├── .markdownlintignore ├── .secretlintignore ├── .github ├── linters │ ├── .prettierignore │ ├── .prettierrc.yaml │ ├── .yamllint.yaml │ └── .markdownlint.yaml ├── release.yaml ├── PULL_REQUEST_TEMPLATE.md ├── yamllint.config.yaml ├── workflows │ ├── pluto.yml │ ├── labeler.yaml │ ├── label-sync.yaml │ ├── invalid-template.yaml │ ├── kubeconform.yaml │ ├── support.yaml │ └── pr-check.yml ├── labeler.yaml ├── renovate.json5 ├── labels.yaml └── scripts │ └── lib │ └── functions.sh ├── kubernetes ├── apps │ ├── flux-system │ │ ├── flux-operator │ │ │ ├── app │ │ │ │ ├── helm │ │ │ │ │ ├── values.yaml │ │ │ │ │ └── kustomizeconfig.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ ├── flux-instance │ │ │ ├── app │ │ │ │ ├── helm │ │ │ │ │ └── kustomizeconfig.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── httproute.yaml │ │ │ │ ├── receiver.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ └── kustomization.yaml │ ├── media │ │ ├── komga │ │ │ ├── app │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── plex-music │ │ │ ├── app │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── flaresolverr │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ ├── overseerr │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── pvc.yaml │ │ │ └── ks.yaml │ │ ├── tautulli │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── pvc.yaml │ │ │ └── ks.yaml │ │ ├── prowlarr │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ ├── unpackerr │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ ├── radarr │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── pvc.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ ├── sonarr │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── pvc.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ ├── kapowarr │ │ │ ├── 
app │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── recyclarr │ │ │ ├── app │ │ │ │ ├── pvc.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ ├── plex │ │ │ ├── app │ │ │ │ ├── lokirule.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── sabnzbd │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ └── kustomization.yaml │ ├── network │ │ ├── echo-server │ │ │ ├── app │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── external-dns │ │ │ ├── unifi │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ ├── cloudflare │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── externalsecret.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ ├── cloudflare-tunnel │ │ │ ├── app │ │ │ │ ├── dnsendpoint.yaml │ │ │ │ ├── configs │ │ │ │ │ └── config.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ └── kustomization.yaml │ ├── observability │ │ ├── loki │ │ │ ├── app │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── prometheus-operator-crds │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ ├── grafana │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ ├── silence-operator │ │ │ ├── silences │ │ │ │ └── kustomization.yaml │ │ │ └── app │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── repository.yaml │ │ │ │ └── helmrelease.yaml │ │ ├── keda │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── repository.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ ├── kube-prometheus-stack │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ ├── unpoller │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── repository.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ ├── blackbox-exporter │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── repository.yaml │ │ │ │ └── 
probes.yaml │ │ │ └── ks.yaml │ │ ├── alloy │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ ├── kromgo │ │ │ ├── app │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── gatus │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── rbac.yaml │ │ │ │ ├── externalsecret.yaml │ │ │ │ └── resources │ │ │ │ │ └── config.yaml │ │ │ └── ks.yaml │ │ ├── karma │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── resources │ │ │ │ │ └── config.yaml │ │ │ └── ks.yaml │ │ └── kustomization.yaml │ ├── external │ │ ├── minio │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── route.yaml │ │ │ │ └── service.yaml │ │ │ └── ks.yaml │ │ ├── proxmox │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── route.yaml │ │ │ │ └── service.yaml │ │ │ └── ks.yaml │ │ ├── truenas │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── route.yaml │ │ │ │ └── service.yaml │ │ │ └── ks.yaml │ │ └── kustomization.yaml │ ├── kube-system │ │ ├── external-secrets │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ ├── stores │ │ │ │ ├── kustomization.yaml │ │ │ │ └── onepassword │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── clustersecretstore.yaml │ │ │ └── ks.yaml │ │ ├── cilium │ │ │ ├── app │ │ │ │ ├── helm │ │ │ │ │ └── kustomizeconfig.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── networks.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── gateway │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── certificate.yaml │ │ │ │ ├── external.yaml │ │ │ │ └── internal.yaml │ │ ├── coredns │ │ │ ├── app │ │ │ │ ├── helm │ │ │ │ │ └── kustomizeconfig.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ ├── spegel │ │ │ ├── app │ │ │ │ ├── helm │ │ │ │ │ ├── kustomizeconfig.yaml │ │ │ │ │ └── values.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ ├── reloader │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ 
├── csi-driver-nfs │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ ├── metrics-server │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ ├── intel-device-plugin-operator │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── gpu │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ └── kustomization.yaml │ ├── volsync-system │ │ ├── snapshot-controller │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ ├── volsync │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── prometheusrule.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ └── kustomization.yaml │ ├── rook-ceph │ │ ├── rook-ceph │ │ │ ├── cluster │ │ │ │ ├── kustomization.yaml │ │ │ │ └── repository.yaml │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── repository.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── dashboard │ │ │ │ └── kustomization.yaml │ │ └── kustomization.yaml │ ├── cert-manager │ │ ├── cert-manager │ │ │ ├── app │ │ │ │ ├── helm │ │ │ │ │ ├── kustomizeconfig.yaml │ │ │ │ │ └── values.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── clusterissuer.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── secret.sops.yaml │ │ │ └── ks.yaml │ │ └── kustomization.yaml │ ├── default │ │ ├── minecraft │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── repository.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ ├── affine │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ ├── atuin │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ ├── docmost │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ ├── karakeep │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ ├── paperless │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ 
│ └── externalsecret.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ └── glance │ │ │ ├── app │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ ├── database │ │ ├── dragonfly │ │ │ ├── cluster │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── podmonitor.yaml │ │ │ │ └── cluster.yaml │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── rbac.yaml │ │ │ └── ks.yaml │ │ ├── pgbackup │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── externalsecret.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── ks.yaml │ │ └── kustomization.yaml │ └── security │ │ ├── authentik │ │ ├── app │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ │ └── kustomization.yaml ├── components │ ├── volsync │ │ ├── kustomization.yaml │ │ ├── r2 │ │ │ ├── kustomization.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── replicationdestination.yaml │ │ │ └── replicationsource.yaml │ │ └── pvc.yaml │ ├── common │ │ ├── namespace.yaml │ │ ├── repos │ │ │ ├── kustomization.yaml │ │ │ └── app-template │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ocirepository.yaml │ │ ├── kustomization.yaml │ │ └── sops │ │ │ ├── kustomization.yaml │ │ │ ├── cluster-secrets.sops.yaml │ │ │ └── sops-age.sops.yaml │ ├── keda │ │ └── nfs-scaler │ │ │ ├── kustomization.yaml │ │ │ └── scaledobject.yaml │ └── gatus │ │ ├── config.yaml │ │ └── kustomization.yaml └── flux │ ├── meta │ ├── kustomization.yaml │ └── repos │ │ ├── piraeus.yaml │ │ ├── backube.yaml │ │ ├── grafana.yaml │ │ ├── external-secrets.yaml │ │ ├── authentik.yaml │ │ ├── prometheus-community.yaml │ │ ├── kustomization.yaml │ │ └── external-dns.yaml │ └── cluster │ └── ks.yaml ├── .lycheeignore ├── talos ├── patches │ ├── controller │ │ ├── admission-controller-patch.yaml │ │ └── cluster.yaml │ ├── global │ │ ├── machine-network.yaml │ │ ├── machine-time.yaml │ │ ├── machine-kubelet.yaml │ │ ├── machine-sysctls.yaml │ │ └── machine-files.yaml │ └── README.md ├── clusterconfig │ └── .gitignore ├── talenv.yaml └── manifests │ └── e1000e.yaml ├── scripts ├── 
healthcheck-ping.sh ├── delete-stuck.ns.sh ├── dns-test.yaml ├── busybox.yaml ├── delete-stuck.containers.sh ├── backup-docker-volume.sh ├── generate_dns_records.py ├── find_mistakes.py └── database-manager.sh ├── .gitattributes ├── .renovate ├── allowedVersions.json5 ├── commitMessage.json5 ├── customManagers.json5 ├── labels.json5 ├── autoMerge.json5 ├── grafanaDashboards.json5 └── semanticCommits.json5 ├── .taskfiles ├── workstation │ ├── Archfile │ └── Brewfile ├── PreCommitTasks.yml ├── volsync │ └── resources │ │ ├── replicationdestination.yaml.j2 │ │ └── unlock.yaml.j2 └── KubernetesTasks.yml ├── .editorconfig ├── .gitignore ├── .vscode ├── extensions.json └── settings.json ├── .sops.yaml ├── LICENCE ├── .envrc └── .pre-commit-config.yaml /.markdownlintignore: -------------------------------------------------------------------------------- 1 | README.md 2 | -------------------------------------------------------------------------------- /.secretlintignore: -------------------------------------------------------------------------------- 1 | megalinter-reports 2 | README.md 3 | -------------------------------------------------------------------------------- /.github/linters/.prettierignore: -------------------------------------------------------------------------------- 1 | *.sops.* 2 | gotk-components.yaml 3 | -------------------------------------------------------------------------------- /.github/release.yaml: -------------------------------------------------------------------------------- 1 | changelog: 2 | exclude: 3 | authors: 4 | - renovate 5 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/app/helm/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | serviceMonitor: 3 | create: true 4 | -------------------------------------------------------------------------------- /.github/linters/.prettierrc.yaml: 
--------------------------------------------------------------------------------
1 | ---
2 | trailingComma: "es5"
3 | tabWidth: 2
4 | semi: false
5 | singleQuote: false
6 |
--------------------------------------------------------------------------------
/.lycheeignore:
--------------------------------------------------------------------------------
1 | https://dash.cloudflare.com/profile/api-tokens
2 | https://www.mend.io/free-developer-tools/renovate/
3 |
--------------------------------------------------------------------------------
/talos/patches/controller/admission-controller-patch.yaml:
--------------------------------------------------------------------------------
# JSON-patch applied to the Talos controlplane config: deletes the entire
# apiServer.admissionControl block. In Talos-generated configs that block holds
# the PodSecurity admission plugin defaults, so after this patch the API server
# carries no Pod Security Admission baseline from this repo — confirm an
# equivalent pod-security policy is enforced elsewhere before relying on it.
1 | - op: remove
2 |   path: /cluster/apiServer/admissionControl
3 |
--------------------------------------------------------------------------------
/talos/clusterconfig/.gitignore:
--------------------------------------------------------------------------------
# Generated per-node machine configs and the talosconfig client credential
# embed the cluster CA and key material; they are ignored so they never land in git.
1 | kubernetes-k8s-0.yaml
2 | kubernetes-k8s-1.yaml
3 | kubernetes-k8s-2.yaml
4 | talosconfig
5 |
--------------------------------------------------------------------------------
/scripts/healthcheck-ping.sh:
--------------------------------------------------------------------------------
# Outbound health ping to healthchecks.io: -f fails on HTTP errors, -sS stays
# quiet except for errors, -m 10 caps each attempt at 10 s, --retry 5 retries
# transient failures.
# NOTE(review): the hc-ping.com UUID is the only credential for this check —
# anyone holding it can ping and mask a real outage. Prefer injecting the URL
# from an environment variable or secret store instead of committing it.
1 | #!/bin/bash
2 | curl -fsS -m 10 --retry 5 https://hc-ping.com/1e492b0e-b661-45dd-b78a-06b2ee2e79d7
3 |
--------------------------------------------------------------------------------
/talos/patches/global/machine-network.yaml:
--------------------------------------------------------------------------------
# Node DNS: a single resolver on the local LAN, and no default search domain
# generated in resolv.conf (Talos disableSearchDomain).
1 | machine:
2 |   network:
3 |     disableSearchDomain: true
4 |     nameservers:
5 |       - 192.168.69.1
6 |
--------------------------------------------------------------------------------
/talos/patches/global/machine-time.yaml:
--------------------------------------------------------------------------------
# NTP pinned to explicit upstream servers (these look like Cloudflare's public
# time service addresses — confirm) rather than whatever DHCP hands out; stable
# time matters for TLS certificate validation and etcd.
1 | machine:
2 |   time:
3 |     disabled: false
4 |     servers:
5 |       - 162.159.200.1
6 |       - 162.159.200.123
7 |
-------------------------------------------------------------------------------- /kubernetes/apps/media/komga/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /kubernetes/components/volsync/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1alpha1 3 | kind: Component 4 | resources: 5 | - ./r2 6 | - ./pvc.yaml 7 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto eol=lf 2 | *.yml.j2 linguist-language=YAML 3 | *.yaml.j2 linguist-language=YAML 4 | *.sops.* diff=sopsdiffer 5 | *.sops.toml linguist-language=JSON 6 | -------------------------------------------------------------------------------- /kubernetes/apps/media/plex-music/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /kubernetes/apps/media/flaresolverr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /kubernetes/apps/network/echo-server/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | 
kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/loki/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /kubernetes/apps/external/minio/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./service.yaml 6 | - ./route.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/external-secrets/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /kubernetes/apps/media/overseerr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./pvc.yaml -------------------------------------------------------------------------------- /kubernetes/apps/external/proxmox/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./service.yaml 6 | - ./route.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/external/truenas/app/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./service.yaml 6 | - ./route.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/media/tautulli/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./pvc.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/snapshot-controller/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /kubernetes/components/common/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: not-used 6 | annotations: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | -------------------------------------------------------------------------------- /talos/patches/global/machine-kubelet.yaml: -------------------------------------------------------------------------------- 1 | machine: 2 | kubelet: 3 | extraConfig: 4 | serializeImagePulls: false 5 | nodeIP: 6 | validSubnets: 7 | - 192.168.69.0/24 8 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/prometheus-operator-crds/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | 
-------------------------------------------------------------------------------- /kubernetes/apps/media/prowlarr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/media/unpackerr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/network/external-dns/unifi/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/grafana/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./externalsecret.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./repository.yaml 7 | -------------------------------------------------------------------------------- 
/kubernetes/apps/network/external-dns/cloudflare/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /talos/talenv.yaml: -------------------------------------------------------------------------------- 1 | # renovate: datasource=docker depName=ghcr.io/siderolabs/installer 2 | talosVersion: v1.10.6 3 | # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet 4 | kubernetesVersion: v1.33.3 5 | -------------------------------------------------------------------------------- /kubernetes/apps/media/radarr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | - ./pvc.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/media/sonarr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | - ./pvc.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/app/helm/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/app/helm/kustomizeconfig.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/app/helm/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/helm/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-instance/app/helm/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/app/helm/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./repos 7 | -------------------------------------------------------------------------------- /kubernetes/apps/default/minecraft/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./repository.yaml 7 | - ./externalsecret.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/components/volsync/r2/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./replicationdestination.yaml 7 | - ./replicationsource.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/components/common/repos/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./app-template 7 | -------------------------------------------------------------------------------- /kubernetes/apps/media/kapowarr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/components/keda/nfs-scaler/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - ./scaledobject.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/reloader/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repos/piraeus.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: piraeus 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://piraeus.io/helm-charts/ 10 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/csi-driver-nfs/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | 
-------------------------------------------------------------------------------- /kubernetes/flux/meta/repos/backube.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: backube 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://backube.github.io/helm-charts/ 10 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repos/grafana.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: grafana 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://grafana.github.io/helm-charts 10 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/silence-operator/silences/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./silences.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/components/common/repos/app-template/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./ocirepository.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/components/common/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - ./namespace.yaml 7 | - ./repos 8 | - ./sops 9 | -------------------------------------------------------------------------------- /kubernetes/apps/default/affine/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml -------------------------------------------------------------------------------- /kubernetes/apps/default/atuin/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/intel-device-plugin-operator/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/intel-device-plugin-operator/gpu/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | 
-------------------------------------------------------------------------------- /kubernetes/flux/meta/repos/external-secrets.yaml: --------------------------------------------------------------------------------
---
# Flux chart source for External Secrets Operator; index re-fetched every 2h over HTTPS.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: external-secrets
  namespace: flux-system
spec:
  interval: 2h
  url: https://charts.external-secrets.io
-------------------------------------------------------------------------------- /kubernetes/apps/database/dragonfly/cluster/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Dragonfly instance (./cluster.yaml) plus the PodMonitor that scrapes its admin port.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./cluster.yaml
  - ./podmonitor.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/database/pgbackup/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Backup credentials come from an ExternalSecret, not from the repo.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./externalsecret.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/default/docmost/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/default/karakeep/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/observability/keda/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Chart source is declared locally (./repository.yaml) rather than in kubernetes/flux/meta/repos.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./repository.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/security/authentik/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# NOTE(review): the authentik ks.yaml entry in kubernetes/apps/security/kustomization.yaml is
# commented out, so this kustomization is currently not reconciled — confirm.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
-------------------------------------------------------------------------------- /kubernetes/flux/meta/repos/authentik.yaml: --------------------------------------------------------------------------------
---
# Flux chart source for authentik; polled every 30m with a 3m fetch timeout.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: authentik
  namespace: flux-system
spec:
  interval: 30m
  url: https://charts.goauthentik.io/
  timeout: 3m
-------------------------------------------------------------------------------- /.renovate/allowedVersions.json5: --------------------------------------------------------------------------------
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  packageRules: [
    {
      // Docker images whose name matches /postgresql/ are held at major 17 or below;
      // presumably so a Postgres major upgrade (which needs a data migration) is never automated.
      matchDatasources: ["docker"],
      matchPackageNames: ["/postgresql/"],
      allowedVersions: "<=17",
    },
  ],
}
-------------------------------------------------------------------------------- /.taskfiles/workstation/Archfile: --------------------------------------------------------------------------------
age
cloudflared-bin
direnv
flux-bin
go-task
go-yq
helm
helmfile
jq
kubeconform
kubectl-bin
kustomize
minijinja-cli-bin
moreutils
sops
stern-bin
talhelper-bin
talosctl
-------------------------------------------------------------------------------- /kubernetes/apps/media/radarr/app/pvc.yaml: --------------------------------------------------------------------------------
---
# No namespace is set here (tautulli/recyclarr PVCs set `namespace: media` explicitly);
# relies on the enclosing kustomization to supply it.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: radarr-cache
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 2Gi
  storageClassName: ceph-block
-------------------------------------------------------------------------------- /kubernetes/apps/media/sonarr/app/pvc.yaml: --------------------------------------------------------------------------------
---
# Same shape as radarr's cache PVC; namespace again comes from the enclosing kustomization.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sonarr-cache
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 2Gi
  storageClassName: ceph-block
-------------------------------------------------------------------------------- /kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# Alerting credentials are delivered by the ExternalSecret; alert routing is in alertmanagerconfig.yaml.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./externalsecret.yaml
  - ./prometheusrule.yaml
  - ./alertmanagerconfig.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./prometheusrule.yaml
-------------------------------------------------------------------------------- /kubernetes/components/common/sops/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Both files are sops-encrypted (matched by the kubernetes/ rule in .sops.yaml, which
# encrypts only data/stringData); they are applied into every namespace via the common component.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./cluster-secrets.sops.yaml
  - ./sops-age.sops.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/media/overseerr/app/pvc.yaml: --------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: overseerr-cache
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 5Gi
  storageClassName: ceph-block
-------------------------------------------------------------------------------- /kubernetes/apps/observability/silence-operator/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Chart source declared locally (./repository.yaml).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./repository.yaml
-------------------------------------------------------------------------------- /talos/patches/global/machine-sysctls.yaml: --------------------------------------------------------------------------------
# Talos machine-config patch applied to every node (patches/global).
machine:
  sysctls:
    fs.inotify.max_user_watches: "1048576" # Watchdog
    fs.inotify.max_user_instances: "8192" # Watchdog
    net.core.rmem_max: "7500000" # Cloudflared | QUIC
    net.core.wmem_max: "7500000" # Cloudflared | QUIC
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/gateway/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# TLS certificate plus the two ingress gateways (external = reached through the Cloudflare tunnel,
# internal = LAN only — inferred from the names; the Gateway specs are not shown here).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./certificate.yaml
  - ./external.yaml
  - ./internal.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/rook-ceph/rook-ceph/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: rook-ceph
resources:
  - ./helmrelease.yaml
  - ./repository.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/observability/unpoller/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# UniFi controller credentials arrive via the ExternalSecret.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./repository.yaml
-------------------------------------------------------------------------------- /kubernetes/flux/meta/repos/prometheus-community.yaml: --------------------------------------------------------------------------------
---
# OCI-type source: charts are pulled from ghcr.io rather than an HTTP index.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: prometheus-community
  namespace: flux-system
spec:
  type: oci
  interval: 5m
  url: oci://ghcr.io/prometheus-community/charts
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/external-secrets/stores/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/axeII/crds/main/kustomization_v1.json
# NOTE(review): uses a third-party schema URL while the rest of the repo uses json.schemastore.org.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
  - ./onepassword
-------------------------------------------------------------------------------- /kubernetes/apps/observability/blackbox-exporter/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./repository.yaml
  - ./probes.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/media/tautulli/app/pvc.yaml: --------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: tautulli-cache
  namespace: media
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi
  storageClassName: ceph-block
-------------------------------------------------------------------------------- /talos/manifests/e1000e.yaml: --------------------------------------------------------------------------------
---
# Disables TCP/generic segmentation and receive offloads on eno1
# (file name suggests an e1000e NIC workaround; reason not documented here).
apiVersion: v1alpha1
kind: EthernetConfig
name: eno1
features: # tso off gso off gro off
  tx-tcp-segmentation: false # TSO (IPv4)
  tx-tcp6-segmentation: false # TSO (IPv6)
  tx-generic-segmentation: false # GSO
  rx-gro: false # GRO
-------------------------------------------------------------------------------- /kubernetes/apps/media/recyclarr/app/pvc.yaml: --------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: recyclarr-config
  namespace: media
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: ceph-block
  resources:
    requests:
      storage: 500Mi
-------------------------------------------------------------------------------- /kubernetes/apps/rook-ceph/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Namespace entry point: the common component creates the namespace and its secrets,
# then the per-app Flux Kustomization (ks.yaml) is applied.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: rook-ceph
components:
  - ../../components/common
resources:
  - ./rook-ceph/ks.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/security/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# NOTE(review): resources are commented out, so only the common component (namespace + secrets)
# is applied here; authentik is not deployed by this kustomization.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: security
components:
  - ../../components/common
# resources:
#   - ./authentik/ks.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-manager
components:
  - ../../components/common
resources:
  - ./cert-manager/ks.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/app/helm/values.yaml: --------------------------------------------------------------------------------
---
spegel:
  # Host containerd socket and registry-mirror config dir on the node.
  containerdSock: /run/containerd/containerd.sock
  containerdRegistryConfigPath: /etc/cri/conf.d/hosts
service:
  registry:
    # Mirror registry bound on the node's host network; nothing in this file restricts
    # who can reach that port — confirm it is covered at the network layer.
    hostPort: 29999
serviceMonitor:
  enabled: true
grafanaDashboard:
  enabled: true
-------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml: --------------------------------------------------------------------------------
---
crds:
  enabled: true
replicaCount: 1
# DNS-over-HTTPS resolvers used for the DNS01 propagation self-check; `Only: true`
# makes cert-manager use these instead of the cluster DNS for that check.
dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
dns01RecursiveNameserversOnly: true
prometheus:
  enabled: true
  servicemonitor:
    enabled: true
-------------------------------------------------------------------------------- /kubernetes/flux/meta/repos/kustomization.yaml: --------------------------------------------------------------------------------
---
# Cluster-wide chart sources. keda, unpoller, silence-operator, blackbox-exporter and
# rook-ceph declare their own ./repository.yaml instead of being listed here.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./authentik.yaml
  - ./backube.yaml
  - ./external-dns.yaml
  - ./external-secrets.yaml
  - ./grafana.yaml
  - ./piraeus.yaml
  - ./prometheus-community.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/default/paperless/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
# NOTE(review): schema URL differs from the json.schemastore.org form used elsewhere in the repo.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/database/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: database
components:
  - ../../components/common
resources:
  - ./dragonfly/ks.yaml
  - ./pgbackup/ks.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/network/cloudflare-tunnel/app/dnsendpoint.yaml: --------------------------------------------------------------------------------
---
# external-dns record pointing external.<domain> at the Cloudflare tunnel.
# Both ${...} values are filled in by Flux post-build substitution, so neither the
# domain nor the tunnel id is committed in plaintext.
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: cloudflared
spec:
  endpoints:
    - dnsName: "external.${SECRET_DOMAIN}"
      recordType: CNAME
      targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"]
-------------------------------------------------------------------------------- /kubernetes/apps/observability/alloy/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# Config is shipped as a ConfigMap with a stable name (no suffix hash).
# NOTE(review): unlike karma/plex/sabnzbd there is no `substitute: disabled` annotation,
# so any `$name`/`${name}` text in config.alloy is subject to Flux substitution — confirm intended.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: alloy-configmap
    files:
      - ./resources/config.alloy
generatorOptions:
  disableNameSuffixHash: true
-------------------------------------------------------------------------------- /kubernetes/apps/observability/kromgo/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# Same pattern as alloy: stable-named ConfigMap, substitution left enabled.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: kromgo-configmap
    files:
      - ./resources/config.yaml
generatorOptions:
  disableNameSuffixHash: true
-------------------------------------------------------------------------------- /kubernetes/components/gatus/config.yaml: --------------------------------------------------------------------------------
---
# Per-app Gatus endpoint template; ${APP}/${GATUS_*} are substituted by Flux, with
# `:=` defaults for subdomain, path and expected status.
# NOTE(review): the domain juno.moe is hard-coded here while other manifests use ${SECRET_DOMAIN}.
endpoints:
  - name: "${APP}"
    url: "https://${GATUS_SUBDOMAIN:=${APP}}.juno.moe${GATUS_PATH:=/}"
    interval: 1m
    client:
      # Resolves via an external resolver over plain TCP/53, not the cluster DNS.
      dns-resolver: tcp://1.1.1.1:53
    conditions:
      - "[STATUS] == ${GATUS_STATUS:=200}"
    alerts:
      - type: pushover
-------------------------------------------------------------------------------- /kubernetes/components/gatus/kustomization.yaml: --------------------------------------------------------------------------------
---
# Component that packages config.yaml into a ConfigMap labelled gatus.io/enabled
# (the consumer that selects on that label is not shown here).
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
configMapGenerator:
  - name: ${APP}-gatus-ep
    files:
      - ./config.yaml
    options:
      labels:
        gatus.io/enabled: "true"
generatorOptions:
  disableNameSuffixHash: true
-------------------------------------------------------------------------------- /.editorconfig: --------------------------------------------------------------------------------
# editorconfig.org
root = true

[*]
indent_style = space
indent_size = 2
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true

[Makefile]
indent_style = space
indent_size = 4

[*.{bash,sh}]
indent_style = space
indent_size = 4
-------------------------------------------------------------------------------- /kubernetes/apps/flux-system/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
components:
  - ../../components/common
resources:
  - ./flux-instance/ks.yaml
  - ./flux-operator/ks.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/external/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Entries for services that live outside the cluster (names suggest truenas/minio/proxmox hosts).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: external
components:
  - ../../components/common
resources:
  - ./truenas/ks.yaml
  - ./minio/ks.yaml
  - ./proxmox/ks.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: volsync-system
components:
  - ../../components/common
resources:
  - ./snapshot-controller/ks.yaml
  - ./volsync/ks.yaml
-------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: --------------------------------------------------------------------------------
## What's Changed


### Type of Change

- [ ] 🆕 New app/service
- [ ] ⬆️ Version upgrade
- [ ] 🔧 Config change
- [ ] 🐛 Bug fix
- [ ] 🧹 Cleanup

### Notes and apps affected

-------------------------------------------------------------------------------- /kubernetes/apps/network/cloudflare-tunnel/app/configs/config.yaml: --------------------------------------------------------------------------------
---
originRequest:
  # Name the origin's TLS certificate is checked against; noTLSVerify is not set, so the
  # gateway's certificate must be valid for this hostname.
  originServerName: "external.${SECRET_DOMAIN}"

ingress:
  # Apex and wildcard both terminate at the cilium external gateway; anything else is refused with 404.
  - hostname: "${SECRET_DOMAIN}"
    service: &svc https://cilium-gateway-external.kube-system.svc.cluster.local
  - hostname: "*.${SECRET_DOMAIN}"
    service: *svc
  - service: http_status:404
-------------------------------------------------------------------------------- /.gitignore: --------------------------------------------------------------------------------
# Secrets
*.pub
*.key
*.decrypted~*.yaml
/age.key
/cloudflare-tunnel.json
/github-deploy.key
/github-deploy.key.pub
/github-push-token.txt
# Template config files
/cluster.yaml
/nodes.yaml
# Kubernetes
kubeconfig
talosconfig
# Misc.
.private/
.task/
.venv/
.DS_Store
Thumbs.db
-------------------------------------------------------------------------------- /.vscode/extensions.json: --------------------------------------------------------------------------------
{
  "recommendations": [
    "albert.TabOut",
    "britesnow.vscode-toggle-quotes",
    "fcrespo82.markdown-table-formatter",
    "mitchdenny.ecdc",
    "signageos.signageos-vscode-sops",
    "will-stone.in-any-case",
    "EditorConfig.editorconfig",
    "PKief.material-icon-theme",
  ]
}
-------------------------------------------------------------------------------- /kubernetes/apps/network/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: network
components:
  - ../../components/common
resources:
  - ./cloudflare-tunnel/ks.yaml
  - ./echo-server/ks.yaml
  - ./external-dns/ks.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/observability/gatus/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# Gatus itself (the per-app endpoint component is kubernetes/components/gatus);
# ships its own RBAC and a stable-named config ConfigMap.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./rbac.yaml
configMapGenerator:
  - name: gatus-configmap
    files:
      - ./resources/config.yaml
generatorOptions:
  disableNameSuffixHash: true
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/axeII/crds/main/kustomization_v1.json
# 1Password backend: ClusterSecretStore + Connect release; secret.sops.yaml is the
# sops-encrypted Secret (covered by the kubernetes/ rule in .sops.yaml).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
  - ./clustersecretstore.yaml
  - ./helmrelease.yaml
  - ./secret.sops.yaml
-------------------------------------------------------------------------------- /kubernetes/flux/meta/repos/external-dns.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: external-dns
  namespace: flux-system
spec:
  interval: 1h
  url: https://kubernetes-sigs.github.io/external-dns
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Chart values are loaded from ./helm/values.yaml into a hash-suffixed ConfigMap;
# ./helm/kustomizeconfig.yaml presumably carries the nameReference that rewrites the
# hashed name inside the HelmRelease (not shown here).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: spegel-values
    files:
      - values.yaml=./helm/values.yaml
configurations:
  - ./helm/kustomizeconfig.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Same values-ConfigMap pattern as spegel/flux-operator/cilium.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: coredns-values
    files:
      - values.yaml=./helm/values.yaml
configurations:
  - ./helm/kustomizeconfig.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/network/cloudflare-tunnel/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# Tunnel credentials come from the ExternalSecret. Flux substitution must stay enabled
# here (no `substitute: disabled`): configs/config.yaml relies on ${SECRET_DOMAIN}.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./dnsendpoint.yaml
  - ./externalsecret.yaml
  - ./helmrelease.yaml
configMapGenerator:
  - name: cloudflare-tunnel-configmap
    files:
      - config.yaml=./configs/config.yaml
generatorOptions:
  disableNameSuffixHash: true
-------------------------------------------------------------------------------- /kubernetes/apps/observability/karma/app/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: karma-configmap
    files:
      - config.yaml=./resources/config.yaml
generatorOptions:
  disableNameSuffixHash: true
  annotations:
    # Keeps Flux from substituting `$...` tokens inside the generated ConfigMap.
    kustomize.toolkit.fluxcd.io/substitute: disabled
-------------------------------------------------------------------------------- /kubernetes/apps/database/dragonfly/cluster/podmonitor.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/podmonitor_v1.json
# Scrapes the `admin` port of pods labelled app=dragonfly; the app label is copied onto the series.
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: dragonfly
spec:
  selector:
    matchLabels:
      app: dragonfly
  podTargetLabels: ["app"]
  podMetricsEndpoints:
    - port: admin
-------------------------------------------------------------------------------- /.taskfiles/PreCommitTasks.yml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
version: "3"

tasks:
  init:
    desc: Initialize pre-commit hooks
    cmds:
      - pre-commit install-hooks
  run:
    desc: Run pre-commit
    cmds:
      - pre-commit run --all-files
  update:
    desc: Updates pre-commit
    cmds:
      - pre-commit autoupdate
-------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: flux-operator-values
    files:
      - values.yaml=./helm/values.yaml
configurations:
  - ./helm/kustomizeconfig.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/media/plex/app/lokirule.yaml: --------------------------------------------------------------------------------
---
# Loki alerting rule: fires when Plex logs "retry busy DB" for 5 minutes.
# The `$labels` template survives only because the plex kustomization sets
# `kustomize.toolkit.fluxcd.io/substitute: disabled` on the generated ConfigMap.
groups:
  - name: plex
    rules:
      - alert: PlexDatabaseIsBusy
        expr: |
          sum by (app) (count_over_time({app="plex"} |~ "(?i)retry busy DB"[5m])) > 0
        for: 5m
        annotations:
          summary: >-
            {{ $labels.app }} is experiencing database issues
        labels:
          severity: critical
-------------------------------------------------------------------------------- /.github/linters/.yamllint.yaml: --------------------------------------------------------------------------------
---
# Encrypted sops files and the generated Flux components are excluded from linting.
ignore: |
  *.sops.*
  gotk-components.yaml
extends: default
rules:
  truthy:
    allowed-values: ["true", "false", "on"]
  comments:
    min-spaces-from-content: 1
  line-length: disable
  braces:
    min-spaces-inside: 0
    max-spaces-inside: 1
  brackets:
    min-spaces-inside: 0
    max-spaces-inside: 0
  indentation: enable
-------------------------------------------------------------------------------- /.sops.yaml: --------------------------------------------------------------------------------
---
# Single age recipient for the whole repo. The value below is the public (recipient) key;
# the matching private key is expected at /age.key, which .gitignore excludes.
# mac_only_encrypted: the MAC covers only the encrypted values, so plaintext fields in these
# files (metadata, labels, …) are not integrity-protected by sops — review them like any other YAML.
creation_rules:
  # talos/: no encrypted_regex, so every value in the file is encrypted.
  - path_regex: talos/.*\.sops\.ya?ml
    mac_only_encrypted: true
    age: "age1ryhy9dduzk5hyn33lnm7swtg72r7luklfv397s3wmhqav099w95s3cu3rh"
  # bootstrap/ and kubernetes/: only Secret data/stringData are encrypted; everything else stays readable.
  - path_regex: (bootstrap|kubernetes)/.*\.sops\.ya?ml
    encrypted_regex: "^(data|stringData)$"
    mac_only_encrypted: true
    age: "age1ryhy9dduzk5hyn33lnm7swtg72r7luklfv397s3wmhqav099w95s3cu3rh"
stores:
  yaml:
    indent: 2
-------------------------------------------------------------------------------- /kubernetes/apps/default/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# NOTE(review): kubernetes/apps/default/affine exists but is not listed below.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
components:
  - ../../components/common
resources:
  - ./atuin/ks.yaml
  - ./glance/ks.yaml
  - ./karakeep/ks.yaml
  - ./docmost/ks.yaml
  - ./minecraft/ks.yaml
  - ./paperless/ks.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Cilium release plus ./networks.yaml (presumably CiliumNetworkPolicy/pool objects — not shown here);
# values follow the hash-suffixed ConfigMap pattern used by spegel/coredns/flux-operator.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./networks.yaml
configMapGenerator:
  - name: cilium-values
    files:
      - values.yaml=./helm/values.yaml
configurations:
  - ./helm/kustomizeconfig.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/database/dragonfly/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # renovate: datasource=github-releases depName=dragonflydb/dragonfly-operator
  # Supply-chain note: the CRD is fetched from a release *tag*, which is a mutable git
  # reference, and the download is not checksum-verified here. Pinning to the tag's
  # commit SHA (or vendoring the CRD) would make the applied content reproducible.
  - https://raw.githubusercontent.com/dragonflydb/dragonfly-operator/v1.3.1/manifests/crd.yaml
  - ./helmrelease.yaml
  - ./rbac.yaml
-------------------------------------------------------------------------------- /kubernetes/components/volsync/pvc.yaml: --------------------------------------------------------------------------------
---
# PVC template for apps backed up with VolSync: the claim is populated from the
# ReplicationDestination of the same name (restore-on-create); VOLSYNC_* variables
# have `:=` defaults and are substituted by Flux.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: "${APP}"
spec:
  accessModes: ["${VOLSYNC_ACCESSMODES:=ReadWriteOnce}"]
  dataSourceRef:
    kind: ReplicationDestination
    apiGroup: volsync.backube
    name: "${APP}"
  resources:
    requests:
      storage: "${VOLSYNC_CAPACITY:=5Gi}"
  storageClassName: "${VOLSYNC_STORAGECLASS:=ceph-block}"
-------------------------------------------------------------------------------- /.github/yamllint.config.yaml: --------------------------------------------------------------------------------
# NOTE(review): second yamllint config next to .github/linters/.yamllint.yaml, with a different
# ignore list and truthy set ("yes" allowed here only) — which one CI uses is not visible here.
ignore: |
  .github/
  crds.yaml
extends: default
rules:
  truthy:
    allowed-values: ["true", "false", "on", "yes"]
  comments:
    min-spaces-from-content: 1
  line-length: disable
  braces:
    min-spaces-inside: 0
    max-spaces-inside: 1
  brackets:
    min-spaces-inside: 0
    max-spaces-inside: 0
  indentation:
    spaces: 2
    indent-sequences: consistent
-------------------------------------------------------------------------------- /kubernetes/apps/media/plex/app/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  # lokirule.yaml is published as plex.yaml under the loki_rule label for rule discovery.
  - name: plex-loki-rules
    files:
      - plex.yaml=./lokirule.yaml
    options:
      labels:
        loki_rule: "true"
generatorOptions:
  disableNameSuffixHash: true
  annotations:
    # Required: the rule's `$labels` template must not be touched by Flux substitution.
    kustomize.toolkit.fluxcd.io/substitute: disabled
-------------------------------------------------------------------------------- /kubernetes/apps/media/sabnzbd/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# post-process.sh is mounted from a ConfigMap; substitution is disabled so shell `$vars` survive.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./volsync.yaml
configMapGenerator:
  - name: sabnzbd-scripts
    files:
      - post-process.sh=./resources/post-process.sh
generatorOptions:
  disableNameSuffixHash: true
  annotations:
    kustomize.toolkit.fluxcd.io/substitute: disabled
-------------------------------------------------------------------------------- /.taskfiles/workstation/Brewfile: --------------------------------------------------------------------------------
tap "fluxcd/tap"
tap "go-task/tap"
tap "siderolabs/tap"
brew "age"
brew "cloudflared"
brew "direnv"
brew "fluxcd/tap/flux"
brew "go-task/tap/go-task"
brew "helm"
brew "helmfile"
brew "jq"
brew "kubeconform"
| brew "kubernetes-cli" 14 | brew "kustomize" 15 | brew "minijinja-cli" 16 | brew "moreutils" 17 | brew "siderolabs/tap/talosctl" 18 | brew "sops" 19 | brew "stern" 20 | brew "talhelper" 21 | brew "yq" 22 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./clusterissuer.yaml 7 | - ./helmrelease.yaml 8 | - ./secret.sops.yaml 9 | configMapGenerator: 10 | - name: cert-manager-values 11 | files: 12 | - values.yaml=./helm/values.yaml 13 | configurations: 14 | - ./helm/kustomizeconfig.yaml 15 | -------------------------------------------------------------------------------- /scripts/delete-stuck.ns.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | function delete_namespace () { # Force-finalize one namespace ($1) that is stuck in Terminating by stripping its "kubernetes" finalizer 4 | echo "Deleting namespace $1" 5 | kubectl get namespace $1 -o json > tmp.json # NOTE(review): $1 is unquoted and tmp.json is written to the current directory, overwriting any file of that name 6 | sed -i 's/"kubernetes"//g' tmp.json # NOTE(review): global replace drops every string value equal to "kubernetes", not only the finalizer entry; any other field holding that exact value is left empty and the JSON becomes invalid 7 | kubectl replace --raw "/api/v1/namespaces/$1/finalize" -f ./tmp.json # NOTE(review): removes the finalizer without checking what it was still waiting on; confirm the namespace's remaining resources before running this 8 | rm ./tmp.json 9 | } 10 | 11 | TERMINATING_NS=$(kubectl get ns | awk '$2=="Terminating" {print $1}') 12 | 13 | for ns in $TERMINATING_NS 14 | do 15 | delete_namespace $ns 16 | done 17 | -------------------------------------------------------------------------------- /.github/workflows/pluto.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Pluto 3 | 4 | on: # yamllint disable-line rule:truthy 5 | workflow_dispatch: 6 | pull_request: 7 | 8 | jobs: 9 | yaml: 10 | runs-on: ubuntu-24.04 11 | steps: 12 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 13 | - name: Download Pluto 14 | uses: 
FairwindsOps/pluto/github-action@master # NOTE(review): mutable branch ref; unlike the SHA-pinned checkout step above this resolves to whatever master holds at run time, so pin it to a commit SHA 15 | 16 | - name: Use pluto 17 | run: | 18 | pluto detect-files -d ./kubernetes 19 | -------------------------------------------------------------------------------- /.renovate/commitMessage.json5: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "commitMessageTopic": "{{depName}}", 4 | "commitMessageExtra": "to {{newVersion}}", 5 | "commitMessageSuffix": "", 6 | "packageRules": [ 7 | { 8 | "matchDatasources": ["helm"], 9 | "commitMessageTopic": "chart {{depName}}" 10 | }, 11 | { 12 | "matchDatasources": ["docker"], 13 | "commitMessageTopic": "image {{depName}}" 14 | } 15 | ] 16 | } 17 | -------------------------------------------------------------------------------- /kubernetes/apps/default/glance/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | configMapGenerator: 8 | - name: glance-configmap 9 | files: 10 | - glance.yml=./config/glance.yml 11 | generatorOptions: 12 | disableNameSuffixHash: true 13 | annotations: 14 | kustomize.toolkit.fluxcd.io/substitute: disabled 15 | -------------------------------------------------------------------------------- /scripts/dns-test.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Pod 4 | metadata: 5 | name: dns-test-pod 6 | spec: 7 | containers: 8 | - name: dns-test-container 9 | image: alpine # NOTE(review): untagged image resolves to the moving latest tag; pin a version or digest 10 | command: 11 | - sh 12 | - "-c" 13 | - > # NOTE(review): the command below fetches a script from a third-party repo's master branch and executes it without pinning or verifying it; pin to a commit and check a digest, or vendor the script 14 | apk update && 15 | apk add curl && 16 | apk add bash && 17 | curl https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.sh -o dnsleaktest.sh && 18 | bash dnsleaktest.sh 19 | 
-------------------------------------------------------------------------------- /kubernetes/apps/rook-ceph/rook-ceph/app/repository.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: rook-ceph 7 | spec: 8 | interval: 15m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: v1.18.7 14 | url: oci://ghcr.io/rook/rook-ceph 15 | -------------------------------------------------------------------------------- /.github/workflows/labeler.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: "Labeler" 3 | 4 | on: 5 | workflow_dispatch: 6 | pull_request_target: 7 | branches: ["main"] 8 | 9 | jobs: 10 | labeler: 11 | name: Labeler 12 | runs-on: ubuntu-latest 13 | permissions: 14 | contents: read 15 | pull-requests: write 16 | steps: 17 | - name: Labeler 18 | uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6 19 | with: 20 | configuration-path: .github/labeler.yaml 21 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/gateway/certificate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cert-manager.io/certificate_v1.json 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: "juno-moe-production" 7 | spec: 8 | secretName: "juno-moe-production-tls" 9 | issuerRef: 10 | name: letsencrypt-production 11 | kind: ClusterIssuer 12 | commonName: "juno.moe" 13 | dnsNames: ["juno.moe", "*.juno.moe"] 14 | 
-------------------------------------------------------------------------------- /kubernetes/apps/default/minecraft/app/repository.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/ocirepository_v1beta2.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: minecraft 7 | spec: 8 | interval: 1h 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 5.0.0 14 | url: oci://ghcr.io/itzg/minecraft-server-charts/minecraft 15 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-instance/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./externalsecret.yaml 8 | - ./httproute.yaml 9 | - ./receiver.yaml 10 | configMapGenerator: 11 | - name: flux-instance-values 12 | files: 13 | - values.yaml=./helm/values.yaml 14 | configurations: 15 | - ./helm/kustomizeconfig.yaml 16 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/keda/app/repository.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: keda 7 | spec: 8 | interval: 15m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 2.18.2 14 | url: 
oci://ghcr.io/home-operations/charts-mirror/keda 15 | -------------------------------------------------------------------------------- /scripts/busybox.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Pod 4 | metadata: 5 | name: busybox-debug 6 | spec: 7 | containers: 8 | - name: debug 9 | image: busybox 10 | command: ['sh', '-c', 'echo Lets debug! && sleep 3600'] 11 | # volumeMounts: 12 | # - name: volume-claim 13 | # mountPath: "/data" 14 | # volumes: 15 | # - name: volume-claim 16 | # persistentVolumeClaim: 17 | # claimName: appdata # CHANGE THIS TO YOUR PVC NAME 18 | restartPolicy: Never 19 | -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "files.associations": { 3 | "*.json5": "jsonc", 4 | "**/kubernetes/**/*.sops.toml": "plaintext" 5 | }, 6 | "yaml.schemas": { 7 | "Kubernetes": "./kubernetes/**/*.yaml" 8 | }, 9 | "editor.bracketPairColorization.enabled": true, 10 | "editor.guides.bracketPairs": true, 11 | "editor.guides.bracketPairsHorizontal": true, 12 | "editor.guides.highlightActiveBracketPair": true, 13 | "editor.hover.delay": 1500, 14 | "files.trimTrailingWhitespace": true 15 | } 16 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/unpoller/app/repository.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: unpoller 7 | spec: 8 | interval: 15m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 4.5.0 14 | url: 
oci://ghcr.io/bjw-s-labs/helm/app-template 15 | -------------------------------------------------------------------------------- /kubernetes/apps/rook-ceph/rook-ceph/cluster/repository.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: rook-ceph-cluster 7 | spec: 8 | interval: 15m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: v1.18.7 14 | url: oci://ghcr.io/rook/rook-ceph-cluster 15 | -------------------------------------------------------------------------------- /kubernetes/apps/media/recyclarr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: media 5 | resources: 6 | - ./pvc.yaml 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | configMapGenerator: 10 | - name: recyclarr-configmap 11 | files: 12 | - ./config/recyclarr.yml 13 | generatorOptions: 14 | disableNameSuffixHash: true 15 | labels: 16 | - pairs: 17 | app.kubernetes.io/name: recyclarr 18 | app.kubernetes.io/instance: recyclarr 19 | -------------------------------------------------------------------------------- /scripts/delete-stuck.containers.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | function delete_pod () { 4 | echo "Deleting pod $1" 5 | kubectl delete pod $1 6 | } 7 | 8 | 9 | function delete_from_source () { 10 | for pod in $1 11 | do 12 | delete_pod $pod 13 | done 14 | } 15 | 16 | UNKNOWN_PODS=$(kubectl get pods | awk '$3=="ContainerStatusUnknown" {print $1}') 17 | EVICTED_PODS=$(kubectl get pods | awk '$3=="Evicted" {print $1}') 18 | 19 | 
delete_from_source $UNKNOWN_PODS 20 | delete_from_source $EVICTED_PODS 21 | -------------------------------------------------------------------------------- /.github/labeler.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | area/bootstrap: 3 | - changed-files: 4 | - any-glob-to-any-file: bootstrap/**/* 5 | area/github: 6 | - changed-files: 7 | - any-glob-to-any-file: .github/**/* 8 | area/kubernetes: 9 | - changed-files: 10 | - any-glob-to-any-file: kubernetes/**/* 11 | area/taskfile: 12 | - changed-files: 13 | - any-glob-to-any-file: .taskfiles/**/* 14 | - any-glob-to-any-file: Taskfile* 15 | area/minecraft: 16 | - changed-files: 17 | - any-glob-to-any-file: kubernetes/**/minecraft/* 18 | -------------------------------------------------------------------------------- /talos/patches/global/machine-files.yaml: -------------------------------------------------------------------------------- 1 | machine: 2 | files: 3 | - # Spegel 4 | op: create 5 | path: /etc/cri/conf.d/20-customization.part 6 | content: | 7 | [plugins."io.containerd.cri.v1.images"] 8 | discard_unpacked_layers = false 9 | - # NFS Mount 10 | op: overwrite 11 | path: /etc/nfsmount.conf 12 | permissions: 0o644 13 | content: | 14 | [ NFSMount_Global_Options ] 15 | nfsvers=4.2 16 | hard=True 17 | nconnect=16 18 | noatime=True -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-instance/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: github-webhook-token 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: github-webhook-token-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | token: "{{ .FLUX_GITHUB_WEBHOOK_TOKEN }}" 17 | dataFrom: 18 | - extract: 
19 | key: flux 20 | -------------------------------------------------------------------------------- /kubernetes/components/common/repos/app-template/ocirepository.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/ocirepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: app-template 7 | spec: 8 | interval: 5m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 4.5.0 14 | url: oci://ghcr.io/bjw-s-labs/helm/app-template 15 | -------------------------------------------------------------------------------- /LICENCE: -------------------------------------------------------------------------------- 1 | DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 2 | Version 2, December 2004 3 | 4 | Copyright (C) 2024 Ales Lerch 5 | 6 | Everyone is permitted to copy and distribute verbatim or modified 7 | copies of this license document, and changing it is allowed as long 8 | as the name is changed. 9 | 10 | DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 11 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 12 | 13 | 0. You just DO WHAT THE FUCK YOU WANT TO. 
14 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/alloy/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app alloy 6 | namespace: &namespace observability 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | interval: 1h 12 | path: ./kubernetes/apps/observability/alloy/app 13 | prune: true 14 | retryInterval: 2m 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | targetNamespace: *namespace 20 | timeout: 5m -------------------------------------------------------------------------------- /kubernetes/apps/observability/silence-operator/app/repository.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: silence-operator 7 | spec: 8 | interval: 15m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 0.20.0 14 | url: oci://ghcr.io/home-operations/charts-mirror/silence-operator 15 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/keda/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: keda 7 | spec: 8 | interval: 1h 9 | chartRef: 10 | kind: OCIRepository 11 | name: keda 12 | install: 13 | remediation: 14 | retries: -1 15 | upgrade: 16 | 
cleanupOnFail: true 17 | remediation: 18 | retries: 3 19 | values: 20 | enableServiceLinks: false 21 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/blackbox-exporter/app/repository.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: blackbox-exporter 7 | spec: 8 | interval: 15m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 11.5.0 14 | url: oci://ghcr.io/prometheus-community/charts/prometheus-blackbox-exporter 15 | -------------------------------------------------------------------------------- /scripts/backup-docker-volume.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -o errexit 4 | set -o pipefail 5 | 6 | function backup-volume(){ 7 | local volume 8 | volume=$(docker volume ls | awk '$2 != "VOLUME" {print $2}' | fzf) 9 | 10 | docker run --rm --name backup\ 11 | -v "$volume":/backup-volume \ 12 | busybox \ 13 | /bin/sh -c \ 14 | "tar zcf - /backup-volume | cat" > $volume.tar.gz 15 | #"tar acf - /backup-volume | cat" > $volume.tar.zst 16 | } 17 | 18 | 19 | function main() { 20 | backup-volume 21 | } 22 | 23 | 24 | main 25 | -------------------------------------------------------------------------------- /kubernetes/apps/database/pgbackup/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app pgbackup 6 | namespace: &namespace database 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | interval: 1h 12 | path: 
./kubernetes/apps/database/pgbackup/app 13 | prune: true 14 | retryInterval: 2m 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | targetNamespace: database 20 | timeout: 5m 21 | wait: true 22 | -------------------------------------------------------------------------------- /kubernetes/apps/media/sabnzbd/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: sabnzbd 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: sabnzbd-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | SABNZBD__API_KEY: "{{ .SABNZBD_API_KEY }}" 17 | # SABNZBD__NZB_KEY: "{{ .SABNZBD_NZB_KEY }}" 18 | dataFrom: 19 | - extract: 20 | key: sabnzbd 21 | -------------------------------------------------------------------------------- /scripts/generate_dns_records.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | 3 | result = subprocess.run("kubectl get ingress -A | awk '{print $4}' | awk -F ',' '{print $1}' | grep -v flux-rec | awk -F '.' 
'{print $1}' | grep -v HOSTS", stdout=subprocess.PIPE, shell=True, stderr=subprocess.STDOUT) 4 | 5 | template = """resource "pihole_dns_record" "{}_moe" {{ 6 | domain = "{}.${{data.sops_file.pihole_secrets.data["domain"]}}" 7 | ip = "192.168.69.105" 8 | }} 9 | """ 10 | 11 | for line in filter(None, result.stdout.decode().split('\n')): 12 | print(template.format(line, line)) 13 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/grafana/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: grafana 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: grafana-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | admin-user: "{{ .GRAFANA_ADMIN_USER }}" 17 | admin-password: "{{ .GRAFANA_ADMIN_PASS }}" 18 | dataFrom: 19 | - extract: 20 | key: grafana 21 | -------------------------------------------------------------------------------- /.envrc: -------------------------------------------------------------------------------- 1 | #shellcheck disable=SC2148,SC2155 2 | export KUBECONFIG="$(expand_path ./kubeconfig)" 3 | export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)" 4 | # Venv 5 | PATH_add "$(expand_path ./.venv/bin)" 6 | export VIRTUAL_ENV="$(expand_path ./.venv)" 7 | export PYTHONDONTWRITEBYTECODE="1" 8 | # Talos 9 | # Point to Talos client config generated in repo's talos directory 10 | export TALOSCONFIG="$(expand_path ./talos/clusterconfig/talosconfig)" 11 | # Bin 12 | PATH_add "$(expand_path ./.bin)" 13 | # Taskfile 14 | export TASK_X_ENV_PRECEDENCE=1 15 | export TASK_X_MAP_VARIABLES=0 16 | -------------------------------------------------------------------------------- /kubernetes/apps/media/flaresolverr/ks.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app flaresolverr 6 | namespace: &namespace media 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | path: ./kubernetes/apps/media/flaresolverr/app 13 | prune: true 14 | sourceRef: 15 | kind: GitRepository 16 | name: flux-system 17 | namespace: flux-system 18 | wait: false 19 | interval: 30m 20 | retryInterval: 1m 21 | timeout: 5m 22 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/unpoller/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: unpoller 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: unpoller-secret 13 | template: 14 | data: 15 | UP_UNIFI_DEFAULT_API_KEY: "{{ .UNIFI_API_KEY }}" 16 | dataFrom: 17 | - extract: 18 | key: unifi 19 | -------------------------------------------------------------------------------- /kubernetes/apps/network/external-dns/unifi/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: external-dns-unifi 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: external-dns-unifi-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | UNIFI_USER: "{{ .EXTERNAL_DNS_UNIFI_USER }}" 17 | UNIFI_PASS: "{{ .EXTERNAL_DNS_UNIFI_PASS }}" 18 | dataFrom: 19 | - extract: 20 | key: unifi 
21 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: prometheus-operator-crds 6 | spec: 7 | interval: 1h 8 | chart: 9 | spec: 10 | chart: prometheus-operator-crds 11 | version: 25.0.1 12 | sourceRef: 13 | kind: HelmRepository 14 | name: prometheus-community 15 | namespace: flux-system 16 | install: 17 | remediation: 18 | retries: 3 19 | upgrade: 20 | cleanupOnFail: true 21 | remediation: 22 | retries: 3 23 | -------------------------------------------------------------------------------- /.github/linters/.markdownlint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | default: true 3 | 4 | # MD013/line-length - Line length 5 | MD013: 6 | # Number of characters 7 | line_length: 240 8 | # Number of characters for headings 9 | heading_line_length: 80 10 | # Number of characters for code blocks 11 | code_block_line_length: 80 12 | # Include code blocks 13 | code_blocks: true 14 | # Include tables 15 | tables: true 16 | # Include headings 17 | headings: true 18 | # Include headings 19 | headers: true 20 | # Strict length checking 21 | strict: false 22 | # Stern length checking 23 | stern: false 24 | -------------------------------------------------------------------------------- /kubernetes/apps/media/recyclarr/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: recyclarr 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: recyclarr-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | 
RADARR_API_KEY: "{{ .RADARR_API_KEY }}" 17 | SONARR_API_KEY: "{{ .SONARR_API_KEY }}" 18 | dataFrom: 19 | - extract: 20 | key: radarr 21 | - extract: 22 | key: sonarr 23 | -------------------------------------------------------------------------------- /kubernetes/apps/network/external-dns/cloudflare/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: external-dns-cloudflare 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: external-dns-cloudflare-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | CF_ZONE_ID: "{{ .CLOUDFLARE_ZONE_ID }}" 17 | CF_API_TOKEN: "{{ .CLOUDFLARE_API_TOKEN }}" 18 | dataFrom: 19 | - extract: 20 | key: cloudflare 21 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/snapshot-controller/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app snapshot-controller 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: volsync-system 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | path: ./kubernetes/apps/volsync-system/snapshot-controller/app 13 | prune: true 14 | sourceRef: 15 | kind: GitRepository 16 | name: flux-system 17 | namespace: flux-system 18 | wait: true 19 | interval: 30m 20 | retryInterval: 1m 21 | timeout: 5m 22 | -------------------------------------------------------------------------------- /.github/workflows/label-sync.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: "Label Sync" 3 | 4 | on: 5 | workflow_dispatch: 6 | push: 7 | branches: ["main"] 8 | paths: [".github/labels.yaml"] 9 | 10 | jobs: 11 | 
label-sync: 12 | name: Label Sync 13 | runs-on: ubuntu-latest 14 | steps: 15 | - name: Checkout 16 | uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 17 | 18 | - name: Sync Labels 19 | uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2 20 | with: 21 | config-file: .github/labels.yaml 22 | delete-other-labels: true 23 | -------------------------------------------------------------------------------- /kubernetes/apps/external/minio/app/route.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: gateway.networking.k8s.io/v1 3 | kind: HTTPRoute 4 | metadata: 5 | name: &app minio 6 | namespace: external 7 | labels: 8 | app.kubernetes.io/name: *app 9 | app.kubernetes.io/instance: *app 10 | spec: 11 | parentRefs: 12 | - name: internal 13 | namespace: kube-system 14 | sectionName: https 15 | hostnames: 16 | - minio.juno.moe 17 | rules: 18 | - matches: 19 | - path: 20 | type: PathPrefix 21 | value: / 22 | backendRefs: 23 | - name: *app 24 | port: 443 25 | -------------------------------------------------------------------------------- /kubernetes/apps/media/unpackerr/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: unpackerr 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: unpackerr-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | UN_RADARR_0_API_KEY: "{{ .RADARR_API_KEY }}" 17 | UN_SONARR_0_API_KEY: "{{ .SONARR_API_KEY }}" 18 | dataFrom: 19 | - extract: 20 | key: radarr 21 | - extract: 22 | key: sonarr 23 | -------------------------------------------------------------------------------- /kubernetes/apps/external/truenas/app/route.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 
apiVersion: gateway.networking.k8s.io/v1 3 | kind: HTTPRoute 4 | metadata: 5 | name: &app truenas 6 | namespace: external 7 | labels: 8 | app.kubernetes.io/name: *app 9 | app.kubernetes.io/instance: *app 10 | spec: 11 | parentRefs: 12 | - name: internal 13 | namespace: kube-system 14 | sectionName: https 15 | hostnames: 16 | - truenas.juno.moe 17 | rules: 18 | - matches: 19 | - path: 20 | type: PathPrefix 21 | value: / 22 | backendRefs: 23 | - name: *app 24 | port: 443 25 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: kube-system 6 | components: 7 | - ../../components/common 8 | resources: 9 | - ./cilium/ks.yaml 10 | - ./coredns/ks.yaml 11 | - ./metrics-server/ks.yaml 12 | - ./reloader/ks.yaml 13 | - ./spegel/ks.yaml 14 | - ./external-secrets/ks.yaml 15 | - ./intel-device-plugin-operator/ks.yaml 16 | # - ./csi-driver-nfs/ks.yaml # Let's not deploy this for now, as it is not needed in the current setup. 
17 | -------------------------------------------------------------------------------- /talos/patches/controller/cluster.yaml: -------------------------------------------------------------------------------- 1 | cluster: 2 | allowSchedulingOnControlPlanes: true 3 | apiServer: 4 | extraArgs: 5 | # https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/ 6 | enable-aggregator-routing: true 7 | controllerManager: 8 | extraArgs:
# NOTE(review): 0.0.0.0 publishes the controller-manager serving port on every node interface (presumably so it can be scraped). Keep that port reachable only from the scrape network — host firewall or a host-level network policy — rather than the whole LAN.
9 | bind-address: 0.0.0.0 10 | coreDNS: 11 | disabled: true 12 | etcd: 13 | extraArgs:
# NOTE(review): plain-HTTP etcd metrics listener on all interfaces; /metrics and /health on 2381 answer without client authentication. Restrict reachability of 2381 the same way as the bind-address ports in this file.
14 | listen-metrics-urls: http://0.0.0.0:2381 15 | advertisedSubnets: 16 | - 192.168.69.0/24 17 | proxy: 18 | disabled: true 19 | scheduler: 20 | extraArgs:
# NOTE(review): same exposure as the controller-manager bind above — scope reachability, do not leave it open to the node network.
21 | bind-address: 0.0.0.0 22 | -------------------------------------------------------------------------------- /kubernetes/apps/default/minecraft/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://crd.movishell.pl/external-secrets.io/externalsecret_v1beta1.json
# NOTE(review): the schema hint above is the v1beta1 shape while apiVersion below is external-secrets.io/v1 — point the editor schema at v1 so validation matches what the cluster applies.
3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: &name minecraft-secret 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: *name 13 | creationPolicy: Owner 14 | template: 15 | engineVersion: v2 16 | data: 17 | RCON_PASSWORD: "{{ .RCON_PASSWORD }}" 18 | dataFrom: 19 | - extract: 20 | key: minecraft 21 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/prometheus-operator-crds/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app prometheus-operator-crds 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: observability 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | path: 
./kubernetes/apps/observability/prometheus-operator-crds/app 13 | prune: false # never should be deleted 14 | sourceRef: 15 | kind: GitRepository 16 | name: flux-system 17 | namespace: flux-system 18 | wait: false 19 | interval: 30m 20 | timeout: 5m 21 | -------------------------------------------------------------------------------- /kubernetes/apps/media/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: media 6 | components: 7 | - ../../components/common 8 | resources: 9 | - ./plex/ks.yaml 10 | - ./plex-music/ks.yaml 11 | - ./radarr/ks.yaml 12 | - ./sonarr/ks.yaml 13 | - ./sabnzbd/ks.yaml 14 | - ./prowlarr/ks.yaml 15 | - ./flaresolverr/ks.yaml 16 | - ./unpackerr/ks.yaml 17 | - ./recyclarr/ks.yaml 18 | - ./komga/ks.yaml 19 | - ./tautulli/ks.yaml 20 | - ./overseerr/ks.yaml 21 | - ./kapowarr/ks.yaml 22 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/karma/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app karma 6 | namespace: &namespace observability 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | dependsOn: 13 | - name: kube-prometheus-stack 14 | path: ./kubernetes/apps/observability/karma/app 15 | prune: true 16 | sourceRef: 17 | kind: GitRepository 18 | name: flux-system 19 | namespace: flux-system 20 | wait: true 21 | interval: 30m 22 | retryInterval: 1m 23 | timeout: 15m 24 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: observability 6 | components: 7 | - ../../components/common 8 | resources: 9 | - ./prometheus-operator-crds/ks.yaml 10 | - ./kube-prometheus-stack/ks.yaml 11 | - ./kromgo/ks.yaml 12 | - ./karma/ks.yaml 13 | - ./gatus/ks.yaml 14 | - ./grafana/ks.yaml 15 | - ./loki/ks.yaml 16 | - ./alloy/ks.yaml 17 | - ./keda/ks.yaml 18 | - ./blackbox-exporter/ks.yaml 19 | - ./unpoller/ks.yaml 20 | - ./silence-operator/ks.yaml 21 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/loki/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app loki 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: observability 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | dependsOn: 13 | - name: rook-ceph-cluster 14 | namespace: rook-ceph 15 | path: ./kubernetes/apps/observability/loki/app 16 | prune: true 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | wait: true 22 | interval: 30m 23 | retryInterval: 1m 24 | timeout: 5m 25 | -------------------------------------------------------------------------------- /kubernetes/apps/media/prowlarr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app prowlarr 6 | namespace: &namespace media 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | dependsOn: 13 | - name: external-secrets-stores 14 | namespace: kube-system 15 | path: 
./kubernetes/apps/media/prowlarr/app 16 | prune: true 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | wait: true 22 | interval: 30m 23 | retryInterval: 1m 24 | timeout: 5m 25 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/gatus/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app gatus 6 | namespace: &namespace observability 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | dependsOn: 13 | - name: external-secrets-stores 14 | namespace: kube-system 15 | path: ./kubernetes/apps/observability/gatus/app 16 | prune: true 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | wait: true 22 | interval: 30m 23 | retryInterval: 1m 24 | timeout: 5m 25 | -------------------------------------------------------------------------------- /kubernetes/components/volsync/r2/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: "${APP}-restic" 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: "${APP}-restic-secret" 12 | template: 13 | data: 14 | RESTIC_REPOSITORY: "{{ .REPOSITORY_TEMPLATE }}/${APP}" 15 | RESTIC_PASSWORD: "{{ .RESTIC_PASSWORD }}" 16 | AWS_ACCESS_KEY_ID: "{{ .AWS_ACCESS_KEY_ID }}" 17 | AWS_SECRET_ACCESS_KEY: "{{ .AWS_SECRET_ACCESS_KEY }}" 18 | dataFrom: 19 | - extract: 20 | key: volsync-restic-template 21 | -------------------------------------------------------------------------------- /kubernetes/apps/default/glance/ks.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app glance 6 | namespace: &namespace default 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | components: 12 | - ../../../../components/gatus 13 | interval: 1h 14 | path: ./kubernetes/apps/default/glance/app 15 | postBuild: 16 | substitute: 17 | APP: *app 18 | prune: true 19 | retryInterval: 2m 20 | sourceRef: 21 | kind: GitRepository 22 | name: flux-system 23 | namespace: flux-system 24 | targetNamespace: default 25 | timeout: 5m 26 | wait: false 27 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/grafana/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app grafana 6 | namespace: &namespace observability 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | dependsOn: 13 | - name: external-secrets-stores 14 | namespace: kube-system 15 | path: ./kubernetes/apps/observability/grafana/app 16 | prune: true 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | wait: true 22 | interval: 30m 23 | retryInterval: 1m 24 | timeout: 5m 25 | -------------------------------------------------------------------------------- /.github/workflows/invalid-template.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Invalid Template 3 | 4 | on: 5 | issues: 6 | types: 7 | - labeled 8 | - unlabeled 9 | - reopened 10 | 11 | jobs: 12 | support: 13 | runs-on: ubuntu-24.04 14 | steps: 15 | - uses: dessant/support-requests@47d5ea12f6c9e4a081637de9626b7319b415a3bf # v4 16 | with: 17 | github-token: ${{ github.token }} 18 
| support-label: "template-incomplete" 19 | issue-comment: > 20 | :wave: @{issue-author}, please follow the template provided. 21 | close-issue: true 22 | lock-issue: true 23 | issue-lock-reason: "resolved" 24 | -------------------------------------------------------------------------------- /kubernetes/apps/external/minio/app/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: &app minio 6 | namespace: external 7 | labels: 8 | app.kubernetes.io/name: *app 9 | app.kubernetes.io/instance: *app 10 | spec: 11 | type: ClusterIP 12 | ports: 13 | - port: 443 14 | protocol: TCP 15 | targetPort: 9001 16 | 17 | --- 18 | apiVersion: v1 19 | kind: Endpoints 20 | metadata: 21 | name: &app minio 22 | namespace: external 23 | labels: 24 | app.kubernetes.io/name: *app 25 | app.kubernetes.io/instance: *app 26 | subsets: 27 | - addresses: 28 | - ip: 192.168.3.3 29 | ports: 30 | - port: 9001 31 | -------------------------------------------------------------------------------- /kubernetes/apps/external/proxmox/app/route.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: gateway.networking.k8s.io/v1 3 | kind: HTTPRoute 4 | metadata: 5 | name: &app proxmox 6 | namespace: external 7 | labels: 8 | app.kubernetes.io/name: *app 9 | app.kubernetes.io/instance: *app 10 | annotations:
# NOTE(review): bare key with no value — YAML parses this as a string scalar for `annotations`, which must be a map, so the object will fail validation. Give the annotation a value, and confirm the gateway implementation honours it on HTTPRoute at all; if it is not honoured, the gateway will speak plaintext to the (presumably TLS-only) backend on 8006 below.
11 | ingress.cilium.io/ssl-passthrough 12 | spec: 13 | parentRefs: 14 | - name: internal 15 | namespace: kube-system 16 | sectionName: https 17 | hostnames: 18 | - pxm.juno.moe 19 | rules: 20 | - matches: 21 | - path: 22 | type: PathPrefix 23 | value: / 24 | backendRefs: 25 | - name: *app 26 | port: 8006 27 | -------------------------------------------------------------------------------- /kubernetes/apps/external/truenas/app/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
v1 3 | kind: Service 4 | metadata: 5 | name: &app truenas 6 | namespace: external 7 | labels: 8 | app.kubernetes.io/name: *app 9 | app.kubernetes.io/instance: *app 10 | spec: 11 | type: ClusterIP 12 | ports: 13 | - port: 443 14 | protocol: TCP 15 | targetPort: 80 16 | 17 | --- 18 | apiVersion: v1 19 | kind: Endpoints 20 | metadata: 21 | name: &app truenas 22 | namespace: external 23 | labels: 24 | app.kubernetes.io/name: *app 25 | app.kubernetes.io/instance: *app 26 | subsets: 27 | - addresses: 28 | - ip: 192.168.69.69 29 | ports: 30 | - port: 80 31 | -------------------------------------------------------------------------------- /kubernetes/apps/external/proxmox/app/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: &app proxmox 6 | namespace: external 7 | labels: 8 | app.kubernetes.io/name: *app 9 | app.kubernetes.io/instance: *app 10 | spec: 11 | type: ClusterIP 12 | ports: 13 | - port: 8006 14 | protocol: TCP 15 | targetPort: 8006 16 | 17 | --- 18 | apiVersion: v1 19 | kind: Endpoints 20 | metadata: 21 | name: &app proxmox 22 | namespace: external 23 | labels: 24 | app.kubernetes.io/name: *app 25 | app.kubernetes.io/instance: *app 26 | subsets: 27 | - addresses: 28 | - ip: 192.168.69.80 29 | ports: 30 | - port: 8006 31 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app volsync 7 | namespace: &namespace volsync-system 8 | spec: 9 | targetNamespace: *namespace 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | path: 
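./kubernetes/apps/volsync-system/volsync/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | wait: false 20 | interval: 30m 21 | timeout: 5m 22 | -------------------------------------------------------------------------------- /scripts/find_mistakes.py: --------------------------------------------------------------------------------
"""Report YAML paths listed in any kustomization.yaml that do not exist on disk.

The previous version built a shell pipeline with the kustomization path
interpolated into an f-string under ``shell=True``; a path containing shell
metacharacters would have been executed rather than read. Paths are now read
with pathlib and the only external command (``fd``) is invoked without a shell.
"""

import re
import subprocess
import pathlib

# Same pattern the former `grep y.ml` used: "y", any single character, "ml" —
# so both ".yaml" and ".yml" references match.
_YAML_REF = re.compile(r"y.ml")


def _kustomization_files():
    """List every kustomization.yaml under the working directory using `fd`.

    Arguments are passed as a list, so nothing is re-parsed by /bin/sh.
    Raises CalledProcessError if `fd` exits non-zero and FileNotFoundError
    if it is not installed (the old version silently printed nothing then).
    """
    result = subprocess.run(
        ["fd", "kustomization.yaml"], stdout=subprocess.PIPE, check=True
    )
    return [line for line in result.stdout.decode().split("\n") if line]


def _referenced_entries(kustomization):
    """Return the lines of `kustomization` that reference a YAML file.

    Mirrors the former `grep y.ml | grep -v '#' | grep -v http` filter: keep
    lines mentioning a YAML file, drop any line containing '#' or 'http'.
    """
    entries = []
    for line in kustomization.read_text(encoding="utf-8").split("\n"):
        if not line:
            continue
        if _YAML_REF.search(line) and "#" not in line and "http" not in line:
            entries.append(line)
    return entries


def _entry_to_path(base_dir, entry):
    """Turn a list entry such as `  - ./plex/ks.yaml` into a path under base_dir.

    Only a leading list marker is removed; pathlib drops a leading "./" and
    leaves ".." for the filesystem to resolve (the old replace('./', '')
    mangled "../../x" into "..x").
    """
    rel = entry.strip()
    if rel.startswith("-"):
        rel = rel[1:].strip()
    return base_dir / rel


def main():
    """Print every referenced path that does not exist, one per line."""
    for file_ in _kustomization_files():
        kustomization = pathlib.Path(file_)
        # directory that the entries are relative to
        abs_path = kustomization.absolute().parents[0]
        for entry in _referenced_entries(kustomization):
            thefile = _entry_to_path(abs_path, entry)
            if not thefile.exists():
                print(str(thefile))


if __name__ == "__main__":
    main()
-------------------------------------------------------------------------------- /kubernetes/apps/security/authentik/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app authentik 7 | namespace: &namespace security 8 | spec: 9 | targetNamespace: *namespace 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | path: ./kubernetes/apps/security/authentik/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | wait: false 20 | interval: 30m 21 | retryInterval: 1m 22 | timeout: 5m 23 | -------------------------------------------------------------------------------- 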
/kubernetes/apps/observability/gatus/app/rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: gatus 6 | namespace: observability 7 | --- 8 | apiVersion: rbac.authorization.k8s.io/v1 9 | kind: ClusterRole 10 | metadata: 11 | name: gatus 12 | rules: 13 | - apiGroups: [""]
# NOTE(review): get/list/watch on every Secret in the cluster — a compromise of the gatus pod would read all cluster credentials. If gatus only loads config from its own namespace, replace this with a Role/RoleBinding in observability; if it genuinely needs cross-namespace reads, keep configmaps here and grant secrets per namespace.
14 | resources: ["configmaps", "secrets"] 15 | verbs: ["get", "watch", "list"] 16 | --- 17 | apiVersion: rbac.authorization.k8s.io/v1 18 | kind: ClusterRoleBinding 19 | metadata: 20 | name: gatus 21 | roleRef: 22 | kind: ClusterRole 23 | name: gatus 24 | apiGroup: rbac.authorization.k8s.io 25 | subjects: 26 | - kind: ServiceAccount 27 | name: gatus 28 | namespace: observability 29 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/clusterissuer.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cert-manager.io/clusterissuer_v1.json 3 | apiVersion: cert-manager.io/v1 4 | kind: ClusterIssuer 5 | metadata: 6 | name: letsencrypt-production 7 | spec: 8 | acme: 9 | server: https://acme-v02.api.letsencrypt.org/directory 10 | privateKeySecretRef: 11 | name: letsencrypt-production 12 | solvers: 13 | - dns01: 14 | cloudflare: 15 | apiTokenSecretRef: 16 | name: cert-manager-secret 17 | key: api-token 18 | selector: 19 | dnsZones: ["${SECRET_DOMAIN}"] 20 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-instance/app/httproute.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://github.com/datreeio/CRDs-catalog/raw/refs/heads/main/gateway.networking.k8s.io/httproute_v1.json 3 | apiVersion: gateway.networking.k8s.io/v1 4 | kind: 
HTTPRoute 5 | metadata: 6 | name: github-webhook 7 | spec: 8 | hostnames: ["flux-webhook.juno.moe"] 9 | parentRefs: 10 | - name: external 11 | namespace: kube-system 12 | sectionName: https 13 | rules: 14 | - backendRefs: 15 | - name: webhook-receiver 16 | namespace: flux-system 17 | port: 80 18 | matches: 19 | - path: 20 | type: PathPrefix 21 | value: /hook/ 22 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/unpoller/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app unpoller 7 | namespace: &namespace observability 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | interval: 1h 13 | path: ./kubernetes/apps/observability/unpoller/app 14 | prune: true 15 | retryInterval: 2m 16 | sourceRef: 17 | kind: GitRepository 18 | name: flux-system 19 | namespace: flux-system 20 | targetNamespace: *namespace 21 | timeout: 5m 22 | wait: false 23 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/external-secrets/stores/onepassword/clustersecretstore.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/axeII/crds/main/clustersecretstore_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ClusterSecretStore 5 | metadata: 6 | name: onepassword-connect 7 | namespace: kube-system 8 | spec: 9 | provider: 10 | onepassword:
# NOTE(review): plain-HTTP connection to the Connect server — the Connect token and every fetched secret cross the pod network unencrypted unless transparent encryption (e.g. the CNI's WireGuard/IPsec mode) is enabled. Confirm that is the case, or terminate TLS on the Connect service and switch this to https.
11 | connectHost: http://onepassword-connect.kube-system.svc.cluster.local 12 | vaults: 13 | home-ops: 1 14 | auth: 15 | secretRef: 16 | connectTokenSecretRef: 17 | name: onepassword-connect-secret 18 | key: token 19 | 
namespace: kube-system 20 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/csi-driver-nfs/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app csi-driver-nfs 7 | namespace: &namespace kube-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | interval: 1h 13 | path: ./kubernetes/apps/kube-system/csi-driver-nfs/app 14 | prune: true 15 | retryInterval: 2m 16 | sourceRef: 17 | kind: GitRepository 18 | name: flux-system 19 | namespace: flux-system 20 | targetNamespace: *namespace 21 | timeout: 5m 22 | wait: false 23 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-instance/app/receiver.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/receiver-notification-v1.json 3 | apiVersion: notification.toolkit.fluxcd.io/v1 4 | kind: Receiver 5 | metadata: 6 | name: github-webhook 7 | spec: 8 | type: github 9 | events: ["ping", "push"]
# The token in this Secret is what the receiver uses to verify the signature on inbound GitHub deliveries; it must match the secret configured on the GitHub webhook and be rotated together with it.
10 | secretRef: 11 | name: github-webhook-token-secret 12 | resources: 13 | - apiVersion: source.toolkit.fluxcd.io/v1 14 | kind: GitRepository 15 | name: flux-system 16 | namespace: flux-system 17 | - apiVersion: kustomize.toolkit.fluxcd.io/v1 18 | kind: Kustomization 19 | name: flux-system 20 | namespace: flux-system 21 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/blackbox-exporter/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app blackbox-exporter 7 | namespace: &namespace observability 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | interval: 1h 13 | path: ./kubernetes/apps/observability/blackbox-exporter/app 14 | prune: true 15 | retryInterval: 2m 16 | sourceRef: 17 | kind: GitRepository 18 | name: flux-system 19 | namespace: flux-system 20 | targetNamespace: *namespace 21 | timeout: 5m 22 | wait: false 23 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/kromgo/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app kromgo 6 | namespace: &namespace observability 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | components: 13 | - ../../../../components/gatus 14 | path: ./kubernetes/apps/observability/kromgo/app 15 | postBuild: 16 | substitute: 17 | APP: *app 18 | GATUS_PATH: /talos_version 19 | prune: true 20 | sourceRef: 21 | kind: GitRepository 22 | name: flux-system 23 | namespace: flux-system 24 | wait: true 25 | interval: 30m 26 | retryInterval: 1m 27 | timeout: 5m 28 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/silence-operator/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: silence-operator 7 | spec: 8 | interval: 1h 9 | chartRef: 10 | kind: OCIRepository 11 | 
name: silence-operator 12 | install: 13 | remediation: 14 | retries: -1 15 | upgrade: 16 | cleanupOnFail: true 17 | remediation: 18 | retries: 3 19 | values: 20 | alertmanagerAddress: http://kube-prometheus-stack-alertmanager:9093 21 | image: 22 | registry: gsoci.azurecr.io 23 | networkPolicy: 24 | enabled: false 25 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/snapshot-controller/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: snapshot-controller 6 | spec: 7 | interval: 1h 8 | chart: 9 | spec: 10 | chart: snapshot-controller 11 | version: 4.2.0 12 | sourceRef: 13 | kind: HelmRepository 14 | name: piraeus 15 | namespace: flux-system 16 | install: 17 | crds: CreateReplace 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | crds: CreateReplace 23 | remediation: 24 | strategy: rollback 25 | retries: 3 26 | values: 27 | controller: 28 | serviceMonitor: 29 | create: true 30 | -------------------------------------------------------------------------------- /kubernetes/apps/external/minio/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: external-minio 7 | namespace: external 8 | spec: 9 | dependsOn: 10 | - name: cilium-gateway 11 | namespace: kube-system 12 | path: ./kubernetes/apps/external/minio/app 13 | prune: true 14 | sourceRef: 15 | kind: GitRepository 16 | name: flux-system 17 | namespace: flux-system 18 | healthChecks: 19 | - apiVersion: v1 20 | kind: Service 21 | name: minio 22 | namespace: external 23 | interval: 30m 24 | retryInterval: 1m 25 | timeout: 3m 26 
| -------------------------------------------------------------------------------- /kubernetes/apps/media/plex-music/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app plex-music 6 | namespace: &namespace media 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | components: 13 | - ../../../../components/gatus 14 | interval: 1h 15 | path: ./kubernetes/apps/media/plex-music/app 16 | postBuild: 17 | substitute: 18 | APP: *app 19 | GATUS_SUBDOMAIN: music 20 | # GATUS_PATH: /identity 21 | prune: true 22 | retryInterval: 2m 23 | sourceRef: 24 | kind: GitRepository 25 | name: flux-system 26 | namespace: flux-system 27 | timeout: 5m 28 | wait: true 29 | -------------------------------------------------------------------------------- /kubernetes/apps/media/kapowarr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app kapowarr 6 | namespace: &namespace media 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | components: 13 | - ../../../../components/volsync 14 | dependsOn: 15 | - name: volsync 16 | namespace: volsync-system 17 | interval: 1h 18 | path: ./kubernetes/apps/media/kapowarr/app 19 | postBuild: 20 | substitute: 21 | APP: *app 22 | prune: true 23 | retryInterval: 2m 24 | sourceRef: 25 | kind: GitRepository 26 | name: flux-system 27 | namespace: flux-system 28 | timeout: 5m 29 | wait: true 30 | -------------------------------------------------------------------------------- /kubernetes/apps/media/recyclarr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: 
Kustomization 4 | metadata: 5 | name: &app recyclarr 6 | namespace: &namespace media 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | dependsOn: 13 | - name: sonarr 14 | namespace: media 15 | - name: radarr 16 | namespace: media 17 | - name: external-secrets-stores 18 | namespace: kube-system 19 | path: ./kubernetes/apps/media/recyclarr/app 20 | prune: true 21 | sourceRef: 22 | kind: GitRepository 23 | name: flux-system 24 | namespace: flux-system 25 | wait: true 26 | interval: 30m 27 | retryInterval: 1m 28 | timeout: 5m 29 | -------------------------------------------------------------------------------- /kubernetes/apps/external/proxmox/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: external-proxmox 7 | namespace: external 8 | spec: 9 | dependsOn: 10 | - name: cilium-gateway 11 | namespace: kube-system 12 | path: ./kubernetes/apps/external/proxmox/app 13 | prune: true 14 | sourceRef: 15 | kind: GitRepository 16 | name: flux-system 17 | namespace: flux-system 18 | healthChecks: 19 | - apiVersion: v1 20 | kind: Service 21 | name: proxmox 22 | namespace: external 23 | interval: 30m 24 | retryInterval: 1m 25 | timeout: 3m 26 | -------------------------------------------------------------------------------- /kubernetes/apps/external/truenas/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: external-truenas 7 | namespace: external 8 | spec: 9 | dependsOn: 10 | - name: 
cilium-gateway 11 | namespace: kube-system 12 | path: ./kubernetes/apps/external/truenas/app 13 | prune: true 14 | sourceRef: 15 | kind: GitRepository 16 | name: flux-system 17 | namespace: flux-system 18 | healthChecks: 19 | - apiVersion: v1 20 | kind: Service 21 | name: truenas 22 | namespace: external 23 | interval: 30m 24 | retryInterval: 1m 25 | timeout: 3m 26 | -------------------------------------------------------------------------------- /.taskfiles/volsync/resources/replicationdestination.yaml.j2: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationDestination 4 | metadata: 5 | name: {{ ENV.APP }}-manual 6 | namespace: {{ ENV.NS }} 7 | spec: 8 | trigger: 9 | manual: restore-once 10 | restic: 11 | repository: {{ ENV.APP }}-restic-secret 12 | destinationPVC: {{ ENV.CLAIM }} 13 | copyMethod: Direct 14 | storageClassName: {{ ENV.STORAGE_CLASS_NAME }} 15 | accessModes: {{ ENV.ACCESS_MODES }} 16 | previous: {{ ENV.PREVIOUS }} 17 | moverSecurityContext: 18 | runAsUser: {{ ENV.PUID }} 19 | runAsGroup: {{ ENV.PGID }} 20 | fsGroup: {{ ENV.PGID }} 21 | enableFileDeletion: true 22 | cleanupCachePVC: true 23 | cleanupTempPVC: true 24 | -------------------------------------------------------------------------------- /kubernetes/components/keda/nfs-scaler/scaledobject.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/keda.sh/scaledobject_v1alpha1.json 3 | apiVersion: keda.sh/v1alpha1 4 | kind: ScaledObject 5 | metadata: 6 | name: ${APP} 7 | spec: 8 | advanced: 9 | restoreToOriginalReplicaCount: true 10 | cooldownPeriod: 0 11 | minReplicaCount: 0 12 | maxReplicaCount: 1 13 | scaleTargetRef: 14 | apiVersion: apps/v1 15 | kind: Deployment 16 | name: ${APP} 17 | triggers: 18 | - type: prometheus 19 | metadata: 20 | serverAddress: 
http://prometheus-operated.observability.svc.cluster.local:9090 21 | query: probe_success{instance=~".+:2049"} 22 | threshold: "1" 23 | ignoreNullValues: "0" 24 | -------------------------------------------------------------------------------- /.github/workflows/kubeconform.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: "Kubeconform" 3 | 4 | on: 5 | pull_request: 6 | branches: ["main"] 7 | paths: ["kubernetes/**"] 8 | 9 | env: 10 | KUBERNETES_DIR: ./kubernetes 11 | 12 | jobs: 13 | kubeconform: 14 | name: Kubeconform 15 | runs-on: ubuntu-latest 16 | steps: 17 | - name: Checkout 18 | uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 19 | 20 | - name: Setup Homebrew 21 | uses: Homebrew/actions/setup-homebrew@master 22 | 23 | - name: Setup Workflow Tools 24 | run: brew install fluxcd/tap/flux kubeconform kustomize 25 | 26 | - name: Run kubeconform 27 | shell: bash 28 | run: .taskfiles/scripts/kubeconform.sh ${{ env.KUBERNETES_DIR }} 29 | -------------------------------------------------------------------------------- /kubernetes/apps/media/unpackerr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app unpackerr 6 | namespace: &namespace media 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | components: 13 | - ../../../../components/keda/nfs-scaler 14 | dependsOn: 15 | - name: external-secrets-stores 16 | namespace: kube-system 17 | path: ./kubernetes/apps/media/unpackerr/app 18 | postBuild: 19 | substitute: 20 | APP: *app 21 | prune: true 22 | sourceRef: 23 | kind: GitRepository 24 | name: flux-system 25 | namespace: flux-system 26 | wait: true 27 | interval: 30m 28 | retryInterval: 1m 29 | timeout: 5m 30 | -------------------------------------------------------------------------------- 
/kubernetes/apps/network/cloudflare-tunnel/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: cloudflared 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: cloudflare-tunnel-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | CLOUDFLARE_TUNNEL_ID: "{{ .CLOUDFLARE_TUNNEL_ID }}" 17 | credentials.json: | 18 | { 19 | "AccountTag": "{{ .CLOUDFLARE_ACCOUNT_ID }}", 20 | "TunnelID": "{{ .CLOUDFLARE_TUNNEL_ID }}", 21 | "TunnelSecret": "{{ .CLOUDFLARE_TUNNEL_SECRET }}" 22 | } 23 | dataFrom: 24 | - extract: 25 | key: cloudflare 26 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/karma/app/resources/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | alertmanager: 3 | interval: 1m 4 | servers: 5 | - name: home 6 | uri: http://alertmanager-operated.observability.svc.cluster.local:9093 7 | timeout: 10s 8 | proxy: true 9 | healthcheck: 10 | visible: false 11 | filters: 12 | main: 13 | - alertname=Watchdog 14 | - prometheus=observability/kube-prometheus-stack 15 | # networking: # FIXME: this is not working 16 | # - alertname=Watchdog 17 | # - prometheus=observability/kube-prometheus-stack 18 | 19 | alertAcknowledgement: 20 | enabled: true 21 | 22 | filters: 23 | default: 24 | - "@state!=suppressed" 25 | - "@receiver!=observability/alertmanager/heartbeat" 26 | -------------------------------------------------------------------------------- /kubernetes/apps/default/minecraft/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app minecraft 6 | namespace: &namespace default 7 | 
spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | components: 13 | - ../../../../components/volsync 14 | dependsOn: 15 | - name: rook-ceph-cluster 16 | namespace: rook-ceph 17 | interval: 1h 18 | path: ./kubernetes/apps/default/minecraft/app 19 | postBuild: 20 | substitute: 21 | APP: *app 22 | VOLSYNC_CAPACITY: 20Gi 23 | prune: true 24 | retryInterval: 2m 25 | sourceRef: 26 | kind: GitRepository 27 | name: flux-system 28 | namespace: flux-system 29 | timeout: 5m 30 | wait: true 31 | -------------------------------------------------------------------------------- /talos/patches/README.md: -------------------------------------------------------------------------------- 1 | # Talos Patching 2 | 3 | This directory contains Kustomization patches that are added to the talhelper configuration file. 4 | 5 | 6 | 7 | ## Patch Directories 8 | 9 | Under this `patches` directory, there are several sub-directories that can contain patches that are added to the talhelper configuration file. 10 | Each directory is optional and therefore might not be created by default. 
11 | 12 | - `global/`: patches that are applied to both the controller and worker configurations 13 | - `controller/`: patches that are applied to the controller configurations 14 | - `worker/`: patches that are applied to the worker configurations 15 | - `${node-hostname}/`: patches that are applied to the node with the specified name 16 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/keda/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app keda 7 | namespace: &namespace observability 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | healthChecks: 13 | - apiVersion: helm.toolkit.fluxcd.io/v2 14 | kind: HelmRelease 15 | name: *app 16 | namespace: *namespace 17 | interval: 1h 18 | path: ./kubernetes/apps/observability/keda/app 19 | prune: true 20 | retryInterval: 2m 21 | sourceRef: 22 | kind: GitRepository 23 | name: flux-system 24 | namespace: flux-system 25 | targetNamespace: *namespace 26 | timeout: 5m 27 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/kube-prometheus-stack/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app kube-prometheus-stack 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: observability 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | dependsOn: 14 | - name: external-secrets-stores 15 | namespace: kube-system 16 | path: 
./kubernetes/apps/observability/kube-prometheus-stack/app 17 | prune: true 18 | sourceRef: 19 | kind: GitRepository 20 | name: flux-system 21 | namespace: flux-system 22 | wait: false 23 | interval: 30m 24 | retryInterval: 1m 25 | timeout: 15m 26 | -------------------------------------------------------------------------------- /kubernetes/apps/database/dragonfly/cluster/cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/dragonflydb.io/dragonfly_v1alpha1.json 3 | apiVersion: dragonflydb.io/v1alpha1 4 | kind: Dragonfly 5 | metadata: 6 | name: dragonfly 7 | spec: 8 | image: ghcr.io/dragonflydb/dragonfly:v1.35.1@sha256:af7f7f1143269c7ffe4128451dff8f8fc09e157d885abcc9bafeec832d2928e6 9 | replicas: 1 10 | env: 11 | - name: MAX_MEMORY 12 | valueFrom: 13 | resourceFieldRef: 14 | resource: limits.memory 15 | divisor: 1Mi 16 | args: 17 | - --maxmemory=$(MAX_MEMORY)Mi 18 | - --proactor_threads=1 19 | - --cluster_mode=emulated 20 | - --default_lua_flags=allow-undeclared-keys 21 | resources: 22 | requests: 23 | cpu: 100m 24 | limits: 25 | memory: 256Mi 26 | -------------------------------------------------------------------------------- /kubernetes/apps/media/radarr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app radarr 6 | namespace: &namespace media 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | components: 13 | - ../../../../components/keda/nfs-scaler 14 | dependsOn: 15 | - name: rook-ceph-cluster 16 | namespace: rook-ceph 17 | - name: external-secrets-stores 18 | namespace: kube-system 19 | path: ./kubernetes/apps/media/radarr/app 20 | postBuild: 21 | substitute: 22 | APP: *app 23 | prune: true 24 | sourceRef: 25 | kind: GitRepository 26 
| name: flux-system 27 | namespace: flux-system 28 | wait: true 29 | interval: 30m 30 | retryInterval: 1m 31 | timeout: 5m 32 | -------------------------------------------------------------------------------- /kubernetes/apps/media/sonarr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app sonarr 6 | namespace: &namespace media 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | components: 13 | - ../../../../components/keda/nfs-scaler 14 | dependsOn: 15 | - name: rook-ceph-cluster 16 | namespace: rook-ceph 17 | - name: external-secrets-stores 18 | namespace: kube-system 19 | path: ./kubernetes/apps/media/sonarr/app 20 | postBuild: 21 | substitute: 22 | APP: *app 23 | prune: true 24 | sourceRef: 25 | kind: GitRepository 26 | name: flux-system 27 | namespace: flux-system 28 | wait: true 29 | interval: 30m 30 | retryInterval: 1m 31 | timeout: 5m 32 | -------------------------------------------------------------------------------- /kubernetes/apps/default/affine/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app affine 6 | namespace: &namespace default 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | components: 12 | - ../../../../components/volsync 13 | dependsOn: 14 | - name: rook-ceph-cluster 15 | namespace: flux-system 16 | - name: volsync 17 | namespace: flux-system 18 | interval: 1h 19 | path: ./kubernetes/apps/default/affine/app 20 | postBuild: 21 | substitute: 22 | APP: *app 23 | VOLSYNC_CAPACITY: 2Gi 24 | prune: true 25 | retryInterval: 2m 26 | sourceRef: 27 | kind: GitRepository 28 | name: flux-system 29 | namespace: flux-system 30 | targetNamespace: default 31 | timeout: 5m 32 
| wait: true 33 | -------------------------------------------------------------------------------- /kubernetes/apps/media/tautulli/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app tautulli 6 | namespace: &namespace media 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | components: 13 | - ../../../../components/volsync 14 | dependsOn: 15 | - name: rook-ceph-cluster 16 | namespace: rook-ceph 17 | - name: volsync 18 | namespace: volsync-system 19 | interval: 1h 20 | path: ./kubernetes/apps/media/tautulli/app 21 | postBuild: 22 | substitute: 23 | APP: *app 24 | VOLSYNC_CAPACITY: 5Gi 25 | prune: true 26 | retryInterval: 2m 27 | sourceRef: 28 | kind: GitRepository 29 | name: flux-system 30 | namespace: flux-system 31 | timeout: 5m 32 | wait: true 33 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/kube-prometheus-stack/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: alertmanager 7 | spec: 8 | refreshInterval: 5m 9 | secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: onepassword-connect 12 | target: 13 | name: alertmanager-secret 14 | template: 15 | engineVersion: v2 16 | data: 17 | ALERTMANAGER_HEARTBEAT_URL: "{{ .ALERTMANAGER_HEARTBEAT_URL }}" 18 | ALERTMANAGER_PUSHOVER_TOKEN: "{{ .ALERTMANAGER_PUSHOVER_TOKEN }}" 19 | PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}" 20 | dataFrom: 21 | - extract: 22 | key: pushover 23 | - extract: 24 | key: alertmanager 25 | 
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/app/networks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://datreeio.github.io/CRDs-catalog/cilium.io/ciliumloadbalancerippool_v2alpha1.json 3 | apiVersion: cilium.io/v2alpha1 4 | kind: CiliumLoadBalancerIPPool 5 | metadata: 6 | name: pool 7 | spec: 8 | allowFirstLastIPs: "No" 9 | blocks: 10 | - cidr: "192.168.69.0/24" 11 | --- 12 | # yaml-language-server: $schema=https://datreeio.github.io/CRDs-catalog/cilium.io/ciliuml2announcementpolicy_v2alpha1.json 13 | apiVersion: cilium.io/v2alpha1 14 | kind: CiliumL2AnnouncementPolicy 15 | metadata: 16 | name: l2-policy 17 | spec: 18 | loadBalancerIPs: true 19 | # NOTE: interfaces might need to be set if you have more than one active NIC on your hosts 20 | # interfaces: 21 | # - ^eno[0-9]+ 22 | # - ^eth[0-9]+ 23 | nodeSelector: 24 | matchLabels: 25 | kubernetes.io/os: linux 26 | -------------------------------------------------------------------------------- /kubernetes/apps/media/komga/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://lds-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app komga 7 | namespace: &namespace media 8 | spec: 9 | targetNamespace: *namespace 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | components: 14 | - ../../../../components/volsync 15 | - ../../../../components/keda/nfs-scaler 16 | path: ./kubernetes/apps/media/komga/app 17 | postBuild: 18 | substitute: 19 | APP: *app 20 | VOLSYNC_CAPACITY: 1Gi 21 | prune: true 22 | sourceRef: 23 | kind: GitRepository 24 | name: flux-system 25 | namespace: flux-system 26 | wait: false # no flux ks dependents 27 | interval: 
30m 28 | retryInterval: 1m 29 | timeout: 5m 30 | -------------------------------------------------------------------------------- /kubernetes/apps/default/karakeep/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app karakeep 6 | namespace: &namespace default 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | components: 13 | - ../../../../components/volsync 14 | - ../../../../components/gatus 15 | dependsOn: 16 | - name: rook-ceph-cluster 17 | namespace: rook-ceph 18 | - name: volsync 19 | namespace: volsync-system 20 | interval: 1h 21 | path: ./kubernetes/apps/default/karakeep/app 22 | postBuild: 23 | substitute: 24 | APP: *app 25 | VOLSYNC_CAPACITY: 1Gi 26 | prune: true 27 | retryInterval: 2m 28 | sourceRef: 29 | kind: GitRepository 30 | name: flux-system 31 | namespace: flux-system 32 | timeout: 5m 33 | wait: true 34 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app spegel 7 | namespace: &namespace kube-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | decryption: 13 | provider: sops 14 | secretRef: 15 | name: sops-age 16 | interval: 1h 17 | path: ./kubernetes/apps/kube-system/spegel/app 18 | postBuild: 19 | substituteFrom: 20 | - name: cluster-secrets 21 | kind: Secret 22 | prune: true 23 | retryInterval: 2m 24 | sourceRef: 25 | kind: GitRepository 26 | name: flux-system 27 | namespace: flux-system 28 | targetNamespace: 
*namespace 29 | timeout: 5m 30 | wait: false 31 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app coredns 7 | namespace: &namespace kube-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | decryption: 13 | provider: sops 14 | secretRef: 15 | name: sops-age 16 | interval: 1h 17 | path: ./kubernetes/apps/kube-system/coredns/app 18 | postBuild: 19 | substituteFrom: 20 | - name: cluster-secrets 21 | kind: Secret 22 | prune: true 23 | retryInterval: 2m 24 | sourceRef: 25 | kind: GitRepository 26 | name: flux-system 27 | namespace: flux-system 28 | targetNamespace: *namespace 29 | timeout: 5m 30 | wait: false 31 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/reloader/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app reloader 7 | namespace: &namespace kube-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | decryption: 13 | provider: sops 14 | secretRef: 15 | name: sops-age 16 | interval: 1h 17 | path: ./kubernetes/apps/kube-system/reloader/app 18 | postBuild: 19 | substituteFrom: 20 | - name: cluster-secrets 21 | kind: Secret 22 | prune: true 23 | retryInterval: 2m 24 | sourceRef: 25 | kind: GitRepository 26 | name: flux-system 27 | namespace: flux-system 
28 | targetNamespace: *namespace 29 | timeout: 5m 30 | wait: false 31 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/blackbox-exporter/app/probes.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/probe_v1.json 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: Probe 5 | metadata: 6 | name: devices 7 | spec: 8 | module: icmp 9 | prober: 10 | url: blackbox-exporter.observability.svc.cluster.local:9115 11 | targets: 12 | staticConfig: 13 | static: 14 | - nas.internal 15 | - db.internal 16 | --- 17 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/probe_v1.json 18 | apiVersion: monitoring.coreos.com/v1 19 | kind: Probe 20 | metadata: 21 | name: nfs 22 | spec: 23 | module: tcp_connect 24 | prober: 25 | url: blackbox-exporter.observability.svc.cluster.local:9115 26 | targets: 27 | staticConfig: 28 | static: 29 | - nas.internal:2049 30 | -------------------------------------------------------------------------------- /.github/workflows/support.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: "Support requests" 3 | 4 | on: 5 | issues: 6 | types: 7 | - labeled 8 | - unlabeled 9 | - reopened 10 | 11 | jobs: 12 | support: 13 | runs-on: ubuntu-24.04 14 | steps: 15 | - uses: dessant/support-requests@47d5ea12f6c9e4a081637de9626b7319b415a3bf # v4 16 | with: 17 | github-token: ${{ secrets.GITHUB_TOKEN }} 18 | support-label: "support" 19 | issue-comment: > 20 | :wave: @{issue-author}, we use the issue tracker exclusively 21 | for bug reports and feature requests. However, this issue appears 22 | to be a support request. Please use our support channels 23 | to get help with. 
24 | - [Discord](https://discord.gg/sTMX7Vh) 25 | close-issue: true 26 | lock-issue: false 27 | issue-lock-reason: "off-topic" 28 | -------------------------------------------------------------------------------- /kubernetes/apps/network/cloudflare-tunnel/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app cloudflare-tunnel 7 | namespace: &namespace network 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | decryption: 13 | provider: sops 14 | secretRef: 15 | name: sops-age 16 | interval: 1h 17 | path: ./kubernetes/apps/network/cloudflare-tunnel 18 | postBuild: 19 | substituteFrom: 20 | - name: cluster-secrets 21 | kind: Secret 22 | prune: true 23 | retryInterval: 2m 24 | sourceRef: 25 | kind: GitRepository 26 | name: flux-system 27 | namespace: flux-system 28 | targetNamespace: *namespace 29 | timeout: 5m 30 | wait: false 31 | -------------------------------------------------------------------------------- /kubernetes/apps/default/atuin/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app atuin 7 | namespace: &namespace default 8 | spec: 9 | targetNamespace: default 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | components: 14 | - ../../../../components/gatus 15 | dependsOn: 16 | - name: external-secrets-stores 17 | namespace: kube-system 18 | path: ./kubernetes/apps/default/atuin/app 19 | postBuild: 20 | substitute: 21 | APP: *app 22 | GATUS_SUBDOMAIN: sh 23 | 
prune: true 24 | sourceRef: 25 | kind: GitRepository 26 | name: flux-system 27 | namespace: flux-system 28 | wait: false 29 | interval: 30m 30 | retryInterval: 1m 31 | timeout: 5m 32 | -------------------------------------------------------------------------------- /kubernetes/apps/default/docmost/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app docmost 6 | namespace: &namespace default 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | components: 12 | - ../../../../components/volsync 13 | - ../../../../components/gatus 14 | dependsOn: 15 | - name: rook-ceph-cluster 16 | namespace: rook-ceph 17 | - name: volsync 18 | namespace: volsync-system 19 | interval: 1h 20 | path: ./kubernetes/apps/default/docmost/app 21 | postBuild: 22 | substitute: 23 | APP: *app 24 | GATUS_SUBDOMAIN: nt 25 | VOLSYNC_CAPACITY: 1Gi 26 | prune: true 27 | retryInterval: 2m 28 | sourceRef: 29 | kind: GitRepository 30 | name: flux-system 31 | namespace: flux-system 32 | targetNamespace: default 33 | timeout: 5m 34 | wait: true 35 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/metrics-server/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app metrics-server 7 | namespace: &namespace kube-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | decryption: 13 | provider: sops 14 | secretRef: 15 | name: sops-age 16 | interval: 1h 17 | path: ./kubernetes/apps/kube-system/metrics-server/app 18 | postBuild: 19 | substituteFrom: 20 | - name: 
cluster-secrets 21 | kind: Secret 22 | prune: true 23 | retryInterval: 2m 24 | sourceRef: 25 | kind: GitRepository 26 | name: flux-system 27 | namespace: flux-system 28 | targetNamespace: *namespace 29 | timeout: 5m 30 | wait: false 31 | -------------------------------------------------------------------------------- /kubernetes/apps/rook-ceph/rook-ceph/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: rook-ceph-operator 7 | spec: 8 | interval: 1h 9 | timeout: 15m 10 | chartRef: 11 | kind: OCIRepository 12 | name: rook-ceph 13 | install: 14 | remediation: 15 | retries: -1 16 | upgrade: 17 | cleanupOnFail: true 18 | remediation: 19 | retries: 3 20 | values: 21 | csi: 22 | cephFSKernelMountOptions: ms_mode=prefer-crc 23 | enableLiveness: true 24 | serviceMonitor: 25 | enabled: true 26 | monitoring: 27 | enabled: true 28 | resources: 29 | requests: 30 | cpu: 100m # buroa says unchangeable 31 | memory: 128Mi # buroa says unchangeable 32 | limits: {} 33 | -------------------------------------------------------------------------------- /.renovate/customManagers.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | customManagers: [ 4 | { 5 | customType: "regex", 6 | description: "Process annotated dependencies", 7 | fileMatch: ["(^|/).+\\.ya?ml(?:\\.j2)?$"], 8 | matchStrings: [ 9 | // # renovate: datasource=github-releases depName=kubernetes/kubernetes 10 | // version: 1.29.1 11 | "datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)\\n.+ (?<currentValue>[v|\\d]\\S+)", 12 | // # renovate: datasource=github-releases depName=rancher/system-upgrade-controller 13 | // 
https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.2/crd.yaml 14 | "datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)\\n.+/(?<currentValue>[v|\\d][^/]+)", 15 | ], 16 | datasourceTemplate: "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}", 17 | }, 18 | ], 19 | } -------------------------------------------------------------------------------- /kubernetes/apps/observability/gatus/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: gatus 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: gatus-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | GATUS_PUSHOVER_APP_TOKEN: "{{ .GATUS_PUSHOVER_TOKEN }}" 17 | GATUS_PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}" 18 | INIT_POSTGRES_DBNAME: gatus 19 | INIT_POSTGRES_HOST: db.internal 20 | INIT_POSTGRES_USER: "{{ .GATUS_POSTGRES_USER }}" 21 | INIT_POSTGRES_PASS: "{{ .GATUS_POSTGRES_PASS }}" 22 | INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" 23 | dataFrom: 24 | - extract: 25 | key: pushover 26 | - extract: 27 | key: cloudnative-pg 28 | - extract: 29 | key: gatus 30 | -------------------------------------------------------------------------------- /.renovate/labels.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | packageRules: [ 4 | { 5 | matchUpdateTypes: ["major"], 6 | labels: ["type/major"], 7 | }, 8 | { 9 | matchUpdateTypes: ["minor"], 10 | labels: ["type/minor"], 11 | }, 12 | { 13 | matchUpdateTypes: ["patch"], 14 | labels: ["type/patch"], 15 | }, 16 | { 17 | matchUpdateTypes: ["digest"], 18 | labels: ["type/digest"], 19 | }, 20 | { 21 | matchDatasources: ["docker"], 22 | addLabels: ["renovate/container"], 23 | }, 24 | { 25 | matchDatasources: 
["helm"], 26 | addLabels: ["renovate/helm"], 27 | }, 28 | { 29 | matchManagers: ["github-actions"], 30 | addLabels: ["renovate/github-action"], 31 | }, 32 | { 33 | matchDatasources: ["github-releases"], 34 | addLabels: ["renovate/github-release"], 35 | }, 36 | ], 37 | } 38 | -------------------------------------------------------------------------------- /kubernetes/apps/media/overseerr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app overseerr 6 | namespace: &namespace media 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | components: 13 | - ../../../../components/volsync 14 | - ../../../../components/gatus 15 | dependsOn: 16 | - name: rook-ceph-cluster 17 | namespace: rook-ceph 18 | - name: volsync 19 | namespace: volsync-system 20 | interval: 1h 21 | path: ./kubernetes/apps/media/overseerr/app 22 | postBuild: 23 | substitute: 24 | APP: *app 25 | GATUS_SUBDOMAIN: requests 26 | GATUS_PATH: /api/v1/status 27 | VOLSYNC_CAPACITY: 3Gi 28 | prune: true 29 | retryInterval: 2m 30 | sourceRef: 31 | kind: GitRepository 32 | name: flux-system 33 | namespace: flux-system 34 | timeout: 5m 35 | wait: true 36 | -------------------------------------------------------------------------------- /kubernetes/apps/default/atuin/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: atuin 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: atuin-secret 13 | template: 14 | engineVersion: v2 15 | data: 16 | ATUIN_DB_URI: |- 17 | postgres://{{ 
.ATUIN_POSTGRES_USER }}:{{ .ATUIN_POSTGRES_PASS }}@db.internal/atuin 18 | INIT_POSTGRES_DBNAME: atuin 19 | INIT_POSTGRES_HOST: db.internal 20 | INIT_POSTGRES_USER: "{{ .ATUIN_POSTGRES_USER }}" 21 | INIT_POSTGRES_PASS: "{{ .ATUIN_POSTGRES_PASS }}" 22 | INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" 23 | dataFrom: 24 | - extract: 25 | key: atuin 26 | - extract: 27 | key: cloudnative-pg 28 | -------------------------------------------------------------------------------- /kubernetes/apps/rook-ceph/rook-ceph/dashboard/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: rook-ceph 6 | configMapGenerator: 7 | # Ref: https://grafana.com/grafana/dashboards/2842 8 | - name: ceph-cluster-dashboard 9 | files: 10 | - ceph-cluster-dashboard.json 11 | # Ref: https://grafana.com/grafana/dashboards/5336 12 | - name: ceph-osd-dashboard 13 | files: 14 | - ceph-osd-dashboard.json 15 | # Ref: https://grafana.com/grafana/dashboards/5342 16 | - name: ceph-pools-dashboard 17 | files: 18 | - ceph-pools-dashboard.json 19 | generatorOptions: 20 | disableNameSuffixHash: true 21 | annotations: 22 | kustomize.toolkit.fluxcd.io/substitute: disabled 23 | labels: 24 | grafana_dashboard: "true" 25 | commonLabels: 26 | app.kubernetes.io/name: rook-ceph 27 | app.kubernetes.io/instance: rook-ceph 28 | -------------------------------------------------------------------------------- /kubernetes/apps/database/pgbackup/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kochhaus-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: pgbackup 7 | spec: 8 | secretStoreRef: 9 | 
kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: pgbackup-secret 13 | template: 14 | data: 15 | # S3 16 | S3_HOSTNAME: "{{ .S3_HOSTNAME }}" 17 | S3_SECRET_KEY: "{{ .S3_SECRET_KEY }}" 18 | S3_ACCESS_KEY: "{{ .S3_ACCESS_KEY }}" 19 | # Postgres Init 20 | BACKUP_POSTGRES_HOST: db.internal 21 | BACKUP_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" 22 | BACKUP_POSTGRES_DBNAME: "affine atuin authentik docmost gatus prowlarr_main radarr_main sonarr_main" 23 | dataFrom: 24 | - extract: 25 | key: pgbackup 26 | - extract: 27 | key: cloudnative-pg 28 | -------------------------------------------------------------------------------- /scripts/database-manager.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # on macos don't forget to updates bash to 5.x 4 | 5 | DB_HOST="localhost" 6 | DB_PORT="5432" 7 | DB_USER=postgres 8 | 9 | variables=("ROOT_PASSWORD" "DATABASE_NAME" "USERNAME" "PASSWORD") 10 | 11 | declare -A map_of_answers 12 | 13 | for var in ${variables[@]}; do 14 | echo -n "Enter a value for $var: " 15 | read input 16 | 17 | map_of_answers[$var]=$input 18 | done 19 | 20 | export PGPASSWORD=${map_of_answers["ROOT_PASSWORD"]} 21 | 22 | # echo "psql -h $DB_HOST -p $DB_PORT -U $DB_USER -c CREATE USER ${map_of_answers["USERNAME"]} WITH PASSWORD '${map_of_answers["PASSWORD"]}' and db ${map_of_answers["DATABASE_NAME"]}" 23 | psql -h $DB_HOST -p $DB_PORT -U $DB_USER -c "CREATE USER ${map_of_answers["USERNAME"]} WITH PASSWORD '${map_of_answers["PASSWORD"]}';" 24 | psql -h $DB_HOST -p $DB_PORT -U $DB_USER -c "CREATE DATABASE ${map_of_answers["DATABASE_NAME"]} WITH OWNER ${map_of_answers["USERNAME"]};" 25 | 26 | unset PGPASSWORD 27 | -------------------------------------------------------------------------------- /kubernetes/apps/default/paperless/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app paperless 7 | namespace: &namespace default 8 | spec: 9 | targetNamespace: *namespace 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | components: 14 | - ../../../../components/volsync 15 | dependsOn: 16 | - name: dragonfly-cluster 17 | namespace: database 18 | - name: external-secrets-stores 19 | namespace: kube-system 20 | path: ./kubernetes/apps/default/paperless/app 21 | postBuild: 22 | substitute: 23 | APP: *app 24 | VOLSYNC_CAPACITY: 5Gi 25 | prune: false 26 | sourceRef: 27 | kind: GitRepository 28 | name: flux-system 29 | namespace: flux-system 30 | wait: true 31 | interval: 1h 32 | retryInterval: 1m 33 | timeout: 5m 34 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-instance/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app flux-instance 7 | namespace: &namespace flux-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | decryption: 13 | provider: sops 14 | secretRef: 15 | name: sops-age 16 | dependsOn: 17 | - name: flux-operator 18 | namespace: *namespace 19 | interval: 1h 20 | path: ./kubernetes/apps/flux-system/flux-instance/app 21 | postBuild: 22 | substituteFrom: 23 | - name: cluster-secrets 24 | kind: Secret 25 | prune: true 26 | retryInterval: 2m 27 | sourceRef: 28 | kind: GitRepository 29 | name: flux-system 30 | namespace: flux-system 31 | targetNamespace: *namespace 32 | timeout: 5m 33 | wait: false 34 | 
-------------------------------------------------------------------------------- /kubernetes/components/volsync/r2/replicationdestination.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationDestination 4 | metadata: 5 | name: "${APP}" 6 | spec: 7 | trigger: 8 | manual: restore-once 9 | restic: 10 | repository: "${APP}-restic-secret" 11 | copyMethod: Snapshot 12 | volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:=csi-ceph-blockpool}" 13 | cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:=ceph-block}" 14 | cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:=ReadWriteOnce}"] 15 | cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:=2Gi}" 16 | storageClassName: "${VOLSYNC_STORAGECLASS:=ceph-block}" 17 | accessModes: ["${VOLSYNC_ACCESSMODES:=ReadWriteOnce}"] 18 | capacity: "${VOLSYNC_CAPACITY:=5Gi}" 19 | moverSecurityContext: 20 | runAsUser: ${VOLSYNC_PUID:=1000} 21 | runAsGroup: ${VOLSYNC_PGID:=1000} 22 | fsGroup: ${VOLSYNC_PGID:=1000} 23 | enableFileDeletion: true 24 | cleanupCachePVC: true 25 | cleanupTempPVC: true 26 | -------------------------------------------------------------------------------- /kubernetes/apps/network/echo-server/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app echo 7 | namespace: &namespace network 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | components: 13 | - ../../../../components/gatus 14 | decryption: 15 | provider: sops 16 | secretRef: 17 | name: sops-age 18 | interval: 1h 19 | path: ./kubernetes/apps/network/echo-server/app 20 | postBuild: 21 | substitute: 22 | APP: *app 23 | GATUS_PATH: /healthz 24 | substituteFrom: 25 | - 
name: cluster-secrets 26 | kind: Secret 27 | prune: true 28 | retryInterval: 2m 29 | sourceRef: 30 | kind: GitRepository 31 | name: flux-system 32 | namespace: flux-system 33 | targetNamespace: *namespace 34 | timeout: 5m 35 | wait: false 36 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/app/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/prometheusrule_v1.json 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: PrometheusRule 5 | metadata: 6 | name: volsync 7 | spec: 8 | groups: 9 | - name: volsync.rules 10 | rules: 11 | - alert: VolSyncComponentAbsent 12 | annotations: 13 | summary: VolSync component has disappeared from Prometheus target discovery. 14 | expr: | 15 | absent(up{job="volsync-metrics"}) 16 | for: 15m 17 | labels: 18 | severity: critical 19 | - alert: VolSyncVolumeOutOfSync 20 | annotations: 21 | summary: >- 22 | {{ $labels.obj_namespace }}/{{ $labels.obj_name }} volume 23 | is out of sync. 
24 | expr: | 25 | volsync_volume_out_of_sync == 1 26 | for: 15m 27 | labels: 28 | severity: critical 29 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: volsync 7 | spec: 8 | interval: 1h 9 | chart: 10 | spec: 11 | chart: volsync 12 | version: 0.14.0 13 | sourceRef: 14 | kind: HelmRepository 15 | name: backube 16 | namespace: flux-system 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | strategy: rollback 24 | retries: 3 25 | dependsOn: 26 | - name: snapshot-controller 27 | namespace: volsync-system 28 | values: 29 | manageCRDs: true 30 | replicaCount: 2 31 | metrics: 32 | disableAuth: true 33 | podSecurityContext: 34 | runAsNonRoot: true 35 | runAsUser: 65534 36 | runAsGroup: 65534 37 | seccompProfile: { type: RuntimeDefault } 38 | -------------------------------------------------------------------------------- /kubernetes/components/volsync/r2/replicationsource.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationSource 4 | metadata: 5 | name: "${APP}" 6 | spec: 7 | sourcePVC: "${APP}" 8 | trigger: 9 | schedule: "15 */8 * * *" 10 | restic: 11 | copyMethod: "${VOLSYNC_COPYMETHOD:=Snapshot}" 12 | pruneIntervalDays: 14 13 | repository: "${APP}-restic-secret" 14 | volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:=csi-ceph-blockpool}" 15 | cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:=2Gi}" 16 | cacheStorageClassName: "${VOLSYNC_CACHE_STORAGECLASS:=ceph-block}" 17 | cacheAccessModes: 
["${VOLSYNC_CACHE_ACCESSMODES:=ReadWriteOnce}"] 18 | storageClassName: "${VOLSYNC_STORAGECLASS:=ceph-block}" 19 | accessModes: ["${VOLSYNC_SNAP_ACCESSMODES:=ReadWriteOnce}"] 20 | moverSecurityContext: 21 | runAsUser: ${VOLSYNC_PUID:=1000} 22 | runAsGroup: ${VOLSYNC_PGID:=1000} 23 | fsGroup: ${VOLSYNC_PGID:=1000} 24 | retain: 25 | hourly: 24 26 | daily: 7 27 | weekly: 5 28 | -------------------------------------------------------------------------------- /.taskfiles/KubernetesTasks.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://taskfile.dev/schema.json 3 | version: "3" 4 | 5 | vars: 6 | KUBECONFORM_SCRIPT: "{{.ROOT_DIR}}/.taskfiles/scripts/kubeconform.sh" 7 | 8 | tasks: 9 | 10 | resources: 11 | desc: Gather common resources in your cluster, useful when asking for support 12 | cmds: 13 | - for: { var: resource } 14 | cmd: kubectl get {{.ITEM}} {{.CLI_ARGS | default "-A"}} 15 | vars: 16 | resource: >- 17 | nodes 18 | gitrepositories 19 | kustomizations 20 | helmrepositories 21 | helmreleases 22 | certificates 23 | certificaterequests 24 | ingresses 25 | pods 26 | 27 | kubeconform: 28 | desc: Validate Kubernetes manifests with kubeconform 29 | cmd: bash {{.KUBECONFORM_SCRIPT}} {{.KUBERNETES_DIR}} 30 | preconditions: 31 | - { msg: "Missing kubeconform script", sh: "test -f {{.KUBECONFORM_SCRIPT}}" } 32 | - { msg: "Missing kubernetes directory", sh: "test -d {{.KUBERNETES_DIR}}" } 33 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app flux-operator 7 | namespace: &namespace 
flux-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | decryption: 13 | provider: sops 14 | secretRef: 15 | name: sops-age 16 | healthChecks: 17 | - apiVersion: helm.toolkit.fluxcd.io/v2 18 | kind: HelmRelease 19 | name: *app 20 | namespace: *namespace 21 | interval: 1h 22 | path: ./kubernetes/apps/flux-system/flux-operator/app 23 | postBuild: 24 | substituteFrom: 25 | - name: cluster-secrets 26 | kind: Secret 27 | prune: true 28 | retryInterval: 2m 29 | sourceRef: 30 | kind: GitRepository 31 | name: flux-system 32 | namespace: flux-system 33 | targetNamespace: *namespace 34 | timeout: 5m 35 | wait: false 36 | -------------------------------------------------------------------------------- /kubernetes/apps/default/docmost/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kochhaus-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: docmost 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: docmost-secret 13 | template: 14 | data: 15 | # App 16 | APP_SECRET: "{{ .DOCMOST_APP_SECRET }}" 17 | DATABASE_URL: "postgres://{{ .DOCMOST_POSTGRES_USER }}:{{ .DOCMOST_POSTGRES_PASS }}@db.internal/docmost?sslmode=disable" 18 | # Postgres Init 19 | INIT_POSTGRES_DBNAME: docmost 20 | INIT_POSTGRES_HOST: db.internal 21 | INIT_POSTGRES_USER: "{{ .DOCMOST_POSTGRES_USER }}" 22 | INIT_POSTGRES_PASS: "{{ .DOCMOST_POSTGRES_PASS }}" 23 | INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" 24 | dataFrom: 25 | - extract: 26 | key: docmost 27 | - extract: 28 | key: cloudnative-pg 29 | -------------------------------------------------------------------------------- /kubernetes/apps/media/plex/ks.yaml: -------------------------------------------------------------------------------- 1 | 
--- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app plex 6 | namespace: &namespace media 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | components: 13 | - ../../../../components/volsync 14 | - ../../../../components/gatus 15 | - ../../../../components/keda/nfs-scaler 16 | dependsOn: 17 | - name: rook-ceph-cluster 18 | namespace: rook-ceph 19 | - name: volsync 20 | namespace: volsync-system 21 | - name: intel-device-plugin-gpu 22 | namespace: kube-system 23 | interval: 1h 24 | path: ./kubernetes/apps/media/plex/app 25 | postBuild: 26 | substitute: 27 | APP: *app 28 | VOLSYNC_CAPACITY: 20Gi 29 | VOLSYNC_CACHE_CAPACITY: 5Gi 30 | GATUS_PATH: /identity 31 | prune: true 32 | retryInterval: 2m 33 | sourceRef: 34 | kind: GitRepository 35 | name: flux-system 36 | namespace: flux-system 37 | timeout: 5m 38 | wait: true 39 | -------------------------------------------------------------------------------- /kubernetes/apps/media/sabnzbd/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app sabnzbd 6 | namespace: &namespace media 7 | spec: 8 | targetNamespace: *namespace 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | components: 13 | - ../../../../components/keda/nfs-scaler 14 | decryption: 15 | provider: sops 16 | secretRef: 17 | name: sops-age 18 | dependsOn: 19 | - name: volsync 20 | namespace: volsync-system 21 | - name: rook-ceph-cluster 22 | namespace: rook-ceph 23 | - name: external-secrets-stores 24 | namespace: kube-system 25 | path: ./kubernetes/apps/media/sabnzbd/app 26 | postBuild: 27 | substitute: 28 | APP: *app 29 | substituteFrom: 30 | - name: cluster-secrets 31 | kind: Secret 32 | prune: true 33 | sourceRef: 34 | kind: GitRepository 35 | name: flux-system 36 | namespace: 
flux-system 37 | wait: true 38 | interval: 30m 39 | retryInterval: 1m 40 | timeout: 5m 41 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fail_fast: false 3 | repos: 4 | - repo: https://github.com/adrienverge/yamllint 5 | rev: v1.35.1 6 | hooks: 7 | - args: 8 | - --config-file 9 | - .github/linters/.yamllint.yaml 10 | id: yamllint 11 | - repo: https://github.com/pre-commit/pre-commit-hooks 12 | rev: v4.6.0 13 | hooks: 14 | - id: check-merge-conflict 15 | - id: end-of-file-fixer 16 | - id: mixed-line-ending 17 | - id: trailing-whitespace 18 | args: [--markdown-linebreak-ext=md] 19 | - repo: https://github.com/Lucas-C/pre-commit-hooks 20 | rev: v1.5.5 21 | hooks: 22 | - id: remove-crlf 23 | - id: remove-tabs 24 | - repo: https://github.com/sirosen/texthooks 25 | rev: 0.6.6 26 | hooks: 27 | - id: fix-smartquotes 28 | # - repo: https://github.com/k8s-at-home/sops-pre-commit 29 | # rev: v2.1.1 30 | # hooks: 31 | # - id: forbid-secrets 32 | - repo: https://github.com/zricethezav/gitleaks 33 | rev: v8.18.3 34 | hooks: 35 | - id: gitleaks 36 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/ocirepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: spegel 7 | spec: 8 | interval: 5m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 0.5.1 14 | url: oci://ghcr.io/spegel-org/helm-charts/spegel 15 | --- 16 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 17 | apiVersion: helm.toolkit.fluxcd.io/v2 18 | kind: HelmRelease 19 | metadata: 20 | name: spegel 21 | spec: 22 | interval: 1h 23 | chartRef: 24 | kind: OCIRepository 25 | name: spegel 26 | install: 27 | remediation: 28 | retries: -1 29 | upgrade: 30 | cleanupOnFail: true 31 | remediation: 32 | retries: 3 33 | valuesFrom: 34 | - kind: ConfigMap 35 | name: spegel-values 36 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/alloy/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: alloy 6 | spec: 7 | interval: 5m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: 1.5.0 13 | url: oci://ghcr.io/home-operations/charts-mirror/alloy 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: alloy 19 | spec: 20 | interval: 1h 21 | chartRef: 22 | kind: OCIRepository 23 | name: alloy 24 | install: 25 | remediation: 26 | retries: -1 27 | upgrade: 28 | cleanupOnFail: true 29 | remediation: 30 | retries: 3 31 | values: 32 | fullnameOverride: alloy 33 | serviceMonitor: 34 | enabled: true 35 | alloy: 36 | configMap: 37 | create: false 38 | name: &name alloy-configmap 39 | key: config.alloy 40 | controller: 41 | podAnnotations: 42 | configmap.reloader.stakater.com/reload: *name 43 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json 3 | 
apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: cilium 7 | namespace: kube-system # Required for Renovate lookups 8 | spec: 9 | interval: 1h 10 | url: https://helm.cilium.io 11 | --- 12 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 13 | apiVersion: helm.toolkit.fluxcd.io/v2 14 | kind: HelmRelease 15 | metadata: 16 | name: cilium 17 | spec: 18 | interval: 1h 19 | chart: 20 | spec: 21 | chart: cilium 22 | version: 1.18.4 23 | sourceRef: 24 | kind: HelmRepository 25 | name: cilium 26 | namespace: kube-system 27 | install: 28 | remediation: 29 | retries: -1 30 | upgrade: 31 | cleanupOnFail: true 32 | remediation: 33 | retries: 3 34 | valuesFrom: 35 | - kind: ConfigMap 36 | name: cilium-values 37 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/gateway/external.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://github.com/datreeio/CRDs-catalog/raw/refs/heads/main/gateway.networking.k8s.io/gateway_v1.json 3 | apiVersion: gateway.networking.k8s.io/v1 4 | kind: Gateway 5 | metadata: 6 | name: external 7 | annotations: 8 | external-dns.alpha.kubernetes.io/target: "external.juno.moe" 9 | spec: 10 | gatewayClassName: cilium 11 | addresses: 12 | - type: IPAddress 13 | value: "192.168.69.104" 14 | infrastructure: 15 | annotations: 16 | external-dns.alpha.kubernetes.io/hostname: "external.juno.moe" 17 | listeners: 18 | - name: http 19 | protocol: HTTP 20 | port: 80 21 | hostname: "*.juno.moe" 22 | allowedRoutes: 23 | namespaces: 24 | from: Same 25 | - name: https 26 | protocol: HTTPS 27 | port: 443 28 | hostname: "*.juno.moe" 29 | allowedRoutes: 30 | namespaces: 31 | from: All 32 | tls: 33 | certificateRefs: 34 | - kind: Secret 35 | name: juno-moe-production-tls 36 | 
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/gateway/internal.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://github.com/datreeio/CRDs-catalog/raw/refs/heads/main/gateway.networking.k8s.io/gateway_v1.json 3 | apiVersion: gateway.networking.k8s.io/v1 4 | kind: Gateway 5 | metadata: 6 | name: internal 7 | annotations: 8 | external-dns.alpha.kubernetes.io/target: "internal.juno.moe" 9 | spec: 10 | gatewayClassName: cilium 11 | addresses: 12 | - type: IPAddress 13 | value: "192.168.69.105" 14 | infrastructure: 15 | annotations: 16 | external-dns.alpha.kubernetes.io/hostname: "internal.juno.moe" 17 | listeners: 18 | - name: http 19 | protocol: HTTP 20 | port: 80 21 | hostname: "*.juno.moe" 22 | allowedRoutes: 23 | namespaces: 24 | from: Same 25 | - name: https 26 | protocol: HTTPS 27 | port: 443 28 | hostname: "*.juno.moe" 29 | allowedRoutes: 30 | namespaces: 31 | from: All 32 | tls: 33 | certificateRefs: 34 | - kind: Secret 35 | name: juno-moe-production-tls 36 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/ocirepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: coredns 7 | spec: 8 | interval: 5m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | url: oci://ghcr.io/coredns/charts/coredns 13 | ref: 14 | tag: 1.45.0 15 | --- 16 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 17 | apiVersion: helm.toolkit.fluxcd.io/v2 18 | 
kind: HelmRelease 19 | metadata: 20 | name: coredns 21 | spec: 22 | interval: 1h 23 | chartRef: 24 | kind: OCIRepository 25 | name: coredns 26 | install: 27 | remediation: 28 | retries: -1 29 | upgrade: 30 | cleanupOnFail: true 31 | remediation: 32 | strategy: rollback 33 | retries: 3 34 | valuesFrom: 35 | - kind: ConfigMap 36 | name: coredns-values 37 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/ocirepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: cert-manager 7 | spec: 8 | interval: 5m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: v1.19.2 14 | url: oci://quay.io/jetstack/charts/cert-manager 15 | --- 16 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 17 | apiVersion: helm.toolkit.fluxcd.io/v2 18 | kind: HelmRelease 19 | metadata: 20 | name: cert-manager 21 | spec: 22 | interval: 1h 23 | chartRef: 24 | kind: OCIRepository 25 | name: cert-manager 26 | install: 27 | remediation: 28 | retries: -1 29 | upgrade: 30 | cleanupOnFail: true 31 | remediation: 32 | retries: 3 33 | valuesFrom: 34 | - kind: ConfigMap 35 | name: cert-manager-values 36 | -------------------------------------------------------------------------------- /kubernetes/apps/default/affine/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kochhaus-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | 
metadata: 6 | name: affine 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: affine-secret 13 | template: 14 | data: 15 | REDIS_SERVER_HOST: dragonfly.database.svc.cluster.local 16 | DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@db.internal:5432/affine 17 | INIT_POSTGRES_DBNAME: affine 18 | INIT_POSTGRES_HOST: db.internal 19 | INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" 20 | INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" 21 | INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" 22 | INIT_POSTGRES_ENCODING: "UTF8" 23 | AFFINE_SERVER_HTTPS: "true" 24 | AFFINE_SERVER_HOST: "nt.juno.moe" 25 | dataFrom: 26 | - extract: 27 | key: affine 28 | - extract: 29 | key: cloudnative-pg 30 | -------------------------------------------------------------------------------- /kubernetes/apps/default/karakeep/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: karakeep 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: karakeep-secret 13 | template: 14 | data: 15 | NEXTAUTH_SECRET: "{{ .ENCRYPTION_KEY }}" 16 | MEILI_MASTER_KEY: "{{ .MEILISEARCH_MASTER_KEY }}" 17 | # AI 18 | OPENAI_BASE_URL: "{{ .OPENAI_BASE_URL }}" 19 | OPENAI_API_KEY: "{{ .OPENAI_API_KEY }}" 20 | # OIDC 21 | OAUTH_CLIENT_ID: "{{ .OIDC_CLIENT_ID }}" 22 | OAUTH_CLIENT_SECRET: "{{ .OIDC_CLIENT_SECRET }}" 23 | OAUTH_PROVIDER_NAME: Authentik 24 | OAUTH_WELLKNOWN_URL: https://sso.juno.moe/application/o/karakeep/.well-known/openid-configuration 25 | OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING: "true" 26 | dataFrom: 27 | - extract: 28 | key: karakeep 29 | 
-------------------------------------------------------------------------------- /.taskfiles/volsync/resources/unlock.yaml.j2: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: batch/v1 3 | kind: Job 4 | metadata: 5 | name: volsync-unlock-{{ ENV.APP }} 6 | namespace: {{ ENV.NS }} 7 | spec: 8 | ttlSecondsAfterFinished: 3600 9 | template: 10 | spec: 11 | automountServiceAccountToken: false 12 | restartPolicy: OnFailure 13 | containers: 14 | - name: minio 15 | image: docker.io/restic/restic:latest 16 | args: ["unlock", "--remove-all"] 17 | envFrom: 18 | - secretRef: 19 | name: {{ ENV.APP }}-volsync-secret 20 | volumeMounts: 21 | - name: repository 22 | mountPath: /repository 23 | resources: {} 24 | - name: r2 25 | image: docker.io/restic/restic:latest 26 | args: ["unlock", "--remove-all"] 27 | envFrom: 28 | - secretRef: 29 | name: {{ ENV.APP }}-volsync-r2-secret 30 | resources: {} 31 | volumes: 32 | - name: repository 33 | nfs: 34 | server: nas.internal 35 | path: /mnt/storage0/volsync 36 | -------------------------------------------------------------------------------- /kubernetes/apps/media/radarr/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: radarr 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: radarr-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | RADARR__AUTH__APIKEY: "{{ .RADARR_API_KEY }}" 17 | RADARR__POSTGRES__HOST: &dbHost db.internal 18 | RADARR__POSTGRES__PORT: "5432" 19 | RADARR__POSTGRES__USER: &dbUser "{{ .RADARR_POSTGRES_USER }}" 20 | RADARR__POSTGRES__PASSWORD: &dbPass "{{ .RADARR_POSTGRES_PASS }}" 21 | RADARR__POSTGRES__MAINDB: radarr_main 22 | RADARR__POSTGRES__LOGDB: radarr_log 23 | INIT_POSTGRES_DBNAME: radarr_main radarr_log 24 | 
INIT_POSTGRES_HOST: *dbHost 25 | INIT_POSTGRES_USER: *dbUser 26 | INIT_POSTGRES_PASS: *dbPass 27 | INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" 28 | dataFrom: 29 | - extract: 30 | key: cloudnative-pg 31 | - extract: 32 | key: radarr 33 | -------------------------------------------------------------------------------- /kubernetes/apps/media/sonarr/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: sonarr 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: sonarr-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | SONARR__AUTH__APIKEY: "{{ .SONARR_API_KEY }}" 17 | SONARR__POSTGRES__HOST: &dbHost db.internal 18 | SONARR__POSTGRES__PORT: "5432" 19 | SONARR__POSTGRES__USER: &dbUser "{{ .SONARR_POSTGRES_USER }}" 20 | SONARR__POSTGRES__PASSWORD: &dbPass "{{ .SONARR_POSTGRES_PASS }}" 21 | SONARR__POSTGRES__MAINDB: sonarr_main 22 | SONARR__POSTGRES__LOGDB: sonarr_log 23 | INIT_POSTGRES_DBNAME: sonarr_main sonarr_log 24 | INIT_POSTGRES_HOST: *dbHost 25 | INIT_POSTGRES_USER: *dbUser 26 | INIT_POSTGRES_PASS: *dbPass 27 | INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" 28 | dataFrom: 29 | - extract: 30 | key: cloudnative-pg 31 | - extract: 32 | key: sonarr 33 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/ocirepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: flux-operator 7 | spec: 8 | interval: 5m 9 | layerSelector: 10 | mediaType: 
application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 0.33.0 14 | url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator 15 | --- 16 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 17 | apiVersion: helm.toolkit.fluxcd.io/v2 18 | kind: HelmRelease 19 | metadata: 20 | name: flux-operator 21 | spec: 22 | interval: 1h 23 | chartRef: 24 | kind: OCIRepository 25 | name: flux-operator 26 | install: 27 | remediation: 28 | retries: -1 29 | upgrade: 30 | cleanupOnFail: true 31 | remediation: 32 | strategy: rollback 33 | retries: 3 34 | valuesFrom: 35 | - kind: ConfigMap 36 | name: flux-operator-values 37 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/external-secrets/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/axeII/crds/main/helmrelease_v2beta1.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: external-secrets 7 | namespace: kube-system 8 | spec: 9 | interval: 15m 10 | chart: 11 | spec: 12 | chart: external-secrets 13 | version: 1.1.1 14 | sourceRef: 15 | kind: HelmRepository 16 | name: external-secrets 17 | namespace: flux-system 18 | interval: 15m 19 | maxHistory: 3 20 | install: 21 | createNamespace: true 22 | remediation: 23 | retries: 3 24 | upgrade: 25 | cleanupOnFail: true 26 | remediation: 27 | retries: 3 28 | uninstall: 29 | keepHistory: false 30 | values: 31 | installCRDs: true 32 | replicaCount: 1 33 | leaderElect: true 34 | serviceMonitor: 35 | enabled: true 36 | interval: 1m 37 | webhook: 38 | serviceMonitor: 39 | enabled: true 40 | interval: 1m 41 | certController: 42 | serviceMonitor: 43 | enabled: true 44 | interval: 1m 45 | 
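--------------------------------------------------------------------------------
/kubernetes/apps/media/prowlarr/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: prowlarr
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: prowlarr-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        PROWLARR__AUTH__APIKEY: "{{ .PROWLARR_API_KEY }}"
        # Anchors keep the app settings and the postgres-init settings in lockstep.
        PROWLARR__POSTGRES__HOST: &dbHost db.internal
        PROWLARR__POSTGRES__PORT: "5432"
        PROWLARR__POSTGRES__USER: &dbUser "{{ .PROWLARR_POSTGRES_USER }}"
        PROWLARR__POSTGRES__PASSWORD: &dbPass "{{ .PROWLARR_POSTGRES_PASS }}"
        PROWLARR__POSTGRES__MAINDB: prowlarr_main
        PROWLARR__POSTGRES__LOGDB: prowlarr_log
        INIT_POSTGRES_DBNAME: prowlarr_main prowlarr_log
        INIT_POSTGRES_HOST: *dbHost
        INIT_POSTGRES_USER: *dbUser
        INIT_POSTGRES_PASS: *dbPass
        # NOTE(review): POSTGRES_SUPER_PASS comes from the shared `cloudnative-pg`
        # item (presumably the cluster superuser password) and is rendered into
        # prowlarr-secret. Anything that can read this Secret therefore holds DB
        # superuser, not just the prowlarr role -- keep `get`/`list` on secrets
        # in this namespace limited to the workload that actually needs it.
        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
  dataFrom:
    - extract:
        key: cloudnative-pg
    - extract:
        key: prowlarr
--------------------------------------------------------------------------------
/kubernetes/apps/database/pgbackup/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# Schema URL aligned with the flaresolverr HelmRelease (bjw-s-labs org).
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s-labs/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: postgres-backup
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: app-template
    namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  values:
    controllers:
      postgres-backup:
        type: cronjob
        cronjob:
          schedule: "@weekly"
          ttlSecondsAfterFinished: 43200
        pod:
          restartPolicy: OnFailure
        containers:
          app:
            image:
              repository: ghcr.io/axeii/pgbackup
              # Pinned by digest: the tag alone is mutable, the digest is not.
              tag: v3@sha256:247b274e2603070aae467351106cd3fb3fdfad0edf9185ff77201eaf1b6d907c
            # NOTE(review): pgbackup-secret is injected wholesale as environment.
            # No securityContext or resource limits are set here, so the job runs
            # with whatever the app-template chart defaults to -- confirm the
            # image does not need root and add runAsNonRoot/readOnlyRootFilesystem
            # if it tolerates them.
            envFrom:
              - secretRef:
                  name: pgbackup-secret
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/ocirepository-source-v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: reloader
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 2.2.6
  url: oci://ghcr.io/stakater/charts/reloader
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: reloader
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: reloader
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values:
    fullnameOverride: reloader
    reloader:
      # Hardened: the controller gets a read-only root filesystem.
      readOnlyRootFileSystem: true
      podMonitor:
        enabled: true
        # Helm template string, evaluated by the chart at render time.
        namespace: "{{ .Release.Namespace }}"
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/intel-device-plugin-operator/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: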
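# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: intel-device-plugins-operator
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 0.34.0
  url: oci://ghcr.io/home-operations/charts-mirror/intel-device-plugins-operator
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: intel-device-plugin-operator
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: intel-device-plugins-operator
  install:
    # CRDs ship with the chart; CreateReplace keeps them in step on upgrades.
    crds: CreateReplace
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    crds: CreateReplace
    remediation:
      retries: 3
  values:
    manager:
      devices:
        gpu: true
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/flux-instance/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/ocirepository-source-v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: flux-instance
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 0.33.0
  url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-instance
  # NOTE(review): as with flux-operator there is no `verify` stanza; if the
  # publisher signs the chart, add `verify: { provider: cosign }` so a tampered
  # or re-tagged 0.33.0 is rejected instead of installed.
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: flux-instance
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: flux-instance
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  # The instance CRD is served by the operator, so the operator must be up first.
  dependsOn:
    - name: flux-operator
      namespace: flux-system
  valuesFrom:
    - kind: ConfigMap
      name: flux-instance-values
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/intel-device-plugin-operator/gpu/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: intel-device-plugins-gpu
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 0.34.0
  url: oci://ghcr.io/home-operations/charts-mirror/intel-device-plugins-gpu
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: intel-device-plugin-gpu
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: intel-device-plugins-gpu
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values:
    name: i915
    nodeFeatureRule: false
    # Up to 99 pods may be handed the same i915 device at once; every one of
    # them shares the GPU with no isolation between them.
    sharedDevNum: 99
    nodeSelector:
      intel.feature.node.kubernetes.io/gpu: "true"
--------------------------------------------------------------------------------
/kubernetes/apps/media/flaresolverr/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
#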
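# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s-labs/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: flaresolverr
spec:
  interval: 30m
  chartRef:
    kind: OCIRepository
    name: app-template
    # NOTE(review): no namespace here, so Flux resolves `app-template` in this
    # HelmRelease's own namespace; postgres-backup points its chartRef at
    # flux-system explicitly. Confirm an OCIRepository named app-template exists
    # where this release lands, or add `namespace: flux-system` for consistency.
  maxHistory: 2
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  uninstall:
    keepHistory: false
  values:
    controllers:
      flaresolverr:
        containers:
          app:
            image:
              repository: ghcr.io/flaresolverr/flaresolverr
              tag: v3.4.6@sha256:7962759d99d7e125e108e0f5e7f3cdbcd36161776d058d1d9b7153b92ef1af9e
            resources:
              requests:
                cpu: 10m
                memory: 300Mi
              limits:
                memory: 1Gi
    service:
      app:
        controller: flaresolverr
        ports:
          http:
            # NOTE(review): nothing in this file limits who inside the cluster can
            # reach 8191; a NetworkPolicy admitting only the indexer clients
            # (prowlarr) would keep other namespaces from driving this browser.
            port: 8191
--------------------------------------------------------------------------------
/kubernetes/apps/database/dragonfly/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app dragonfly
  namespace: &namespace database
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 1h
  path: ./kubernetes/apps/database/dragonfly/app
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: true
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app dragonfly-cluster
  namespace: &namespace database
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # The Dragonfly CR needs the operator (and its CRD) reconciled first.
  dependsOn:
    - name: dragonfly
  interval: 1h
  path: ./kubernetes/apps/database/dragonfly/cluster
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: true
--------------------------------------------------------------------------------
/kubernetes/components/common/sops/cluster-secrets.sops.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: cluster-secrets
stringData:
  SECRET_DOMAIN: ENC[AES256_GCM,data:w5O25ZmMMkQ=,iv:pjlQ4ewui8ngKjzyEaPG+9qor2HZHSUZZhjsmSj3up8=,tag:oGK70Wgn9Uuwy+TmizqdLA==,type:str]
sops:
  age:
    - recipient: age1ryhy9dduzk5hyn33lnm7swtg72r7luklfv397s3wmhqav099w95s3cu3rh
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXR0hwbkhhNjZzWjk5S1Jl
        VjZZeXhzdzZraEJvVGo2QWs5NmsvTlRXQWtvCmdabW1lK1NubHJsVGNrVU0wOUpR
        WmJLK2M2a2NNREF1em05UWorRklOZkUKLS0tIGM1bU5OTGZGWmE5dVh4SFhiTFdw
        UlYxeW5LSzFMNG4wZkhvdG9DNXZCWW8Ku7X8atyZG60bxcgQJ0euV3+M2Lmwg4/R
        ZVFTw4VHBIpcPflCiCCAFoaXgjzarXRP6d7LwK/iEciN8y/Lf/ZrHQ==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2025-07-28T00:09:47Z"
  mac: ENC[AES256_GCM,data:oi2ZB2NmhnGEdCor3bSKm8xTgYr89mEA+KRtwWZWF0vw/xNZZXbWo0wK6yjTTXkkwkhGZ9CPiBrGELMoNc+u77iE0E6LnETXwe9OX3G0xQOHb4IB9UTXFnOIDSUgUMMynTGX8tur4Q9UX1OiQwGQErba+53tNw330I8H5whRUNg=,iv:RxRcqoJqG7cNuGlHRX71X9rVI4crCDazPjp+45vuA4M=,tag:usEU9qQYfXUTZdg9jJuhPQ==,type:str]
  encrypted_regex: ^(data|stringData)$
  mac_only_encrypted: true
  version: 3.10.2
--------------------------------------------------------------------------------
/.github/renovate.json5:
--------------------------------------------------------------------------------
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",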
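extends: [
    "config:recommended",
    "docker:enableMajor",
    // Actions are pinned to commit SHAs, not mutable tags (supply-chain hygiene).
    "helpers:pinGitHubActionDigests",
    ":timezone(Europe/Berlin)",
    "github>axeII/home-ops//.renovate/allowedVersions.json5",
    "github>axeII/home-ops//.renovate/autoMerge.json5",
    "github>axeII/home-ops//.renovate/customManagers.json5",
    "github>axeII/home-ops//.renovate/grafanaDashboards.json5",
    "github>axeII/home-ops//.renovate/minecraft.json5",
    "github>axeII/home-ops//.renovate/groups.json5",
    "github>axeII/home-ops//.renovate/labels.json5",
    "github>axeII/home-ops//.renovate/semanticCommits.json5",
    // NOTE(review): branch automerge pushes straight to the default branch with
    // no PR; whichever package rules enable it bypass any pull_request-triggered
    // CI. Keep that in mind when widening the automerge rules.
    ":automergeBranch",
    ":dependencyDashboard",
    ":disableRateLimiting",
    ":gitSignOff",
    ":semanticCommits",
  ],
  dependencyDashboardTitle: "Renovate Dashboard 🤖",
  suppressNotifications: ["prEditedNotification", "prIgnoreNotification"],
  ignorePaths: ["**/resources/**"],
  // Only manifests under kubernetes/ are scanned by these managers.
  flux: {
    fileMatch: ["(^|/)kubernetes/.+\\.ya?ml$"],
  },
  "helm-values": {
    fileMatch: ["(^|/)kubernetes/.+\\.ya?ml$"],
  },
  kubernetes: {
    fileMatch: ["(^|/)kubernetes/.+\\.ya?ml$"],
  },
}
--------------------------------------------------------------------------------
/kubernetes/apps/cert-manager/cert-manager/app/secret.sops.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: cert-manager-secret
stringData:
  api-token: ENC[AES256_GCM,data:eTBcM011KTwzlpJqQd8dv5Pa5jiEuG+E8d4aRyE0a7DNsjEgNh49ow==,iv:KK2IGf2XVZ/3cP0LreXIphAyY8FPlkviP4qQASvUhTk=,tag:qRVsMbfh/UyIYQPJdEsmPA==,type:str]
sops:
  age:
    - recipient: age1ryhy9dduzk5hyn33lnm7swtg72r7luklfv397s3wmhqav099w95s3cu3rh
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBQjlZdHpONnJMSmJhOG9l
        bUhGMCs0Y3MxK3JmaTdFVlNZbkYyWENRV0NnCjBvUWNGWk5BZmZ1YVdYZ1VXMVlI
        OGU3UXo0aDJkVWNVWkM1SHowdkUyeW8KLS0tIEJGNjlxc1F0enNOUG82V21NZ0hB
        VDEzTlJTRi83UFJQYm80Sk1TUXNPMGMKFisGfKvl3i7l5V2m5ke+/wYn+RAB4FKt
        eiE/xNbnTtTnkFEkq4Rj6LmKvztkxLVdPuJ+WEMK5aAhSTnsI79z2Q==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2025-08-02T17:32:07Z"
  mac: ENC[AES256_GCM,data:EpYKJKQaAgc4VT04ZnLNSCWQcsdBtMpmTnx3qFPBfu/dRhbmlfG/GemyuTNDoFmHE5En1VgZcwcry5IUbvDeEl+Cj80Pwo55BDKURP/6FEtaLFVHcYkjA8WsqKYs26l7lW7X55+WrFBkwfUdHC1mMmlV1v0KD16ForXnJkH9jSc=,iv:EuqJJcwldzP9QsjEvbHLRjN+hJjcPDkcN+RLtSvsj7U=,tag:nhrXVHfwBH2QNxBw7NzshA==,type:str]
  encrypted_regex: ^(data|stringData)$
  mac_only_encrypted: true
  version: 3.10.2
--------------------------------------------------------------------------------
/kubernetes/components/common/sops/sops-age.sops.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: sops-age
stringData:
  age.agekey: ENC[AES256_GCM,data:c2XZCHM74oCQ+NoxlvRQQmo9mi0FT0LDdXmg5aI2OuhGQbRiKkm5AgOJbo65G6+r5oNF73iV5xKw4nGnURU5j+303b9B+tcoS5M=,iv:TN/m4RTf3HfRG1svp+qAuuIOKr9biPMmiduusJhsPW4=,tag:DPYIjICZmvJNGty0UAKeZA==,type:str]
sops:
  age:
    - recipient: age1ryhy9dduzk5hyn33lnm7swtg72r7luklfv397s3wmhqav099w95s3cu3rh
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvalgweHE3NDY5OWQzL3Y2
        T0QxTDVCNVVxQWwwOGNSQ2hTM0FhTzRPQjE0Ck5BMHRlb1FWUTBlVWtjaURiTE5F
        WkhENG1uWUxMVllVZGE0V1hrRWhyN0UKLS0tIFpPTlhGa3lxcS9lcGJSWS9ZWXJD
        TUxrUWZqQXZGaGR6TzFRQlgxRHQ3V1EKcH/2rIrvVBFIvM/pntD05XdVjrdAO4x8
        kSPl6b9lQHIYDMl7v8um/AYfdonRkz5d4XWPml1ONOMZlzCNenz0iQ==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2025-07-28T00:09:47Z"
  mac: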
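ENC[AES256_GCM,data:yKGM+edW8Tt9A93k1G/Q2T5UHTj1FzW7Ly4VvS57enFHtKiCnr9qVsjcldjg19dHzxRqHWP30q4A8vl6roVjtaBb1wxYDJiPjlUNKFIQuwqSS1Ag6tqcf/tQ+ns9ipAyZAYcBLUq1WDRVqM+wgCCgPC0aiJP0cYr+TaH7tGf6DM=,iv:ja0Mxrfe6MDYFhgqI7yxgMCs/QM0gC6pONIc5svz/d0=,tag:F03Tpqog29Eklo2Cd9CV3w==,type:str]
  encrypted_regex: ^(data|stringData)$
  mac_only_encrypted: true
  version: 3.10.2
--------------------------------------------------------------------------------
/kubernetes/apps/default/paperless/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: paperless
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: paperless-secret
    # Explicit for consistency with the other ExternalSecrets (Owner is the default).
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        # Bootstrap admin credentials and the Django secret key all live in this
        # one Secret; treat read access to it as full control of the app.
        PAPERLESS_ADMIN_USER: "{{ .PAPERLESS_ADMIN_USER }}"
        PAPERLESS_ADMIN_PASSWORD: "{{ .PAPERLESS_ADMIN_PASSWORD }}"
        PAPERLESS_SECRET_KEY: "{{ .PAPERLESS_SECRET_KEY }}"
        # Database
        PAPERLESS_DBPORT: "5432"
        PAPERLESS_DBENGINE: postgresql
        PAPERLESS_DBNAME: &dbname paperless
        PAPERLESS_DBUSER: &dbuser "{{ .PAPERLESS_DBUSER }}"
        PAPERLESS_DBPASS: &dbpass "{{ .PAPERLESS_DBPASS }}"
        PAPERLESS_DBHOST: &dbhost db.internal

        # Postgres Init
        INIT_POSTGRES_DBNAME: *dbname
        INIT_POSTGRES_HOST: *dbhost
        INIT_POSTGRES_USER: *dbuser
        INIT_POSTGRES_PASS: *dbpass
        # NOTE(review): as in the media ExternalSecrets, the shared superuser
        # password from `cloudnative-pg` ends up in this app's Secret.
        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
  dataFrom:
    - extract:
        key: paperless
    - extract:
        key: cloudnative-pg
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/csi-driver-nfs/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: csi-driver-nfs
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 4.12.1
  url: oci://ghcr.io/home-operations/charts-mirror/csi-driver-nfs
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: csi-driver-nfs
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: csi-driver-nfs
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values:
    storageClass:
      create: true
      name: nfs-slow
      parameters:
        # NOTE(review): every PVC in this class lands under the media export on
        # the NAS. Anyone who can create a PVC in this class reaches that share,
        # so scope who may use it (or tighten the export on nas.internal).
        server: nas.internal
        share: /mnt/storage0/media
      mountOptions:
        - nfsvers=4.2
        - nconnect=16
        - hard
        - noatime
      # NOTE(review): Delete means deleting a PVC also removes its backing data
      # (presumably the per-volume subdirectory on the share). Retain is the
      # safer default for a media library; confirm this is intentional.
      reclaimPolicy: Delete
      volumeBindingMode: Immediate
--------------------------------------------------------------------------------
/.github/labels.yaml:
--------------------------------------------------------------------------------
---
# Areas
- { name: "area/bootstrap", color: "0e8a16" }
- { name: "area/github", color: "0e8a16" }
- { name: "area/kubernetes", color: "0e8a16" }
- { name: "area/minecraft", color: "0e8b16" }
# Renovate Types
- { name: "renovate/container", color: "027fa0" }
- { name: "renovate/github-action", color: "027fa0" }
- { name: "renovate/grafana-dashboard", color: "027fa0" }
- { name: "renovate/github-release", color: "027fa0" }
- { name: "renovate/helm", color: "027fa0" }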
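- { name: "renovate/pip", color: "027fa0" }
# Semantic Type
- { name: "type/patch", color: "ffec19" }
- { name: "type/minor", color: "ff9800" }
- { name: "type/major", color: "f14183" }
- { name: "type/break", color: "f6412d" }
- { name: "type/digest", color: "ffeC19" }
# Uncategorized
- { name: "do not merge", color: "ee0701" }
# General
- { name: "bug", color: "a4ffae" }
- { name: "deploy", color: "1f6feb" }
- { name: "improvement", color: "ff9800" }
- { name: "broken", color: "ee0701" }
# Status
- { name: "status/priority", color: "519fd0" }
--------------------------------------------------------------------------------
/kubernetes/apps/cert-manager/cert-manager/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app cert-manager
  namespace: &namespace cert-manager
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  decryption:
    provider: sops
    secretRef:
      # NOTE(review): Flux looks this Secret up in the Kustomization's own
      # namespace (cert-manager), not in flux-system -- confirm a sops-age copy
      # is present there, otherwise secret.sops.yaml cannot be decrypted.
      name: sops-age
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *app
      namespace: *namespace
    - apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      name: letsencrypt-production
  healthCheckExprs:
    # A ClusterIssuer is healthy only once its Ready condition reports True.
    - apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False')
      current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')
  interval: 1h
  path: ./kubernetes/apps/cert-manager/cert-manager/app
  postBuild:
    substituteFrom:
      - name: cluster-secrets
        kind: Secret
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: metrics-server
  namespace: kube-system # Required for Renovate lookups
spec:
  interval: 1h
  url: https://kubernetes-sigs.github.io/metrics-server
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: metrics-server
spec:
  interval: 1h
  chart:
    spec:
      chart: metrics-server
      version: 3.13.0
      sourceRef:
        kind: HelmRepository
        name: metrics-server
        namespace: kube-system
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values:
    args:
      # NOTE(review): this disables verification of the kubelets' serving
      # certificates, so anything that can sit between metrics-server and a
      # kubelet can feed it fabricated metrics (and HPA decisions). It is the
      # usual workaround for self-signed kubelet certs; once the kubelets get
      # API-signed serving certs (serverTLSBootstrap + a CSR approver), drop it.
      - --kubelet-insecure-tls
      - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
      - --kubelet-use-node-status-port
      - --metric-resolution=10s
      - --kubelet-request-timeout=2s
    metrics:
      enabled: true
    serviceMonitor:
      enabled: true
--------------------------------------------------------------------------------
/.renovate/autoMerge.json5:
--------------------------------------------------------------------------------
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  packageRules: [
    {
      description: "Auto-merge trusted container digests",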
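matchDatasources: ["docker"],
      automerge: true,
      automergeType: "pr",
      matchUpdateTypes: ["digest"],
      matchPackageNames: ["/home-operations/"],
      // Goes through a PR and waits for checks: the PR Check workflow still runs.
      ignoreTests: false,
    },
    {
      description: "Auto-merge OCI Charts",
      matchDatasources: ["docker"],
      automerge: true,
      automergeType: "pr",
      matchUpdateTypes: ["minor", "patch"],
      matchPackageNames: ["/kube-prometheus-stack/"],
      ignoreTests: false,
    },
    {
      description: "Auto-merge GitHub Actions",
      matchManagers: ["github-actions"],
      automerge: true,
      // NOTE(review): branch automerge lands directly on the default branch, and
      // ignoreTests skips status checks -- so no pull_request-triggered CI
      // (gitleaks, yamllint) ever sees these updates. minimumReleaseAge is the
      // only guard against a freshly published, possibly compromised, release.
      automergeType: "branch",
      matchUpdateTypes: ["minor", "patch", "digest"],
      minimumReleaseAge: "3 days",
      ignoreTests: true,
    },
    {
      description: "Auto-merge GitHub Releases",
      matchDatasources: ["github-releases"],
      automerge: true,
      automergeType: "branch",
      matchUpdateTypes: ["minor", "patch"],
      matchPackageNames: [
        "/external-dns/",
        "/gateway-api/",
        "/prometheus-operator/",
      ],
      // NOTE(review): unlike the actions rule above there is no minimumReleaseAge
      // here, so a release is merged the moment Renovate sees it; consider
      // adding the same "3 days" cool-off.
      ignoreTests: true,
    },
  ],
}
--------------------------------------------------------------------------------
/.github/scripts/lib/functions.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

set -o errexit
set -o nounset
set -o pipefail
# Run the last stage of a pipeline in the current shell so `break`/variables
# inside `... | while read` behave as expected.
shopt -s lastpipe

# check NAME -- abort the script if the command NAME is not on $PATH.
check() {
  command -v "${1}" >/dev/null 2>&1 || {
    # (was: a duplicated `>&2` on this line; one redirection is enough)
    echo >&2 "ERROR: ${1} is not installed or not found in \$PATH"
    exit 1
  }
}

# chart_registry_url HELMRELEASE -- print the .spec.url of the HelmRepository
# whose name matches the HelmRelease's .spec.chart.spec.sourceRef.name.
# Prints nothing if no match is found. yq errors are silenced throughout.
chart_registry_url() {
  local helm_release=
  local chart_id=
  helm_release="${1}"
  chart_id=$(yq eval .spec.chart.spec.sourceRef.name "${helm_release}" 2>/dev/null)
  # Discover all HelmRepository
  # NOTE(review): only files named *-charts.yaml are scanned -- confirm the
  # HelmRepository manifests in this repo still follow that naming.
  find . -iname '*-charts.yaml' -type f -print0 | while IFS= read -r -d '' file; do
    # Skip non HelmRepository
    [[ $(yq eval .kind "${file}" 2>/dev/null) != "HelmRepository" ]] && continue
    # Skip unrelated HelmRepository
    # The right-hand side is quoted: unquoted, `[[ != ]]` treats it as a glob
    # pattern, so a name containing `*` or `?` would compare incorrectly.
    [[ "${chart_id}" != "$(yq eval .metadata.name "${file}" 2>/dev/null)" ]] && continue
    yq eval .spec.url "${file}"
    # NOTE(review): breaking out while `find` is still writing can surface as a
    # SIGPIPE'd pipeline under pipefail+errexit; fine for a small repo, but a
    # flag-and-drain loop would be the robust form.
    break
  done
}

# chart_name HELMRELEASE -- print .spec.chart.spec.chart.
chart_name() {
  local helm_release=
  helm_release="${1}"
  yq eval .spec.chart.spec.chart "${helm_release}" 2>/dev/null
}

# chart_version HELMRELEASE -- print .spec.chart.spec.version.
chart_version() {
  local helm_release=
  helm_release="${1}"
  yq eval .spec.chart.spec.version "${helm_release}" 2>/dev/null
}

# chart_values HELMRELEASE -- print .spec.values as YAML.
chart_values() {
  local helm_release=
  helm_release="${1}"
  yq eval .spec.values "${helm_release}" 2>/dev/null
}
--------------------------------------------------------------------------------
/kubernetes/flux/cluster/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cluster-meta
  namespace: &namespace flux-system
spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-age
  interval: 1h
  path: ./kubernetes/flux/meta
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  # Flux repositories under this need flux-system hardcoded as namespace for Renovate lookups
  targetNamespace: *namespace
  wait: true
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cluster-apps
  namespace: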
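flux-system
spec:
  # Every app Kustomization under ./kubernetes/apps inherits this decryption
  # config, so the sops-age key in flux-system unlocks all *.sops.yaml files.
  decryption:
    provider: sops
    secretRef:
      name: sops-age
  dependsOn:
    - name: cluster-meta
      namespace: flux-system
  interval: 1h
  path: ./kubernetes/apps
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  timeout: 5m
  # Per-app Kustomizations track their own health; do not block on them here.
  wait: false
--------------------------------------------------------------------------------
/.renovate/grafanaDashboards.json5:
--------------------------------------------------------------------------------
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  customDatasources: {
    "grafana-dashboards": {
      defaultRegistryUrlTemplate: "https://grafana.com/api/dashboards/{{packageName}}",
      format: "json",
      transformTemplates: ['{"releases":[{"version": $string(revision)}]}'],
    },
  },
  customManagers: [
    {
      customType: "regex",
      description: "Process Grafana dashboards",
      fileMatch: ["(^|/)kubernetes/.+\\.ya?ml$"],
      // The named capture groups had been stripped from this listing; they are
      // restored from the template below (depName/indentation/packageName) and
      // Renovate's regex-manager contract (currentValue).
      matchStrings: [
        'depName="(?<depName>.*)"\\n(?<indentation>\\s+)gnetId: (?<packageName>\\d+)\\n.+revision: (?<currentValue>\\d+)',
      ],
      autoReplaceStringTemplate: 'depName="{{{depName}}}"\n{{{indentation}}}gnetId: {{{packageName}}}\n{{{indentation}}}revision: {{{newValue}}}',
      datasourceTemplate: "custom.grafana-dashboards",
      // regex versioning needs a `major` group; a revision bump is a "major".
      versioningTemplate: "regex:^(?<major>\\d+)$",
    },
  ],
  packageRules: [
    {
      addLabels: ["renovate/grafana-dashboard"],
      automerge: true,
      automergeType: "branch",
      matchDatasources: ["custom.grafana-dashboards"],
      matchUpdateTypes: ["major"],
      semanticCommitType: "chore",
      semanticCommitScope: "grafana-dashboards",
      commitMessageTopic: "dashboard {{depName}}",
      commitMessageExtra: "({{currentVersion}} → {{newVersion}})",
    },
  ],
}
--------------------------------------------------------------------------------
/kubernetes/apps/network/external-dns/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app external-dns-cloudflare
  namespace: flux-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  decryption:
    provider: sops
    secretRef:
      name: sops-age
  interval: 1h
  postBuild:
    substituteFrom:
      - name: cluster-secrets
        kind: Secret
  path: ./kubernetes/apps/network/external-dns/cloudflare
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: network
  timeout: 5m
  wait: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app external-dns-unifi
  namespace: flux-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  decryption:
    provider: sops
    secretRef:
      name: sops-age
  interval: 1h
  postBuild:
    substituteFrom:
      - name: cluster-secrets
        kind: Secret
  path: ./kubernetes/apps/network/external-dns/unifi
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: network
  timeout: 5m
  wait: true
--------------------------------------------------------------------------------
/.github/workflows/pr-check.yml:
--------------------------------------------------------------------------------
---
name: PR Check

on:
  pull_request:
    branches: ["main"]

jobs:
  scan:
    name: checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
        with:
          fetch-depth: 0
      - name: Get changed files
        id: changed-files
        uses: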
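tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
      # NOTE(review): mutable ref. Every other action in this job is pinned to a
      # commit SHA; a force-push to that repository's master would run arbitrary
      # code here with this job's token. Pin to a SHA (version as a trailing
      # comment) like the rest.
      - uses: harupy/find-trailing-whitespace@master
      - name: "Gitleaks checks"
        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
        env:
          # NOTE(review): the workflow declares no `permissions:`, so this token
          # carries the repository default scope. Declare the minimum at the job
          # (contents: read, plus pull-requests: write if the yamllint PR comment
          # needs it) so a compromised step cannot do more than that.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: "Copy changed files"
        # Changed-file names are attacker-controlled PR input. They are handed to
        # the script through an environment variable instead of being expanded
        # with `${{ ... }}` inside `run:`, where a crafted filename (containing
        # `;`, `$(...)`, a backtick, ...) would have been executed by the shell.
        env:
          ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
        run: |
          mkdir testfiles
          for file in ${ALL_CHANGED_FILES}; do
            if [[ "$file" == .github/* ]]; then
              continue
            fi
            if [ -f "$file" ]; then
              cp --parents "$file" testfiles
            fi
          done
      - name: "Yamllint checks"
        # NOTE(review): same mutable-ref concern as find-trailing-whitespace; this
        # step also receives the repository token, so pin it to a commit SHA.
        uses: karancode/yamllint-github-action@master
        with:
          yamllint_config_filepath: .github/linters/.yamllint.yaml
          yamllint_file_or_dir: "testfiles"
          yamllint_strict: false
          yamllint_comment: true
        env:
          GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--------------------------------------------------------------------------------
/kubernetes/apps/database/dragonfly/app/rbac.yaml:
--------------------------------------------------------------------------------
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dragonfly-operator
# No access to secrets or configmaps is granted, which is the right shape for
# this operator; the rules below are scoped to what it reconciles.
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["dragonflydb.io"]
    resources: ["dragonflies"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["dragonflydb.io"]
    resources: ["dragonflies/finalizers"]
    verbs: ["update"]
  - apiGroups: ["dragonflydb.io"]
    resources: ["dragonflies/status"]
    verbs: ["get", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dragonfly-operator
# NOTE(review): a ClusterRoleBinding grants the pod/service/statefulset
# create+delete verbs above in every namespace. If the operator only watches
# the `database` namespace, bind the same ClusterRole with a RoleBinding in
# `database` instead -- that confines a compromised operator to one namespace.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dragonfly-operator
subjects:
  - kind: ServiceAccount
    name: dragonfly-operator
    namespace: database
--------------------------------------------------------------------------------
/.renovate/semanticCommits.json5:
--------------------------------------------------------------------------------
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  packageRules: [
    {
      matchUpdateTypes: ["major"],
      semanticCommitType: "feat",
      commitMessagePrefix: "{{semanticCommitType}}({{semanticCommitScope}})!:",
      commitMessageExtra: "({{currentVersion}} → {{newVersion}})",
    },
    {
      matchUpdateTypes: ["minor"],
      semanticCommitType: "feat",
      commitMessageExtra: "({{currentVersion}} → {{newVersion}})",
    },
    {
      matchUpdateTypes: ["patch"],
      semanticCommitType: "fix",
      commitMessageExtra: "({{currentVersion}} → {{newVersion}})",
    },
    {
      matchUpdateTypes: ["digest"],
      semanticCommitType: "chore",
      commitMessageExtra: "({{currentDigestShort}} → {{newDigestShort}})",
    },
    {
      matchDatasources: ["docker"],
      semanticCommitScope: "container",
      commitMessageTopic: "image {{depName}}",
    },
    {
      matchDatasources: ["helm"],
      semanticCommitScope: "helm",
      commitMessageTopic: "chart {{depName}}",
    },
    {
      matchManagers: ["github-actions"],
      semanticCommitType: "ci",
      semanticCommitScope: "github-action",
      commitMessageTopic: "action {{depName}}",
    },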
| { 42 | matchDatasources: ["github-releases"], 43 | semanticCommitScope: "github-release", 44 | commitMessageTopic: "release {{depName}}", 45 | }, 46 | ], 47 | } 48 | -------------------------------------------------------------------------------- /kubernetes/apps/network/external-dns/cloudflare/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: &app external-dns-cloudflare 6 | spec: 7 | interval: 1h 8 | chart: 9 | spec: 10 | chart: external-dns 11 | version: 1.19.0 12 | sourceRef: 13 | kind: HelmRepository 14 | name: external-dns 15 | namespace: flux-system 16 | install: 17 | crds: CreateReplace 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | crds: CreateReplace 23 | remediation: 24 | strategy: rollback 25 | retries: 3 26 | values: 27 | fullnameOverride: *app 28 | provider: cloudflare 29 | env: 30 | - name: &name CF_API_TOKEN 31 | valueFrom: 32 | secretKeyRef: 33 | name: &secret external-dns-cloudflare-secret 34 | key: *name 35 | - name: &name CF_ZONE_ID 36 | valueFrom: 37 | secretKeyRef: 38 | name: *secret 39 | key: *name 40 | extraArgs: 41 | - --cloudflare-dns-records-per-page=1000 42 | - --cloudflare-proxied 43 | - --crd-source-apiversion=externaldns.k8s.io/v1alpha1 44 | - --crd-source-kind=DNSEndpoint 45 | - --gateway-name=external 46 | policy: sync 47 | sources: ["crd", "gateway-httproute"] 48 | txtPrefix: k8s. 
49 | txtOwnerId: default 50 | domainFilters: ["${SECRET_DOMAIN}"] 51 | serviceMonitor: 52 | enabled: true 53 | podAnnotations: 54 | secret.reloader.stakater.com/reload: *secret 55 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/gatus/app/resources/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | alerting: 3 | pushover: 4 | application-token: ${GATUS_PUSHOVER_APP_TOKEN} 5 | user-key: ${GATUS_PUSHOVER_USER_KEY} 6 | priority: 1 7 | default-alert: 8 | description: healthcheck failed 9 | send-on-resolved: true 10 | failure-threshold: 3 11 | success-threshold: 3 12 | 13 | connectivity: 14 | checker: 15 | target: 1.1.1.1:53 16 | interval: 1m 17 | 18 | metrics: true 19 | 20 | storage: 21 | type: postgres 22 | path: postgres://${INIT_POSTGRES_USER}:${INIT_POSTGRES_PASS}@${INIT_POSTGRES_HOST}:5432/${INIT_POSTGRES_DBNAME}?sslmode=disable 23 | caching: true 24 | 25 | ui: 26 | title: Status | Gatus 27 | header: Status 28 | logo: https://camo.githubusercontent.com/d2689c2c178ad21d7c91c2fd4fe3753643499d34e789d177ece4ed3a2eec2782/68747470733a2f2f692e696d6775722e636f6d2f676476426b4e452e706e67 29 | link: https://github.com/axeII 30 | buttons: 31 | - name: Github 32 | link: https://github.com/axeII 33 | - name: Homelab 34 | link: https://github.com/axeII/home-ops 35 | 36 | endpoints: 37 | - name: blog 38 | group: external 39 | url: https://axell.dev 40 | interval: 1m 41 | client: 42 | dns-resolver: tcp://1.1.1.1:53 43 | conditions: 44 | - "[STATUS] == 200" 45 | alerts: 46 | - type: pushover 47 | - name: flux-webhook 48 | url: https://flux-webhook.juno.moe 49 | interval: 1m 50 | client: 51 | dns-resolver: tcp://8.8.8.8:53 52 | conditions: 53 | - "[STATUS] == 404" 54 | 55 | web: 56 | port: ${GATUS_WEB_PORT} 57 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/external-secrets/ks.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app external-secrets 7 | namespace: &namespace kube-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | decryption: 13 | provider: sops 14 | secretRef: 15 | name: sops-age 16 | interval: 1h 17 | path: ./kubernetes/apps/kube-system/external-secrets/app 18 | prune: true 19 | sourceRef: 20 | kind: GitRepository 21 | name: flux-system 22 | namespace: flux-system 23 | targetNamespace: *namespace 24 | wait: true 25 | retryInterval: 1m 26 | timeout: 5m 27 | --- 28 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 29 | apiVersion: kustomize.toolkit.fluxcd.io/v1 30 | kind: Kustomization 31 | metadata: 32 | name: &app external-secrets-stores 33 | namespace: &namespace kube-system 34 | spec: 35 | commonMetadata: 36 | labels: 37 | app.kubernetes.io/name: *app 38 | decryption: 39 | provider: sops 40 | secretRef: 41 | name: sops-age 42 | interval: 1h 43 | dependsOn: 44 | - name: external-secrets 45 | path: ./kubernetes/apps/kube-system/external-secrets/stores 46 | prune: true 47 | sourceRef: 48 | kind: GitRepository 49 | name: flux-system 50 | namespace: flux-system 51 | targetNamespace: *namespace 52 | wait: true 53 | retryInterval: 1m 54 | timeout: 5m 55 | --------------------------------------------------------------------------------