├── .editorconfig ├── .envrc ├── .gitattributes ├── .github ├── PULL_REQUEST_TEMPLATE.md ├── labeler.yaml ├── labels.yaml ├── linters │ ├── .ansible-lint │ ├── .markdownlint.yaml │ ├── .prettierignore │ ├── .prettierrc.yaml │ ├── .tflint.hcl │ └── .yamllint.yaml ├── release.yaml ├── renovate.json5 ├── scripts │ ├── container-parser.sh │ └── lib │ │ └── functions.sh ├── workflows │ ├── block_merge.yml │ ├── bulk-merge-prs.yaml │ ├── devcontainer.yaml.disabled │ ├── flux-local.yaml │ ├── invalid-template.yaml │ ├── kubeconform.yaml │ ├── label-sync.yaml │ ├── labeler.yaml │ ├── link-check.yaml │ ├── lychee.yaml │ ├── megalinter.yaml │ ├── pluto.yml │ ├── pr-check.yml │ ├── renovate.yaml │ ├── scan-containers.yaml │ └── support.yaml └── yamllint.config.yaml ├── .gitignore ├── .lycheeignore ├── .markdownlintignore ├── .pre-commit-config.yaml ├── .renovate ├── allowedVersions.json5 ├── autoMerge.json5 ├── commitMessage.json5 ├── customManagers.json5 ├── grafanaDashboards.json5 ├── groups.json5 ├── labels.json5 └── semanticCommits.json5 ├── .secretlintignore ├── .sops.yaml ├── .taskfiles ├── AnsibleTasks.yml ├── ClusterTasks.yml ├── KubernetesTasks.yml ├── PreCommitTasks.yml ├── TerraformTasks.yml ├── bootstrap │ ├── Taskfile.yaml │ └── resources │ │ └── wipe-rook.yaml.j2 ├── kubernetes │ └── Taskfile.yaml ├── scripts │ └── kubeconform.sh ├── talos │ └── Taskfile.yaml ├── volsync │ ├── Taskfile.yaml │ └── resources │ │ ├── replicationdestination.yaml.j2 │ │ └── unlock.yaml.j2 └── workstation │ ├── Archfile │ ├── Brewfile │ └── Taskfile.yaml ├── .vscode ├── extensions.json └── settings.json ├── LICENCE ├── README.md ├── Taskfile.yaml ├── kubernetes ├── apps │ ├── cert-manager │ │ ├── cert-manager │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── issuers │ │ │ │ ├── issuers.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── secret.sops.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ └── namespace.yaml │ ├── database │ │ ├── dragonfly │ 
│ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── rbac.yaml │ │ │ ├── cluster │ │ │ │ ├── cluster.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── podmonitor.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ └── namespace.yaml │ ├── default │ │ ├── affine │ │ │ ├── app │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── atuin │ │ │ ├── app │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── docmost │ │ │ ├── app │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── glance │ │ │ ├── app │ │ │ │ ├── config │ │ │ │ │ └── glance.yml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── hajimari │ │ │ ├── app │ │ │ │ ├── config-pvc.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── karakeep │ │ │ ├── app │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ └── namespace.yaml │ ├── external │ │ ├── database │ │ │ ├── app │ │ │ │ ├── ingress.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── service.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ ├── minio │ │ │ ├── app │ │ │ │ ├── ingress.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── service.yaml │ │ │ └── ks.yaml │ │ ├── namespace.yaml │ │ ├── proxmox │ │ │ ├── app │ │ │ │ ├── ingress.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── service.yaml │ │ │ └── ks.yaml │ │ └── truenas │ │ │ ├── app │ │ │ ├── ingress.yaml │ │ │ ├── kustomization.yaml │ │ │ └── service.yaml │ │ │ └── ks.yaml │ ├── flux-system │ │ ├── kustomization.yaml │ │ ├── namespace.yaml │ │ └── webhooks │ │ │ ├── app │ │ │ ├── github │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── ingress.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── receiver.yaml │ │ │ └── 
kustomization.yaml │ │ │ └── ks.yaml │ ├── kube-system │ │ ├── cilium │ │ │ ├── app │ │ │ │ ├── helm-values.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── kustomizeconfig.yaml │ │ │ ├── config │ │ │ │ ├── cilium-l2.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── coredns │ │ │ ├── app │ │ │ │ ├── helm-values.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── kustomizeconfig.yaml │ │ │ └── ks.yaml │ │ ├── external-secrets │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── ks.yaml │ │ │ └── stores │ │ │ │ ├── kustomization.yaml │ │ │ │ └── onepassword │ │ │ │ ├── clustersecretstore.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── secret.sops.yaml │ │ ├── kubelet-csr-approver │ │ │ ├── app │ │ │ │ ├── helm-values.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── kustomizeconfig.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ ├── local-path-provisioner │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── metrics-server │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── namespace.yaml │ │ ├── nvidia-device-plugin │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── runtimeclass.yaml │ │ │ └── ks.yaml │ │ ├── reloader │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ └── spegel │ │ │ ├── app │ │ │ ├── helm-values.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── kustomizeconfig.yaml │ │ │ └── ks.yaml │ ├── kyverno │ │ ├── kustomization.yaml │ │ ├── kyverno │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── rbac.yaml │ │ │ ├── ks.yaml │ │ │ └── policies │ │ │ │ ├── gatus.yaml │ │ │ │ ├── ingress.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── limits.yaml │ │ └── namespace.yaml │ ├── 
media │ │ ├── flaresolverr │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── komga │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── volsync.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ ├── namespace.yaml │ │ ├── overseerr │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── pvc.yaml │ │ │ └── ks.yaml │ │ ├── plex │ │ │ ├── app │ │ │ │ ├── config-pvc.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── prowlarr │ │ │ ├── app │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── radarr │ │ │ ├── app │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── pvc.yaml │ │ │ └── ks.yaml │ │ ├── recyclarr │ │ │ ├── app │ │ │ │ ├── config │ │ │ │ │ └── recyclarr.yml │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── pvc.yaml │ │ │ └── ks.yaml │ │ ├── sabnzbd │ │ │ ├── app │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── resources │ │ │ │ │ └── post-process.sh │ │ │ │ └── volsync.yaml │ │ │ └── ks.yaml │ │ ├── sonarr │ │ │ ├── app │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── pvc.yaml │ │ │ └── ks.yaml │ │ ├── tautulli │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── pvc.yaml │ │ │ └── ks.yaml │ │ └── unpackerr │ │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ ├── network │ │ ├── cloudflared │ │ │ ├── app │ │ │ │ ├── configs │ │ │ │ │ └── config.yaml │ │ │ │ ├── dnsendpoint.yaml │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── e1000e-fix │ │ │ ├── app │ │ │ │ ├── 
helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── echo-server │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── external-dns │ │ │ ├── cloudflare │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── ks.yaml │ │ │ └── unifi │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ ├── ingress-nginx │ │ │ ├── certificates │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── production.yaml │ │ │ │ └── staging.yaml │ │ │ ├── external │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── internal │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ └── namespace.yaml │ ├── observability │ │ ├── gatus │ │ │ ├── app │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── rbac.yaml │ │ │ │ └── resources │ │ │ │ │ └── config.yaml │ │ │ └── ks.yaml │ │ ├── grafana │ │ │ ├── app │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── karma │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── resources │ │ │ │ │ └── config.yaml │ │ │ └── ks.yaml │ │ ├── kromgo │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── resources │ │ │ │ │ └── config.yaml │ │ │ └── ks.yaml │ │ ├── kube-prometheus-stack │ │ │ ├── app │ │ │ │ ├── alertmanagerconfig.yaml │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── prometheusrule.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ ├── loki │ │ │ ├── app │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── namespace.yaml │ │ └── prometheus-operator-crds │ │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ ├── rook-ceph │ │ ├── 
kustomization.yaml │ │ ├── namespace.yaml │ │ └── rook-ceph │ │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ │ ├── cluster │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ │ ├── dashboard │ │ │ ├── ceph-cluster-dashboard.json │ │ │ ├── ceph-osd-dashboard.json │ │ │ ├── ceph-pools-dashboard.json │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ ├── security │ │ ├── authentik │ │ │ ├── app │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ └── namespace.yaml │ └── volsync-system │ │ ├── kustomization.yaml │ │ ├── namespace.yaml │ │ ├── snapshot-controller │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ │ └── volsync │ │ ├── app │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── prometheusrule.yaml │ │ └── ks.yaml ├── bootstrap │ ├── flux │ │ └── kustomization.yaml │ ├── helmfile.yaml │ └── talos │ │ ├── clusterconfig │ │ └── .gitignore │ │ ├── patches │ │ ├── README.md │ │ ├── controller │ │ │ ├── api-access.yaml │ │ │ ├── cluster.yaml │ │ │ ├── disable-admission-controller.yaml │ │ │ ├── etcd.yaml │ │ │ └── gpu-controller-patch.yaml │ │ └── global │ │ │ ├── cluster-discovery.yaml │ │ │ ├── containerd.yaml │ │ │ ├── disable-search-domain.yaml │ │ │ ├── dns.yaml │ │ │ ├── hostdns.yaml │ │ │ ├── kubelet.yaml │ │ │ ├── ntp.yaml │ │ │ ├── openebs-local.yaml │ │ │ └── sysctl.yaml │ │ ├── talconfig.yaml │ │ └── talsecret.sops.yaml ├── components │ └── volsync │ │ ├── kustomization.yaml │ │ ├── pvc.yaml │ │ └── r2 │ │ ├── externalsecret.yaml │ │ ├── kustomization.yaml │ │ ├── replicationdestination.yaml │ │ └── replicationsource.yaml └── flux │ ├── apps.yaml │ ├── config │ ├── cluster.yaml │ ├── flux.yaml │ └── kustomization.yaml │ ├── repositories │ ├── git │ │ └── kustomization.yaml │ ├── helm │ │ ├── authentik.yaml │ │ ├── backube.yaml │ │ ├── bjw-s.yaml │ │ ├── cilium.yaml │ │ ├── coredns.yaml │ │ ├── 
democratic-csi.yaml │ │ ├── external-dns.yaml │ │ ├── external-secrets.yaml │ │ ├── grafana.yaml │ │ ├── hajimari.yaml │ │ ├── ingress-nginx.yaml │ │ ├── jetstack.yaml │ │ ├── k8s-gateway.yaml │ │ ├── kustomization.yaml │ │ ├── metrics-server.yaml │ │ ├── nvidia.yaml │ │ ├── openebs.yaml │ │ ├── piraeus.yaml │ │ ├── postfinance.yaml │ │ ├── prometheus-community.yaml │ │ ├── rook-ceph.yaml │ │ ├── spegel.yaml │ │ └── stakater.yaml │ ├── kustomization.yaml │ └── oci │ │ ├── app-template.yaml │ │ ├── kustomization.yaml │ │ └── kyverno.yaml │ └── vars │ ├── cluster-secrets.sops.yaml │ ├── cluster-settings.yaml │ └── kustomization.yaml └── scripts ├── backup-docker-volume.sh ├── busybox.yaml ├── database-manager.sh ├── delete-stuck.containers.sh ├── delete-stuck.ns.sh ├── dns-test.yaml ├── find_mistakes.py ├── generate_dns_records.py ├── healthcheck-ping.sh ├── kubeconform.sh └── ssh_gen.py /.editorconfig: -------------------------------------------------------------------------------- 1 | # editorconfig.org 2 | root = true 3 | 4 | [*] 5 | indent_style = space 6 | indent_size = 2 7 | end_of_line = lf 8 | charset = utf-8 9 | trim_trailing_whitespace = true 10 | insert_final_newline = true 11 | 12 | [Makefile] 13 | indent_style = space 14 | indent_size = 4 15 | 16 | [*.{bash,sh}] 17 | indent_style = space 18 | indent_size = 4 19 | -------------------------------------------------------------------------------- /.envrc: -------------------------------------------------------------------------------- 1 | #shellcheck disable=SC2148,SC2155 2 | export KUBECONFIG="$(expand_path ./kubeconfig)" 3 | export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)" 4 | # Venv 5 | PATH_add "$(expand_path ./.venv/bin)" 6 | export VIRTUAL_ENV="$(expand_path ./.venv)" 7 | export PYTHONDONTWRITEBYTECODE="1" 8 | # Talos 9 | export TALOSCONFIG="$(expand_path ./kubernetes/bootstrap/talos/clusterconfig/talosconfig)" 10 | # Bin 11 | PATH_add "$(expand_path ./.bin)" 12 | # Taskfile 13 | export 
TASK_X_ENV_PRECEDENCE=1 14 | export TASK_X_MAP_VARIABLES=0 15 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto eol=lf 2 | *.yml.j2 linguist-language=YAML 3 | *.yaml.j2 linguist-language=YAML 4 | *.sops.* diff=sopsdiffer 5 | *.sops.toml linguist-language=JSON 6 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | **Description of the change** 2 | 3 | 4 | 5 | **Benefits or applicable issues** 6 | 7 | 8 | - fixes # 9 | -------------------------------------------------------------------------------- /.github/labeler.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | area/ansible: 3 | - changed-files: 4 | - any-glob-to-any-file: ansible/**/* 5 | area/bootstrap: 6 | - changed-files: 7 | - any-glob-to-any-file: bootstrap/**/* 8 | area/github: 9 | - changed-files: 10 | - any-glob-to-any-file: .github/**/* 11 | area/kubernetes: 12 | - changed-files: 13 | - any-glob-to-any-file: kubernetes/**/* 14 | area/taskfile: 15 | - changed-files: 16 | - any-glob-to-any-file: .taskfiles/**/* 17 | - any-glob-to-any-file: Taskfile* 18 | -------------------------------------------------------------------------------- /.github/labels.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Areas 3 | - { name: "area/ansible", color: "0e8a16" } 4 | - { name: "area/bootstrap", color: "0e8a16" } 5 | - { name: "area/github", color: "0e8a16" } 6 | - { name: "area/kubernetes", color: "0e8a16" } 7 | - { name: "area/terraform", color: "0e8a16" } 8 | # Renovate Types 9 | - { name: "renovate/ansible", color: "027fa0" } 10 | - { name: "renovate/container", color: "027fa0" } 11 | - { name: "renovate/github-action", 
color: "027fa0" } 12 | - { name: "renovate/grafana-dashboard", color: "027fa0" } 13 | - { name: "renovate/github-release", color: "027fa0" } 14 | - { name: "renovate/helm", color: "027fa0" } 15 | - { name: "renovate/terraform", color: "027fa0" } 16 | - { name: "renovate/pip", color: "027fa0" } 17 | # Semantic Type 18 | - { name: "type/patch", color: "ffec19" } 19 | - { name: "type/minor", color: "ff9800" } 20 | - { name: "type/major", color: "f14183" } 21 | - { name: "type/break", color: "f6412d" } 22 | - { name: "type/digest", color: "ffeC19" } 23 | # Uncategorized 24 | - { name: "hold", color: "ee0701" } 25 | # Status 26 | - { name: "status/priority", color: "519fd0" } 27 | -------------------------------------------------------------------------------- /.github/linters/.ansible-lint: -------------------------------------------------------------------------------- 1 | # .ansible-lint 2 | warn_list: 3 | - unnamed-task 4 | -------------------------------------------------------------------------------- /.github/linters/.markdownlint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | default: true 3 | 4 | # MD013/line-length - Line length 5 | MD013: 6 | # Number of characters 7 | line_length: 240 8 | # Number of characters for headings 9 | heading_line_length: 80 10 | # Number of characters for code blocks 11 | code_block_line_length: 80 12 | # Include code blocks 13 | code_blocks: true 14 | # Include tables 15 | tables: true 16 | # Include headings 17 | headings: true 18 | # Include headings 19 | headers: true 20 | # Strict length checking 21 | strict: false 22 | # Stern length checking 23 | stern: false 24 | -------------------------------------------------------------------------------- /.github/linters/.prettierignore: -------------------------------------------------------------------------------- 1 | *.sops.* 2 | gotk-components.yaml 3 | 
-------------------------------------------------------------------------------- /.github/linters/.prettierrc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | trailingComma: "es5" 3 | tabWidth: 2 4 | semi: false 5 | singleQuote: false 6 | -------------------------------------------------------------------------------- /.github/linters/.tflint.hcl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/axeII/home-ops/b9a41ef0c1379dd535aa67bd3a578c2cd37402ee/.github/linters/.tflint.hcl -------------------------------------------------------------------------------- /.github/linters/.yamllint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ignore: | 3 | *.sops.* 4 | gotk-components.yaml 5 | extends: default 6 | rules: 7 | truthy: 8 | allowed-values: ["true", "false", "on"] 9 | comments: 10 | min-spaces-from-content: 1 11 | line-length: disable 12 | braces: 13 | min-spaces-inside: 0 14 | max-spaces-inside: 1 15 | brackets: 16 | min-spaces-inside: 0 17 | max-spaces-inside: 0 18 | indentation: enable 19 | -------------------------------------------------------------------------------- /.github/release.yaml: -------------------------------------------------------------------------------- 1 | changelog: 2 | exclude: 3 | authors: 4 | - renovate 5 | -------------------------------------------------------------------------------- /.github/renovate.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | extends: [ 4 | "config:recommended", 5 | "docker:enableMajor", 6 | "helpers:pinGitHubActionDigests", 7 | ":timezone(Europe/Berlin)", 8 | "github>axeII/home-ops//.renovate/allowedVersions.json5", 9 | "github>axeII/home-ops//.renovate/autoMerge.json5", 10 | "github>axeII/home-ops//.renovate/customManagers.json5", 11 
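// (renovate.json5, continued)
    "github>axeII/home-ops//.renovate/grafanaDashboards.json5",
    "github>axeII/home-ops//.renovate/groups.json5",
    "github>axeII/home-ops//.renovate/labels.json5",
    "github>axeII/home-ops//.renovate/semanticCommits.json5",
    ":automergeBranch",
    ":dependencyDashboard",
    ":disableRateLimiting",
    ":gitSignOff",
    ":semanticCommits",
  ],
  dependencyDashboardTitle: "Renovate Dashboard 🤖",
  suppressNotifications: ["prEditedNotification", "prIgnoreNotification"],
  ignorePaths: ["**/resources/**"],
  flux: {
    fileMatch: ["(^|/)kubernetes/.+\\.ya?ml$"],
  },
  "helm-values": {
    fileMatch: ["(^|/)kubernetes/.+\\.ya?ml$"],
  },
  kubernetes: {
    fileMatch: ["(^|/)kubernetes/.+\\.ya?ml$"],
  },
}
-------------------------------------------------------------------------------- /.github/scripts/lib/functions.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Shared helpers for .github/scripts/*.sh: pull chart metadata out of a Flux
# HelmRelease manifest with yq.

set -o errexit
set -o nounset
set -o pipefail
# Run the last stage of a pipeline in the current shell, so `break` inside a
# `... | while` loop ends the loop and the loop can read the caller's variables.
shopt -s lastpipe

# Abort with a message on stderr if a required executable is not on PATH.
#   $1  command name
check() {
    command -v "${1}" >/dev/null 2>&1 || {
        echo "ERROR: ${1} is not installed or not found in \$PATH" >&2
        exit 1
    }
}

# Print .spec.url of the HelmRepository named by the HelmRelease's
# .spec.chart.spec.sourceRef.name; prints nothing if no repository matches.
#   $1  path to a HelmRelease manifest
chart_registry_url() {
    local helm_release=
    local chart_id=
    helm_release="${1}"
    chart_id=$(yq eval .spec.chart.spec.sourceRef.name "${helm_release}" 2>/dev/null)
    # Discover all HelmRepository manifests. The original '*-charts.yaml' glob
    # matches no file in this repo, whose sources live under
    # kubernetes/flux/repositories/helm/<name>.yaml, so both layouts are
    # searched; the .kind check below discards anything that is not a HelmRepository.
    find . -type f \( -iname '*-charts.yaml' -o -path '*/flux/repositories/*.yaml' \) -print0 |
        while IFS= read -r -d '' file; do
            # Skip non HelmRepository
            [[ $(yq eval .kind "${file}" 2>/dev/null) != "HelmRepository" ]] && continue
            # Skip unrelated HelmRepository. The right-hand side is quoted so the
            # name is compared literally rather than as a glob pattern.
            [[ "${chart_id}" != "$(yq eval .metadata.name "${file}" 2>/dev/null)" ]] && continue
            yq eval .spec.url "${file}"
            break
        done
}

# Print the chart name (.spec.chart.spec.chart) of a HelmRelease manifest.
#   $1  path to a HelmRelease manifest
chart_name() {
    local helm_release=
    helm_release="${1}"
    yq eval .spec.chart.spec.chart "${helm_release}" 2>/dev/null
}

# Print the chart version (.spec.chart.spec.version) of a HelmRelease manifest.
#   $1  path to a HelmRelease manifest
chart_version() {
    local helm_release=
    helm_release="${1}"
    yq eval .spec.chart.spec.version "${helm_release}" 2>/dev/null
}

# Print the chart values (.spec.values) of a HelmRelease manifest as YAML.
#   $1  path to a HelmRelease manifest
chart_values() {
    local helm_release=
    helm_release="${1}"
    yq eval .spec.values "${helm_release}" 2>/dev/null
}
-------------------------------------------------------------------------------- /.github/workflows/block_merge.yml: --------------------------------------------------------------------------------
name: Block Merge on "hold" Tag

on:
  pull_request:
    types:
      - synchronize
      - labeled
      - unlabeled

# Least privilege: the job only reads the PR's labels through the API.
permissions:
  contents: read
  pull-requests: read

jobs:
  block_merge:
    runs-on: ubuntu-latest

    steps:
      - name: Check PR for "hold" tag
        id: check_tag
        env:
          GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          # Lets `gh` resolve the repository without a checkout.
          GH_REPO: "${{ github.repository }}"
          PR_NUMBER: "${{ github.event.pull_request.number }}"
        run: |
          # Whole-line match, so a label that merely contains "hold" does not count.
          # The previous version skipped this check whenever the PR touched this
          # workflow file, which let any PR opt out of the hold gate simply by
          # editing it; that exemption is intentionally gone.
          labels="$(gh pr view "${PR_NUMBER}" --json labels --jq '.labels[].name')"
          if grep -qx 'hold' <<< "${labels}"; then
            echo "has_hold_tag=true" >> "${GITHUB_ENV}"
          else
            echo "has_hold_tag=false" >> "${GITHUB_ENV}"
          fi

      - name: Block Merge
        if: env.has_hold_tag == 'true'
        run: |
          echo "This pull request has a 'hold' tag. Merging is blocked."
          exit 1
-------------------------------------------------------------------------------- /.github/workflows/devcontainer.yaml.disabled: --------------------------------------------------------------------------------
---
# NOTE(review): currently disabled. Before re-enabling, pin the actions below to
# commit SHAs like the other workflows in this directory (they use mutable
# @v3/@v4/@v0.3 tags here), and reconsider BUILDX_NO_DEFAULT_ATTESTATIONS,
# which turns off the provenance/SBOM attestations buildx would otherwise attach
# to the published image.
name: "devcontainer"

on:
  workflow_dispatch:
  push:
    branches: ["main"]
    paths: [".devcontainer/ci/**"]
  pull_request:
    branches: ["main"]
    paths: [".devcontainer/ci/**"]
  schedule:
    - cron: "0 0 * * 1"

concurrency:
  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
  cancel-in-progress: true

jobs:
  devcontainer:
    name: publish
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          platforms: linux/amd64,linux/arm64

      - if: ${{ github.event_name != 'pull_request' }}
        name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        uses: devcontainers/ci@v0.3
        env:
          BUILDX_NO_DEFAULT_ATTESTATIONS: true
        with:
          imageName: ghcr.io/${{ github.repository }}/devcontainer
          cacheFrom: ghcr.io/${{ github.repository }}/devcontainer
          imageTag: base,latest
          platform: linux/amd64,linux/arm64
          configFile: .devcontainer/ci/devcontainer.json
          push: ${{ github.event_name == 'pull_request' && 'never' || 'always' }}
-------------------------------------------------------------------------------- /.github/workflows/invalid-template.yaml: --------------------------------------------------------------------------------
---
name: Invalid Template
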
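on:
  issues:
    types:
      - labeled
      - unlabeled
      - reopened

# The action comments on, closes and locks issues; nothing else is needed.
permissions:
  issues: write

jobs:
  support:
    runs-on: ubuntu-24.04
    steps:
      - uses: dessant/support-requests@47d5ea12f6c9e4a081637de9626b7319b415a3bf # v4
        with:
          github-token: ${{ github.token }}
          support-label: "template-incomplete"
          issue-comment: >
            :wave: @{issue-author}, please follow the template provided.
          close-issue: true
          lock-issue: true
          issue-lock-reason: "resolved"
-------------------------------------------------------------------------------- /.github/workflows/kubeconform.yaml: --------------------------------------------------------------------------------
---
name: "Kubeconform"

on:
  pull_request:
    branches: ["main"]
    paths: ["kubernetes/**"]

# Validation only: nothing in this workflow needs write access.
permissions:
  contents: read

env:
  KUBERNETES_DIR: ./kubernetes

jobs:
  kubeconform:
    name: Kubeconform
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      # NOTE(review): mutable `@master` ref. The checkout above is SHA-pinned and
      # renovate.json5 enables helpers:pinGitHubActionDigests; pin this action to
      # a commit SHA too, so a force-pushed or compromised branch cannot run
      # arbitrary code in this job.
      - name: Setup Homebrew
        uses: Homebrew/actions/setup-homebrew@master

      - name: Setup Workflow Tools
        run: brew install fluxcd/tap/flux kubeconform kustomize

      - name: Run kubeconform
        shell: bash
        # Read the value from the environment instead of splicing an expression
        # into the shell script.
        run: .taskfiles/scripts/kubeconform.sh "${KUBERNETES_DIR}"
-------------------------------------------------------------------------------- /.github/workflows/label-sync.yaml: --------------------------------------------------------------------------------
---
name: "Label Sync"

on:
  workflow_dispatch:
  push:
    branches: ["main"]
    paths: [".github/labels.yaml"]

# Creating, updating and deleting labels is covered by the issues scope.
permissions:
  contents: read
  issues: write

jobs:
  label-sync:
    name: Label Sync
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Sync Labels
        uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2
        with: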
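# (label-sync.yaml, continued)
          config-file: .github/labels.yaml
          # Labels not listed in .github/labels.yaml are removed from the repo.
          delete-other-labels: true
-------------------------------------------------------------------------------- /.github/workflows/labeler.yaml: --------------------------------------------------------------------------------
---
name: "Labeler"

on:
  workflow_dispatch:
  # pull_request_target runs in the base repository with a write-capable token.
  # That is safe here only because the job never checks out or executes
  # PR-controlled code; keep it that way (no actions/checkout of the PR head,
  # no `run:` steps on PR content).
  pull_request_target:
    branches: ["main"]

jobs:
  labeler:
    name: Labeler
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Labeler
        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
        with:
          configuration-path: .github/labeler.yaml
-------------------------------------------------------------------------------- /.github/workflows/link-check.yaml: --------------------------------------------------------------------------------
---
name: "Link Check"

on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * 0"

# The token is used to read the repo, look up the open "broken-links" issue and
# create/update it; no other scope is needed.
permissions:
  contents: read
  issues: write

jobs:
  link-check:
    name: Link Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # NOTE(review): if lychee-action's `fail` input is left at a default that
      # fails this step on broken links, the two issue steps below never run.
      # Confirm the default for this version, or set `fail: false` explicitly.
      - name: Link Checker
        uses: lycheeverse/lychee-action@82202e5e9c2f4ef1a55a3d02563e1cb6041e5332 # v2.4.1
        id: lychee
        env:
          # Only used for GitHub API rate limits while checking github.com links.
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Find Link Checker Issue
        id: link-checker-issue
        uses: micalevisk/last-issue-action@0d40124cc99ac8601c2516007f0c98ef3d27537b # v2.3.0
        with:
          state: open
          labels: |
            broken-links
      - name: Update Issue
        uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # v5.0.1
        with:
          title: Broken links detected 🔗
          # Empty when no open issue exists, in which case a new one is created.
          issue-number: "${{ steps.link-checker-issue.outputs.issue-number }}"
          content-filepath: ./lychee/out.md
          token: "${{ secrets.GITHUB_TOKEN }}"
          labels: |
            broken-links
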
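-------------------------------------------------------------------------------- /.github/workflows/megalinter.yaml: --------------------------------------------------------------------------------
---
name: MegaLinter

on: # yamllint disable-line rule:truthy
  workflow_dispatch:
  pull_request:
    branches:
      - main
    # `paths-ignore: ['.github/**']` was removed: ACTION_ACTIONLINT below only
    # lints .github/workflows, so ignoring that path meant workflow changes were
    # never linted at all.

concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

# MegaLinter talks to GitHub with the PAT in secrets.TOKEN, so the job's own
# token only needs to read the checkout.
permissions:
  contents: read

jobs:
  build:
    name: MegaLinter
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          # Full history so MegaLinter can diff against the base branch when
          # VALIDATE_ALL_CODEBASE is false.
          fetch-depth: 0

      - name: MegaLinter
        uses: megalinter/megalinter/flavors/terraform@5a91fb06c83d0e69fbd23756d47438aa723b4a5a # v8
        env:
          VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'workflow_dispatch' }}
          PRINT_ALPACA: false
          # NOTE(review): a personal access token. Secrets are not exposed to
          # pull_request runs from forks, so this is empty there; prefer
          # secrets.GITHUB_TOKEN (plus the permissions MegaLinter needs) unless
          # the PAT is required for something the workflow token cannot do.
          GITHUB_TOKEN: "${{ secrets.TOKEN }}"
          ENABLE_LINTERS: ACTION_ACTIONLINT, ANSIBLE_ANSIBLE_LINT, BASH_SHELLCHECK, DOCKERFILE_HADOLINT, ENV_DOTENV_LINTER, GIT_GIT_DIFF, JSON_JSONLINT, KUBERNETES_KUBEVAL, MARKDOWN_MARKDOWNLINT, TERRAFORM_TFLINT, YAML_YAMLLINT
          # NOTE(review): the repository tree has no ansible/ directory; this
          # setting (and the Terraform ones below) is inert until one exists.
          ANSIBLE_DIRECTORY: ansible
          ANSIBLE_ANSIBLE_LINT_CONFIG_FILE: .ansible-lint
          # Was `cluster`, which does not exist; the manifests live under kubernetes/.
          KUBERNETES_DIRECTORY: kubernetes
          KUBERNETES_KUBEVAL_ARGUMENTS: --ignore-missing-schemas
          MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .markdownlint.yaml
          TERRAFORM_TFLINT_CONFIG_FILE: .tflint.hcl
          YAML_YAMLLINT_CONFIG_FILE: .yamllint.yaml
          SHELLCHECK_OPTS: "-e SC2086"

      - name: Archive production artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: MegaLinter reports
          path: |
            report
            mega-linter.log
-------------------------------------------------------------------------------- /.github/workflows/pluto.yml: --------------------------------------------------------------------------------
---
name: Pluto

on: # yamllint disable-line rule:truthy
  workflow_dispatch:
  pull_request:

# Read-only scan of the manifests.
permissions:
  contents: read

jobs:
  yaml:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      # NOTE(review): mutable `@master` ref; pin to a commit SHA like the checkout
      # above so the binary this job downloads and runs cannot change underneath it.
      - name: Download Pluto
        uses: FairwindsOps/pluto/github-action@master

      - name: Use pluto
        run: |
          pluto detect-files -d ./kubernetes
-------------------------------------------------------------------------------- /.github/workflows/pr-check.yml: --------------------------------------------------------------------------------
---
name: PR Check

on:
  pull_request:
    branches: ["main"]

# gitleaks-action and the yamllint action (yamllint_comment: true) post PR
# comments; everything else is read-only.
permissions:
  contents: read
  pull-requests: write

jobs:
  scan:
    name: checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          # Full history so gitleaks can scan every commit in the PR.
          fetch-depth: 0
      # NOTE(review): mutable `@master` ref; pin to a commit SHA like the actions
      # around it.
      - uses: harupy/find-trailing-whitespace@master
      - name: "Gitleaks checks"
        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: "Copy changes files"
        env:
          GH_TOKEN: ${{ github.token }}
          # Passed through the environment rather than spliced into the script.
          PR_NUMBER: ${{ github.event.number }}
        run: |
          mkdir testfiles
          # Keep the directory layout with --parents: flattening into testfiles/
          # made every kustomization.yaml / helmrelease.yaml / ks.yaml overwrite
          # the previous one, so yamllint only ever saw the last copy. Paths under
          # .github/ are skipped (anchored, unlike the old unanchored `grep -v`),
          # and files the PR deletes are listed too but no longer exist on disk.
          gh pr view "${PR_NUMBER}" --json files -q '.files[].path' |
            while IFS= read -r path; do
              [[ "${path}" == .github/* ]] && continue
              if [[ -f "${path}" ]]; then
                cp --parents "${path}" testfiles/
              fi
            done
      # NOTE(review): mutable `@master` ref; pin to a commit SHA.
      - name: "Yamllint checks"
        uses: karancode/yamllint-github-action@master
        with:
          yamllint_config_filepath: .github/linters/.yamllint.yaml
          yamllint_file_or_dir: "testfiles"
          yamllint_strict: false
          yamllint_comment: true
        env:
          GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-------------------------------------------------------------------------------- /.github/workflows/support.yaml: --------------------------------------------------------------------------------
---
name: "Support requests"

on:
  issues:
    types:
      - labeled
      - unlabeled
      - reopened

# The action comments on and closes issues; nothing else is needed.
permissions:
  issues: write

jobs:
  support: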
runs-on: ubuntu-24.04 14 | steps: 15 | - uses: dessant/support-requests@47d5ea12f6c9e4a081637de9626b7319b415a3bf # v4 16 | with: 17 | github-token: ${{ secrets.GITHUB_TOKEN }} 18 | support-label: "support" 19 | issue-comment: > 20 | :wave: @{issue-author}, we use the issue tracker exclusively 21 | for bug reports and feature requests. However, this issue appears 22 | to be a support request. Please use our support channels 23 | to get help with. 24 | - [Discord](https://discord.gg/sTMX7Vh) 25 | close-issue: true 26 | lock-issue: false 27 | issue-lock-reason: "off-topic" 28 | -------------------------------------------------------------------------------- /.github/yamllint.config.yaml: -------------------------------------------------------------------------------- 1 | ignore: | 2 | .github/ 3 | crds.yaml 4 | extends: default 5 | rules: 6 | truthy: 7 | allowed-values: ["true", "false", "on", "yes"] 8 | comments: 9 | min-spaces-from-content: 1 10 | line-length: disable 11 | braces: 12 | min-spaces-inside: 0 13 | max-spaces-inside: 1 14 | brackets: 15 | min-spaces-inside: 0 16 | max-spaces-inside: 0 17 | indentation: 18 | spaces: 2 19 | indent-sequences: consistent 20 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Trash 2 | .DS_Store 3 | *.swp 4 | megalinter-reports 5 | Thumbs.db 6 | 7 | # k8s 8 | kubeconfig 9 | talosconfig 10 | .decrypted~*.yaml 11 | .config.env 12 | *.agekey 13 | *.pub 14 | *.key 15 | 16 | # Private 17 | .private 18 | .bin 19 | 20 | # Ansible 21 | .venv* 22 | 23 | # Taskfile 24 | .task 25 | 26 | # Brew 27 | Brewfile.lock.json 28 | 29 | # intellij 30 | .idea 31 | 32 | # wiki 33 | wiki 34 | 35 | # Bootstrap 36 | /config.yaml 37 | 38 | # Terraform 39 | .terraform 40 | -------------------------------------------------------------------------------- /.lycheeignore: 
-------------------------------------------------------------------------------- 1 | https://dash.cloudflare.com/profile/api-tokens 2 | https://www.mend.io/free-developer-tools/renovate/ 3 | -------------------------------------------------------------------------------- /.markdownlintignore: -------------------------------------------------------------------------------- 1 | README.md 2 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fail_fast: false 3 | repos: 4 | - repo: https://github.com/adrienverge/yamllint 5 | rev: v1.35.1 6 | hooks: 7 | - args: 8 | - --config-file 9 | - .github/linters/.yamllint.yaml 10 | id: yamllint 11 | - repo: https://github.com/pre-commit/pre-commit-hooks 12 | rev: v4.6.0 13 | hooks: 14 | - id: check-merge-conflict 15 | - id: end-of-file-fixer 16 | - id: mixed-line-ending 17 | - id: trailing-whitespace 18 | args: [--markdown-linebreak-ext=md] 19 | - repo: https://github.com/Lucas-C/pre-commit-hooks 20 | rev: v1.5.5 21 | hooks: 22 | - id: remove-crlf 23 | - id: remove-tabs 24 | - repo: https://github.com/sirosen/texthooks 25 | rev: 0.6.6 26 | hooks: 27 | - id: fix-smartquotes 28 | # - repo: https://github.com/k8s-at-home/sops-pre-commit 29 | # rev: v2.1.1 30 | # hooks: 31 | # - id: forbid-secrets 32 | # - repo: https://github.com/gruntwork-io/pre-commit 33 | # rev: v0.1.23 34 | # hooks: 35 | # - id: terraform-fmt 36 | # - id: terraform-validate 37 | # - id: tflint 38 | - repo: https://github.com/zricethezav/gitleaks 39 | rev: v8.18.3 40 | hooks: 41 | - id: gitleaks 42 | -------------------------------------------------------------------------------- /.renovate/allowedVersions.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | packageRules: [ 4 | { 5 | matchDatasources: 
["docker"], 6 | matchPackageNames: ["/postgresql/"], 7 | allowedVersions: "<=17", 8 | }, 9 | ], 10 | } -------------------------------------------------------------------------------- /.renovate/autoMerge.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | packageRules: [ 4 | { 5 | description: "Auto-merge trusted container digests", 6 | matchDatasources: ["docker"], 7 | automerge: true, 8 | automergeType: "pr", 9 | matchUpdateTypes: ["digest"], 10 | matchPackageNames: ["/home-operations/"], 11 | ignoreTests: false, 12 | }, 13 | { 14 | description: "Auto-merge OCI Charts", 15 | matchDatasources: ["docker"], 16 | automerge: true, 17 | automergeType: "pr", 18 | matchUpdateTypes: ["minor", "patch"], 19 | matchPackageNames: ["/kube-prometheus-stack/"], 20 | ignoreTests: false, 21 | }, 22 | { 23 | description: "Auto-merge GitHub Actions", 24 | matchManagers: ["github-actions"], 25 | automerge: true, 26 | automergeType: "branch", 27 | matchUpdateTypes: ["minor", "patch", "digest"], 28 | minimumReleaseAge: "3 days", 29 | ignoreTests: true, 30 | }, 31 | { 32 | description: "Auto-merge GitHub Releases", 33 | matchDatasources: ["github-releases"], 34 | automerge: true, 35 | automergeType: "branch", 36 | matchUpdateTypes: ["minor", "patch"], 37 | matchPackageNames: [ 38 | "/external-dns/", 39 | "/gateway-api/", 40 | "/prometheus-operator/", 41 | ], 42 | ignoreTests: true, 43 | }, 44 | ], 45 | } 46 | -------------------------------------------------------------------------------- /.renovate/commitMessage.json5: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "commitMessageTopic": "{{depName}}", 4 | "commitMessageExtra": "to {{newVersion}}", 5 | "commitMessageSuffix": "", 6 | "packageRules": [ 7 | { 8 | "matchDatasources": ["helm"], 9 | "commitMessageTopic": 
"chart {{depName}}" 10 | }, 11 | { 12 | "matchDatasources": ["docker"], 13 | "commitMessageTopic": "image {{depName}}" 14 | } 15 | ] 16 | } 17 | -------------------------------------------------------------------------------- /.renovate/customManagers.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | customManagers: [ 4 | { 5 | customType: "regex", 6 | description: "Process annotated dependencies", 7 | fileMatch: ["(^|/).+\\.ya?ml(?:\\.j2)?$"], 8 | matchStrings: [ 9 | // # renovate: datasource=github-releases depName=kubernetes/kubernetes 10 | // version: 1.29.1 11 | "datasource=(?\\S+) depName=(?\\S+)\\n.+ (?[v|\\d]\\S+)", 12 | // # renovate: datasource=github-releases depName=rancher/system-upgrade-controller 13 | // https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.2/crd.yaml 14 | "datasource=(?\\S+) depName=(?\\S+)\\n.+/(?[v|\\d][^/]+)", 15 | ], 16 | datasourceTemplate: "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}", 17 | }, 18 | ], 19 | } -------------------------------------------------------------------------------- /.renovate/grafanaDashboards.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | customDatasources: { 4 | "grafana-dashboards": { 5 | defaultRegistryUrlTemplate: "https://grafana.com/api/dashboards/{{packageName}}", 6 | format: "json", 7 | transformTemplates: ['{"releases":[{"version": $string(revision)}]}'], 8 | }, 9 | }, 10 | customManagers: [ 11 | { 12 | customType: "regex", 13 | description: "Process Grafana dashboards", 14 | fileMatch: ["(^|/)kubernetes/.+\\.ya?ml$"], 15 | matchStrings: [ 16 | 'depName="(?.*)"\\n(?\\s+)gnetId: (?\\d+)\\n.+revision: (?\\d+)', 17 | ], 18 | autoReplaceStringTemplate: 'depName="{{{depName}}}"\n{{{indentation}}}gnetId: 
{{{packageName}}}\n{{{indentation}}}revision: {{{newValue}}}', 19 | datasourceTemplate: "custom.grafana-dashboards", 20 | versioningTemplate: "regex:^(?\\d+)$", 21 | }, 22 | ], 23 | packageRules: [ 24 | { 25 | addLabels: ["renovate/grafana-dashboard"], 26 | automerge: true, 27 | automergeType: "branch", 28 | matchDatasources: ["custom.grafana-dashboards"], 29 | matchUpdateTypes: ["major"], 30 | semanticCommitType: "chore", 31 | semanticCommitScope: "grafana-dashboards", 32 | commitMessageTopic: "dashboard {{depName}}", 33 | commitMessageExtra: "({{currentVersion}} → {{newVersion}})", 34 | }, 35 | ], 36 | } 37 | -------------------------------------------------------------------------------- /.renovate/labels.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | packageRules: [ 4 | { 5 | matchUpdateTypes: ["major"], 6 | labels: ["type/major"], 7 | }, 8 | { 9 | matchUpdateTypes: ["minor"], 10 | labels: ["type/minor"], 11 | }, 12 | { 13 | matchUpdateTypes: ["patch"], 14 | labels: ["type/patch"], 15 | }, 16 | { 17 | matchUpdateTypes: ["digest"], 18 | labels: ["type/digest"], 19 | }, 20 | { 21 | matchDatasources: ["docker"], 22 | addLabels: ["renovate/container"], 23 | }, 24 | { 25 | matchDatasources: ["helm"], 26 | addLabels: ["renovate/helm"], 27 | }, 28 | { 29 | matchManagers: ["github-actions"], 30 | addLabels: ["renovate/github-action"], 31 | }, 32 | { 33 | matchDatasources: ["github-releases"], 34 | addLabels: ["renovate/github-release"], 35 | }, 36 | ], 37 | } 38 | -------------------------------------------------------------------------------- /.renovate/semanticCommits.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | packageRules: [ 4 | { 5 | matchUpdateTypes: ["major"], 6 | semanticCommitType: "feat", 7 | commitMessagePrefix: 
"{{semanticCommitType}}({{semanticCommitScope}})!:", 8 | commitMessageExtra: "({{currentVersion}} → {{newVersion}})", 9 | }, 10 | { 11 | matchUpdateTypes: ["minor"], 12 | semanticCommitType: "feat", 13 | commitMessageExtra: "({{currentVersion}} → {{newVersion}})", 14 | }, 15 | { 16 | matchUpdateTypes: ["patch"], 17 | semanticCommitType: "fix", 18 | commitMessageExtra: "({{currentVersion}} → {{newVersion}})", 19 | }, 20 | { 21 | matchUpdateTypes: ["digest"], 22 | semanticCommitType: "chore", 23 | commitMessageExtra: "({{currentDigestShort}} → {{newDigestShort}})", 24 | }, 25 | { 26 | matchDatasources: ["docker"], 27 | semanticCommitScope: "container", 28 | commitMessageTopic: "image {{depName}}", 29 | }, 30 | { 31 | matchDatasources: ["helm"], 32 | semanticCommitScope: "helm", 33 | commitMessageTopic: "chart {{depName}}", 34 | }, 35 | { 36 | matchManagers: ["github-actions"], 37 | semanticCommitType: "ci", 38 | semanticCommitScope: "github-action", 39 | commitMessageTopic: "action {{depName}}", 40 | }, 41 | { 42 | matchDatasources: ["github-releases"], 43 | semanticCommitScope: "github-release", 44 | commitMessageTopic: "release {{depName}}", 45 | }, 46 | ], 47 | } 48 | -------------------------------------------------------------------------------- /.secretlintignore: -------------------------------------------------------------------------------- 1 | megalinter-reports 2 | README.md 3 | -------------------------------------------------------------------------------- /.sops.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | creation_rules: 3 | - # IMPORTANT: This rule MUST be above the others 4 | path_regex: talos/.*\.sops\.ya?ml 5 | key_groups: 6 | - age: 7 | - "age12evtyez2gz3w209lld8r6nw0v0572v468v0hl05m5259v0zrn5eq3cct4h" 8 | - path_regex: kubernetes/.*\.sops\.ya?ml 9 | encrypted_regex: "^(data|stringData)$" 10 | key_groups: 11 | - age: 12 | - "age12evtyez2gz3w209lld8r6nw0v0572v468v0hl05m5259v0zrn5eq3cct4h" 13 | 
-------------------------------------------------------------------------------- /.taskfiles/KubernetesTasks.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://taskfile.dev/schema.json 3 | version: "3" 4 | 5 | vars: 6 | KUBECONFORM_SCRIPT: "{{.ROOT_DIR}}/.taskfiles/scripts/kubeconform.sh" 7 | 8 | tasks: 9 | 10 | resources: 11 | desc: Gather common resources in your cluster, useful when asking for support 12 | cmds: 13 | - for: { var: resource } 14 | cmd: kubectl get {{.ITEM}} {{.CLI_ARGS | default "-A"}} 15 | vars: 16 | resource: >- 17 | nodes 18 | gitrepositories 19 | kustomizations 20 | helmrepositories 21 | helmreleases 22 | certificates 23 | certificaterequests 24 | ingresses 25 | pods 26 | 27 | kubeconform: 28 | desc: Validate Kubernetes manifests with kubeconform 29 | cmd: bash {{.KUBECONFORM_SCRIPT}} {{.KUBERNETES_DIR}} 30 | preconditions: 31 | - { msg: "Missing kubeconform script", sh: "test -f {{.KUBECONFORM_SCRIPT}}" } 32 | - { msg: "Missing kubernetes directory", sh: "test -d {{.KUBERNETES_DIR}}" } 33 | -------------------------------------------------------------------------------- /.taskfiles/PreCommitTasks.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://taskfile.dev/schema.json 3 | version: "3" 4 | 5 | tasks: 6 | init: 7 | desc: Initialize pre-commit hooks 8 | cmds: 9 | - pre-commit install-hooks 10 | run: 11 | desc: Run pre-commit 12 | cmds: 13 | - pre-commit run --all-files 14 | update: 15 | desc: Updates pre-commit 16 | cmds: 17 | - pre-commit autoupdate 18 | -------------------------------------------------------------------------------- /.taskfiles/TerraformTasks.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://taskfile.dev/schema.json 3 | version: "3" 4 | 5 | tasks: 6 | 7 | 
cloudflare:init: 8 | desc: Initialize terraform 9 | dir: provision/terraform/cloudflare 10 | cmds: 11 | - "terraform init" 12 | 13 | cloudflare:plan: 14 | desc: Prepare all the k8s nodes for running k3s 15 | dir: provision/terraform/cloudflare 16 | cmds: 17 | - "terraform plan" 18 | 19 | cloudflare:apply: 20 | desc: Prepare all the k8s nodes for running k3s 21 | dir: provision/terraform/cloudflare 22 | cmds: 23 | - "terraform apply" 24 | 25 | pihole:init: 26 | desc: Initialize terraform 27 | dir: provision/terraform/pihole 28 | cmds: 29 | - "terraform init" 30 | 31 | pihole:plan: 32 | desc: Prepare all the k8s nodes for running k3s 33 | dir: provision/terraform/pihole 34 | cmds: 35 | - "terraform plan" 36 | 37 | pihole:apply: 38 | desc: Prepare all the k8s nodes for running k3s 39 | dir: provision/terraform/pihole 40 | cmds: 41 | - "terraform apply -auto-approve" 42 | -------------------------------------------------------------------------------- /.taskfiles/volsync/resources/replicationdestination.yaml.j2: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationDestination 4 | metadata: 5 | name: {{ ENV.APP }}-manual 6 | namespace: {{ ENV.NS }} 7 | spec: 8 | trigger: 9 | manual: restore-once 10 | restic: 11 | repository: {{ ENV.APP }}-volsync-secret 12 | destinationPVC: {{ ENV.CLAIM }} 13 | copyMethod: Direct 14 | storageClassName: {{ ENV.STORAGE_CLASS_NAME }} 15 | accessModes: {{ ENV.ACCESS_MODES }} 16 | previous: {{ ENV.PREVIOUS }} 17 | moverSecurityContext: 18 | runAsUser: {{ ENV.PUID }} 19 | runAsGroup: {{ ENV.PGID }} 20 | fsGroup: {{ ENV.PGID }} 21 | enableFileDeletion: true 22 | cleanupCachePVC: true 23 | cleanupTempPVC: true 24 | -------------------------------------------------------------------------------- /.taskfiles/volsync/resources/unlock.yaml.j2: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
batch/v1 3 | kind: Job 4 | metadata: 5 | name: volsync-unlock-{{ ENV.APP }} 6 | namespace: {{ ENV.NS }} 7 | spec: 8 | ttlSecondsAfterFinished: 3600 9 | template: 10 | spec: 11 | automountServiceAccountToken: false 12 | restartPolicy: OnFailure 13 | containers: 14 | - name: minio 15 | image: docker.io/restic/restic:latest 16 | args: ["unlock", "--remove-all"] 17 | envFrom: 18 | - secretRef: 19 | name: {{ ENV.APP }}-volsync-secret 20 | volumeMounts: 21 | - name: repository 22 | mountPath: /repository 23 | resources: {} 24 | - name: r2 25 | image: docker.io/restic/restic:latest 26 | args: ["unlock", "--remove-all"] 27 | envFrom: 28 | - secretRef: 29 | name: {{ ENV.APP }}-volsync-r2-secret 30 | resources: {} 31 | volumes: 32 | - name: repository 33 | nfs: 34 | server: expanse.internal 35 | path: /mnt/eros/Volsync 36 | -------------------------------------------------------------------------------- /.taskfiles/workstation/Archfile: -------------------------------------------------------------------------------- 1 | age 2 | cloudflared-bin 3 | direnv 4 | flux-bin 5 | go-task 6 | go-yq 7 | helm 8 | helmfile 9 | jq 10 | kubeconform 11 | kubectl-bin 12 | kustomize 13 | minijinja-cli-bin 14 | moreutils 15 | sops 16 | stern-bin 17 | talhelper-bin 18 | talosctl 19 | -------------------------------------------------------------------------------- /.taskfiles/workstation/Brewfile: -------------------------------------------------------------------------------- 1 | tap "fluxcd/tap" 2 | tap "go-task/tap" 3 | tap "siderolabs/tap" 4 | brew "age" 5 | brew "cloudflared" 6 | brew "direnv" 7 | brew "fluxcd/tap/flux" 8 | brew "go-task/tap/go-task" 9 | brew "helm" 10 | brew "helmfile" 11 | brew "jq" 12 | brew "kubeconform" 13 | brew "kubernetes-cli" 14 | brew "kustomize" 15 | brew "minijinja-cli" 16 | brew "moreutils" 17 | brew "siderolabs/tap/talosctl" 18 | brew "sops" 19 | brew "stern" 20 | brew "talhelper" 21 | brew "yq" 22 | 
-------------------------------------------------------------------------------- /.vscode/extensions.json: -------------------------------------------------------------------------------- 1 | { 2 | "recommendations": [ 3 | "albert.TabOut", 4 | "britesnow.vscode-toggle-quotes", 5 | "fcrespo82.markdown-table-formatter", 6 | "mitchdenny.ecdc", 7 | "redhat.ansible", 8 | "signageos.signageos-vscode-sops", 9 | "will-stone.in-any-case", 10 | "EditorConfig.editorconfig", 11 | "HashiCorp.terraform", 12 | "PKief.material-icon-theme", 13 | ] 14 | } 15 | -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "files.associations": { 3 | "*.json5": "jsonc", 4 | "**/ansible/**/*.yml": "ansible", 5 | "**/ansible/**/*.sops.yml": "yaml", 6 | "**/ansible/**/inventory/**/*.yml": "yaml", 7 | "**/terraform/**/*.tf": "terraform", 8 | "**/kubernetes/**/*.sops.toml": "plaintext" 9 | }, 10 | "yaml.schemas": { 11 | "ansible": "./ansible/**/*.yml", 12 | "Kubernetes": "./kubernetes/*.yaml" 13 | }, 14 | "editor.bracketPairColorization.enabled": true, 15 | "editor.guides.bracketPairs": true, 16 | "editor.guides.bracketPairsHorizontal": true, 17 | "editor.guides.highlightActiveBracketPair": true, 18 | "editor.hover.delay": 1500, 19 | "files.trimTrailingWhitespace": true, 20 | "ansible.python.interpreterPath": "/usr/bin/python3", 21 | } 22 | -------------------------------------------------------------------------------- /LICENCE: -------------------------------------------------------------------------------- 1 | DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 2 | Version 2, December 2004 3 | 4 | Copyright (C) 2024 Ales Lerch 5 | 6 | Everyone is permitted to copy and distribute verbatim or modified 7 | copies of this license document, and changing it is allowed as long 8 | as the name is changed. 
9 | 10 | DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 11 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 12 | 13 | 0. You just DO WHAT THE FUCK YOU WANT TO. 14 | -------------------------------------------------------------------------------- /Taskfile.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://taskfile.dev/schema.json 3 | version: '3' 4 | 5 | set: [pipefail] 6 | shopt: [globstar] 7 | 8 | vars: 9 | CLUSTER: '{{.CLUSTER | default "main"}}' 10 | BOOTSTRAP_DIR: '{{.ROOT_DIR}}/bootstrap' 11 | KUBERNETES_DIR: '{{.ROOT_DIR}}/kubernetes' 12 | SCRIPTS_DIR: '{{.ROOT_DIR}}/scripts' 13 | BOOTSTRAP_CONFIG_FILE: '{{.ROOT_DIR}}/config.yaml' 14 | MAKEJINJA_CONFIG_FILE: '{{.ROOT_DIR}}/makejinja.toml' 15 | SOPS_CONFIG_FILE: '{{.ROOT_DIR}}/.sops.yaml' 16 | 17 | env: 18 | KUBECONFIG: '{{.ROOT_DIR}}/kubeconfig' 19 | PYTHONDONTWRITEBYTECODE: '1' 20 | SOPS_AGE_KEY_FILE: '{{.ROOT_DIR}}/age.key' 21 | VIRTUAL_ENV: '{{.ROOT_DIR}}/.venv' 22 | 23 | includes: 24 | bootstrap: .taskfiles/bootstrap 25 | kubernetes: .taskfiles/kubernetes 26 | talos: .taskfiles/talos 27 | volsync: .taskfiles/volsync 28 | workstation: .taskfiles/workstation 29 | user: 30 | taskfile: .taskfiles/User 31 | optional: true 32 | 33 | tasks: 34 | 35 | default: task --list 36 | 37 | init: 38 | desc: Initialize configuration files 39 | cmd: cp {{.BOOTSTRAP_CONFIG_FILE | replace ".yaml" ".sample.yaml"}} {{.BOOTSTRAP_CONFIG_FILE}} 40 | status: 41 | - test -f {{.BOOTSTRAP_CONFIG_FILE}} 42 | 43 | configure: 44 | desc: Render and validate configuration files 45 | prompt: Any conflicting files in the kubernetes directory will be overwritten... continue? 46 | cmds: 47 | - task: bootstrap:template 48 | - task: bootstrap:secrets 49 | - task: kubernetes:kubeconform 50 | - > 51 | {{if eq .HOME_SOPS_AGE_KEY_FILE_EXISTS "true"}} 52 | echo "WARNING: SOPS Age key found in home directory, this may cause conflicts." 
53 | {{end}} 54 | vars: 55 | HOME_SOPS_AGE_KEY_FILE_EXISTS: 56 | sh: test -f ~/.config/sops/age/keys.txt && echo true || echo false 57 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: cert-manager 6 | spec: 7 | interval: 1h 8 | chart: 9 | spec: 10 | chart: cert-manager 11 | version: v1.17.2 12 | sourceRef: 13 | kind: HelmRepository 14 | name: jetstack 15 | namespace: flux-system 16 | install: 17 | remediation: 18 | retries: 3 19 | upgrade: 20 | cleanupOnFail: true 21 | remediation: 22 | retries: 3 23 | values: 24 | crds: 25 | enabled: true 26 | dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query 27 | dns01RecursiveNameserversOnly: true 28 | prometheus: 29 | enabled: true 30 | servicemonitor: 31 | enabled: true 32 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/issuers/issuers.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: ClusterIssuer 3 | metadata: 4 | name: letsencrypt-production 5 | spec: 6 | acme: 7 | server: https://acme-v02.api.letsencrypt.org/directory 8 | email: "${SECRET_ACME_EMAIL}" 9 | privateKeySecretRef: 10 | name: letsencrypt-production 11 | solvers: 12 | - dns01: 13 | cloudflare: 14 | apiTokenSecretRef: 15 | name: cert-manager-secret 16 | 
key: api-token 17 | selector: 18 | dnsZones: 19 | - "${SECRET_DOMAIN}" 20 | --- 21 | apiVersion: cert-manager.io/v1 22 | kind: ClusterIssuer 23 | metadata: 24 | name: letsencrypt-staging 25 | spec: 26 | acme: 27 | server: https://acme-staging-v02.api.letsencrypt.org/directory 28 | email: "${SECRET_ACME_EMAIL}" 29 | privateKeySecretRef: 30 | name: letsencrypt-staging 31 | solvers: 32 | - dns01: 33 | cloudflare: 34 | apiTokenSecretRef: 35 | name: cert-manager-secret 36 | key: api-token 37 | selector: 38 | dnsZones: 39 | - "${SECRET_DOMAIN}" 40 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./secret.sops.yaml 6 | - ./issuers.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: cert-manager-secret 5 | stringData: 6 | api-token: ENC[AES256_GCM,data:r/x6LEPeAnvLdznM3UZ1fxVT9oSJPsk3SbIntxUjx+3UQykKHjas3A==,iv:gHv4qlhW/efrU5SZRNUOTifP+3jqNKaRjmQZGPssF6Q=,tag:ckqpq3JueVYu3xigc1KJ4g==,type:str] 7 | sops: 8 | kms: [] 9 | gcp_kms: [] 10 | azure_kv: [] 11 | hc_vault: [] 12 | age: 13 | - recipient: age12evtyez2gz3w209lld8r6nw0v0572v468v0hl05m5259v0zrn5eq3cct4h 14 | enc: | 15 | -----BEGIN AGE ENCRYPTED FILE----- 16 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBheGpxZWM3UXJXaVVwN0Jh 17 | bFZIZHpXWVZUcGU5TnVsZDNwUE9mOWsxR3lFCk1jdFlMaFFVZEplNWx1d2xOaExv 18 | bDgyVGQxbXZVRVdNQUI0ZWwrMEgyOGMKLS0tIHFrS2dWaFdHdWY2VUNZUHNCWXB1 19 | YzUyTGduUVRjT0RxZXBpNGpaOUpWTTgKS18LNtqKtYHrmCzixrcxGDPhu9rRJICI 20 | n3Not1QbH9auLkXLOnjrZI5hV2qD7O994Tmn1fwCJMXK61V0Wwt+fw== 21 | 
-----END AGE ENCRYPTED FILE----- 22 | lastmodified: "2024-11-24T22:19:45Z" 23 | mac: ENC[AES256_GCM,data:88g7zq6JB5a+LKptMMHG6GPGyt+l2x4oC3JlW/uhgnSPtaroF/pxlJC8JqHVgfy05fZt+S/IHwVTNcYDP5ZcVrZzKZcuaegV+Xq9eJkcmGpDq3Uj+/45A66MigYtBnaZLdAKRiSQnSotrZ60SE9k7Dbrvoe8lk3OdrSt8WocLnQ=,iv:F5fco+ndLgLcjVerx5Vhe1IP3Twtj6hRCOyZpwsOFJc=,tag:xTXAjbKKatmf7lxgxyCwLg==,type:str] 24 | pgp: [] 25 | encrypted_regex: ^(data|stringData)$ 26 | version: 3.9.0 27 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app cert-manager 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: cert-manager 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | path: ./kubernetes/apps/cert-manager/cert-manager/app 13 | prune: true 14 | sourceRef: 15 | kind: GitRepository 16 | name: home-kubernetes 17 | wait: true 18 | interval: 30m 19 | timeout: 5m 20 | --- 21 | apiVersion: kustomize.toolkit.fluxcd.io/v1 22 | kind: Kustomization 23 | metadata: 24 | name: &app cert-manager-issuers 25 | namespace: flux-system 26 | spec: 27 | targetNamespace: cert-manager 28 | commonMetadata: 29 | labels: 30 | app.kubernetes.io/name: *app 31 | dependsOn: 32 | - name: cert-manager 33 | path: ./kubernetes/apps/cert-manager/cert-manager/issuers 34 | prune: true 35 | sourceRef: 36 | kind: GitRepository 37 | name: home-kubernetes 38 | wait: true 39 | interval: 30m 40 | timeout: 5m 41 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./namespace.yaml 6 | - ./cert-manager/ks.yaml 7 | 
-------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: cert-manager 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | -------------------------------------------------------------------------------- /kubernetes/apps/database/dragonfly/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | # renovate: datasource=github-releases depName=dragonflydb/dragonfly-operator 7 | - https://raw.githubusercontent.com/dragonflydb/dragonfly-operator/v1.1.11/manifests/crd.yaml 8 | - ./helmrelease.yaml 9 | - ./rbac.yaml -------------------------------------------------------------------------------- /kubernetes/apps/database/dragonfly/app/rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: dragonfly-operator 6 | rules: 7 | - apiGroups: ["coordination.k8s.io"] 8 | resources: ["leases"] 9 | verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] 10 | - apiGroups: [""] 11 | resources: ["events"] 12 | verbs: ["create", "patch"] 13 | - apiGroups: [""] 14 | resources: ["pods", "services"] 15 | verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] 16 | - apiGroups: ["apps"] 17 | resources: ["statefulsets"] 18 | verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] 19 | - apiGroups: ["dragonflydb.io"] 20 | resources: ["dragonflies"] 21 | verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] 22 | - apiGroups: ["dragonflydb.io"] 23 | 
resources: ["dragonflies/finalizers"] 24 | verbs: ["update"] 25 | - apiGroups: ["dragonflydb.io"] 26 | resources: ["dragonflies/status"] 27 | verbs: ["get", "patch", "update"] 28 | --- 29 | apiVersion: rbac.authorization.k8s.io/v1 30 | kind: ClusterRoleBinding 31 | metadata: 32 | name: dragonfly-operator 33 | roleRef: 34 | apiGroup: rbac.authorization.k8s.io 35 | kind: ClusterRole 36 | name: dragonfly-operator 37 | subjects: 38 | - kind: ServiceAccount 39 | name: dragonfly-operator 40 | namespace: database 41 | -------------------------------------------------------------------------------- /kubernetes/apps/database/dragonfly/cluster/cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/dragonflydb.io/dragonfly_v1alpha1.json 3 | apiVersion: dragonflydb.io/v1alpha1 4 | kind: Dragonfly 5 | metadata: 6 | name: dragonfly 7 | spec: 8 | image: ghcr.io/dragonflydb/dragonfly:v1.30.3@sha256:29d44a25a9e6937672f1c12e28c9f481f3d3c0441001ee56ed274a72f50593b7 9 | replicas: 3 10 | env: 11 | - name: MAX_MEMORY 12 | valueFrom: 13 | resourceFieldRef: 14 | resource: limits.memory 15 | divisor: 1Mi 16 | args: 17 | - --maxmemory=$(MAX_MEMORY)Mi 18 | - --proactor_threads=1 19 | - --cluster_mode=emulated 20 | - --default_lua_flags=allow-undeclared-keys 21 | resources: 22 | requests: 23 | cpu: 100m 24 | limits: 25 | memory: 256Mi 26 | -------------------------------------------------------------------------------- /kubernetes/apps/database/dragonfly/cluster/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./cluster.yaml 7 | - ./podmonitor.yaml 8 | -------------------------------------------------------------------------------- 
/kubernetes/apps/database/dragonfly/cluster/podmonitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/podmonitor_v1.json 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: PodMonitor 5 | metadata: 6 | name: dragonfly 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: dragonfly 11 | podTargetLabels: ["app"] 12 | podMetricsEndpoints: 13 | - port: admin 14 | -------------------------------------------------------------------------------- /kubernetes/apps/database/dragonfly/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app dragonfly 6 | namespace: flux-system 7 | # namespace: &namespace database 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | interval: 1h 13 | path: ./kubernetes/apps/database/dragonfly/app 14 | prune: true 15 | retryInterval: 2m 16 | sourceRef: 17 | kind: GitRepository 18 | name: home-kubernetes 19 | namespace: flux-system 20 | targetNamespace: database 21 | timeout: 5m 22 | wait: true 23 | --- 24 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 25 | apiVersion: kustomize.toolkit.fluxcd.io/v1 26 | kind: Kustomization 27 | metadata: 28 | name: &app dragonfly-cluster 29 | namespace: flux-system 30 | spec: 31 | commonMetadata: 32 | labels: 33 | app.kubernetes.io/name: *app 34 | dependsOn: 35 | - name: dragonfly 36 | interval: 1h 37 | path: ./kubernetes/apps/database/dragonfly/cluster 38 | prune: true 39 | sourceRef: 40 | kind: GitRepository 41 | name: home-kubernetes 42 | namespace: flux-system 43 | targetNamespace: database 44 | timeout: 5m 45 | wait: true 46 | -------------------------------------------------------------------------------- 
/kubernetes/apps/database/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./namespace.yaml 6 | - ./dragonfly/ks.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/database/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: database 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | -------------------------------------------------------------------------------- /kubernetes/apps/default/affine/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kochhaus-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: affine 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: affine-secret 13 | template: 14 | data: 15 | REDIS_SERVER_HOST: dragonfly.database.svc.cluster.local 16 | DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@${DATABASE_IP}:5432/affine 17 | INIT_POSTGRES_DBNAME: affine 18 | INIT_POSTGRES_HOST: ${DATABASE_IP} 19 | INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" 20 | INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" 21 | INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" 22 | INIT_POSTGRES_ENCODING: "UTF8" 23 | AFFINE_SERVER_HTTPS: "true" 24 | AFFINE_SERVER_HOST: "nt.juno.moe" 25 | dataFrom: 26 | - extract: 27 | key: affine 28 | - extract: 29 | key: cloudnative-pg 30 | -------------------------------------------------------------------------------- /kubernetes/apps/default/affine/app/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml -------------------------------------------------------------------------------- /kubernetes/apps/default/affine/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app affine 6 | namespace: flux-system 7 | # namespace: &namespace default 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | components: 13 | - ../../../../components/volsync 14 | dependsOn: 15 | - name: rook-ceph-cluster 16 | namespace: flux-system 17 | - name: volsync 18 | namespace: flux-system 19 | interval: 1h 20 | path: ./kubernetes/apps/default/affine/app 21 | postBuild: 22 | substitute: 23 | APP: *app 24 | VOLSYNC_CAPACITY: 2Gi 25 | prune: true 26 | retryInterval: 2m 27 | sourceRef: 28 | kind: GitRepository 29 | name: home-kubernetes 30 | namespace: flux-system 31 | targetNamespace: default 32 | timeout: 5m 33 | wait: true 34 | -------------------------------------------------------------------------------- /kubernetes/apps/default/atuin/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: atuin 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: atuin-secret 13 | template: 14 | engineVersion: v2 15 | data: 16 | ATUIN_DB_URI: |- 17 | postgres://{{ .ATUIN_POSTGRES_USER }}:{{ .ATUIN_POSTGRES_PASS 
}}@${DATABASE_IP}/atuin 18 | INIT_POSTGRES_DBNAME: atuin 19 | INIT_POSTGRES_HOST: ${DATABASE_IP} 20 | INIT_POSTGRES_USER: "{{ .ATUIN_POSTGRES_USER }}" 21 | INIT_POSTGRES_PASS: "{{ .ATUIN_POSTGRES_PASS }}" 22 | INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" 23 | dataFrom: 24 | - extract: 25 | key: atuin 26 | - extract: 27 | key: cloudnative-pg 28 | -------------------------------------------------------------------------------- /kubernetes/apps/default/atuin/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/default/atuin/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app atuin 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: default 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | dependsOn: 14 | - name: cluster-apps-external-secrets-stores 15 | path: ./kubernetes/apps/default/atuin/app 16 | prune: true 17 | sourceRef: 18 | kind: GitRepository 19 | name: home-kubernetes 20 | wait: false 21 | interval: 30m 22 | retryInterval: 1m 23 | timeout: 5m 24 | -------------------------------------------------------------------------------- /kubernetes/apps/default/docmost/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://kochhaus-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
# NOTE(review): the editor schema line above is the v1beta1 shape while the
# resource is external-secrets.io/v1 — editor validation only, no runtime effect.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: docmost
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: docmost-secret
    template:
      data:
        # App
        APP_SECRET: "{{ .DOCMOST_APP_SECRET }}"
        # NOTE(review): `sslmode=disable` sends the docmost DB password and all
        # query traffic in cleartext to ${DATABASE_IP}; the atuin and affine
        # secrets in this repo leave sslmode unset instead. If the CloudNativePG
        # server offers TLS, `sslmode=require` is a drop-in hardening;
        # `verify-full` would additionally need a hostname rather than an IP in
        # the URL. Confirm the server side before changing.
        DATABASE_URL: "postgres://{{ .DOCMOST_POSTGRES_USER }}:{{ .DOCMOST_POSTGRES_PASS }}@${DATABASE_IP}/docmost?sslmode=disable"
        # Postgres Init
        INIT_POSTGRES_DBNAME: docmost
        INIT_POSTGRES_HOST: ${DATABASE_IP}
        INIT_POSTGRES_USER: "{{ .DOCMOST_POSTGRES_USER }}"
        INIT_POSTGRES_PASS: "{{ .DOCMOST_POSTGRES_PASS }}"
        # The Postgres superuser password lands in an app-namespace Secret
        # (docmost-secret); anyone who can read Secrets in `default` gets it.
        # Presumably consumed by an init container that creates the DB/role —
        # confirm in the HelmRelease, which is outside this view.
        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
  dataFrom:
    - extract:
        key: docmost
    - extract:
        key: cloudnative-pg
# --------------------------------------------------------------------------------
# /kubernetes/apps/default/docmost/app/kustomization.yaml
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
# --------------------------------------------------------------------------------
# /kubernetes/apps/default/docmost/ks.yaml
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app docmost
  namespace: flux-system
  # namespace: &namespace default
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Pulls in the shared volsync component; its inputs are the substitutions below.
  components:
    - ../../../../components/volsync
  dependsOn:
    - name: rook-ceph-cluster
      namespace: flux-system
    - name: volsync
      namespace: flux-system
  interval: 1h
| path: ./kubernetes/apps/default/docmost/app 21 | postBuild: 22 | substitute: 23 | APP: *app 24 | VOLSYNC_CAPACITY: 1Gi 25 | prune: true 26 | retryInterval: 2m 27 | sourceRef: 28 | kind: GitRepository 29 | name: home-kubernetes 30 | namespace: flux-system 31 | targetNamespace: default 32 | timeout: 5m 33 | wait: true 34 | -------------------------------------------------------------------------------- /kubernetes/apps/default/glance/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | configMapGenerator: 7 | - name: glance-configmap 8 | files: 9 | - glance.yml=./config/glance.yml 10 | generatorOptions: 11 | disableNameSuffixHash: true 12 | # annotations: 13 | # kustomize.toolkit.fluxcd.io/substitute: disabled 14 | -------------------------------------------------------------------------------- /kubernetes/apps/default/glance/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app glance 6 | namespace: flux-system 7 | # namespace: &namespace database 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | interval: 1h 13 | path: ./kubernetes/apps/default/glance/app 14 | prune: true 15 | retryInterval: 2m 16 | sourceRef: 17 | kind: GitRepository 18 | name: home-kubernetes 19 | namespace: flux-system 20 | targetNamespace: default 21 | timeout: 5m 22 | wait: false 23 | -------------------------------------------------------------------------------- /kubernetes/apps/default/hajimari/app/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: hajimari-config 6 | namespace: default 7 | spec: 8 | accessModes: 9 
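- ReadWriteOnce
  storageClassName: ceph-block
  resources:
    requests:
      storage: 128Mi
# --------------------------------------------------------------------------------
# /kubernetes/apps/default/hajimari/app/kustomization.yaml
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./config-pvc.yaml
  - ./helmrelease.yaml
# --------------------------------------------------------------------------------
# /kubernetes/apps/default/hajimari/ks.yaml
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app hajimari
  namespace: flux-system
spec:
  targetNamespace: default
  path: ./kubernetes/apps/default/hajimari/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  healthChecks:
    # Was helm.toolkit.fluxcd.io/v2beta1. The coredns HelmRelease in this repo is
    # created as helm.toolkit.fluxcd.io/v2, so v2 is served by this cluster and
    # the deprecated beta version would stop resolving once it is dropped,
    # turning the health check into a permanent failure.
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *app
      namespace: default
  interval: 30m
  retryInterval: 1m
  timeout: 3m
# --------------------------------------------------------------------------------
# /kubernetes/apps/default/karakeep/app/externalsecret.yaml
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: karakeep
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: karakeep-secret
    template:
      data:
        NEXTAUTH_SECRET: "{{ .ENCRYPTION_KEY }}"
        MEILI_MASTER_KEY: "{{ .MEILISEARCH_MASTER_KEY }}"
        # AI
        OPENAI_BASE_URL: "{{ .OPENAI_BASE_URL }}"
        OPENAI_API_KEY: "{{ .OPENAI_API_KEY }}"
        # OIDC
        OAUTH_CLIENT_ID: "{{ .OIDC_CLIENT_ID }}"
        OAUTH_CLIENT_SECRET: "{{ .OIDC_CLIENT_SECRET }}"
        OAUTH_PROVIDER_NAME: Authentik
        # The SSO hostname is committed in clear while the Ingress hosts in this
        # repo substitute ${SECRET_DOMAIN}; harmless if intentional, noted for
        # consistency.
        OAUTH_WELLKNOWN_URL: https://sso.juno.moe/application/o/karakeep/.well-known/openid-configuration
        # NOTE(review): with this on, an OIDC identity whose email matches an
        # existing local account is linked to that account on first login with
        # no proof of ownership. It is only safe if Authentik is the sole
        # sign-in path and every email it asserts is verified; if local password
        # sign-in stays enabled, whoever can register an IdP account under a
        # victim's address takes over the victim's account. Prefer "false" once
        # existing accounts have been linked — confirm Karakeep's sign-in
        # settings in the HelmRelease (outside this view) first.
        OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING: "true"
  dataFrom:
    - extract:
        key: karakeep
# --------------------------------------------------------------------------------
# /kubernetes/apps/default/karakeep/app/kustomization.yaml
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
# --------------------------------------------------------------------------------
# /kubernetes/apps/default/karakeep/ks.yaml
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app karakeep
  namespace: flux-system
  # namespace: &namespace default
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Shared volsync component; APP and VOLSYNC_CAPACITY below are its inputs.
  components:
    - ../../../../components/volsync
  dependsOn:
    - name: rook-ceph-cluster
      namespace: flux-system
    - name: volsync
      namespace: flux-system
  interval: 1h
  path: ./kubernetes/apps/default/karakeep/app
  postBuild:
    substitute:
      APP: *app
      VOLSYNC_CAPACITY: 1Gi
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
    namespace: flux-system
  targetNamespace: default
  timeout: 5m
  wait: true
# --------------------------------------------------------------------------------
# /kubernetes/apps/default/kustomization.yaml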
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./namespace.yaml 6 | - ./atuin/ks.yaml 7 | - ./hajimari/ks.yaml 8 | - ./glance/ks.yaml 9 | - ./karakeep/ks.yaml 10 | - ./docmost/ks.yaml 11 | # - ./affine/ks.yaml # Waiting for stable version 12 | -------------------------------------------------------------------------------- /kubernetes/apps/default/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: default 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | -------------------------------------------------------------------------------- /kubernetes/apps/external/database/app/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | name: &app database 6 | namespace: external 7 | labels: 8 | app.kubernetes.io/name: *app 9 | app.kubernetes.io/instance: *app 10 | annotations: 11 | hajimari.io/icon: "simple-icons:database" 12 | nginx.ingress.kubernetes.io/backend-protocol: HTTPS 13 | spec: 14 | ingressClassName: internal 15 | rules: 16 | - host: &host database.${SECRET_DOMAIN} 17 | http: 18 | paths: 19 | - path: / 20 | pathType: Prefix 21 | backend: 22 | service: 23 | name: *app 24 | port: 25 | number: 443 26 | tls: 27 | - hosts: 28 | - *host 29 | -------------------------------------------------------------------------------- /kubernetes/apps/external/database/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./service.yaml 6 | - ./ingress.yaml 7 | -------------------------------------------------------------------------------- 
# /kubernetes/apps/external/database/app/service.yaml
# --------------------------------------------------------------------------------
---
# Selector-less Service fronting a host outside the cluster; the Endpoints
# object below supplies the address by hand.
apiVersion: v1
kind: Service
metadata:
  name: &app database
  namespace: external
  labels:
    app.kubernetes.io/name: *app
    app.kubernetes.io/instance: *app
spec:
  type: ClusterIP
  ports:
    - port: 443
      protocol: TCP
      # targetPort is not used for a selector-less Service: traffic goes to the
      # port listed in the manual Endpoints (12321 below), so this 443 is
      # misleading rather than effective.
      targetPort: 443

---
# NOTE(review): core/v1 Endpoints is the legacy API; discovery.k8s.io/v1
# EndpointSlice is the forward-compatible form for hand-maintained backends —
# still served today, so this is a migration note, not a breakage.
apiVersion: v1
kind: Endpoints
metadata:
  name: &app database
  namespace: external
  labels:
    app.kubernetes.io/name: *app
    app.kubernetes.io/instance: *app
subsets:
  - addresses:
      # NOTE(review): 192.168.69.104 lies inside the Cilium LoadBalancer IP pool
      # 192.168.69.0/24 declared in kube-system/cilium/config; nothing stops
      # Cilium allocating and L2-announcing this address for a Service, which
      # would hijack traffic meant for the database host. Keep static hosts out
      # of the pool range.
      - ip: 192.168.69.104
    ports:
      - port: 12321
# --------------------------------------------------------------------------------
# /kubernetes/apps/external/database/ks.yaml
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cluster-apps-external-database
  namespace: flux-system
spec:
  dependsOn:
    - name: ingress-nginx-internal
  path: ./kubernetes/apps/external/database/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  healthChecks:
    - apiVersion: v1
      kind: Service
      name: database
      namespace: external
  interval: 30m
  retryInterval: 1m
  timeout: 3m
# --------------------------------------------------------------------------------
# /kubernetes/apps/external/kustomization.yaml
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./namespace.yaml
  - ./truenas/ks.yaml
  - ./proxmox/ks.yaml
  - ./minio/ks.yaml
  # The database Ingress/Service above are not reconciled while this stays
  # commented out.
  #- ./database/ks.yaml
# --------------------------------------------------------------------------------
# /kubernetes/apps/external/minio/app/ingress.yaml
# --------------------------------------------------------------------------------
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: &app minio
  namespace: external
  labels:
    app.kubernetes.io/name: *app
    app.kubernetes.io/instance: *app
  annotations:
    hajimari.io/icon: "simple-icons:minio"
    # NOTE(review): TLS terminates at ingress-nginx; the hop from the node to
    # 192.168.3.3:9001 (the Endpoints below) is plain HTTP, so MinIO console
    # logins cross the LAN in cleartext. If the console can serve TLS, switch
    # this to HTTPS and consider proxy-ssl-verify with a CA secret; the
    # proxmox/truenas ingresses in this repo already use an HTTPS backend
    # (without upstream verification).
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
spec:
  # `internal` class: reachable only from wherever that controller is exposed —
  # the network perimeter is the only access control in front of the console.
  ingressClassName: internal
  rules:
    - host: &host minio.${SECRET_DOMAIN}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: *app
                port:
                  number: 443
  tls:
    # No secretName: relies on the controller's default certificate — presumably
    # configured on the `internal` class; confirm.
    - hosts:
        - *host
# --------------------------------------------------------------------------------
# /kubernetes/apps/external/minio/app/kustomization.yaml
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./service.yaml
  - ./ingress.yaml
# --------------------------------------------------------------------------------
# /kubernetes/apps/external/minio/app/service.yaml
# --------------------------------------------------------------------------------
---
apiVersion: v1
kind: Service
metadata:
  name: &app minio
  namespace: external
  labels:
    app.kubernetes.io/name: *app
    app.kubernetes.io/instance: *app
spec:
  type: ClusterIP
  ports:
    # Port 443 is only the in-cluster name; the backend is plain HTTP on 9001.
    - port: 443
      protocol: TCP
      targetPort: 9001

---
# See the Endpoints note on the database service: EndpointSlice is the
# forward-compatible API for hand-maintained addresses.
apiVersion: v1
kind: Endpoints
metadata:
  name: &app minio
  namespace: external
  labels:
    app.kubernetes.io/name: *app
    app.kubernetes.io/instance: *app
subsets:
  - addresses:
      - ip: 192.168.3.3
    ports:
      - port: 9001
-------------------------------------------------------------------------------- /kubernetes/apps/external/minio/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: cluster-apps-external-minio 7 | namespace: flux-system 8 | spec: 9 | dependsOn: 10 | - name: ingress-nginx-internal 11 | path: ./kubernetes/apps/external/minio/app 12 | prune: true 13 | sourceRef: 14 | kind: GitRepository 15 | name: home-kubernetes 16 | healthChecks: 17 | - apiVersion: v1 18 | kind: Service 19 | name: minio 20 | namespace: external 21 | interval: 30m 22 | retryInterval: 1m 23 | timeout: 3m 24 | -------------------------------------------------------------------------------- /kubernetes/apps/external/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: external 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | goldilocks.fairwinds.com/enabled: "true" 9 | -------------------------------------------------------------------------------- /kubernetes/apps/external/proxmox/app/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | name: &app proxmox 6 | namespace: external 7 | labels: 8 | app.kubernetes.io/name: *app 9 | app.kubernetes.io/instance: *app 10 | annotations: 11 | hajimari.io/icon: "simple-icons:proxmox" 12 | nginx.ingress.kubernetes.io/backend-protocol: HTTPS 13 | spec: 14 | ingressClassName: internal 15 | rules: 16 | - host: &host proxmox.${SECRET_DOMAIN} 17 | http: 18 | paths: 19 | - path: / 20 | pathType: Prefix 21 | backend: 22 | service: 23 | name: *app 24 | port: 25 | 
number: 443 26 | tls: 27 | - hosts: 28 | - *host 29 | -------------------------------------------------------------------------------- /kubernetes/apps/external/proxmox/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./service.yaml 6 | - ./ingress.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/external/proxmox/app/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: &app proxmox 6 | namespace: external 7 | labels: 8 | app.kubernetes.io/name: *app 9 | app.kubernetes.io/instance: *app 10 | spec: 11 | type: ClusterIP 12 | ports: 13 | - port: 443 14 | protocol: TCP 15 | targetPort: 8006 16 | 17 | --- 18 | apiVersion: v1 19 | kind: Endpoints 20 | metadata: 21 | name: &app proxmox 22 | namespace: external 23 | labels: 24 | app.kubernetes.io/name: *app 25 | app.kubernetes.io/instance: *app 26 | subsets: 27 | - addresses: 28 | - ip: 192.168.69.80 29 | ports: 30 | - port: 8006 31 | -------------------------------------------------------------------------------- /kubernetes/apps/external/proxmox/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: cluster-apps-external-proxmox 7 | namespace: flux-system 8 | spec: 9 | dependsOn: 10 | - name: ingress-nginx-internal 11 | path: ./kubernetes/apps/external/proxmox/app 12 | prune: true 13 | sourceRef: 14 | kind: GitRepository 15 | name: home-kubernetes 16 | healthChecks: 17 | - apiVersion: v1 18 | kind: Service 19 | name: proxmox 20 | namespace: 
external 21 | interval: 30m 22 | retryInterval: 1m 23 | timeout: 3m 24 | -------------------------------------------------------------------------------- /kubernetes/apps/external/truenas/app/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | name: &app truenas 6 | namespace: external 7 | labels: 8 | app.kubernetes.io/name: *app 9 | app.kubernetes.io/instance: *app 10 | annotations: 11 | hajimari.io/icon: "simple-icons:truenas" 12 | nginx.ingress.kubernetes.io/backend-protocol: HTTPS 13 | spec: 14 | ingressClassName: internal 15 | rules: 16 | - host: &host truenas.${SECRET_DOMAIN} 17 | http: 18 | paths: 19 | - path: / 20 | pathType: Prefix 21 | backend: 22 | service: 23 | name: *app 24 | port: 25 | number: 443 26 | tls: 27 | - hosts: 28 | - *host 29 | -------------------------------------------------------------------------------- /kubernetes/apps/external/truenas/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./service.yaml 6 | - ./ingress.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/external/truenas/app/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: &app truenas 6 | namespace: external 7 | labels: 8 | app.kubernetes.io/name: *app 9 | app.kubernetes.io/instance: *app 10 | spec: 11 | type: ClusterIP 12 | ports: 13 | - port: 443 14 | protocol: TCP 15 | targetPort: 443 16 | 17 | --- 18 | apiVersion: v1 19 | kind: Endpoints 20 | metadata: 21 | name: &app truenas 22 | namespace: external 23 | labels: 24 | app.kubernetes.io/name: *app 25 | app.kubernetes.io/instance: *app 26 | subsets: 27 | - addresses: 28 | - ip: 
192.168.69.69 29 | ports: 30 | - port: 443 31 | -------------------------------------------------------------------------------- /kubernetes/apps/external/truenas/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: cluster-apps-external-truenas 7 | namespace: flux-system 8 | spec: 9 | dependsOn: 10 | - name: ingress-nginx-internal 11 | path: ./kubernetes/apps/external/truenas/app 12 | prune: true 13 | sourceRef: 14 | kind: GitRepository 15 | name: home-kubernetes 16 | healthChecks: 17 | - apiVersion: v1 18 | kind: Service 19 | name: truenas 20 | namespace: external 21 | interval: 30m 22 | retryInterval: 1m 23 | timeout: 3m 24 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./namespace.yaml 6 | - ./webhooks/ks.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: flux-system 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/webhooks/app/github/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: github-webhook-token 6 | spec: 7 | secretStoreRef: 8 | 
kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: github-webhook-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | token: "{{ .FLUX_GITHUB_WEBHOOK_TOKEN }}" 17 | dataFrom: 18 | - extract: 19 | key: flux 20 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | name: flux-webhook 6 | annotations: 7 | gatus.io/status-code: "404" 8 | spec: 9 | ingressClassName: external 10 | rules: 11 | - host: "flux-webhook.${SECRET_DOMAIN}" 12 | http: 13 | paths: 14 | - path: /hook/ 15 | pathType: Prefix 16 | backend: 17 | service: 18 | name: webhook-receiver 19 | port: 20 | number: 80 21 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./ingress.yaml 7 | - ./receiver.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/webhooks/app/github/receiver.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: notification.toolkit.fluxcd.io/v1 3 | kind: Receiver 4 | metadata: 5 | name: github-receiver 6 | spec: 7 | type: github 8 | events: 9 | - ping 10 | - push 11 | secretRef: 12 | name: github-webhook-secret 13 | resources: 14 | - apiVersion: source.toolkit.fluxcd.io/v1 15 | kind: GitRepository 16 | name: home-kubernetes 17 | namespace: flux-system 18 | - apiVersion: kustomize.toolkit.fluxcd.io/v1 19 | kind: Kustomization 20 | name: cluster 21 | 
namespace: flux-system 22 | - apiVersion: kustomize.toolkit.fluxcd.io/v1 23 | kind: Kustomization 24 | name: cluster-apps 25 | namespace: flux-system 26 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/webhooks/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./github 6 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/webhooks/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app flux-webhooks 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: flux-system 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | path: ./kubernetes/apps/flux-system/webhooks/app 13 | prune: true 14 | sourceRef: 15 | kind: GitRepository 16 | name: home-kubernetes 17 | wait: true 18 | interval: 30m 19 | timeout: 5m 20 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/app/helm-values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | autoDirectNodeRoutes: true 3 | bpf: 4 | masquerade: false # Required for Talos `.machine.features.hostDNS.forwardKubeDNSToHost` 5 | cgroup: 6 | automount: 7 | enabled: false 8 | hostRoot: /sys/fs/cgroup 9 | cluster: 10 | id: 1 11 | name: "home-kubernetes" 12 | cni: 13 | exclusive: false 14 | # NOTE: devices might need to be set if you have more than one active NIC on your hosts 15 | # devices: eno+ eth+ 16 | endpointRoutes: 17 | enabled: true 18 | envoy: 19 | enabled: false 20 | hubble: 21 | enabled: false 22 | ipam: 23 | mode: kubernetes 24 | ipv4NativeRoutingCIDR: "10.69.0.0/16" 25 | k8sServiceHost: 
127.0.0.1 # presumably the node-local API proxy (Talos KubePrism on 7445) — confirm against the Talos machine config
k8sServicePort: 7445
kubeProxyReplacement: true
# NOTE(review): binds the kube-proxy-replacement healthz on every node interface,
# so it is reachable from the LAN, not just localhost. Unauthenticated and
# read-only, but restrict it with a host firewall if nodes share a segment
# with untrusted hosts.
kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
# L2 announcement: nodes answer ARP for LoadBalancer IPs from the pool in
# config/cilium-l2.yaml; see the pool note there.
l2announcements:
  enabled: true
loadBalancer:
  algorithm: maglev
  mode: "dsr"
localRedirectPolicy: true
operator:
  replicas: 1
  rollOutPods: true
rollOutCiliumPods: true
routingMode: native
# Capability set for the agent. SYS_ADMIN + NET_ADMIN on the host network is
# effectively node-root; this matches what the upstream chart documents for a
# non-privileged agent, and cannot be reduced without breaking datapath setup.
securityContext:
  capabilities:
    ciliumAgent:
      - CHOWN
      - KILL
      - NET_ADMIN
      - NET_RAW
      - IPC_LOCK
      - SYS_ADMIN
      - SYS_RESOURCE
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    cleanCiliumState:
      - NET_ADMIN
      - SYS_ADMIN
      - SYS_RESOURCE
socketLB:
  hostNamespaceOnly: true
# --------------------------------------------------------------------------------
# /kubernetes/apps/kube-system/cilium/app/kustomization.yaml
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: cilium-helm-values
    files:
      - values.yaml=./helm-values.yaml
configurations:
  - kustomizeconfig.yaml
# --------------------------------------------------------------------------------
# /kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml
# --------------------------------------------------------------------------------
---
# Lets kustomize rewrite spec.valuesFrom.name on the HelmRelease when the
# generated ConfigMap gets its hash suffix.
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
# --------------------------------------------------------------------------------
# /kubernetes/apps/kube-system/cilium/config/cilium-l2.yaml
# --------------------------------------------------------------------------------
---
# https://docs.cilium.io/en/latest/network/l2-announcements
apiVersion: cilium.io/v2alpha1
kind: CiliumL2AnnouncementPolicy
metadata:
  name: l2-policy
spec:
  loadBalancerIPs: true
  # NOTE: interfaces might need to be set if you have more than one active NIC on your hosts
  # interfaces:
  # - ^eno[0-9]+
  # - ^eth[0-9]+
  nodeSelector:
    matchLabels:
      kubernetes.io/os: linux
---
apiVersion: cilium.io/v2alpha1
kind: CiliumLoadBalancerIPPool
metadata:
  name: l2-pool
spec:
  # With a /24 block this also makes .0 and .255 (network/broadcast on a
  # classic /24 LAN) assignable; safe only if the pool is a sub-range.
  allowFirstLastIPs: "Yes"
  blocks:
    # NOTE(review): this is the entire 192.168.69.0/24 LAN, and the external
    # Endpoints in this repo already live inside it (192.168.69.104 database,
    # 192.168.69.80 proxmox, 192.168.69.69 truenas). Cilium allocates from the
    # pool without probing the wire, so a LoadBalancer Service can be handed an
    # address a physical host already owns and L2 announcement will then answer
    # ARP for it — a silent hijack of that host's traffic. Carve a dedicated
    # sub-range (a narrower cidr, or explicit start/stop bounds) that no static
    # host uses; the right range is not visible from this repo.
    - cidr: "192.168.69.0/24"
# --------------------------------------------------------------------------------
# /kubernetes/apps/kube-system/cilium/config/kustomization.yaml
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./cilium-l2.yaml
# --------------------------------------------------------------------------------
# /kubernetes/apps/kube-system/cilium/ks.yaml
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app cilium
  namespace: flux-system
spec:
  targetNamespace: kube-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/kube-system/cilium/app
  prune: false # never should be deleted
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: true
  interval: 30m
  timeout: 5m
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app cilium-config
  namespace: flux-system
spec:
  targetNamespace: kube-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: cilium
  path: ./kubernetes/apps/kube-system/cilium/config
  prune: false # never should be deleted
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: false
  interval: 30m
  timeout: 5m
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/app/helm-values.yaml: --------------------------------------------------------------------------------
---
# Helm values for the coredns chart. The sibling kustomization.yaml packs this file
# into the coredns-helm-values ConfigMap that the HelmRelease consumes via valuesFrom.
fullnameOverride: coredns
k8sAppLabelOverride: kube-dns
serviceAccount:
  create: true
service:
  name: kube-dns
  # Pinned ClusterIP; presumably the address kubelets are configured with as cluster DNS — confirm against the node config.
  clusterIP: "10.96.0.10"
replicaCount: 2
servers:
  - zones:
      - zone: .
        scheme: dns://
        use_tcp: true
    port: 53
    plugins:
      - name: errors
      - name: health
        configBlock: |-
          lameduck 5s
      - name: ready
      - name: log
        configBlock: |-
          class error
      - name: prometheus
        parameters: 0.0.0.0:9153
      - name: kubernetes
        parameters: cluster.local in-addr.arpa ip6.arpa
        # NOTE(review): `pods insecure` answers <a-b-c-d>.<ns>.pod.cluster.local with an A
        # record built from the name, without checking that such a Pod exists; the CoreDNS
        # docs keep it only for kube-dns compatibility and flag it as abusable together with
        # wildcard TLS certificates. `pods verified` (or `pods disabled` if nothing relies on
        # pod records) is the safer setting, at the cost of a Pod watch.
        configBlock: |-
          pods insecure
          fallthrough in-addr.arpa ip6.arpa
      - name: forward
        # Anything not answered by the cluster zones is forwarded to the node's resolvers.
        parameters: . /etc/resolv.conf
      - name: cache
        parameters: 30
      - name: loop
      - name: reload
      - name: loadbalance
# Schedule only on control-plane nodes: the affinity requires the role label and the
# tolerations admit the control-plane / CriticalAddonsOnly taints.
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: node-role.kubernetes.io/control-plane
              operator: Exists
tolerations:
  - key: CriticalAddonsOnly
    operator: Exists
  - key: node-role.kubernetes.io/control-plane
    operator: Exists
    effect: NoSchedule
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/app/helmrelease.yaml: --------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: coredns
spec:
  interval: 1h
  chart:
    spec:
      chart: coredns
      # Chart version is pinned; values come from the generated ConfigMap (see valuesFrom below).
      version: 1.42.2
      sourceRef:
        kind: HelmRepository
        name: coredns
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
cleanupOnFail: true 21 | remediation: 22 | strategy: rollback 23 | retries: 3 24 | valuesFrom: 25 | - kind: ConfigMap 26 | name: coredns-helm-values 27 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | configMapGenerator: 7 | - name: coredns-helm-values 8 | files: 9 | - values.yaml=./helm-values.yaml 10 | configurations: 11 | - kustomizeconfig.yaml 12 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app coredns 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: kube-system 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | path: ./kubernetes/apps/kube-system/coredns/app 13 | prune: false # never should be deleted 14 | sourceRef: 15 | kind: GitRepository 16 | name: home-kubernetes 17 | wait: false 18 | interval: 30m 19 | timeout: 5m 20 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/external-secrets/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/axeII/crds/main/helmrelease_v2beta1.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: external-secrets 7 | namespace: kube-system 8 | spec: 9 | interval: 15m 10 | chart: 11 | spec: 12 | chart: external-secrets 13 | version: 0.17.0 14 | sourceRef: 15 | kind: HelmRepository 16 | name: external-secrets 17 | namespace: flux-system 18 | interval: 15m 19 | maxHistory: 3 20 | install: 21 | createNamespace: true 22 | remediation: 23 | retries: 3 24 | upgrade: 25 | cleanupOnFail: true 26 | remediation: 27 | retries: 3 28 | uninstall: 29 | keepHistory: false 30 | values: 31 | installCRDs: true 32 | replicaCount: 1 33 | leaderElect: true 34 | serviceMonitor: 35 | enabled: true 36 | interval: 1m 37 | webhook: 38 | serviceMonitor: 39 | enabled: true 40 | interval: 1m 41 | certController: 42 | serviceMonitor: 43 | enabled: true 44 | interval: 1m 45 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/external-secrets/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/external-secrets/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: cluster-apps-external-secrets 7 | namespace: flux-system 8 | spec: 9 | path: ./kubernetes/apps/kube-system/external-secrets/app 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: home-kubernetes 14 | wait: true 15 | interval: 30m 16 | 
retryInterval: 1m
timeout: 5m
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cluster-apps-external-secrets-stores
  namespace: flux-system
spec:
  # Applied only after the operator Kustomization is ready (presumably so the store CRDs exist first).
  dependsOn:
    - name: cluster-apps-external-secrets
  path: ./kubernetes/apps/kube-system/external-secrets/stores
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: true
  interval: 30m
  retryInterval: 1m
  timeout: 5m
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/external-secrets/stores/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/axeII/crds/main/kustomization_v1.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
  - ./onepassword
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/external-secrets/stores/onepassword/clustersecretstore.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/axeII/crds/main/clustersecretstore_v1beta1.json
# NOTE(review): the schema hint above is for v1beta1 while the resource is external-secrets.io/v1.
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: onepassword-connect
  # NOTE(review): ClusterSecretStore is cluster-scoped; this namespace field is ignored
  # by the API server and can be dropped.
  namespace: kube-system
spec:
  # NOTE(review): a ClusterSecretStore can be referenced by an ExternalSecret in any
  # namespace, so every namespace in the cluster can pull items from the vault below.
  # If that is not intended, add `spec.conditions` (namespaces / namespaceSelector)
  # to restrict which namespaces may use this store.
  provider:
    onepassword:
      # Plain HTTP to the in-cluster Connect service: the bearer token referenced below
      # crosses that hop unencrypted, so this relies on the pod network being trusted.
      connectHost: http://onepassword-connect.kube-system.svc.cluster.local
      vaults:
        home-ops: 1
      auth:
        secretRef:
          connectTokenSecretRef:
            name: onepassword-connect-secret
            key: token
            # Needed on a cluster-scoped store: names the namespace holding the token Secret.
            namespace: kube-system
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/axeII/crds/main/kustomization_v1.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
  - ./clustersecretstore.yaml
  - ./helmrelease.yaml
  # Stored SOPS-encrypted in git; presumably decrypted by Flux at apply time — confirm the
  # Kustomization's decryption settings.
  - ./secret.sops.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml: --------------------------------------------------------------------------------
---
# Values for the kubelet-csr-approver chart (auto-approval of kubelet serving-certificate CSRs).
# NOTE(review): keep this regex fully anchored (^…$). Without the trailing `$` a node named
# e.g. `k8s-10` would be accepted by the `k8s-1` alternative. New nodes must be added here
# explicitly before their CSRs are approved.
providerRegex: ^(k8s-0|k8s-1|k8s-2)$
# NOTE(review): with DNS resolution bypassed the approver no longer cross-checks the IP
# SANs in a CSR against what the node name resolves to, so the allow-list above is the
# main control on which CSRs get approved. Presumably set because node names are not
# resolvable from inside the cluster — confirm that is still the case.
bypassDnsResolution: true
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml: --------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: kubelet-csr-approver
spec:
  interval: 1h
  chart:
    spec:
      chart: kubelet-csr-approver
      version: 1.2.10
      sourceRef:
        kind: HelmRepository
        name: postfinance
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  # Provider regex / DNS settings come from the ConfigMap generated from helm-values.yaml.
  valuesFrom:
    - kind: ConfigMap
      name: kubelet-csr-approver-helm-values
  values:
    metrics:
      enable: true
      serviceMonitor:
        enabled: true
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion:
kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | configMapGenerator: 7 | - name: kubelet-csr-approver-helm-values 8 | files: 9 | - values.yaml=./helm-values.yaml 10 | configurations: 11 | - kustomizeconfig.yaml 12 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app kubelet-csr-approver 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: kube-system 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | path: ./kubernetes/apps/kube-system/kubelet-csr-approver/app 13 | prune: false # never should be deleted 14 | sourceRef: 15 | kind: GitRepository 16 | name: home-kubernetes 17 | wait: false 18 | interval: 30m 19 | timeout: 5m 20 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./namespace.yaml 6 | - ./cilium/ks.yaml 7 | - ./coredns/ks.yaml 8 | - ./metrics-server/ks.yaml 9 | - ./reloader/ks.yaml 10 | - ./kubelet-csr-approver/ks.yaml 11 | - ./spegel/ks.yaml 12 | - ./external-secrets/ks.yaml 13 | - ./local-path-provisioner/ks.yaml 14 | - ./nvidia-device-plugin/ks.yaml 15 | 
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/local-path-provisioner/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: kube-system 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/local-path-provisioner/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app local-path-provisioner 6 | namespace: flux-system 7 | labels: 8 | substitution.flux.home.arpa/disabled: "true" 9 | spec: 10 | targetNamespace: kube-system 11 | path: ./kubernetes/apps/kube-system/local-path-provisioner/app 12 | prune: true 13 | sourceRef: 14 | kind: GitRepository 15 | name: home-kubernetes 16 | healthChecks: 17 | - apiVersion: helm.toolkit.fluxcd.io/v2beta1 18 | kind: HelmRelease 19 | name: *app 20 | namespace: kube-system 21 | interval: 30m 22 | retryInterval: 1m 23 | timeout: 3m 24 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: metrics-server 6 | spec: 7 | interval: 1h 8 | chart: 9 | spec: 10 | chart: metrics-server 11 | version: 3.12.2 12 | sourceRef: 13 | kind: HelmRepository 14 | name: metrics-server 15 | namespace: flux-system 16 | install: 17 | remediation: 18 | retries: 3 19 | upgrade: 20 | cleanupOnFail: true 21 | remediation: 22 | retries: 3 23 | values: 24 | args: 25 | - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname 26 | - 
--kubelet-use-node-status-port 27 | - --metric-resolution=15s 28 | metrics: 29 | enabled: true 30 | serviceMonitor: 31 | enabled: true 32 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/metrics-server/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app metrics-server 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: kube-system 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | path: ./kubernetes/apps/kube-system/metrics-server/app 13 | prune: true 14 | sourceRef: 15 | kind: GitRepository 16 | name: home-kubernetes 17 | wait: false 18 | interval: 30m 19 | timeout: 5m 20 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: kube-system 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/nvidia-device-plugin/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | # https://github.com/NVIDIA/k8s-device-plugin 2 | # Possibly switch to https://github.com/NVIDIA/gpu-operator 3 | --- 4 | apiVersion: helm.toolkit.fluxcd.io/v2 5 | kind: HelmRelease 6 | metadata: 7 | name: nvidia-device-plugin 8 | 
namespace: kube-system
spec:
  interval: 15m
  chart:
    spec:
      # renovate: registryUrl=https://nvidia.github.io/k8s-device-plugin
      chart: nvidia-device-plugin
      version: 0.17.1
      sourceRef:
        kind: HelmRepository
        name: nvidia-device-plugin
        namespace: flux-system
      interval: 15m
  # https://github.com/NVIDIA/k8s-device-plugin/blob/main/deployments/helm/nvidia-device-plugin/values.yaml
  values:
    image:
      repository: nvcr.io/nvidia/k8s-device-plugin
      # NOTE(review): image tag v0.17.2 is ahead of the chart version 0.17.1 above, so the
      # plugin binary and the chart's manifests are not from the same release. Pin both to
      # one version, or drop this override and take the chart's default image so a single
      # renovate bump moves them together.
      tag: v0.17.2
    # RuntimeClass declared in ./runtimeclass.yaml.
    runtimeClassName: nvidia
    # Only schedule on nodes carrying this custom label (presumably set by node-feature-discovery — confirm).
    nodeSelector:
      feature.node.kubernetes.io/custom-nvidia-gpu: "true"
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/nvidia-device-plugin/app/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./runtimeclass.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/nvidia-device-plugin/app/runtimeclass.yaml: --------------------------------------------------------------------------------
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: nvidia
# The handler name must match the runtime configured in containerd on the GPU nodes — not visible here, confirm.
handler: nvidia
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/nvidia-device-plugin/ks.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cluster-apps-nvidia
  namespace: flux-system
spec:
  path: ./kubernetes/apps/kube-system/nvidia-device-plugin/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  healthChecks:
    # NOTE(review): the HelmRelease under ./app is helm.toolkit.fluxcd.io/v2; this health
    # check still targets the deprecated v2beta1 API and should be aligned to
    # `apiVersion: helm.toolkit.fluxcd.io/v2`.
    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
      kind: HelmRelease
16 | name: nvidia-device-plugin 17 | namespace: kube-system 18 | interval: 30m 19 | retryInterval: 1m 20 | timeout: 3m 21 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/reloader/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: reloader 6 | spec: 7 | interval: 1h 8 | chart: 9 | spec: 10 | chart: reloader 11 | version: 2.1.3 12 | sourceRef: 13 | kind: HelmRepository 14 | name: stakater 15 | namespace: flux-system 16 | install: 17 | remediation: 18 | retries: 3 19 | upgrade: 20 | cleanupOnFail: true 21 | remediation: 22 | retries: 3 23 | values: 24 | fullnameOverride: reloader 25 | reloader: 26 | readOnlyRootFileSystem: true 27 | podMonitor: 28 | enabled: true 29 | namespace: "{{ .Release.Namespace }}" 30 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/reloader/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/reloader/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app reloader 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: kube-system 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | path: ./kubernetes/apps/kube-system/reloader/app 13 | prune: true 14 | sourceRef: 15 | kind: GitRepository 16 | name: home-kubernetes 17 | wait: false 18 | interval: 30m 19 | timeout: 5m 20 | 
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/app/helm-values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | spegel: 3 | containerdSock: /run/containerd/containerd.sock 4 | containerdRegistryConfigPath: /etc/cri/conf.d/hosts 5 | service: 6 | registry: 7 | hostPort: 29999 8 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: spegel 6 | spec: 7 | interval: 1h 8 | chart: 9 | spec: 10 | chart: spegel 11 | version: 0.2.0 12 | sourceRef: 13 | kind: HelmRepository 14 | name: spegel 15 | namespace: flux-system 16 | install: 17 | remediation: 18 | retries: 3 19 | upgrade: 20 | cleanupOnFail: true 21 | remediation: 22 | retries: 3 23 | valuesFrom: 24 | - kind: ConfigMap 25 | name: spegel-helm-values 26 | values: 27 | grafanaDashboard: 28 | enabled: true 29 | serviceMonitor: 30 | enabled: true 31 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | configMapGenerator: 7 | - name: spegel-helm-values 8 | files: 9 | - values.yaml=./helm-values.yaml 10 | configurations: 11 | - kustomizeconfig.yaml 12 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - 
path: spec/valuesFrom/name
kind: HelmRelease
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/ks.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app spegel
  namespace: flux-system
spec:
  targetNamespace: kube-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/kube-system/spegel/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: false
  interval: 30m
  timeout: 5m
-------------------------------------------------------------------------------- /kubernetes/apps/kyverno/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./namespace.yaml
  - ./kyverno/ks.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml: --------------------------------------------------------------------------------
---
# Kyverno policy engine. The rbac.*.extraResources blocks below extend the chart's
# per-controller ClusterRoles; a separate, much broader binding lives in rbac.yaml.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: &app kyverno
spec:
  interval: 1h
  chart:
    spec:
      chart: kyverno
      version: 3.4.1
      sourceRef:
        kind: HelmRepository
        name: kyverno
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  values:
    crds:
      install: true
    grafana:
      enabled: true
    admissionController:
      # Three webhook replicas (presumably for HA of the admission path — confirm the PDB/anti-affinity defaults).
      replicas: 3
      rbac:
        clusterRole:
          # Extra cluster-wide verbs on Pods for the admission controller's ClusterRole; keep this list minimal.
          extraResources:
            - apiGroups:
                - ""
              resources:
                - pods
              verbs:
                - create
                - update
                - delete
      serviceMonitor:
        enabled: true
    backgroundController:
      rbac:
        clusterRole:
          # Extra cluster-wide verbs on Pods for the background controller's ClusterRole.
          extraResources:
            - apiGroups:
                - ""
              resources:
                - pods
              verbs:
                - create
                - update
                - patch
                - delete
                - get
                - list
      resources:
        requests:
          cpu: 100m
        limits:
          memory: 1Gi
      serviceMonitor:
        enabled: true
    cleanupController:
      serviceMonitor:
        enabled: true
    reportsController:
      serviceMonitor:
        enabled: true
-------------------------------------------------------------------------------- /kubernetes/apps/kyverno/kyverno/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kyverno
resources:
  - ./helmrelease.yaml
  - ./rbac.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/kyverno/kyverno/app/rbac.yaml: --------------------------------------------------------------------------------
---
# NOTE(review): this binds the built-in `admin` ClusterRole cluster-wide (a ClusterRoleBinding,
# not a RoleBinding) to a single service account. `admin` includes read/write on Secrets and
# on Roles/RoleBindings in every namespace — far more than the Pod verbs the HelmRelease already
# grants through rbac.clusterRole.extraResources. Prefer extending extraResources (or a
# purpose-built ClusterRole) to exactly the resources the policies generate or mutate.
# NOTE(review): the Kyverno 3.x chart names its service accounts per controller (e.g.
# kyverno-background-controller), so confirm a ServiceAccount literally named `kyverno` exists
# in the kyverno namespace; if it does not, this binding is dangling today and would grant
# `admin` to anything created later under that name.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno:admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
  - kind: ServiceAccount
    name: kyverno
    namespace: kyverno
-------------------------------------------------------------------------------- /kubernetes/apps/kyverno/kyverno/ks.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app kyverno
8 | namespace: flux-system 9 | spec: 10 | targetNamespace: kyverno 11 | path: ./kubernetes/apps/kyverno/kyverno/app 12 | prune: true 13 | sourceRef: 14 | kind: GitRepository 15 | name: home-kubernetes 16 | healthChecks: 17 | - apiVersion: helm.toolkit.fluxcd.io/v2beta1 18 | kind: HelmRelease 19 | name: kyverno 20 | namespace: kyverno 21 | interval: 30m 22 | retryInterval: 1m 23 | timeout: 3m 24 | --- 25 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 26 | apiVersion: kustomize.toolkit.fluxcd.io/v1 27 | kind: Kustomization 28 | metadata: 29 | name: &app kyverno-policies 30 | namespace: flux-system 31 | spec: 32 | targetNamespace: kyverno 33 | dependsOn: 34 | - name: kyverno 35 | path: ./kubernetes/apps/kyverno/kyverno/policies 36 | prune: true 37 | sourceRef: 38 | kind: GitRepository 39 | name: home-kubernetes 40 | wait: true 41 | interval: 30m 42 | retryInterval: 1m 43 | timeout: 3m 44 | -------------------------------------------------------------------------------- /kubernetes/apps/kyverno/kyverno/policies/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kyverno.io/v1 3 | kind: ClusterPolicy 4 | metadata: 5 | name: &name ingress 6 | annotations: 7 | policies.kyverno.io/title: Add Ingress annotations 8 | policies.kyverno.io/category: Ingress 9 | policies.kyverno.io/severity: low 10 | policies.kyverno.io/subject: Ingress 11 | policies.kyverno.io/description: >- 12 | This policy will automatically add external-dns annotations to Ingresses 13 | based on the ingressClassName. 
14 | pod-policies.kyverno.io/autogen-controllers: none 15 | spec: 16 | rules: 17 | - name: *name 18 | match: 19 | any: 20 | - resources: 21 | kinds: 22 | - Ingress 23 | context: 24 | - name: INGRESS_CLASS_NAME 25 | variable: 26 | value: "{{ request.object.spec.ingressClassName }}" 27 | jmesPath: "to_string(@)" 28 | mutate: 29 | patchStrategicMerge: 30 | metadata: 31 | annotations: 32 | external-dns.alpha.kubernetes.io/target: "{{ INGRESS_CLASS_NAME }}.${SECRET_DOMAIN}" 33 | -------------------------------------------------------------------------------- /kubernetes/apps/kyverno/kyverno/policies/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./limits.yaml 7 | - ./gatus.yaml 8 | - ./ingress.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/apps/kyverno/kyverno/policies/limits.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kyverno.io/v1 3 | kind: ClusterPolicy 4 | metadata: 5 | name: limits 6 | annotations: 7 | policies.kyverno.io/title: Remove CPU limits 8 | policies.kyverno.io/category: Best Practices 9 | policies.kyverno.io/severity: medium 10 | policies.kyverno.io/subject: Pod 11 | policies.kyverno.io/description: >- 12 | This policy removes CPU limits from all Pods. 
13 | pod-policies.kyverno.io/autogen-controllers: none 14 | spec: 15 | rules: 16 | - name: remove-containers-cpu-limits 17 | match: 18 | any: 19 | - resources: 20 | kinds: 21 | - Pod 22 | mutate: 23 | foreach: 24 | - list: request.object.spec.containers 25 | patchesJson6902: |- 26 | - path: /spec/containers/{{elementIndex}}/resources/limits/cpu 27 | op: remove 28 | - name: delete-initcontainers-cpu-limits 29 | match: 30 | any: 31 | - resources: 32 | kinds: 33 | - Pod 34 | preconditions: 35 | all: 36 | - key: "{{ request.object.spec.initContainers[] || `[]` | length(@) }}" 37 | operator: GreaterThanOrEquals 38 | value: 1 39 | mutate: 40 | foreach: 41 | - list: request.object.spec.initContainers 42 | patchesJson6902: |- 43 | - path: /spec/initContainers/{{elementIndex}}/resources/limits/cpu 44 | op: remove 45 | -------------------------------------------------------------------------------- /kubernetes/apps/kyverno/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: kyverno 6 | labels: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | -------------------------------------------------------------------------------- /kubernetes/apps/media/flaresolverr/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: &app flaresolverr 6 | spec: 7 | interval: 15m 8 | chart: 9 | spec: 10 | chart: app-template 11 | version: 3.7.3 12 | sourceRef: 13 | kind: HelmRepository 14 | name: bjw-s 15 | namespace: flux-system 16 | install: 17 | createNamespace: true 18 | remediation: 19 | retries: 3 20 | remediateLastFailure: true 21 | upgrade: 22 | remediation: 23 | retries: 3 24 | remediateLastFailure: true 25 | values: 26 | controllers: 27 | flaresolverr: 28 | replicas: 1 29 | strategy: RollingUpdate 30 | annotations: 31 | 
reloader.stakater.com/auto: "true"
32 | containers:
33 | app:
34 | image:
# Pinned to a tag, not a digest. Tags are mutable at the registry, so a digest
# pin (repository@sha256:<digest>) is the stronger supply-chain control;
# automated bump tooling keeps digest pins workable.
35 | repository: ghcr.io/flaresolverr/flaresolverr
36 | tag: v3.3.21
# Requests only — no limits, consistent with the Kyverno limits policy.
# No securityContext is set in these values, so the chart defaults apply —
# NOTE(review): confirm the pod runs non-root without added capabilities.
37 | resources:
38 | requests:
39 | cpu: 15m
40 | memory: 150Mi
41 | service:
42 | app:
43 | controller: *app
# ClusterIP only and no Ingress is defined for this app here (the kustomization
# below lists only the HelmRelease); FlareSolverr has no authentication of its
# own, so in-cluster reachability of this Service is the access control.
44 | type: ClusterIP
45 | ports:
46 | http:
47 | port: 8191
48 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/flaresolverr/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./helmrelease.yaml
6 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/flaresolverr/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: &app flaresolverr
6 | namespace: flux-system
7 | spec:
8 | targetNamespace: media
9 | commonMetadata:
10 | labels:
11 | app.kubernetes.io/name: *app
12 | path: ./kubernetes/apps/media/flaresolverr/app
# prune: true — objects removed from Git are deleted from the cluster.
13 | prune: true
14 | sourceRef:
15 | kind: GitRepository
16 | name: home-kubernetes
# wait: false — this Kustomization reports Ready before the HelmRelease is
# healthy; nothing in this listing depends on flaresolverr, so that is harmless.
17 | wait: false
18 | interval: 30m
19 | retryInterval: 1m
20 | timeout: 5m
21 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/komga/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./helmrelease.yaml
# ./volsync.yaml is presumably a VolSync backup object for komga's data
# (contents not shown in this listing).
6 | - ./volsync.yaml
7 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/komga/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server:
$schema=https://lds-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
3 | apiVersion: kustomize.toolkit.fluxcd.io/v1
4 | kind: Kustomization
5 | metadata:
6 | name: &app komga
7 | namespace: flux-system
8 | spec:
9 | targetNamespace: media
10 | commonMetadata:
11 | labels:
12 | app.kubernetes.io/name: *app
13 | path: ./kubernetes/apps/media/komga/app
14 | prune: true
15 | sourceRef:
16 | kind: GitRepository
17 | name: home-kubernetes
# NOTE(review): komga's app kustomization includes ./volsync.yaml, yet unlike
# overseerr and tautulli this Kustomization declares no dependsOn on volsync or
# rook-ceph-cluster and no volsync component; with wait: false the first
# reconcile can race the VolSync CRDs / StorageClass — confirm this is intended.
18 | wait: false # no flux ks dependents
19 | interval: 30m
20 | retryInterval: 1m
21 | timeout: 5m
22 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
# Entry point for the media namespace: the Namespace plus one Flux
# Kustomization per app.
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./namespace.yaml
6 | - ./plex/ks.yaml
7 | - ./radarr/ks.yaml
8 | - ./sonarr/ks.yaml
9 | - ./sabnzbd/ks.yaml
10 | - ./prowlarr/ks.yaml
11 | - ./flaresolverr/ks.yaml
12 | - ./unpackerr/ks.yaml
13 | - ./recyclarr/ks.yaml
14 | - ./komga/ks.yaml
15 | - ./tautulli/ks.yaml
16 | - ./overseerr/ks.yaml
17 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/namespace.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 | name: media
6 | labels:
# Only the Flux prune guard is set. No pod-security.kubernetes.io/* labels are
# present, so Pod Security Admission does not constrain this namespace; if none
# of the media workloads need privileged access, an enforce label at
# baseline/restricted is a cheap guardrail.
7 | kustomize.toolkit.fluxcd.io/prune: disabled
8 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/overseerr/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./helmrelease.yaml
6 | - ./pvc.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/media/overseerr/app/pvc.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: PersistentVolumeClaim
4 | metadata:
# No metadata.namespace here: the Flux Kustomization's targetNamespace (media)
# places it.
5 | name: overseerr-cache
6 | spec:
7 | accessModes: ["ReadWriteOnce"]
8 | resources:
9 | requests:
10 | storage: 5Gi
11 | storageClassName: ceph-block
12 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/overseerr/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: &app overseerr
6 | namespace: flux-system
7 | # namespace: &namespace media
8 | spec:
9 | commonMetadata:
10 | labels:
11 | app.kubernetes.io/name: *app
# The shared volsync component is templated from the APP and VOLSYNC_CAPACITY
# substitutions below (component contents are not shown in this listing).
12 | components:
13 | - ../../../../components/volsync
# Ordering: the StorageClass and the VolSync CRDs must exist before this
# Kustomization applies its PVC and backup objects.
14 | dependsOn:
15 | - name: rook-ceph-cluster
16 | namespace: flux-system
17 | - name: volsync
18 | namespace: flux-system
19 | interval: 1h
20 | path: ./kubernetes/apps/media/overseerr/app
21 | postBuild:
22 | substitute:
23 | APP: *app
24 | VOLSYNC_CAPACITY: 3Gi
# prune: true — anything removed from Git, including the PVC above, is deleted
# (contrast plex, which sets prune: false to protect its config volume).
25 | prune: true
26 | retryInterval: 2m
27 | sourceRef:
28 | kind: GitRepository
29 | name: home-kubernetes
30 | namespace: flux-system
31 | targetNamespace: media
32 | timeout: 5m
33 | wait: true
34 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/plex/app/config-pvc.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: PersistentVolumeClaim
4 | metadata:
# Namespace is set explicitly here, unlike the other media PVCs, which rely on
# their Kustomization's targetNamespace.
5 | namespace: media
6 | name: plex-config-v1
7 | spec:
8 | accessModes:
9 | - ReadWriteOnce
10 | storageClassName: ceph-block
11 | resources:
12 | requests:
13 | storage: 20Gi
14 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/plex/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion:
kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./helmrelease.yaml
6 | - ./config-pvc.yaml
7 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/plex/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: &app plex
6 | namespace: flux-system
7 | spec:
8 | targetNamespace: media
# NOTE(review): this depends on rook-ceph, while every other storage consumer in
# this listing waits on rook-ceph-cluster; confirm rook-ceph alone guarantees the
# ceph-block StorageClass exists before config-pvc.yaml is applied.
9 | dependsOn:
10 | # - name: local-path-provisioner
11 | # - name: cluster-apps-nvidia
12 | - name: rook-ceph
13 | path: ./kubernetes/apps/media/plex/app
# prune: false protects plex-config-v1 (20Gi of config/database) from garbage
# collection if the app is ever removed from Git.
14 | prune: false
15 | sourceRef:
16 | kind: GitRepository
17 | name: home-kubernetes
18 | wait: true
19 | interval: 30m
20 | retryInterval: 1m
21 | timeout: 5m
22 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/prowlarr/app/externalsecret.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: external-secrets.io/v1
3 | kind: ExternalSecret
4 | metadata:
5 | name: prowlarr
6 | spec:
7 | secretStoreRef:
8 | kind: ClusterSecretStore
9 | name: onepassword-connect
10 | target:
11 | name: prowlarr-secret
12 | creationPolicy: Owner
# Rendered Secret prowlarr-secret: {{ .X }} is resolved by External Secrets
# from the 1Password items listed under dataFrom; ${DATABASE_IP} is a Flux
# post-build substitution. The INIT_POSTGRES_* keys are presumably consumed by a
# database-init init container (helmrelease not shown).
13 | template:
14 | engineVersion: v2
15 | data:
16 | PROWLARR__AUTH__APIKEY: "{{ .PROWLARR_API_KEY }}"
17 | PROWLARR__POSTGRES__HOST: &dbHost ${DATABASE_IP}
18 | PROWLARR__POSTGRES__PORT: "5432"
19 | PROWLARR__POSTGRES__USER: &dbUser "{{ .PROWLARR_POSTGRES_USER }}"
20 | PROWLARR__POSTGRES__PASSWORD: &dbPass "{{ .PROWLARR_POSTGRES_PASS }}"
21 | PROWLARR__POSTGRES__MAINDB: prowlarr_main
22 | PROWLARR__POSTGRES__LOGDB: prowlarr_log
23 | INIT_POSTGRES_DBNAME: prowlarr_main prowlarr_log
24 | INIT_POSTGRES_HOST: *dbHost
25 | INIT_POSTGRES_USER: *dbUser
26 | INIT_POSTGRES_PASS: *dbPass
# NOTE(review): the Postgres superuser password lands in the same Secret as the
# app's own credentials, so any principal that can read prowlarr-secret (or the
# app container's environment, if the whole Secret is injected via envFrom —
# helmrelease not shown) holds superuser access to the shared database. Least
# privilege would keep INIT_POSTGRES_SUPER_PASS in a separate Secret mounted
# only by the init step. radarr and sonarr follow the same pattern.
27 | INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
28 | dataFrom:
29 | - extract:
30 | key:
cloudnative-pg
# dataFrom pulls every field of the cloudnative-pg and prowlarr items into the
# template scope; only the keys listed under template.data are written to the
# Secret (presumably the default Replace merge policy — confirm).
31 | - extract:
32 | key: prowlarr
33 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/prowlarr/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./externalsecret.yaml
6 | - ./helmrelease.yaml
7 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/prowlarr/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: &app prowlarr
6 | namespace: flux-system
7 | spec:
8 | targetNamespace: media
9 | commonMetadata:
10 | labels:
11 | app.kubernetes.io/name: *app
# Only the secret stores are required (no PVC in this app, so no storage
# dependency); wait: true blocks dependents until the HelmRelease is healthy.
12 | dependsOn:
13 | - name: cluster-apps-external-secrets-stores
14 | path: ./kubernetes/apps/media/prowlarr/app
15 | prune: true
16 | sourceRef:
17 | kind: GitRepository
18 | name: home-kubernetes
19 | wait: true
20 | interval: 30m
21 | retryInterval: 1m
22 | timeout: 5m
23 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/radarr/app/externalsecret.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: external-secrets.io/v1
3 | kind: ExternalSecret
4 | metadata:
5 | name: radarr
6 | spec:
7 | secretStoreRef:
8 | kind: ClusterSecretStore
9 | name: onepassword-connect
10 | target:
11 | name: radarr-secret
12 | creationPolicy: Owner
# Same shape as the prowlarr ExternalSecret: app API key plus per-app Postgres
# credentials, rendered from 1Password fields; ${DATABASE_IP} comes from Flux
# post-build substitution.
13 | template:
14 | engineVersion: v2
15 | data:
16 | RADARR__AUTH__APIKEY: "{{ .RADARR_API_KEY }}"
17 | RADARR__POSTGRES__HOST: &dbHost ${DATABASE_IP}
18 | RADARR__POSTGRES__PORT: "5432"
19 | RADARR__POSTGRES__USER: &dbUser "{{ .RADARR_POSTGRES_USER }}"
20 | RADARR__POSTGRES__PASSWORD: &dbPass "{{ .RADARR_POSTGRES_PASS }}"
21 | RADARR__POSTGRES__MAINDB: radarr_main
22 | RADARR__POSTGRES__LOGDB: radarr_log
23 | INIT_POSTGRES_DBNAME: radarr_main radarr_log
24 | INIT_POSTGRES_HOST: *dbHost
25 | INIT_POSTGRES_USER: *dbUser
26 | INIT_POSTGRES_PASS: *dbPass
# NOTE(review): the Postgres superuser password shares radarr-secret with the
# app's own credentials, so every reader of this Secret (and the app process,
# if the Secret is injected wholesale — helmrelease not shown) holds superuser
# DB access; a separate Secret consumed only by the init step would narrow that.
27 | INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
28 | dataFrom:
29 | - extract:
30 | key: cloudnative-pg
31 | - extract:
32 | key: radarr
33 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/radarr/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./externalsecret.yaml
6 | - ./helmrelease.yaml
7 | - ./pvc.yaml
8 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/radarr/app/pvc.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: PersistentVolumeClaim
4 | metadata:
5 | name: radarr
6 | spec:
# RWX on ceph-filesystem. With prune: true in ks.yaml, removing this file from
# Git deletes the claim and its data.
7 | accessModes: ["ReadWriteMany"]
8 | resources:
9 | requests:
10 | storage: 5Gi
11 | storageClassName: ceph-filesystem
12 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/radarr/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: &app radarr
6 | namespace: flux-system
7 | spec:
8 | targetNamespace: media
9 | commonMetadata:
10 | labels:
11 | app.kubernetes.io/name: *app
# Storage (for pvc.yaml) and the secret stores (for externalsecret.yaml) must be
# ready first.
12 | dependsOn:
13 | - name: rook-ceph-cluster
14 | - name: cluster-apps-external-secrets-stores
15 | path: ./kubernetes/apps/media/radarr/app
16 | prune: true
17 | sourceRef:
18 | kind: GitRepository
19 | name: home-kubernetes
20 | wait: true
21 | interval: 30m
22 | retryInterval: 1m
23 | timeout: 5m
24 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/recyclarr/app/externalsecret.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: external-secrets.io/v1
3 | kind: ExternalSecret
4 | metadata:
5 | name: recyclarr
6 | spec:
7 | secretStoreRef:
8 | kind: ClusterSecretStore
9 | name: onepassword-connect
10 | target:
11 | name: recyclarr-secret
12 | creationPolicy: Owner
# Recyclarr only needs the two *arr API keys. dataFrom still reads the full
# radarr and sonarr items (which also carry those apps' Postgres credentials),
# but only the two templated keys below are written to recyclarr-secret.
13 | template:
14 | engineVersion: v2
15 | data:
16 | RADARR_API_KEY: "{{ .RADARR_API_KEY }}"
17 | SONARR_API_KEY: "{{ .SONARR_API_KEY }}"
18 | dataFrom:
19 | - extract:
20 | key: radarr
21 | - extract:
22 | key: sonarr
23 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/recyclarr/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | namespace: media
5 | resources:
6 | - ./pvc.yaml
7 | - ./externalsecret.yaml
8 | - ./helmrelease.yaml
# recyclarr.yml ships as a ConfigMap with a fixed name (no hash suffix), so a
# config change does not roll the pod by itself unless the HelmRelease (not
# shown) adds a reloader annotation. The API keys stay in the Secret above, not
# in this ConfigMap.
9 | configMapGenerator:
10 | - name: recyclarr-configmap
11 | files:
12 | - ./config/recyclarr.yml
13 | generatorOptions:
14 | disableNameSuffixHash: true
15 | labels:
16 | - pairs:
17 | app.kubernetes.io/name: recyclarr
18 | app.kubernetes.io/instance: recyclarr
19 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/recyclarr/app/pvc.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: PersistentVolumeClaim
4 | metadata:
5 | name: recyclarr-config
6 | namespace: media
7 | spec:
8 | accessModes:
9 | - ReadWriteOnce
10 | storageClassName: ceph-block
11 | resources:
12 | requests:
13 | storage: 500Mi
14 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/recyclarr/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion:
kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: &app recyclarr
6 | namespace: flux-system
7 | spec:
8 | targetNamespace: media
9 | commonMetadata:
10 | labels:
11 | app.kubernetes.io/name: *app
# Ordered after sonarr and radarr so their APIs exist when recyclarr first syncs.
12 | dependsOn:
13 | - name: sonarr
14 | - name: radarr
15 | - name: cluster-apps-external-secrets-stores
16 | path: ./kubernetes/apps/media/recyclarr/app
17 | prune: true
18 | sourceRef:
19 | kind: GitRepository
20 | name: home-kubernetes
21 | wait: true
22 | interval: 30m
23 | retryInterval: 1m
24 | timeout: 5m
25 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/sabnzbd/app/externalsecret.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: external-secrets.io/v1
3 | kind: ExternalSecret
4 | metadata:
5 | name: sabnzbd
6 | spec:
7 | secretStoreRef:
8 | kind: ClusterSecretStore
9 | name: onepassword-connect
10 | target:
11 | name: sabnzbd-secret
12 | creationPolicy: Owner
# Only the API key is rendered into sabnzbd-secret.
13 | template:
14 | engineVersion: v2
15 | data:
16 | SABNZBD__API_KEY: "{{ .SABNZBD_API_KEY }}"
17 | # SABNZBD__NZB_KEY: "{{ .SABNZBD_NZB_KEY }}"
18 | dataFrom:
19 | - extract:
20 | key: sabnzbd
21 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/sabnzbd/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./externalsecret.yaml
6 | - ./helmrelease.yaml
7 | - ./volsync.yaml
# post-process.sh is injected as a ConfigMap (presumably run by SABnzbd after a
# download — helmrelease not shown). The substitute: disabled annotation stops
# Flux post-build from expanding ${...} inside the shell script, which would
# otherwise corrupt it or bake substitution values into it.
8 | configMapGenerator:
9 | - name: sabnzbd-scripts
10 | files:
11 | - post-process.sh=./resources/post-process.sh
12 | generatorOptions:
13 | disableNameSuffixHash: true
14 | annotations:
15 | kustomize.toolkit.fluxcd.io/substitute: disabled
16 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/sabnzbd/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: &app sabnzbd
6 | namespace: flux-system
7 | spec:
8 | targetNamespace: media
9 | commonMetadata:
10 | labels:
11 | app.kubernetes.io/name: *app
# volsync (for the app's ./volsync.yaml), storage and the secret stores must be
# ready before this applies.
12 | dependsOn:
13 | - name: volsync
14 | - name: rook-ceph-cluster
15 | - name: cluster-apps-external-secrets-stores
16 | path: ./kubernetes/apps/media/sabnzbd/app
17 | prune: true
18 | sourceRef:
19 | kind: GitRepository
20 | name: home-kubernetes
21 | wait: true
22 | interval: 30m
23 | retryInterval: 1m
24 | timeout: 5m
25 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/sonarr/app/externalsecret.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: external-secrets.io/v1
3 | kind: ExternalSecret
4 | metadata:
5 | name: sonarr
6 | spec:
7 | secretStoreRef:
8 | kind: ClusterSecretStore
9 | name: onepassword-connect
10 | target:
11 | name: sonarr-secret
12 | creationPolicy: Owner
# App API key plus per-app Postgres credentials rendered from 1Password fields;
# ${DATABASE_IP} comes from Flux post-build substitution.
13 | template:
14 | engineVersion: v2
15 | data:
16 | SONARR__AUTH__APIKEY: "{{ .SONARR_API_KEY }}"
17 | SONARR__POSTGRES__HOST: &dbHost ${DATABASE_IP}
18 | SONARR__POSTGRES__PORT: "5432"
19 | SONARR__POSTGRES__USER: &dbUser "{{ .SONARR_POSTGRES_USER }}"
20 | SONARR__POSTGRES__PASSWORD: &dbPass "{{ .SONARR_POSTGRES_PASS }}"
21 | SONARR__POSTGRES__MAINDB: sonarr_main
22 | SONARR__POSTGRES__LOGDB: sonarr_log
23 | INIT_POSTGRES_DBNAME: sonarr_main sonarr_log
24 | INIT_POSTGRES_HOST: *dbHost
25 | INIT_POSTGRES_USER: *dbUser
26 | INIT_POSTGRES_PASS: *dbPass
# NOTE(review): the Postgres superuser password shares sonarr-secret with the
# app's own credentials, so every reader of this Secret (and the app process,
# if the Secret is injected wholesale — helmrelease not shown) holds superuser
# DB access; a separate Secret consumed only by the init step would narrow that.
27 | INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
28 | dataFrom:
29 | - extract:
30 | key: cloudnative-pg
31 | - extract:
32 | key: sonarr
33 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/sonarr/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./externalsecret.yaml
6 | - ./helmrelease.yaml
7 | - ./pvc.yaml
8 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/sonarr/app/pvc.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: PersistentVolumeClaim
4 | metadata:
5 | name: sonarr
6 | spec:
# RWX on ceph-filesystem, same shape as radarr's claim; pruned (and its data
# lost) if removed from Git, since ks.yaml sets prune: true.
7 | accessModes: ["ReadWriteMany"]
8 | resources:
9 | requests:
10 | storage: 5Gi
11 | storageClassName: ceph-filesystem
12 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/sonarr/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: &app sonarr
6 | namespace: flux-system
7 | spec:
8 | targetNamespace: media
9 | commonMetadata:
10 | labels:
11 | app.kubernetes.io/name: *app
# Storage (for pvc.yaml) and the secret stores (for externalsecret.yaml) must be
# ready first.
12 | dependsOn:
13 | - name: rook-ceph-cluster
14 | - name: cluster-apps-external-secrets-stores
15 | path: ./kubernetes/apps/media/sonarr/app
16 | prune: true
17 | sourceRef:
18 | kind: GitRepository
19 | name: home-kubernetes
20 | wait: true
21 | interval: 30m
22 | retryInterval: 1m
23 | timeout: 5m
24 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/tautulli/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./helmrelease.yaml
6 | - ./pvc.yaml
7 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/tautulli/app/pvc.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: PersistentVolumeClaim
4 | metadata:
5 | name: tautulli-cache
6 | namespace: media
7 | spec:
8 | accessModes:
9 | - ReadWriteOnce
10 | resources:
11 | requests:
12 | storage: 3Gi
13 | storageClassName: ceph-block
14 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/tautulli/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: &app tautulli
6 | namespace: flux-system
7 | # namespace: &namespace media
8 | spec:
9 | commonMetadata:
10 | labels:
11 | app.kubernetes.io/name: *app
# Same layout as overseerr: the shared volsync component is templated from APP
# and VOLSYNC_CAPACITY (component contents not shown), and storage plus the
# VolSync CRDs must exist before the PVC and backup objects are applied.
12 | components:
13 | - ../../../../components/volsync
14 | dependsOn:
15 | - name: rook-ceph-cluster
16 | namespace: flux-system
17 | - name: volsync
18 | namespace: flux-system
19 | interval: 1h
20 | path: ./kubernetes/apps/media/tautulli/app
21 | postBuild:
22 | substitute:
23 | APP: *app
24 | VOLSYNC_CAPACITY: 5Gi
25 | prune: true
26 | retryInterval: 2m
27 | sourceRef:
28 | kind: GitRepository
29 | name: home-kubernetes
30 | namespace: flux-system
31 | targetNamespace: media
32 | timeout: 5m
33 | wait: true
34 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/unpackerr/app/externalsecret.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: external-secrets.io/v1
3 | kind: ExternalSecret
4 | metadata:
5 | name: unpackerr
6 | spec:
7 | secretStoreRef:
8 | kind: ClusterSecretStore
9 | name: onepassword-connect
10 | target:
11 | name: unpackerr-secret
12 | creationPolicy: Owner
# Unpackerr needs only the *arr API keys (UN_<APP>_0_ is presumably its env
# naming for the first configured instance); the full radarr and sonarr items
# are read but only these two keys are rendered.
13 | template:
14 | engineVersion: v2
15 | data:
16 | UN_RADARR_0_API_KEY: "{{ .RADARR_API_KEY }}"
17 | UN_SONARR_0_API_KEY: "{{ .SONARR_API_KEY }}"
18 | dataFrom:
19 | - extract:
20 | key: radarr
21 |
- extract:
22 | key: sonarr
23 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/unpackerr/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./externalsecret.yaml
6 | - ./helmrelease.yaml
7 |
--------------------------------------------------------------------------------
/kubernetes/apps/media/unpackerr/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: &app unpackerr
6 | namespace: flux-system
7 | spec:
8 | targetNamespace: media
9 | commonMetadata:
10 | labels:
11 | app.kubernetes.io/name: *app
12 | dependsOn:
13 | - name: cluster-apps-external-secrets-stores
14 | path: ./kubernetes/apps/media/unpackerr/app
15 | prune: true
16 | sourceRef:
17 | kind: GitRepository
18 | name: home-kubernetes
19 | wait: true
20 | interval: 30m
21 | retryInterval: 1m
22 | timeout: 5m
23 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/cloudflared/app/configs/config.yaml:
--------------------------------------------------------------------------------
1 | ---
# originServerName is the SNI / certificate-verification name used for the
# connection to the origin. Nothing here sets noTLSVerify, so the external
# ingress-nginx controller must present a certificate valid for
# external.${SECRET_DOMAIN} (the wildcard Certificate under
# ingress-nginx/certificates covers that if it is the controller's default
# certificate — the controller's HelmRelease is not shown).
2 | originRequest:
3 | originServerName: "external.${SECRET_DOMAIN}"
4 |
# Tunnel ingress rules, evaluated top-down: the apex and every subdomain of
# SECRET_DOMAIN are forwarded over HTTPS to the *external* ingress-nginx
# controller only; the internal controller is never reachable through the
# tunnel, and any other hostname gets a 404 from cloudflared itself.
# Because of the wildcard, which hosts actually serve content is decided by
# Ingress objects of class external — that class is the real exposure boundary.
5 | ingress:
6 | - hostname: "${SECRET_DOMAIN}"
7 | service: https://ingress-nginx-external-controller.network.svc.cluster.local:443
8 | - hostname: "*.${SECRET_DOMAIN}"
9 | service: https://ingress-nginx-external-controller.network.svc.cluster.local:443
10 | - service: http_status:404
11 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion:
externaldns.k8s.io/v1alpha1
3 | kind: DNSEndpoint
4 | metadata:
5 | name: cloudflared
6 | spec:
# CNAME external.${SECRET_DOMAIN} -> <tunnel id>.cfargotunnel.com: the target
# that the Kyverno ingress policy's annotation and originServerName point at.
# NOTE(review): the cloudflare external-dns HelmRelease lists sources: [ingress]
# with "crd" commented out, so that instance will not reconcile this
# DNSEndpoint; confirm which external-dns instance consumes crd sources,
# otherwise this record has to be managed out of band.
7 | endpoints:
8 | - dnsName: "external.${SECRET_DOMAIN}"
9 | recordType: CNAME
10 | targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"]
11 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/cloudflared/app/externalsecret.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: external-secrets.io/v1
3 | kind: ExternalSecret
4 | metadata:
5 | name: cloudflared
6 | spec:
7 | secretStoreRef:
8 | kind: ClusterSecretStore
9 | name: onepassword-connect
10 | target:
11 | name: cloudflared-secret
12 | creationPolicy: Owner
# credentials.json is the tunnel's identity (account tag, tunnel id, tunnel
# secret), rendered as a file-shaped key of cloudflared-secret. The cloudflare
# 1Password item also holds the zone API token used by external-dns, but only
# the fields below are templated into this Secret.
13 | template:
14 | engineVersion: v2
15 | data:
16 | CLOUDFLARE_TUNNEL_ID: "{{ .CLOUDFLARE_TUNNEL_ID }}"
17 | credentials.json: |
18 | {
19 | "AccountTag": "{{ .CLOUDFLARE_ACCOUNT_ID }}",
20 | "TunnelID": "{{ .CLOUDFLARE_TUNNEL_ID }}",
21 | "TunnelSecret": "{{ .CLOUDFLARE_TUNNEL_SECRET }}"
22 | }
23 | dataFrom:
24 | - extract:
25 | key: cloudflare
26 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/cloudflared/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./dnsendpoint.yaml
6 | - ./externalsecret.yaml
7 | - ./helmrelease.yaml
# config.yaml holds hostnames and the origin URL only (no secrets), so a
# ConfigMap is the right home; the fixed name lets the HelmRelease reference it.
8 | configMapGenerator:
9 | - name: cloudflared-configmap
10 | files:
11 | - ./configs/config.yaml
12 | generatorOptions:
13 | disableNameSuffixHash: true
14 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/cloudflared/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: &app cloudflared
6 | namespace:
flux-system
7 | spec:
8 | targetNamespace: network
9 | commonMetadata:
10 | labels:
11 | app.kubernetes.io/name: *app
# Ordered after external-dns-cloudflare, presumably so the DNSEndpoint CRD
# exists before dnsendpoint.yaml is applied.
12 | dependsOn:
13 | - name: external-dns-cloudflare
14 | path: ./kubernetes/apps/network/cloudflared/app
15 | prune: true
16 | sourceRef:
17 | kind: GitRepository
18 | name: home-kubernetes
19 | wait: false
20 | interval: 30m
21 | timeout: 5m
22 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/e1000e-fix/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./helmrelease.yaml
6 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/e1000e-fix/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
# The name suggests a workaround for the Intel e1000e NIC driver; the
# HelmRelease is not shown. NOTE(review): if it runs a privileged or
# hostNetwork DaemonSet it deserves its own review (hostPath mounts,
# capabilities, image pin).
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: &app e1000e-fix
6 | namespace: flux-system
7 | spec:
8 | targetNamespace: network
9 | commonMetadata:
10 | labels:
11 | app.kubernetes.io/name: *app
12 | path: ./kubernetes/apps/network/e1000e-fix/app
13 | prune: true
14 | sourceRef:
15 | kind: GitRepository
16 | name: home-kubernetes
17 | wait: false
18 | interval: 30m
19 | timeout: 5m
20 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/echo-server/app/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./helmrelease.yaml
6 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/echo-server/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
# Echo servers reflect request details back to the caller. The HelmRelease is
# not shown — NOTE(review): confirm it is only published through the internal
# ingress class, since a publicly reachable echo endpoint discloses header and
# client-address information.
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind:
Kustomization
4 | metadata:
5 | name: &app echo-server
6 | namespace: flux-system
7 | spec:
8 | targetNamespace: network
9 | commonMetadata:
10 | labels:
11 | app.kubernetes.io/name: *app
12 | path: ./kubernetes/apps/network/echo-server/app
13 | prune: true
14 | sourceRef:
15 | kind: GitRepository
16 | name: home-kubernetes
17 | wait: false
18 | interval: 30m
19 | timeout: 5m
20 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/external-dns/cloudflare/externalsecret.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: external-secrets.io/v1
3 | kind: ExternalSecret
4 | metadata:
5 | name: external-dns-cloudflare
6 | spec:
7 | secretStoreRef:
8 | kind: ClusterSecretStore
9 | name: onepassword-connect
10 | target:
11 | name: external-dns-cloudflare-secret
12 | creationPolicy: Owner
# NOTE(review): the pod receives the raw Cloudflare API token. --zone-id-filter
# in the HelmRelease is client-side scoping only, so the token itself should be
# issued at Cloudflare with DNS edit rights on this single zone and nothing
# else — that is what bounds the damage if the pod or this Secret is read.
13 | template:
14 | engineVersion: v2
15 | data:
16 | CF_ZONE_ID: "{{ .CLOUDFLARE_ZONE_ID }}"
17 | CF_API_TOKEN: "{{ .CLOUDFLARE_API_TOKEN }}"
18 | dataFrom:
19 | - extract:
20 | key: cloudflare
21 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/external-dns/cloudflare/helmrelease.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: helm.toolkit.fluxcd.io/v2
3 | kind: HelmRelease
4 | metadata:
5 | name: &app external-dns-cloudflare
6 | spec:
7 | interval: 1h
8 | chart:
9 | spec:
10 | chart: external-dns
11 | version: 1.16.1
12 | sourceRef:
13 | kind: HelmRepository
14 | name: external-dns
15 | namespace: flux-system
# crds: CreateReplace installs and upgrades the DNSEndpoint CRD together with
# the chart; a failed upgrade is rolled back after three attempts.
16 | install:
17 | crds: CreateReplace
18 | remediation:
19 | retries: 3
20 | upgrade:
21 | cleanupOnFail: true
22 | crds: CreateReplace
23 | remediation:
24 | strategy: rollback
25 | retries: 3
26 | values:
27 | fullnameOverride: *app
28 | provider: cloudflare
# Token and zone id are read from the rendered Secret, never inlined here.
29 | env:
30 | - name: &name CF_API_TOKEN
31 | valueFrom:
32 | secretKeyRef:
33 | name:
&secret external-dns-cloudflare-secret
34 | key: *name
# &name is re-declared for the second entry; YAML permits that, and each *name
# resolves to the nearest preceding definition.
35 | - name: &name CF_ZONE_ID
36 | valueFrom:
37 | secretKeyRef:
38 | name: *secret
39 | key: *name
# Record selection: only Ingresses of class "external" that carry the
# external-dns target annotation (which the Kyverno ingress ClusterPolicy adds
# to every Ingress) are published, restricted to one zone and proxied through
# Cloudflare. The published records are CNAMEs to the tunnel hostname, so the
# origin address never appears in public DNS.
40 | extraArgs:
41 | - --annotation-filter=external-dns.alpha.kubernetes.io/target
42 | - --cloudflare-proxied
43 | - --ingress-class=external
44 | - --zone-id-filter=$(CF_ZONE_ID)
# policy: sync lets external-dns delete records as well; the TXT registry
# (txtOwnerId / txtPrefix below) confines that to records this instance created,
# so deleting an Ingress also removes its public DNS name.
45 | policy: sync
# NOTE(review): "crd" is commented out, so DNSEndpoint objects (for example
# cloudflared's) are not reconciled by this instance.
46 | # sources: ["crd", "ingress"]
47 | sources:
48 | - ingress
49 | txtOwnerId: k8s
50 | txtPrefix: k8s.
51 | domainFilters: ["${SECRET_DOMAIN}"]
52 | serviceMonitor:
53 | enabled: true
# Restart the pod when the token Secret is rotated.
54 | podAnnotations:
55 | secret.reloader.stakater.com/reload: *secret
56 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/external-dns/cloudflare/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./externalsecret.yaml
6 | - ./helmrelease.yaml
7 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/external-dns/ks.yaml:
--------------------------------------------------------------------------------
1 | ---
# Two external-dns instances in one file: cloudflare (public zone) and unifi
# (presumably the internal resolver; its HelmRelease is not shown).
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1
3 | kind: Kustomization
4 | metadata:
5 | name: &app external-dns-cloudflare
6 | namespace: flux-system
7 | spec:
8 | commonMetadata:
9 | labels:
10 | app.kubernetes.io/name: *app
11 | interval: 1h
12 | path: ./kubernetes/apps/network/external-dns/cloudflare
13 | prune: true
14 | retryInterval: 2m
15 | sourceRef:
16 | kind: GitRepository
17 | name: home-kubernetes
18 | namespace: flux-system
19 | targetNamespace: network
20 | timeout: 5m
21 | wait: true
22 | ---
23 | apiVersion: kustomize.toolkit.fluxcd.io/v1
24 | kind: Kustomization
25 | metadata:
26 | name: &app external-dns-unifi
27 | namespace: flux-system
28 | spec:
29 | commonMetadata:
30 | labels:
31 | app.kubernetes.io/name: *app
32 | interval: 1h
33 | path:
./kubernetes/apps/network/external-dns/unifi
34 | prune: true
35 | retryInterval: 2m
36 | sourceRef:
37 | kind: GitRepository
38 | name: home-kubernetes
39 | namespace: flux-system
40 | targetNamespace: network
41 | timeout: 5m
42 | wait: true
43 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/external-dns/unifi/externalsecret.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: external-secrets.io/v1
3 | kind: ExternalSecret
4 | metadata:
5 | name: external-dns-unifi
6 | spec:
7 | secretStoreRef:
8 | kind: ClusterSecretStore
9 | name: onepassword-connect
10 | target:
11 | name: external-dns-unifi-secret
12 | creationPolicy: Owner
# Username/password for the UniFi controller API; the pod holds the password in
# cleartext (env or mounted file — helmrelease not shown). NOTE(review): keep
# this a dedicated local account limited to DNS management rather than the
# controller admin login; the EXTERNAL_DNS_UNIFI_* field names suggest that is
# already the case.
13 | template:
14 | engineVersion: v2
15 | data:
16 | UNIFI_USER: "{{ .EXTERNAL_DNS_UNIFI_USER }}"
17 | UNIFI_PASS: "{{ .EXTERNAL_DNS_UNIFI_PASS }}"
18 | dataFrom:
19 | - extract:
20 | key: unifi
21 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/external-dns/unifi/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./externalsecret.yaml
6 | - ./helmrelease.yaml
7 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
# Two wildcard certificates for the domain: staging (untrusted chain, for
# validating issuance) and production.
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - ./staging.yaml
6 | - ./production.yaml
7 |
--------------------------------------------------------------------------------
/kubernetes/apps/network/ingress-nginx/certificates/production.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: cert-manager.io/v1
3 | kind:
Certificate
metadata:
  name: "${SECRET_DOMAIN/./-}-production"
spec:
  # Wildcard certificate: ONE private key covers the apex and every *.${SECRET_DOMAIN}
  # host. The resulting TLS Secret in the network namespace is therefore high-value —
  # anyone who can read it can impersonate any subdomain. Keep Secret read access in
  # this namespace to the ingress controllers.
  secretName: "${SECRET_DOMAIN/./-}-production-tls"
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "${SECRET_DOMAIN}"
  dnsNames:
    - "${SECRET_DOMAIN}"
    - "*.${SECRET_DOMAIN}"
--------------------------------------------------------------------------------
/kubernetes/apps/network/ingress-nginx/certificates/staging.yaml:
--------------------------------------------------------------------------------
---
# Same wildcard request against the staging ClusterIssuer (presumably Let's Encrypt
# staging: an untrusted chain, useful for testing issuance without burning production
# rate limits — confirm against cert-manager/issuers).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "${SECRET_DOMAIN/./-}-staging"
spec:
  secretName: "${SECRET_DOMAIN/./-}-staging-tls"
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: "${SECRET_DOMAIN}"
  dnsNames:
    - "${SECRET_DOMAIN}"
    - "*.${SECRET_DOMAIN}"
--------------------------------------------------------------------------------
/kubernetes/apps/network/ingress-nginx/external/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/network/ingress-nginx/internal/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/network/ingress-nginx/ks.yaml:
--------------------------------------------------------------------------------
---
# Wildcard certificates are reconciled first (after the cert-manager issuers), then the
# internal and external ingress controllers depend on them.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app ingress-nginx-certificates
  namespace: flux-system
spec:
targetNamespace: network
commonMetadata:
  labels:
    app.kubernetes.io/name: *app
dependsOn:
  - name: cert-manager-issuers
path: ./kubernetes/apps/network/ingress-nginx/certificates
prune: true
sourceRef:
  kind: GitRepository
  name: home-kubernetes
# wait: true — the controllers below are not started until the Certificates are Ready,
# so the wildcard TLS Secret exists before they (presumably) reference it as their
# default certificate — confirm in the controller HelmReleases.
wait: true
interval: 30m
timeout: 5m
---
# Internal ingress controller (LAN-only class "internal").
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app ingress-nginx-internal
  namespace: flux-system
spec:
  targetNamespace: network
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: ingress-nginx-certificates
  path: ./kubernetes/apps/network/ingress-nginx/internal
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: false
  interval: 30m
  timeout: 5m
---
# External ingress controller (class "external"; this is the one external-dns publishes
# to Cloudflare, so anything attached to it is reachable from the internet).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app ingress-nginx-external
  namespace: flux-system
spec:
  targetNamespace: network
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: ingress-nginx-certificates
  path: ./kubernetes/apps/network/ingress-nginx/external
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: false
  interval: 30m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/network/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./namespace.yaml
  - ./cloudflared/ks.yaml
  - ./echo-server/ks.yaml
  - ./external-dns/ks.yaml
  - ./ingress-nginx/ks.yaml
  - ./e1000e-fix/ks.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/network/namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: network
  labels:
    # Flux never garbage-collects this namespace, even if it disappears from git.
    kustomize.toolkit.fluxcd.io/prune: disabled
--------------------------------------------------------------------------------
/kubernetes/apps/observability/gatus/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# Renders gatus-secret from three 1Password items (pushover, cloudnative-pg, gatus).
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: gatus
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: gatus-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        GATUS_PUSHOVER_APP_TOKEN: "{{ .GATUS_PUSHOVER_TOKEN }}"
        GATUS_PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}"
        INIT_POSTGRES_DBNAME: gatus
        # Single $ — substituted by Flux post-build, unlike the $${…} placeholders in
        # resources/config.yaml which gatus expands from its environment at runtime.
        INIT_POSTGRES_HOST: ${DATABASE_IP}
        INIT_POSTGRES_USER: "{{ .GATUS_POSTGRES_USER }}"
        INIT_POSTGRES_PASS: "{{ .GATUS_POSTGRES_PASS }}"
        # NOTE(review): this puts the PostgreSQL SUPERUSER password into the same Secret
        # as the app credentials. Anything that can read gatus-secret, or the gatus pod's
        # environment, gets full control of the database. Presumably only an init
        # container needs it (HelmRelease not shown) — consider a separate Secret that is
        # mounted only there, and confirm the main container does not receive it.
        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
  dataFrom:
    - extract:
        key: pushover
    - extract:
        key: cloudnative-pg
    - extract:
        key: gatus
--------------------------------------------------------------------------------
/kubernetes/apps/observability/gatus/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./rbac.yaml
configMapGenerator:
  - name: gatus-configmap
    files:
      - ./resources/config.yaml
generatorOptions:
  # Stable name so the HelmRelease can reference the ConfigMap directly.
  disableNameSuffixHash: true
--------------------------------------------------------------------------------
/kubernetes/apps/observability/gatus/app/rbac.yaml:
--------------------------------------------------------------------------------
---
# NOTE(review): this ClusterRole lets the gatus ServiceAccount read EVERY Secret in the
# cluster. That is a large blast radius for a status page that is typically exposed to
# the internet. If the config-discovery sidecar only watches ConfigMaps, drop "secrets";
# if Secrets really are needed, prefer a namespaced Role/RoleBinding (or a ClusterRole
# bound per namespace) so a compromised gatus cannot dump cluster-wide credentials.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gatus
rules:
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gatus
roleRef:
  kind: ClusterRole
  name: gatus
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: gatus
    namespace: observability
--------------------------------------------------------------------------------
/kubernetes/apps/observability/gatus/app/resources/config.yaml:
--------------------------------------------------------------------------------
---
# $${NAME} is the escaped form: Flux leaves a literal ${NAME} in the ConfigMap and gatus
# expands it from the pod environment (populated from gatus-secret) at startup.
alerting:
  pushover:
    application-token: $${GATUS_PUSHOVER_APP_TOKEN}
    user-key: $${GATUS_PUSHOVER_USER_KEY}
    priority: 1
    default-alert:
      description: healthcheck failed
      send-on-resolved: true
      failure-threshold: 3
      success-threshold: 3

connectivity:
  checker:
    target: 1.1.1.1:53
    interval: 1m

metrics: true

storage:
  type: postgres
  # NOTE(review): sslmode=disable sends the database password and all result data in
  # cleartext to $${INIT_POSTGRES_HOST}. If the server offers TLS (CloudNativePG does by
  # default), use sslmode=require, or verify-full with the server CA — confirm on the
  # database side before switching.
  path: postgres://$${INIT_POSTGRES_USER}:$${INIT_POSTGRES_PASS}@$${INIT_POSTGRES_HOST}:5432/$${INIT_POSTGRES_DBNAME}?sslmode=disable
  caching: true

ui:
  title: Status | Gatus
  header: Status
  logo: https://camo.githubusercontent.com/d2689c2c178ad21d7c91c2fd4fe3753643499d34e789d177ece4ed3a2eec2782/68747470733a2f2f692e696d6775722e636f6d2f676476426b4e452e706e67
  link: https://github.com/axeII
  buttons:
    - name: Github
      link: https://github.com/axeII
    - name: Homelab
      link: https://github.com/axeII/home-ops

endpoints:
  - name: blog
    group: external
    url: https://axell.dev
    interval: 1m
    client:
      # Resolve via Cloudflare DNS directly rather than cluster DNS.
      dns-resolver: tcp://1.1.1.1:53
    conditions:
      - "[STATUS] == 200"
    alerts:
      - type: pushover

web:
  port:
$${GATUS_WEB_PORT}
--------------------------------------------------------------------------------
/kubernetes/apps/observability/gatus/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app gatus
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Wait for the 1Password ClusterSecretStore so the ExternalSecret can resolve.
  dependsOn:
    - name: cluster-apps-external-secrets-stores
  path: ./kubernetes/apps/observability/gatus/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: true
  interval: 30m
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/observability/grafana/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# Grafana bootstrap admin account. Rotate by changing the 1Password "grafana" item; ESO
# rewrites grafana-secret on its refresh interval (the default, none is set here).
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: grafana
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: grafana-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        admin-user: "{{ .GRAFANA_ADMIN_USER }}"
        admin-password: "{{ .GRAFANA_ADMIN_PASS }}"
  dataFrom:
    - extract:
        key: grafana
--------------------------------------------------------------------------------
/kubernetes/apps/observability/grafana/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./externalsecret.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/grafana/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app grafana
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: cluster-apps-external-secrets-stores
  path: ./kubernetes/apps/observability/grafana/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: true
  interval: 30m
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/observability/karma/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: karma-configmap
    files:
      - config.yaml=./resources/config.yaml
generatorOptions:
  disableNameSuffixHash: true
  annotations:
    # Stop Flux from expanding ${…} sequences inside the karma config.
    kustomize.toolkit.fluxcd.io/substitute: disabled
--------------------------------------------------------------------------------
/kubernetes/apps/observability/karma/app/resources/config.yaml:
--------------------------------------------------------------------------------
---
alertmanager:
  interval: 1m
  servers:
    - name: home
      # Plain HTTP to the in-cluster Alertmanager; Alertmanager has no authentication of
      # its own here.
      uri: http://alertmanager-operated.observability.svc.cluster.local:9093
      timeout: 10s
      # NOTE(review): proxy: true makes karma forward silence create/delete requests to
      # Alertmanager using karma's own network access, and alertAcknowledgement below
      # creates silences. Whoever can reach the karma UI can therefore silence alerts —
      # make sure karma's ingress (not shown on this page) is internal-only or behind SSO.
      proxy: true
      healthcheck:
        visible: false
        filters:
          main:
            - alertname=Watchdog
            - prometheus=observability/kube-prometheus-stack
          # networking: # FIXME: this is not working
          #   - alertname=Watchdog
          #   - prometheus=observability/kube-prometheus-stack

alertAcknowledgement:
  enabled: true

filters:
  default:
    - "@state!=suppressed"
- "@receiver!=observability/alertmanager/heartbeat"
--------------------------------------------------------------------------------
/kubernetes/apps/observability/karma/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app karma
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Needs the Alertmanager deployed by kube-prometheus-stack.
  dependsOn:
    - name: kube-prometheus-stack
  path: ./kubernetes/apps/observability/karma/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: true
  interval: 30m
  retryInterval: 1m
  timeout: 15m
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kromgo/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  # resources/config.yaml (not shown) is kromgo's list of exposed Prometheus queries.
  # NOTE(review): kromgo typically serves those results unauthenticated; keep the list
  # limited to metrics that are safe to publish.
  - name: kromgo-configmap
    files:
      - ./resources/config.yaml
generatorOptions:
  disableNameSuffixHash: true
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kromgo/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app kromgo
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/observability/kromgo/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: true
  interval: 30m
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kube-prometheus-stack/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# Schema pinned to the v1 API, matching apiVersion below (was pointing at v1beta1).
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: alertmanager
spec:
  refreshInterval: 5m
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: alertmanager-secret
    # creationPolicy is left at its default (Owner), the same as the other
    # ExternalSecrets in this repo that set it explicitly.
    template:
      engineVersion: v2
      data:
        # The heartbeat URL acts as a bearer credential (whoever has it can report the
        # cluster healthy) — it is kept in the Secret for that reason.
        ALERTMANAGER_HEARTBEAT_URL: "{{ .ALERTMANAGER_HEARTBEAT_URL }}"
        ALERTMANAGER_PUSHOVER_TOKEN: "{{ .ALERTMANAGER_PUSHOVER_TOKEN }}"
        PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}"
  dataFrom:
    - extract:
        key: pushover
    - extract:
        key: alertmanager
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./externalsecret.yaml
  - ./prometheusrule.yaml
  - ./alertmanagerconfig.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kube-prometheus-stack/app/prometheusrule.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/prometheusrule_v1.json
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: miscellaneous-rules
spec:
  groups:
    - name: dockerhub
      rules:
        # Fires when more than 100 docker.io-sourced containers were (re)seen in the last
        # 30s for 15 minutes, i.e. a mass restart that would hit Docker Hub pull limits.
        - alert: BootstrapRateLimitRisk
annotations:
  summary: Kubernetes cluster at risk of being rate limited by dockerhub on bootstrap
expr: count(time() - container_last_seen{image=~"(docker.io).*",container!=""} < 30) > 100
for: 15m
labels:
  severity: critical
- name: oom
  rules:
    # A restart in the last 10m whose last termination reason was OOMKilled.
    - alert: OOMKilled
      annotations:
        summary: Container {{ $labels.container }} in pod {{ $labels.namespace }}/{{ $labels.pod }} has been OOMKilled {{ $value }} times in the last 10 minutes.
      expr: (kube_pod_container_status_restarts_total - kube_pod_container_status_restarts_total offset 10m >= 1) and ignoring (reason) min_over_time(kube_pod_container_status_last_terminated_reason{reason="OOMKilled"}[10m]) == 1
      labels:
        severity: critical
- name: zfs
  rules:
    # Any zpool not reporting "online" for 15m (degraded/faulted/offline/...).
    - alert: ZfsUnexpectedPoolState
      annotations:
        summary: ZFS pool {{$labels.zpool}} on {{$labels.instance}} is in a unexpected state {{$labels.state}}
      expr: node_zfs_zpool_state{state!="online"} > 0
      for: 15m
      labels:
        severity: critical
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app kube-prometheus-stack
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: cluster-apps-external-secrets-stores
  path: ./kubernetes/apps/observability/kube-prometheus-stack/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  # wait: false — dependants (e.g. karma) only wait for the objects to be applied, not
  # for the stack to be healthy.
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 15m
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./namespace.yaml
  - ./prometheus-operator-crds/ks.yaml
  - ./kube-prometheus-stack/ks.yaml
  - ./kromgo/ks.yaml
  - ./karma/ks.yaml
  - ./gatus/ks.yaml
  - ./grafana/ks.yaml
  - ./loki/ks.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/loki/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/loki/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app loki
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Loki is deployed only once the Ceph cluster (its storage backend, presumably) is up.
  dependsOn:
    - name: rook-ceph-cluster
  path: ./kubernetes/apps/observability/loki/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: true
  interval: 30m
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/observability/namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: observability
  labels:
    # Never garbage-collected by Flux.
    kustomize.toolkit.fluxcd.io/prune: disabled
--------------------------------------------------------------------------------
/kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# Same chart and version as the bootstrap helmfile (kubernetes/bootstrap/helmfile.yaml,
# prometheus-operator-crds 20.0.0). Bump both together, otherwise Flux and helmfile fight
# over the CRD versions.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: prometheus-operator-crds
spec:
  interval: 1h
  chart:
    spec:
      chart: prometheus-operator-crds
      version: 20.0.0
      sourceRef:
        kind: HelmRepository
        name: prometheus-community
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
--------------------------------------------------------------------------------
/kubernetes/apps/observability/prometheus-operator-crds/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/prometheus-operator-crds/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app prometheus-operator-crds
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/observability/prometheus-operator-crds/app
  # Never prune: deleting these CRDs would cascade-delete every ServiceMonitor,
  # PrometheusRule, Alertmanager, etc. in the cluster.
  prune: false
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: false
  interval: 30m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/rook-ceph/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./namespace.yaml
  - ./rook-ceph/ks.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/rook-ceph/namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: rook-ceph
  labels:
    # Never garbage-collected by Flux (the Ceph cluster's state lives here).
    kustomize.toolkit.fluxcd.io/prune: disabled
--------------------------------------------------------------------------------
/kubernetes/apps/rook-ceph/rook-ceph/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: rook-ceph-operator
spec:
  interval: 1h
  timeout: 15m
  chart:
    spec:
      chart: rook-ceph
      version: v1.16.6
      sourceRef:
        kind: HelmRepository
        name: rook-ceph
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  values:
    csi:
      # ms_mode=prefer-crc: msgr2 with CRC integrity only — CephFS traffic between nodes
      # and the OSDs/MDS is NOT encrypted on the wire. Use ms_mode=secure if in-transit
      # encryption is required (costs CPU on clients and daemons).
      cephFSKernelMountOptions: ms_mode=prefer-crc
      enableLiveness: true
      serviceMonitor:
        enabled: true
    monitoring:
      enabled: true
    resources:
      requests:
        cpu: 100m # buroa says unchangeable
        memory: 128Mi # buroa says unchangeable
      limits: {}
--------------------------------------------------------------------------------
/kubernetes/apps/rook-ceph/rook-ceph/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion:
kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: rook-ceph
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/rook-ceph/rook-ceph/dashboard/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: rook-ceph
configMapGenerator:
  # Ref: https://grafana.com/grafana/dashboards/2842
  - name: ceph-cluster-dashboard
    files:
      - ceph-cluster-dashboard.json
  # Ref: https://grafana.com/grafana/dashboards/5336
  - name: ceph-osd-dashboard
    files:
      - ceph-osd-dashboard.json
  # Ref: https://grafana.com/grafana/dashboards/5342
  - name: ceph-pools-dashboard
    files:
      - ceph-pools-dashboard.json
generatorOptions:
  disableNameSuffixHash: true
  annotations:
    # Dashboard JSON contains ${…} template variables; keep Flux from substituting them.
    kustomize.toolkit.fluxcd.io/substitute: disabled
  labels:
    # Picked up by the Grafana dashboard sidecar (presumably — configured in grafana's
    # HelmRelease, not shown).
    grafana_dashboard: "true"
commonLabels:
  app.kubernetes.io/name: rook-ceph
  app.kubernetes.io/instance: rook-ceph
--------------------------------------------------------------------------------
/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml:
--------------------------------------------------------------------------------
---
# Operator first, then the CephCluster (second document) once the operator is ready.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app rook-ceph
  namespace: flux-system
spec:
  targetNamespace: rook-ceph
commonMetadata:
  labels:
    app.kubernetes.io/name: *app
path: ./kubernetes/apps/rook-ceph/rook-ceph/app
prune: true
sourceRef:
  kind: GitRepository
  name: home-kubernetes
wait: true
interval: 30m
retryInterval: 1m
timeout: 15m
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app rook-ceph-cluster
  namespace: flux-system
spec:
  targetNamespace: rook-ceph
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: rook-ceph
  path: ./kubernetes/apps/rook-ceph/rook-ceph/cluster
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: true
  interval: 30m
  retryInterval: 1m
  timeout: 15m
--------------------------------------------------------------------------------
/kubernetes/apps/security/authentik/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: authentik
spec:
  interval: 1h
  chart:
    spec:
      chart: authentik
      version: 2025.4.1
      sourceRef:
        kind: HelmRepository
        name: authentik
        namespace: flux-system
      interval: 5m
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  values:
    global:
      podAnnotations:
        # Roll the pods whenever authentik-secret changes.
        secret.reloader.stakater.com/reload: &secret authentik-secret
      deploymentStrategy:
        type: RollingUpdate
      # The whole authentik-secret is injected into every authentik container (server and
      # worker) as environment variables.
      envFrom:
        - secretRef:
            name: *secret
    authentik:
      redis:
        # NOTE(review): no Redis password or TLS is configured here, so sessions/cache
        # traffic to dragonfly travels in cleartext and unauthenticated inside the
        # cluster. Acceptable only if a NetworkPolicy restricts who can reach dragonfly
        # (not shown on this page) — confirm.
        host: dragonfly.database.svc.cluster.local
    server:
      replicas: 1
      initContainers:
        - name: init-db
          image:
ghcr.io/onedr0p/postgres-init:16
# NOTE(review): tag-only image reference for a container that receives the complete
# authentik-secret via envFrom (presumably including the DB superuser password and the
# authentik secret key — confirm what the ExternalSecret renders). Pin by digest
# (image@sha256:…) so a moved tag cannot swap the code that sees those credentials.
envFrom:
  - secretRef:
      name: *secret
metrics:
  enabled: false
  serviceMonitor:
    enabled: false
ingress:
  enabled: true
  # Published on the LAN-only controller; external-dns only publishes class "external".
  ingressClassName: internal
  annotations:
    hajimari.io/icon: simple-icons:authentik
  hosts:
    # Hard-coded host, unlike the rest of the repo which derives hosts from
    # ${SECRET_DOMAIN}; consider sso.${SECRET_DOMAIN} if that is the same domain.
    - &host sso.juno.moe
  # No secretName: TLS terminates with the ingress controller's default certificate
  # (presumably the wildcard from ingress-nginx/certificates — confirm in its HelmRelease).
  tls: [hosts: [*host]]
prometheus:
  rules:
    enabled: false
--------------------------------------------------------------------------------
/kubernetes/apps/security/authentik/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/security/authentik/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app authentik
  namespace: flux-system
spec:
  targetNamespace: security
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # No dependsOn on the external-secrets stores here, unlike gatus/grafana; the
  # HelmRelease's install retries cover the window until authentik-secret exists.
  path: ./kubernetes/apps/security/authentik/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/security/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./namespace.yaml
  -
./authentik/ks.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/security/namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: security
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
--------------------------------------------------------------------------------
/kubernetes/apps/volsync-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./namespace.yaml
  - ./snapshot-controller/ks.yaml
  - ./volsync/ks.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/volsync-system/namespace.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: volsync-system
  labels:
    kustomize.toolkit.fluxcd.io/prune: disabled
--------------------------------------------------------------------------------
/kubernetes/apps/volsync-system/snapshot-controller/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# CSI snapshot controller + VolumeSnapshot CRDs; volsync's snapshot-based movers depend
# on it (see volsync/app/helmrelease.yaml dependsOn).
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: snapshot-controller
spec:
  interval: 1h
  chart:
    spec:
      chart: snapshot-controller
      version: 4.0.2
      sourceRef:
        kind: HelmRepository
        name: piraeus
        namespace: flux-system
  install:
    # CreateReplace: CRDs are applied/replaced by Flux on install and upgrade (Helm alone
    # would never upgrade them).
    crds: CreateReplace
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    crds: CreateReplace
    remediation:
      strategy: rollback
      retries: 3
  values:
    controller:
      serviceMonitor:
        create: true
--------------------------------------------------------------------------------
/kubernetes/apps/volsync-system/snapshot-controller/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/volsync-system/snapshot-controller/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app snapshot-controller
  namespace: flux-system
spec:
  targetNamespace: volsync-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/volsync-system/snapshot-controller/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: home-kubernetes
  wait: true
  interval: 30m
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/volsync-system/volsync/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: volsync
spec:
  interval: 1h
  chart:
    spec:
      chart: volsync
      version: 0.12.1
      sourceRef:
        kind: HelmRepository
        name: backube
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  # Helm-level ordering: kyverno must be installed (the Flux Kustomization additionally
  # waits for kyverno-policies) and the snapshot controller must exist before movers run.
  dependsOn:
    - name: kyverno
      namespace: kyverno
    - name: snapshot-controller
      namespace: volsync-system
  values:
manageCRDs: true 32 | replicaCount: 2 33 | metrics: 34 | disableAuth: true 35 | podSecurityContext: 36 | runAsNonRoot: true 37 | runAsUser: 65534 38 | runAsGroup: 65534 39 | seccompProfile: { type: RuntimeDefault } 40 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./prometheusrule.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/app/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/prometheusrule_v1.json 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: PrometheusRule 5 | metadata: 6 | name: volsync 7 | spec: 8 | groups: 9 | - name: volsync.rules 10 | rules: 11 | - alert: VolSyncComponentAbsent 12 | annotations: 13 | summary: VolSync component has disappeared from Prometheus target discovery. 14 | expr: | 15 | absent(up{job="volsync-metrics"}) 16 | for: 15m 17 | labels: 18 | severity: critical 19 | - alert: VolSyncVolumeOutOfSync 20 | annotations: 21 | summary: >- 22 | {{ $labels.obj_namespace }}/{{ $labels.obj_name }} volume 23 | is out of sync. 
24 | expr: | 25 | volsync_volume_out_of_sync == 1 26 | for: 15m 27 | labels: 28 | severity: critical 29 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app volsync 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: volsync-system 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | dependsOn: 14 | - name: kyverno-policies 15 | path: ./kubernetes/apps/volsync-system/volsync/app 16 | prune: true 17 | sourceRef: 18 | kind: GitRepository 19 | name: home-kubernetes 20 | wait: false 21 | interval: 30m 22 | timeout: 5m 23 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/helmfile.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | helmDefaults: 3 | wait: true 4 | waitForJobs: true 5 | timeout: 600 6 | recreatePods: true 7 | force: true 8 | 9 | repositories: 10 | - name: cilium 11 | url: https://helm.cilium.io 12 | - name: coredns 13 | url: https://coredns.github.io/helm 14 | - name: postfinance 15 | url: https://postfinance.github.io/kubelet-csr-approver 16 | 17 | releases: 18 | - name: prometheus-operator-crds 19 | namespace: observability 20 | chart: oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds 21 | version: 20.0.0 22 | - name: cilium 23 | namespace: kube-system 24 | chart: cilium/cilium 25 | version: 1.17.4 26 | values: 27 | - ../apps/kube-system/cilium/app/helm-values.yaml 28 | needs: 29 | - observability/prometheus-operator-crds 30 | - name: coredns 31 | namespace: kube-system 32 | chart: coredns/coredns 33 | version: 1.42.2 34 | 
values: 35 | - ../apps/kube-system/coredns/app/helm-values.yaml 36 | needs: 37 | - observability/prometheus-operator-crds 38 | - kube-system/cilium 39 | - name: kubelet-csr-approver 40 | namespace: kube-system 41 | chart: postfinance/kubelet-csr-approver 42 | version: 1.2.10 43 | values: 44 | - ../apps/kube-system/kubelet-csr-approver/app/helm-values.yaml 45 | needs: 46 | - observability/prometheus-operator-crds 47 | - kube-system/cilium 48 | - kube-system/coredns 49 | - name: spegel 50 | namespace: kube-system 51 | chart: oci://ghcr.io/spegel-org/helm-charts/spegel 52 | version: 0.2.0 53 | values: 54 | - ../apps/kube-system/spegel/app/helm-values.yaml 55 | needs: 56 | - observability/prometheus-operator-crds 57 | - kube-system/cilium 58 | - kube-system/coredns 59 | - kube-system/kubelet-csr-approver 60 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/clusterconfig/.gitignore: -------------------------------------------------------------------------------- 1 | home-kubernetes-k8s-0.yaml 2 | home-kubernetes-k8s-1.yaml 3 | home-kubernetes-k8s-2.yaml 4 | talosconfig 5 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/patches/README.md: -------------------------------------------------------------------------------- 1 | # Talos Patching 2 | 3 | This directory contains Kustomization patches that are added to the talhelper configuration file. 4 | 5 | 6 | 7 | ## Patch Directories 8 | 9 | Under this `patches` directory, there are several sub-directories that can contain patches that are added to the talhelper configuration file. 10 | Each directory is optional and therefore might not created by default. 
- `global/`: patches that are applied to both the controller and worker configurations
- `controller/`: patches that are applied to the controller configurations
- `worker/`: patches that are applied to the worker configurations
- `${node-hostname}/`: patches that are applied to the node with the specified name
--------------------------------------------------------------------------------
/kubernetes/bootstrap/talos/patches/controller/api-access.yaml:
--------------------------------------------------------------------------------
# Lets pods in the namespaces listed below obtain Talos API credentials
# carrying the roles listed below.
machine:
  features:
    kubernetesTalosAPIAccess:
      enabled: true
      # os:admin is Talos's full-access role: anything that can run a pod in
      # an allowed namespace can then administer the nodes (reboot, upgrade,
      # read/write machine config). Keep this to the one role the consumer
      # actually needs.
      allowedRoles:
        - os:admin
      # RBAC on this namespace is therefore node-admin access; guard who can
      # create pods there.
      # NOTE(review): presumably for a system-upgrade-controller Talos plan — confirm.
      allowedKubernetesNamespaces:
        - system-upgrade
--------------------------------------------------------------------------------
/kubernetes/bootstrap/talos/patches/controller/cluster.yaml:
--------------------------------------------------------------------------------
cluster:
  # Control-plane nodes also run ordinary workloads, so there is no
  # control-plane/worker separation: a workload compromise lands on a node
  # that holds etcd and the API server. A deliberate homelab trade-off.
  allowSchedulingOnControlPlanes: true
  controllerManager:
    extraArgs:
      # Binds the controller-manager's (TLS, authenticated) port on every node
      # interface instead of loopback, presumably so in-cluster metrics
      # scrapers can reach it — confirm. Keep the port off untrusted networks.
      bind-address: 0.0.0.0
  # Talos does not deploy CoreDNS or kube-proxy here; the bootstrap helmfile
  # installs coredns and cilium instead (kube-proxy replacement by Cilium is
  # presumed — confirm in cilium's helm-values).
  coreDNS:
    disabled: true
  proxy:
    disabled: true
  scheduler:
    extraArgs:
      bind-address: 0.0.0.0  # same reasoning as controllerManager above
    config:
      apiVersion: kubescheduler.config.k8s.io/v1
      kind: KubeSchedulerConfiguration
      profiles:
        - schedulerName: default-scheduler
          pluginConfig:
            - name: PodTopologySpread
              args:
                # Cluster-wide default: spread replicas across nodes
                # (hostname) with skew at most 1, but never block scheduling
                # to satisfy it.
                defaultingType: List
                defaultConstraints:
                  - maxSkew: 1
                    topologyKey: kubernetes.io/hostname
                    whenUnsatisfiable: ScheduleAnyway
--------------------------------------------------------------------------------
/kubernetes/bootstrap/talos/patches/controller/disable-admission-controller.yaml:
--------------------------------------------------------------------------------
# JSON patch (not a strategic merge) that deletes Talos's default
# apiServer.admissionControl block. On a stock Talos install that block is the
# PodSecurity admission configuration, so after this patch the API server no
# longer enforces Pod Security Standards by default and workload hardening
# relies on whatever is applied in-cluster instead.
# NOTE(review): presumably Kyverno policies take over this role (the volsync
# Kustomization depends on kyverno-policies) — confirm before relying on it.
- op: remove
  path: /cluster/apiServer/admissionControl
--------------------------------------------------------------------------------
/kubernetes/bootstrap/talos/patches/controller/etcd.yaml:
--------------------------------------------------------------------------------
cluster:
  etcd:
    extraArgs:
      # Serves etcd's /metrics and /health over plain HTTP, without client
      # authentication, on every node interface. That exposes cluster-internal
      # telemetry (not key/value data) to anything that can reach port 2381
      # on a control-plane node; keep that port off untrusted networks
      # (host firewall / Cilium host policy).
      listen-metrics-urls: http://0.0.0.0:2381
    # Pin the subnet etcd advertises for peer/client traffic, so a node with
    # several interfaces does not advertise the wrong one.
    advertisedSubnets:
      - 192.168.69.0/24
--------------------------------------------------------------------------------
/kubernetes/bootstrap/talos/patches/controller/gpu-controller-patch.yaml:
--------------------------------------------------------------------------------
machine:
  kernel:
    # Load the NVIDIA driver stack on this node.
    # NOTE(review): needs the matching nvidia system extensions in the Talos
    # image, which are not visible here — confirm.
    modules:
      - name: nvidia
      - name: nvidia_uvm
      - name: nvidia_drm
      - name: nvidia_modeset
  sysctls:
    # 1 = harden the BPF JIT (constant blinding) for unprivileged users only;
    # 2 would harden it for all users. Unrelated to the GPU modules above —
    # consider moving it next to the other sysctls in global/sysctl.yaml.
    net.core.bpf_jit_harden: 1
--------------------------------------------------------------------------------
/kubernetes/bootstrap/talos/patches/global/cluster-discovery.yaml:
--------------------------------------------------------------------------------
cluster:
  discovery:
    registries:
      # Discover members via the Kubernetes registry only; the hosted Talos
      # discovery service is switched off, so no member metadata leaves the
      # cluster.
      kubernetes:
        disabled: false
      service:
        disabled: true
--------------------------------------------------------------------------------
/kubernetes/bootstrap/talos/patches/global/containerd.yaml:
--------------------------------------------------------------------------------
machine:
  files:
    - op: create
      # Drop-in merged into the node's CRI (containerd) configuration.
      # enable_unprivileged_ports / enable_unprivileged_icmp let containers
      # bind ports < 1024 and open ICMP sockets without CAP_NET_BIND_SERVICE
      # or CAP_NET_RAW, so workloads can keep a tighter capability set.
      # discard_unpacked_layers = false keeps image layers on disk
      # (presumably so Spegel can serve them to peer nodes — confirm); it
      # costs disk space.
      path: /etc/cri/conf.d/20-customization.part
      content: |-
        [plugins."io.containerd.grpc.v1.cri"]
          enable_unprivileged_ports = true
          enable_unprivileged_icmp = true
        [plugins."io.containerd.grpc.v1.cri".containerd]
          discard_unpacked_layers = false
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
          discard_unpacked_layers = false
--------------------------------------------------------------------------------
/kubernetes/bootstrap/talos/patches/global/disable-search-domain.yaml:
--------------------------------------------------------------------------------
machine:
  network:
    # Do not generate a default DNS search domain from the machine hostname;
    # avoids short names being silently resolved against the LAN domain.
    disableSearchDomain: true

-------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/patches/global/dns.yaml: -------------------------------------------------------------------------------- 1 | machine: 2 | network: 3 | nameservers: 4 | - 1.1.1.1 5 | - 1.0.0.1 6 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/patches/global/hostdns.yaml: -------------------------------------------------------------------------------- 1 | machine: 2 | features: 3 | hostDNS: 4 | enabled: true 5 | resolveMemberNames: true 6 | forwardKubeDNSToHost: true # Requires Cilium `bpf.masquerade: false` 7 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/patches/global/kubelet.yaml: -------------------------------------------------------------------------------- 1 | machine: 2 | kubelet: 3 | extraArgs: 4 | rotate-server-certificates: true 5 | nodeIP: 6 | validSubnets: 7 | - 192.168.69.0/24 8 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/patches/global/ntp.yaml: -------------------------------------------------------------------------------- 1 | machine: 2 | time: 3 | disabled: false 4 | servers: 5 | - 162.159.200.1 6 | - 162.159.200.123 7 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/patches/global/openebs-local.yaml: -------------------------------------------------------------------------------- 1 | machine: 2 | kubelet: 3 | extraMounts: 4 | - destination: /var/openebs/local 5 | type: bind 6 | source: /var/openebs/local 7 | options: 8 | - bind 9 | - rshared 10 | - rw 11 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/patches/global/sysctl.yaml: -------------------------------------------------------------------------------- 1 | machine: 2 | sysctls: 3 | 
fs.inotify.max_user_watches: "1048576" 4 | fs.inotify.max_user_instances: "8192" 5 | net.core.rmem_max: "7500000" 6 | net.core.wmem_max: "7500000" 7 | vm.nr_hugepages: "1024" 8 | -------------------------------------------------------------------------------- /kubernetes/components/volsync/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1alpha1 3 | kind: Component 4 | resources: 5 | - ./r2 6 | - ./pvc.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/components/volsync/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: "${APP}" 6 | spec: 7 | accessModes: ["${VOLSYNC_ACCESSMODES:=ReadWriteOnce}"] 8 | dataSourceRef: 9 | kind: ReplicationDestination 10 | apiGroup: volsync.backube 11 | name: "${APP}" 12 | resources: 13 | requests: 14 | storage: "${VOLSYNC_CAPACITY:=5Gi}" 15 | storageClassName: "${VOLSYNC_STORAGECLASS:=ceph-block}" 16 | -------------------------------------------------------------------------------- /kubernetes/components/volsync/r2/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: "${APP}-restic" 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: "${APP}-restic-secret" 12 | template: 13 | data: 14 | RESTIC_REPOSITORY: "{{ .REPOSITORY_TEMPLATE }}/${APP}" 15 | RESTIC_PASSWORD: "{{ .RESTIC_PASSWORD }}" 16 | AWS_ACCESS_KEY_ID: "{{ .AWS_ACCESS_KEY_ID }}" 17 | AWS_SECRET_ACCESS_KEY: "{{ .AWS_SECRET_ACCESS_KEY }}" 18 | dataFrom: 19 | - extract: 20 | key: volsync-restic-template 21 | -------------------------------------------------------------------------------- 
/kubernetes/components/volsync/r2/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./replicationdestination.yaml 7 | - ./replicationsource.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/components/volsync/r2/replicationdestination.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationDestination 4 | metadata: 5 | name: "${APP}" 6 | spec: 7 | trigger: 8 | manual: restore-once 9 | restic: 10 | repository: "${APP}-restic-secret" 11 | copyMethod: Snapshot 12 | volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:=csi-ceph-blockpool}" 13 | cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:=ceph-block}" 14 | cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:=ReadWriteOnce}"] 15 | cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:=2Gi}" 16 | storageClassName: "${VOLSYNC_STORAGECLASS:=ceph-block}" 17 | accessModes: ["${VOLSYNC_ACCESSMODES:=ReadWriteOnce}"] 18 | capacity: "${VOLSYNC_CAPACITY:=5Gi}" 19 | moverSecurityContext: 20 | runAsUser: ${VOLSYNC_PUID:=1000} 21 | runAsGroup: ${VOLSYNC_PGID:=1000} 22 | fsGroup: ${VOLSYNC_PGID:=1000} 23 | enableFileDeletion: true 24 | cleanupCachePVC: true 25 | cleanupTempPVC: true 26 | -------------------------------------------------------------------------------- /kubernetes/components/volsync/r2/replicationsource.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationSource 4 | metadata: 5 | name: "${APP}" 6 | spec: 7 | sourcePVC: "${APP}" 8 | trigger: 9 | schedule: "15 */8 * * *" 10 | restic: 11 | copyMethod: "${VOLSYNC_COPYMETHOD:=Snapshot}" 12 | pruneIntervalDays: 14 13 | repository: "${APP}-restic-secret" 14 
| volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:=csi-ceph-blockpool}" 15 | cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:=2Gi}" 16 | cacheStorageClassName: "${VOLSYNC_CACHE_STORAGECLASS:=ceph-block}" 17 | cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:=ReadWriteOnce}"] 18 | storageClassName: "${VOLSYNC_STORAGECLASS:=ceph-block}" 19 | accessModes: ["${VOLSYNC_SNAP_ACCESSMODES:=ReadWriteOnce}"] 20 | moverSecurityContext: 21 | runAsUser: ${VOLSYNC_PUID:=1000} 22 | runAsGroup: ${VOLSYNC_PGID:=1000} 23 | fsGroup: ${VOLSYNC_PGID:=1000} 24 | retain: 25 | hourly: 24 26 | daily: 7 27 | weekly: 5 28 | -------------------------------------------------------------------------------- /kubernetes/flux/apps.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: cluster-apps 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | path: ./kubernetes/apps 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: home-kubernetes 14 | decryption: 15 | provider: sops 16 | secretRef: 17 | name: sops-age 18 | postBuild: 19 | substituteFrom: 20 | - kind: ConfigMap 21 | name: cluster-settings 22 | - kind: Secret 23 | name: cluster-secrets 24 | - kind: ConfigMap 25 | name: cluster-user-settings 26 | optional: true 27 | - kind: Secret 28 | name: cluster-user-secrets 29 | optional: true 30 | patches: 31 | - patch: |- 32 | apiVersion: kustomize.toolkit.fluxcd.io/v1 33 | kind: Kustomization 34 | metadata: 35 | name: not-used 36 | spec: 37 | decryption: 38 | provider: sops 39 | secretRef: 40 | name: sops-age 41 | postBuild: 42 | substituteFrom: 43 | - kind: ConfigMap 44 | name: cluster-settings 45 | - kind: Secret 46 | name: cluster-secrets 47 | - kind: ConfigMap 48 | name: cluster-user-settings 49 | optional: true 50 | - kind: Secret 51 | name: cluster-user-secrets 52 | optional: true 53 | target: 54 | group: kustomize.toolkit.fluxcd.io 55 | kind: 
Kustomization 56 | labelSelector: substitution.flux.home.arpa/disabled notin (true) 57 | -------------------------------------------------------------------------------- /kubernetes/flux/config/cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: GitRepository 4 | metadata: 5 | name: home-kubernetes 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: "https://github.com/axeii/home-ops.git" 10 | ref: 11 | branch: "main" 12 | ignore: | 13 | # exclude all 14 | /* 15 | # include kubernetes directory 16 | !/kubernetes 17 | --- 18 | apiVersion: kustomize.toolkit.fluxcd.io/v1 19 | kind: Kustomization 20 | metadata: 21 | name: cluster 22 | namespace: flux-system 23 | spec: 24 | interval: 30m 25 | path: ./kubernetes/flux 26 | prune: true 27 | wait: false 28 | sourceRef: 29 | kind: GitRepository 30 | name: home-kubernetes 31 | decryption: 32 | provider: sops 33 | secretRef: 34 | name: sops-age 35 | postBuild: 36 | substituteFrom: 37 | - kind: ConfigMap 38 | name: cluster-settings 39 | - kind: Secret 40 | name: cluster-secrets 41 | -------------------------------------------------------------------------------- /kubernetes/flux/config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./flux.yaml 6 | - ./cluster.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/git/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: [] 5 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/authentik.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: authentik 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://charts.goauthentik.io/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/backube.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: backube 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://backube.github.io/helm-charts/ 10 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/bjw-s.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: bjw-s 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 5m 10 | url: oci://ghcr.io/bjw-s/helm 11 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/cilium.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: cilium 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://helm.cilium.io 10 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/coredns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: coredns 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://coredns.github.io/helm 10 | 
-------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/democratic-csi.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: democratic-csi 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://democratic-csi.github.io/charts/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/external-dns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: external-dns 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://kubernetes-sigs.github.io/external-dns 10 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/external-secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: external-secrets 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://charts.external-secrets.io 10 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/grafana.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: grafana 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://grafana.github.io/helm-charts 10 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/hajimari.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 
apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: hajimari 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://hajimari.io 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/ingress-nginx.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: ingress-nginx 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://kubernetes.github.io/ingress-nginx 10 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/jetstack.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: jetstack 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://charts.jetstack.io 10 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/k8s-gateway.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: k8s-gateway 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://ori-edge.github.io/k8s_gateway 10 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./authentik.yaml 6 | - ./bjw-s.yaml 7 | - ./cilium.yaml 8 | - ./coredns.yaml 9 | - ./jetstack.yaml 10 | - ./metrics-server.yaml 11 | - ./postfinance.yaml 12 | - 
./prometheus-community.yaml 13 | - ./spegel.yaml 14 | - ./stakater.yaml 15 | - ./external-dns.yaml 16 | - ./ingress-nginx.yaml 17 | - ./k8s-gateway.yaml 18 | - ./external-secrets.yaml 19 | - ./rook-ceph.yaml 20 | - ./piraeus.yaml 21 | - ./democratic-csi.yaml 22 | - ./hajimari.yaml 23 | - ./backube.yaml 24 | - ./grafana.yaml 25 | - ./nvidia.yaml 26 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/metrics-server.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: metrics-server 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://kubernetes-sigs.github.io/metrics-server 10 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/nvidia.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: nvidia-device-plugin 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://nvidia.github.io/k8s-device-plugin 10 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/openebs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: openebs 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://openebs.github.io/openebs 10 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/piraeus.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: piraeus 6 | 
namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://piraeus.io/helm-charts/ 10 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/postfinance.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: postfinance 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://postfinance.github.io/kubelet-csr-approver 10 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/prometheus-community.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: prometheus-community 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 5m 10 | url: oci://ghcr.io/prometheus-community/charts 11 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/rook-ceph.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: rook-ceph 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://charts.rook.io/release 10 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/helm/spegel.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: spegel 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 5m 10 | url: oci://ghcr.io/spegel-org/helm-charts 11 | -------------------------------------------------------------------------------- 
/kubernetes/flux/repositories/helm/stakater.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: stakater 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 5m 10 | url: oci://ghcr.io/stakater/charts 11 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./git 6 | - ./helm 7 | - ./oci 8 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/oci/app-template.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: OCIRepository 4 | metadata: 5 | name: app-template 6 | namespace: flux-system 7 | spec: 8 | interval: 5m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 3.7.3 14 | url: oci://ghcr.io/bjw-s/helm/app-template 15 | verify: 16 | provider: cosign 17 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/oci/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./app-template.yaml 6 | - ./kyverno.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/flux/repositories/oci/kyverno.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: kyverno 6 | 
namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 5m 10 | url: oci://ghcr.io/kyverno/charts 11 | -------------------------------------------------------------------------------- /kubernetes/flux/vars/cluster-settings.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: cluster-settings 6 | namespace: flux-system 7 | data: 8 | TIMEZONE: "Europe/Prague" 9 | 10 | # LAN 11 | PLEX_IP: "192.168.69.101" 12 | USER_ID: "65534" 13 | DATABASE_IP: "192.168.69.107" 14 | 15 | # NAS 16 | NAS_IP: "192.168.69.69" 17 | NAS_MEDIA_PATH: "/mnt/ThiccBoi/SiccBoi/data/media" 18 | NFS_BACKUP: "nfs://192.168.69.69:/mnt/ThiccBoi/k3s" 19 | -------------------------------------------------------------------------------- /kubernetes/flux/vars/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ./cluster-settings.yaml 5 | - ./cluster-secrets.sops.yaml 6 | -------------------------------------------------------------------------------- /scripts/backup-docker-volume.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -o errexit 4 | set -o pipefail 5 | 6 | function backup-volume(){ 7 | local volume 8 | volume=$(docker volume ls | awk '$2 != "VOLUME" {print $2}' | fzf) 9 | 10 | docker run --rm --name backup\ 11 | -v "$volume":/backup-volume \ 12 | busybox \ 13 | /bin/sh -c \ 14 | "tar zcf - /backup-volume | cat" > $volume.tar.gz 15 | #"tar acf - /backup-volume | cat" > $volume.tar.zst 16 | } 17 | 18 | 19 | function main() { 20 | backup-volume 21 | } 22 | 23 | 24 | main 25 | -------------------------------------------------------------------------------- /scripts/busybox.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
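v1
kind: Pod
metadata:
  name: busybox-debug
spec:
  containers:
    - name: debug
      image: busybox
      command: ['sh', '-c', 'echo Lets debug! && sleep 3600']
      # volumeMounts:
      #   - name: volume-claim
      #     mountPath: "/data"
  # volumes:
  #   - name: volume-claim
  #     persistentVolumeClaim:
  #       claimName: appdata # CHANGE THIS TO YOUR PVC NAME
  restartPolicy: Never
--------------------------------------------------------------------------------
/scripts/database-manager.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Interactively create a PostgreSQL role and a database owned by that role.
#
# on macos don't forget to update bash to 5.x (associative arrays need bash >= 4)

set -o errexit
set -o nounset
set -o pipefail

DB_HOST="localhost"
DB_PORT="5432"
DB_USER=postgres

variables=("ROOT_PASSWORD" "DATABASE_NAME" "USERNAME" "PASSWORD")

declare -A map_of_answers

for var in "${variables[@]}"; do
  echo -n "Enter a value for $var: "
  # Passwords are read with echo disabled so they never appear on screen or in
  # terminal scrollback; the other answers are echoed as before.
  if [[ "$var" == *PASSWORD* ]]; then
    read -rs input
    echo
  else
    read -r input
  fi

  map_of_answers[$var]=$input
done

# PGPASSWORD hands psql the superuser password without putting it on the command
# line (it is visible only in the environment of the psql process).
export PGPASSWORD=${map_of_answers["ROOT_PASSWORD"]}

# Values are passed as psql variables and interpolated with :"ident" / :'literal',
# which quotes them properly instead of splicing raw text into SQL — a password
# containing a quote no longer breaks (or rewrites) the statement. psql does not
# interpolate variables in -c strings, hence the script on stdin. Note that the
# quoted identifiers keep the exact case typed. ON_ERROR_STOP aborts after the
# first failing statement so the database is not created for a role that failed.
psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -v ON_ERROR_STOP=1 \
  -v new_user="${map_of_answers["USERNAME"]}" \
  -v new_password="${map_of_answers["PASSWORD"]}" \
  -v new_db="${map_of_answers["DATABASE_NAME"]}" <<'SQL'
CREATE USER :"new_user" WITH PASSWORD :'new_password';
CREATE DATABASE :"new_db" WITH OWNER :"new_user";
SQL

unset PGPASSWORD
--------------------------------------------------------------------------------
/scripts/delete-stuck.containers.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

function delete_pod () {
  echo "Deleting pod $1"
  kubectl delete pod $1
}


function delete_from_source () {
  for pod in $1
  do
    delete_pod $pod
  done
}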
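
UNKNOWN_PODS=$(kubectl get pods | awk '$3=="ContainerStatusUnknown" {print $1}')
EVICTED_PODS=$(kubectl get pods | awk '$3=="Evicted" {print $1}')

delete_from_source $UNKNOWN_PODS
delete_from_source $EVICTED_PODS
--------------------------------------------------------------------------------
/scripts/delete-stuck.ns.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Force every namespace stuck in "Terminating" out of that state by clearing its
# "kubernetes" finalizer through the /finalize subresource.
#
# WARNING: this only makes the namespace object disappear. Any finalizer that has
# not completed (cloud load balancers, PVs, CRs with their own finalizers) is
# skipped and whatever it protected is orphaned. Confirm the namespace really is
# empty before running this.

function delete_namespace () {
  local ns="$1"
  local tmp
  echo "Deleting namespace $ns"
  # A private temp file instead of ./tmp.json: nothing in the cwd gets clobbered
  # and a pre-planted symlink cannot redirect the write.
  tmp=$(mktemp)
  if kubectl get namespace "$ns" -o json > "$tmp"; then
    # Strip the "kubernetes" finalizer. The substitution is blunt: it removes
    # every JSON string equal to "kubernetes", so if the manifest carries such a
    # value elsewhere the file becomes invalid and `kubectl replace` fails
    # (a loud failure rather than a silent one).
    sed -i 's/"kubernetes"//g' "$tmp"
    kubectl replace --raw "/api/v1/namespaces/$ns/finalize" -f "$tmp"
  fi
  rm -f "$tmp"
}

TERMINATING_NS=$(kubectl get ns | awk '$2=="Terminating" {print $1}')

for ns in $TERMINATING_NS
do
  delete_namespace "$ns"
done
--------------------------------------------------------------------------------
/scripts/dns-test.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Pod
metadata:
  name: dns-test-pod
spec:
  containers:
    - name: dns-test-container
      image: alpine
      # NOTE(review): this fetches a script from a third-party repo's `master`
      # branch and runs it with bash, unpinned and unverified. Pin the URL to a
      # commit SHA and check its sha256 (or bake the script into the image)
      # before using this anywhere that matters. `-f` makes curl fail on an HTTP
      # error instead of handing an HTML error page to bash; `-L` follows
      # redirects from GitHub.
      command:
        - sh
        - "-c"
        - >
          apk update &&
          apk add curl &&
          apk add bash &&
          curl -fsSL https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.sh -o dnsleaktest.sh &&
          bash dnsleaktest.sh
--------------------------------------------------------------------------------
/scripts/find_mistakes.py:
--------------------------------------------------------------------------------

import re
import subprocess
import pathlib

files = subprocess.run("fd kustomization.yaml", shell=True, stdout=subprocess.PIPE)

for file_ in filter(None, files.stdout.decode().split('\n')):
    abs_path = pathlib.Path(file_).absolute().parents[0]
    files = subprocess.run(f"cat {file_} | grep y.ml | grep -v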
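'#'|grep -v http", shell=True, stdout=subprocess.PIPE).stdout.decode().split('\n')
    for checkfile in filter(None, files):
        # check if files exts
        thefile = pathlib.Path(str(abs_path)+'/'+checkfile.strip()[1:].strip().replace('./',''))
        if not thefile.exists():
            print(str(thefile))
--------------------------------------------------------------------------------
/scripts/generate_dns_records.py:
--------------------------------------------------------------------------------
import subprocess

# Emit one Terraform `pihole_dns_record` per ingress host (first host of each
# ingress, first DNS label only). The pipeline is a fixed string with no user
# input, so shell=True is acceptable here.
# kubectl's stderr is deliberately NOT merged into stdout any more: with
# stderr=subprocess.STDOUT an error such as "Unable to connect to the server"
# was parsed as a hostname and printed as a bogus DNS record. Errors now go to
# the terminal and the record list simply comes out empty.
result = subprocess.run(
    "kubectl get ingress -A | awk '{print $4}' | awk -F ',' '{print $1}' | grep -v flux-rec | awk -F '.' '{print $1}' | grep -v HOSTS",
    stdout=subprocess.PIPE,
    shell=True,
)

# NOTE(review): the record IP is hard-coded; it presumably is the ingress
# address and could be sourced from cluster-settings like the other
# 192.168.69.x values — confirm before changing.
template = """resource "pihole_dns_record" "{}_moe" {{
  domain = "{}.${{data.sops_file.pihole_secrets.data["domain"]}}"
  ip = "192.168.69.105"
}}
"""

for line in filter(None, result.stdout.decode().split('\n')):
    print(template.format(line, line))
--------------------------------------------------------------------------------
/scripts/healthcheck-ping.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Ping a healthchecks.io check.
# The check UUID is a bearer credential: anyone who has it can ping the check
# and mask a real outage. It belongs in sops or an environment variable, not in
# git. The in-repo default is kept only so existing callers keep working —
# rotate the check and set HC_PING_UUID instead.
HC_PING_UUID="${HC_PING_UUID:-1e492b0e-b661-45dd-b78a-06b2ee2e79d7}"
curl -fsS -m 10 --retry 5 "https://hc-ping.com/${HC_PING_UUID}"
--------------------------------------------------------------------------------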