 15 | namespace: flux-system 16 | interval: 5m 17 | # https://github.com/zalando/postgres-operator/blob/master/charts/postgres-operator-ui/values.yaml 18 | values: 19 | envs: 20 | resourcesVisible: "True" 21 | targetNamespace: # Show all namespaces 22 | ingress: 23 | enabled: true 24 | annotations: 25 | hajimari.io/enable: 
"true" 26 | hajimari.io/icon: logos:postgresql 27 | hajimari.io/info: PostgreSQL cluster editor 28 | hajimari.io/group: admin 29 | nginx.ingress.kubernetes.io/configuration-snippet: | 30 | auth_request_set $required_groups 'admin'; 31 | hosts: 32 | - host: "postgres-operator.pub.${CLUSTER_DOMAIN}" 33 | paths: ["/"] 34 | - host: "postgres-operator.home.${CLUSTER_DOMAIN}" 35 | paths: ["/"] 36 | tls: 37 | - hosts: 38 | - "postgres-operator.pub.${CLUSTER_DOMAIN}" 39 | - "postgres-operator.home.${CLUSTER_DOMAIN}" 40 | -------------------------------------------------------------------------------- /core/rook-ceph/README.md: -------------------------------------------------------------------------------- 1 | # rook-ceph 2 | 3 | ## Rook 4 | 5 | [Rook](https://rook.io/) turns distributed storage systems into self-managing, self-scaling, self-healing storage services. 6 | It automates the tasks of a storage administrator: deployment, bootstrapping, configuration, provisioning, scaling, upgrading, 7 | -------------------------------------------------------------------------------- /core/rook-ceph/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: rook-ceph 4 | resources: 5 | - operator.yaml 6 | -------------------------------------------------------------------------------- /core/rook-ceph/operator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 2 | kind: HelmRelease 3 | metadata: 4 | name: rook-ceph 5 | spec: 6 | interval: 5m 7 | chart: 8 | spec: 9 | # renovate: registryUrl=https://charts.rook.io/release 10 | chart: rook-ceph 11 | version: v1.17.3 12 | sourceRef: 13 | kind: HelmRepository 14 | name: rook-ceph 15 | namespace: flux-system 16 | values: 17 | crds: 18 | enabled: false 19 | resources: 20 | requests: 21 | cpu: 100m 22 | memory: 128Mi 23 | 
limits: 24 | cpu: 1000m 25 | memory: 256Mi 26 | -------------------------------------------------------------------------------- /core/vpn-gateway/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: vpn-gateway 4 | resources: 5 | - release.yaml 6 | -------------------------------------------------------------------------------- /core/vpn/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | namespace: vpn 4 | resources: 5 | - networkPolicy.yaml 6 | - terminal.yaml -------------------------------------------------------------------------------- /core/vpn/networkPolicy.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: vpn-namespace 5 | spec: 6 | podSelector: {} # empty selector: applies to every pod in the vpn namespace 7 | ingress: 8 | - from: 9 | # Only allow ingress from K8S (10.0.0.0/8 is NETWORK_K8S_CLUSTER_CIDR in settings/settings.yaml). NOTE(review): enforcement depends on the cluster CNI implementing NetworkPolicy — confirm for this cluster 10 | - ipBlock: 11 | cidr: 10.0.0.0/8 12 | egress: 13 | - to: 14 | # Only allow egress to K8S. NOTE(review): with this rule nothing outside 10.0.0.0/8 is reachable from any pod in the namespace — confirm that is intended for all of them 15 | - ipBlock: 16 | cidr: 10.0.0.0/8 17 | policyTypes: 18 | - Ingress 19 | - Egress 20 | -------------------------------------------------------------------------------- /core/vpn/terminal.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: terminal 5 | labels: 6 | app: terminal 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | app: terminal 12 | template: 13 | metadata: 14 | labels: 15 | app: terminal 16 | spec: # NOTE(review): long-lived debug shell. The image is pinned by digest, but no securityContext (runAsNonRoot, readOnlyRootFilesystem) and no resource limits are set; add them if this pod stays deployed 17 | containers: 18 | - name: alpine 19 | image: alpine@sha256:8a1f59ffb675680d47db6337b49d22281a139e9d709335b492be023728e11715 20 | command: 21 | - /bin/sh 22 | - -c 23 | - while true; do 24 | sleep 600 & 25 | wait $!; 26 | done 
-------------------------------------------------------------------------------- /crds/cert-manager/README.md: -------------------------------------------------------------------------------- 1 | # cert-manager namespace 2 | 3 | [cert-manager](https://github.com/jetstack/cert-manager) for automatically obtaining and renewing Let's Encrypt certificates 4 | 5 | * [operator](cert-manager.yaml) -------------------------------------------------------------------------------- /crds/cert-manager/cert-manager.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: cert-manager 6 | namespace: cert-manager 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://charts.jetstack.io/ 12 | chart: cert-manager 13 | version: v1.17.2 14 | sourceRef: 15 | kind: HelmRepository 16 | name: jetstack-charts 17 | namespace: flux-system 18 | interval: 5m 19 | values: 20 | installCRDs: true 21 | extraArgs: 22 | - --dns01-recursive-nameservers-only 23 | - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53 24 | cainjector: 25 | replicaCount: 1 26 | # extraArgs: 27 | # - --leader-elect=false 28 | # prometheus: 29 | # enabled: true 30 | # servicemonitor: 31 | # enabled: true 32 | # prometheusInstance: monitoring 33 | -------------------------------------------------------------------------------- /crds/cert-manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: cert-manager 5 | #crds: 6 | # - https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.crds.yaml 7 | resources: 8 | - cert-manager.yaml 9 | 10 | -------------------------------------------------------------------------------- /crds/kube-system/README.md: 
-------------------------------------------------------------------------------- 1 | # kube-system 2 | 3 | ## Multus 4 | 5 | [Multus](https://github.com/k8snetworkplumbingwg/multus-cni) allows adding 6 | multiple NICs to a pod. This is needed by home-assistant and other pods 7 | using protocols that do not pass through a router, such as discovery for Google 8 | Home. 9 | 10 | * [Multus](multus.yaml) 11 | 12 | **NOTE**: this only installs the CRD. The network definition is 13 | created in the infrastructure category. 14 | 15 | 16 | -------------------------------------------------------------------------------- /crds/kube-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: kube-system 5 | resources: 6 | - metallb.yaml 7 | - multus.yaml 8 | -------------------------------------------------------------------------------- /crds/kube-system/metallb.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: metallb 6 | namespace: kube-system 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://metallb.github.io/metallb 12 | chart: metallb 13 | version: 0.14.9 14 | sourceRef: 15 | kind: HelmRepository 16 | name: metallb-charts 17 | namespace: flux-system 18 | interval: 5m 19 | values: 20 | crds: 21 | enabled: true 22 | -------------------------------------------------------------------------------- /crds/kube-system/multus.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: multus 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | chart: multus 11 | version: 5.0.7 12 | interval: 15m 13 | sourceRef: 14 | kind: HelmRepository 15 | name: 
angelnu-helm-charts 16 | namespace: flux-system 17 | #See https://github.com/angelnu/helm-charts/blob/main/charts/apps/multus/values.yaml 18 | values: 19 | image: 20 | repository: ghcr.io/k8snetworkplumbingwg/multus-cni 21 | tag: v4.2.0-thick 22 | cni: 23 | image: 24 | repository: ghcr.io/angelnu/cni-plugins 25 | tag: 1.7.1 26 | -------------------------------------------------------------------------------- /crds/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - cert-manager 6 | - kube-system 7 | - postgres 8 | - rook-ceph 9 | -------------------------------------------------------------------------------- /crds/postgres/README.md: -------------------------------------------------------------------------------- 1 | # postgres namespace 2 | 3 | ## Zalando postgres operator 4 | 5 | [Zalando operator](https://github.com/zalando/postgres-operator) to create highly available databases 6 | 7 | * [Operator settings](operator.yaml) 8 | 9 | ## Status of all clusters 10 | 11 | ``` 12 | kubectl get pods -o go-template='{{range .items}} kubectl -n {{.metadata.namespace}} exec {{.metadata.name}} -- patronictl list{{"\n"}}{{end}}' -A|grep postgres-0|bash -C 13 | ``` 14 | 15 | ## Repair HowTo 16 | 17 | - patroni manages the cluster 18 | - `patronictl list` - list member and status 19 | - `patronictl reinit ` - reinit broken node 20 | - in-place upgrade: `su postgres -c "python3 /scripts/inplace_upgrade.py 2"` 21 | - cannot re-create DB cluster: `kubectl delete poddisruptionbudgets postgres--zalando-postgres-cluster-postgres-pdb` 22 | - apply backup: 23 | 1. get into LEADER postgres node 24 | 2. delete old DB: 25 | ``` 26 | psql -U postgres -c 'drop database "tt-rss"' 27 | ``` 28 | 2. `apt update && apt install -y openssh-client` 29 | 3. `rsync anunez@nas:/volume1/kubernetes/backup/db/tt-rss/backup .` 30 | 4. 
`psql -U postgres -f backup` 31 | - list status of all clusters: 32 | - `kubectl get pods -o go-template='{{range .items}} kubectl -n {{.metadata.namespace}} exec {{.metadata.name}} -- patronictl list{{"\n"}}{{end}}' -A|grep postgres-0|bash -C` 33 | - reinit a cluster member: 34 | - kubectl exec -ti recipes-db-zalando-postgres-cluster-postgres-0 -- patronictl reinit 35 | 36 | ## Useful commands for psql 37 | 38 | Enter psql with `psql -U postgres` 39 | 40 | ### Query the stored password hash of a user 41 | 42 | SELECT rolpassword FROM pg_authid; 43 | 44 | ### Change password 45 | 46 | ALTER USER postgres WITH PASSWORD 'new_password'; -------------------------------------------------------------------------------- /crds/postgres/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: postgres 5 | resources: 6 | - operator.yaml 7 | -------------------------------------------------------------------------------- /crds/postgres/operator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: postgres-operator 6 | spec: 7 | interval: 5m 8 | chart: 9 | spec: 10 | # renovate: registryUrl=https://raw.githubusercontent.com/zalando/postgres-operator/master/charts/postgres-operator/ 11 | chart: postgres-operator 12 | version: 1.14.0 13 | sourceRef: 14 | kind: HelmRepository 15 | name: zalando-postgres-operator 16 | namespace: flux-system 17 | interval: 5m 18 | # https://github.com/zalando/postgres-operator/blob/master/charts/postgres-operator/values.yaml 19 | values: 20 | configUsers: 21 | # postgres username used for replication between instances 22 | # replication_username: standby 23 | configMajorVersionUpgrade: 24 | # "off": no upgrade, "manual": manifest triggers action, "full": minimal version violation triggers 
too 25 | major_version_upgrade_mode: full 26 | configKubernetes: 27 | #enable_pod_antiaffinity: true 28 | enable_cross_namespace_secret: false 29 | #pod_environment_configmap: "postgres-pod-config" 30 | watched_namespace: "*" 31 | #list of labels that can be inherited from the cluster manifest 32 | inherited_labels: 33 | - application 34 | - environment 35 | # Disable PDB since they prevent the drain 36 | # https://github.com/zalando/postgres-operator/issues/547 37 | enable_pod_disruption_budget: false 38 | # configure resource requests for the Postgres pods 39 | configPostgresPodResources: 40 | # CPU limits for the postgres containers 41 | default_cpu_limit: "2" 42 | # memory limits for the postgres containers 43 | default_memory_limit: 2000Mi 44 | -------------------------------------------------------------------------------- /crds/rook-ceph/README.md: -------------------------------------------------------------------------------- 1 | # rook-ceph 2 | 3 | ## Rook 4 | 5 | [Rook](https://rook.io/) turns distributed storage systems into self-managing, self-scaling, self-healing storage services. 
6 | It automates the tasks of a storage administrator: deployment, bootstrapping, configuration, provisioning, scaling, upgrading, 7 | -------------------------------------------------------------------------------- /crds/rook-ceph/crds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: GitRepository 4 | metadata: 5 | name: rook-ceph-source 6 | spec: 7 | interval: 30m 8 | url: https://github.com/rook/rook.git 9 | ref: 10 | # renovate: registryUrl=https://charts.rook.io/release chart=rook-ceph 11 | tag: v1.17.3 12 | ignore: | 13 | # exclude all 14 | /* 15 | # path to crds 16 | !/cluster/examples/kubernetes/ceph/crds.yaml 17 | --- 18 | apiVersion: kustomize.toolkit.fluxcd.io/v1 19 | kind: Kustomization 20 | metadata: 21 | name: rook-ceph-crds 22 | spec: 23 | interval: 15m 24 | prune: false 25 | sourceRef: 26 | kind: GitRepository 27 | name: rook-ceph-source -------------------------------------------------------------------------------- /crds/rook-ceph/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: rook-ceph 5 | resources: 6 | - crds.yaml 7 | -------------------------------------------------------------------------------- /scripts/find-unencrypted-secrets.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | FILE_WITH_SECRETS=$(grep -lZRPi '^kind:\s+secret' . | xargs -r0 grep -L 'ENC.AES256') # Heuristic only: a file is reported when it declares a Secret and contains no ENC[AES256 marker anywhere, so a file mixing an encrypted and a plaintext Secret document still passes; the pattern has no end anchor, so any kind whose name starts with "secret" matches; the scan covers the whole working tree (including unstaged files), not the staged index 3 | if [ -z "$FILE_WITH_SECRETS" ]; then 4 | exit 0 5 | else 6 | echo "$FILE_WITH_SECRETS has unencrypted secrets! 
(or at least not encrypted with AES256)" 7 | exit 1 8 | fi 9 | -------------------------------------------------------------------------------- /scripts/install_git_hooks.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Installs git hooks. Run this from the scripts/ directory: ../.git/hooks is resolved from the current directory, while the symlink target ../../scripts/... is resolved from inside .git/hooks/ and points back at this repository's scripts/ directory. As a pre-commit hook, find-unencrypted-secrets.sh blocks the commit when it exits non-zero. 4 | 5 | ln -sf ../../scripts/find-unencrypted-secrets.sh ../.git/hooks/pre-commit -------------------------------------------------------------------------------- /scripts/validate.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Copyright 2020 The Flux authors. All rights reserved. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | set -o errexit 18 | 19 | # mirror kustomize-controller build options 20 | kustomize_flags="--enable_kyaml=false --allow_id_changes=false --load_restrictor=LoadRestrictionsNone" 21 | kustomize_config="kustomization.yaml" 22 | 23 | find . -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file; 24 | do 25 | echo "INFO - Validating $file" 26 | yq validate -d'*' "$file" 27 | done 28 | 29 | find . 
-type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file; 30 | do 31 | echo "INFO - Validating kustomization ${file/%$kustomize_config}" 32 | kustomize build "${file/%$kustomize_config}" $kustomize_flags | kubeval --ignore-missing-schemas 33 | if [[ ${PIPESTATUS[0]} != 0 ]]; then 34 | exit 1 35 | fi 36 | done 37 | -------------------------------------------------------------------------------- /settings/production/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ../settings.yaml 5 | - ../secrets.yaml 6 | - settings.yaml 7 | - secrets 8 | - secrets.yaml 9 | -------------------------------------------------------------------------------- /settings/production/secrets/git-ssh-key.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClRAwVgWa+meuyWOFb2VfSag/jabZH4MwB0J9tFfvWIJj+Bwp4/Qvd6aQKv8Nebf4Q9F58tH8xtJ1PJAwpoj+QBiaD32JFeBVZ/KFaImCaDaMHjMb7Wk6s72JW4GvZ5Hve2TXxikh3PP4iTnlQZ6TrBFvVJ1W4oEA0C7uI24ixRacbrKoBYlWW7fY9oE7anHCMD33EFbJunO50V5DNSP5aBwGhOcmhNvuR1QcTXCvuQMbuBPnKXKH9/0dREAy1ldbp47g/6ZVKGejJhtiA8VEZA4uayFu5FsjmMqhcaC3AoRZyar5E8rk1NCCx0zQPpwt6IysqoyTWdqBgIPa8V6SZ root@cloud-manual-test-0 2 | -------------------------------------------------------------------------------- /settings/production/secrets/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | # - drone.yaml 5 | - airvpn.yaml 6 | - git-ssh-key.yaml 7 | - vpn.yaml 8 | -------------------------------------------------------------------------------- /settings/production/settings.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | namespace: 
flux-system 5 | name: cluster-settings 6 | data: 7 | #VALUES DIFFERENT PROD - STAGING 8 | CLUSTER_ENV: "production" 9 | CLUSTER_DOMAIN_DUMMY: dummy1 10 | CLUSTER_EXTERNAL_SUBNET_PREFIX: "192.168.1" 11 | CLUSTER_LB_RANGE: "192.168.1.128-192.168.1.192" 12 | 13 | CLUSTER_DB_VERSION: "13" 14 | CLUSTER_DB_NODE_0: k3s1 15 | CLUSTER_DB_NODE_1: k3s2 16 | CLUSTER_DB_NODE_2: k3s3 17 | CLUSTER_DB_BACKUP_PREFIX: "backup/db" 18 | 19 | FLUX_NOTIFICATIONS_CHANNEL: k8s 20 | BOTKUBE_NOTIFICATIONS_CHANNEL: k8s 21 | 22 | NFS_KUBERNETES: /volume1/kubernetes 23 | NFS_DOWNLOADS: /volume1/downloads 24 | NFS_SOFTWARE: /volume1/software 25 | NFS_VIDEO: /volume1/video 26 | NFS_MUSIC: /volume1/music 27 | 28 | ONE_PROD_REPLICA: "1" 29 | ONE_STAGING_REPLICA: "0" -------------------------------------------------------------------------------- /settings/settings.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | namespace: flux-system 5 | name: global-settings 6 | data: 7 | CLUSTER_MAIL_SERVER_PORT: "25" 8 | # mcvlan_static_range: &anchor_ip_mcvlan_static_range 9 | # 192.168.1.0-192.168.1.63 10 | CLUSTER_MACVLAN_HA: "1" 11 | #CLUSTER_MACVLAN_PLEX: "2" 12 | #CLUSTER_MACVLAN_CCU: "3" 13 | CLUSTER_MACVLAN_UNIFI: "4" 14 | CLUSTER_MACVLAN_MA: "5" 15 | 16 | # lb_static_range: &anchor_ip_lb_static_range 17 | # 192.168.1.128-192.168.1.192 18 | CLUSTER_LB_INGRESS: "128" 19 | CLUSTER_LB_GOW: "129" 20 | CLUSTER_LB_HA: "130" 21 | CLUSTER_LB_CCU: "131" 22 | CLUSTER_LB_FORGEJO: "132" 23 | CLUSTER_LB_PLEX: "133" 24 | #CLUSTER_LB_OPENVPN: "134" 25 | CLUSTER_LB_LORAFWD: "135" 26 | CLUSTER_LB_MOSQUITTO: "136" 27 | #CLUSTER_LB_UNIFI: "137" 28 | #CLUSTER_LB_MAIL: "138" 29 | CLUSTER_LB_JELLYFIN: "140" 30 | CLUSTER_LB_MADDY: "141" 31 | CLUSTER_LB_LDAP: "142" 32 | CLUSTER_LB_UNIFI: "143" 33 | 34 | NETWORK_K8S_CLUSTER_CIDR: "10.0.0.0/8" 35 | INGRESS_WHITELIST_SOURCE_RANGE: "10.0.0.0/8,192.168.0.0/19,192.168.128.0/17" # Test 
with: curl https://ma.home... --resolve ma.home....:443: 36 | 37 | CEPH_MONITOR_HOST_1: 192.168.4.11:6789 38 | CEPH_MONITOR_HOST_2: 192.168.4.12:6789 39 | CEPH_MONITOR_HOST_3: 192.168.4.13:6789 -------------------------------------------------------------------------------- /settings/staging/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ../settings.yaml 5 | - ../secrets.yaml 6 | - settings.yaml 7 | - secrets 8 | - secrets.yaml 9 | -------------------------------------------------------------------------------- /settings/staging/secrets/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - git-ssh-key.yaml 5 | - vpn.yaml 6 | -------------------------------------------------------------------------------- /settings/staging/settings.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | namespace: flux-system 5 | name: cluster-settings 6 | data: 7 | #VALUES DIFFERENT PROD - STAGING 8 | CLUSTER_ENV: "staging" 9 | CLUSTER_DOMAIN_DUMMY: dummy1 10 | CLUSTER_EXTERNAL_SUBNET_PREFIX: 192.168.11 11 | CLUSTER_LB_RANGE: 192.168.11.128-192.168.11.192 12 | 13 | CLUSTER_DB_VERSION: "13" 14 | CLUSTER_DB_NODE_0: test-k3s1 15 | CLUSTER_DB_NODE_1: test-k3s2 16 | CLUSTER_DB_NODE_2: test-k3s3 17 | CLUSTER_DB_BACKUP_PREFIX: "backup/staging_db" 18 | 19 | FLUX_NOTIFICATIONS_CHANNEL: k8s-staging 20 | BOTKUBE_NOTIFICATIONS_CHANNEL: k8s-staging 21 | 22 | NFS_KUBERNETES: /volume1/test/kubernetes 23 | NFS_DOWNLOADS: /volume1/test/downloads 24 | NFS_SOFTWARE: /volume1/test/software 25 | NFS_VIDEO: /volume1/test/video 26 | NFS_MUSIC: /volume1/test/music 27 | 28 | ONE_PROD_REPLICA: "0" 29 | ONE_STAGING_REPLICA: "1" 
--------------------------------------------------------------------------------