├── .editorconfig ├── .gitattributes ├── .github ├── labeler.yaml ├── labels.yaml ├── release-drafter.yaml ├── release.yaml ├── renovate.json5 ├── renovate │ ├── autoMerge.json5 │ ├── commitMessage.json5 │ ├── customManagers.json5 │ ├── grafanaDashboards.json5 │ ├── groups.json5 │ ├── labels.json5 │ ├── packageRules.json5 │ └── semanticCommits.json5 └── workflows │ ├── docs.yaml │ ├── flux-diff.yaml │ ├── flux-local.yaml │ ├── label-sync.yaml │ ├── labeler.yaml │ ├── release.yaml │ └── renovate.yaml ├── .gitignore ├── .mise.toml ├── .sops.yaml ├── .taskfiles ├── bootstrap │ └── Taskfile.yaml ├── externalsecrets │ └── Taskfile.yaml ├── misc │ └── Taskfile.yaml ├── talos │ └── Taskfile.yaml └── volsync │ ├── Taskfile.yaml │ ├── scripts │ ├── controller.sh │ └── wait.sh │ └── templates │ ├── list.tmpl.yaml │ ├── replicationdestination.tmpl.yaml │ ├── unlock.tmpl.yaml │ └── wipe.tmpl.yaml ├── .vscode ├── extensions.json └── settings.json ├── LICENSE ├── README.md ├── Taskfile.yaml ├── docs ├── .gitignore ├── book.toml ├── mdbook-admonish.css ├── mermaid-init.js ├── mermaid.min.js └── src │ ├── SUMMARY.md │ ├── assets │ ├── ServerRack_20231214.jpg │ ├── ServerRack_20240326.png │ ├── ServerRack_20240429.jpg │ ├── ServerRack_20250206.jpg │ └── logo.png │ ├── index.md │ ├── introduction.md │ ├── notes │ ├── Commands.md │ ├── MachineDrives.md │ ├── Pikvm.md │ ├── Scripts.md │ ├── SemanticCommits.md │ ├── Teleport.md │ ├── Tools.md │ └── pikvm │ │ └── override.yaml │ └── tools │ ├── inspector.yaml │ └── scripts │ └── clean-orphan-cert-secrets.sh └── kubernetes ├── apps ├── cert-manager │ ├── cert-manager │ │ ├── app │ │ │ ├── helm-values.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── kustomizeconfig.yaml │ │ ├── issuers │ │ │ ├── clusterissuers.yaml │ │ │ ├── externalsecret.yaml │ │ │ └── kustomization.yaml │ │ ├── ks.yaml │ │ └── tls │ │ │ ├── certificates.yaml │ │ │ └── kustomization.yaml │ └── kustomization.yaml ├── database │ ├── 
kustomization.yaml │ ├── mssql-2025 │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ └── mssql │ │ ├── app │ │ ├── externalsecret.yaml │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ │ └── ks.yaml ├── default │ ├── audiobookshelf │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── bazarr │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── discord │ │ ├── ks.yaml │ │ └── phc-high-counsel-ai-bot │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ ├── echo-server │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── emqx │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── frigate │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── resources │ │ │ │ └── config.yaml │ │ └── ks.yaml │ ├── guacamole │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── home-assistant │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── it-tools │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── kustomization.yaml │ ├── minio │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── nfs-pvc.yaml │ │ └── ks.yaml │ ├── node-red │ │ ├── app │ │ │ ├── configs │ │ │ │ └── settings.js │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── open-webui │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── overseerr │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── plex │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── prowlarr │ │ ├── 
app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── radarr │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── redis │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── sabnzbd │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── sonarr │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── synology.yaml │ ├── tautulli │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── theme-park │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── zigbee2mqtt │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ └── zwave-js-ui │ │ ├── app │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ │ └── ks.yaml ├── external-secrets │ ├── azure-keyvault │ │ ├── ks.yaml │ │ └── store │ │ │ ├── clustersecretstore.yaml │ │ │ ├── kustomization.yaml │ │ │ └── secrets.sops.yaml │ ├── external-secrets │ │ ├── app │ │ │ ├── helm-values.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── kustomizeconfig.yaml │ │ └── ks.yaml │ └── kustomization.yaml ├── flux-system │ ├── flux-operator │ │ ├── app │ │ │ ├── helm-values.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── kustomizeconfig.yaml │ │ ├── instance │ │ │ ├── github │ │ │ │ ├── kustomization.yaml │ │ │ │ └── webhooks │ │ │ │ │ ├── ingress.yaml │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ ├── receiver.yaml │ │ │ │ │ └── secret.sops.yaml │ │ │ ├── helm-values.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── kustomizeconfig.yaml │ │ └── ks.yaml │ └── kustomization.yaml ├── kube-system │ ├── cilium │ │ ├── app │ │ │ ├── helm-values.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── kustomizeconfig.yaml │ │ ├── config │ │ │ ├── kustomization.yaml │ │ │ ├── 
l2.yaml │ │ │ └── pool.yaml │ │ └── ks.yaml │ ├── coredns │ │ ├── app │ │ │ ├── helm-values.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── kustomizeconfig.yaml │ │ └── ks.yaml │ ├── intel-device-plugin │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── gpu │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── kustomization.yaml │ ├── metrics-server │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── node-feature-discovery │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── ks.yaml │ │ └── rules │ │ │ ├── aeotec-zwave-device.yaml │ │ │ ├── google-coral-device.yaml │ │ │ ├── intel-gpu-device.yaml │ │ │ └── kustomization.yaml │ ├── reloader │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ └── spegel │ │ ├── app │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ │ └── ks.yaml ├── network │ ├── external │ │ ├── cloudflared │ │ │ ├── configs │ │ │ │ └── config.yaml │ │ │ ├── dnsendpoint.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── secret.sops.yaml │ │ ├── external-dns │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── ingress-nginx │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── internal │ │ ├── external-dns │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── ingress-nginx │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ └── kustomization.yaml ├── observability │ ├── gatus │ │ ├── app │ │ │ ├── config │ │ │ │ └── config.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── pvc.yaml │ │ │ └── rbac.yaml │ │ └── ks.yaml │ ├── grafana │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── kromgo │ │ ├── app │ │ │ ├── 
helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── resources │ │ │ │ └── config.yaml │ │ └── ks.yaml │ ├── kube-prometheus-stack │ │ ├── app │ │ │ ├── alertmanagerconfig.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── kustomization.yaml │ ├── loki │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── promtail │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ └── unpoller │ │ ├── app │ │ ├── externalsecret.yaml │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ │ └── ks.yaml ├── openebs-system │ ├── kustomization.yaml │ └── openebs │ │ ├── app │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ │ └── ks.yaml ├── rook-ceph │ ├── kustomization.yaml │ └── rook-ceph │ │ ├── app │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ │ ├── cluster │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ │ └── ks.yaml ├── teleport │ ├── kustomization.yaml │ ├── teleport-kube-agent │ │ ├── agent │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ └── teleport │ │ ├── app │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── resources │ │ │ └── token.yaml │ │ └── ks.yaml └── volsync-system │ ├── kustomization.yaml │ ├── snapshot-controller │ ├── app │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ └── ks.yaml │ └── volsync │ ├── app │ ├── helmrelease.yaml │ ├── kustomization.yaml │ └── prometheusrule.yaml │ └── ks.yaml ├── bootstrap ├── helmfile.yaml └── talos │ ├── clusterconfig │ └── .gitignore │ ├── patches │ ├── README.md │ ├── controller │ │ ├── admission-controller-patch.yaml │ │ └── cluster.yaml │ └── global │ │ ├── machine-files.yaml │ │ ├── machine-kubelet.yaml │ │ ├── machine-network.yaml │ │ ├── machine-sysctls.yaml │ │ └── machine-time.yaml │ ├── talconfig.yaml │ └── talsecret.sops.yaml └── flux ├── cluster └── ks.yaml ├── components ├── gatus │ ├── external │ │ ├── config.yaml │ │ └── 
kustomization.yaml │ └── guarded │ │ ├── config.yaml │ │ └── kustomization.yaml ├── namespace │ ├── kustomization.yaml │ └── namespace.yaml ├── sops │ ├── kustomization.yaml │ └── secrets.sops.yaml └── volsync │ ├── kustomization.yaml │ ├── local │ ├── externalsecret.yaml │ ├── kustomization.yaml │ ├── replicationdestination.yaml │ └── replicationsource.yaml │ └── pvc.yaml └── meta ├── kustomization.yaml ├── repositories ├── git │ └── kustomization.yaml ├── helm │ ├── backube.yaml │ ├── bjw-s.yaml │ ├── cilium.yaml │ ├── controlplaneio.yaml │ ├── coredns.yaml │ ├── csi-driver-nfs.yaml │ ├── emberstack.yaml │ ├── emqx.yaml │ ├── external-dns.yaml │ ├── external-secrets.yaml │ ├── grafana.yaml │ ├── ingress-nginx.yaml │ ├── intel.yaml │ ├── jetstack.yaml │ ├── k8s-gateway.yaml │ ├── k8sgpt.yaml │ ├── kubernetes-dashboard.yaml │ ├── kustomization.yaml │ ├── metrics-server.yaml │ ├── node-feature-discovery.yaml │ ├── openebs.yaml │ ├── piraeus.yaml │ ├── postfinance.yaml │ ├── prometheus-community.yaml │ ├── rook-ceph.yaml │ ├── spegel.yaml │ ├── stakater.yaml │ └── teleport.yaml ├── kustomization.yaml └── oci │ └── kustomization.yaml └── settings ├── cluster-secrets.sops.yaml ├── cluster-settings.yaml └── kustomization.yaml /.editorconfig: -------------------------------------------------------------------------------- 1 | # editorconfig.org 2 | root = true 3 | 4 | [*] 5 | indent_style = space 6 | indent_size = 2 7 | end_of_line = lf 8 | charset = utf-8 9 | trim_trailing_whitespace = true 10 | insert_final_newline = true 11 | 12 | [*.{bash,py,sh}] 13 | indent_style = space 14 | indent_size = 4 15 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto eol=lf 2 | *.yaml.j2 linguist-language=YAML 3 | *.sops.* diff=sopsdiffer 4 | -------------------------------------------------------------------------------- /.github/labeler.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # Areas 3 | area/docs: 4 | - changed-files: 5 | - any-glob-to-any-file: 6 | - "docs/**/*" 7 | - "README.md" 8 | area/github: 9 | - changed-files: 10 | - any-glob-to-any-file: ".github/**/*" 11 | area/kubernetes: 12 | - changed-files: 13 | - any-glob-to-any-file: "kubernetes/**/*" 14 | area/taskfile: 15 | - changed-files: 16 | - any-glob-to-any-file: 17 | - ".taskfiles/**/*" 18 | - "Taskfile.yaml" -------------------------------------------------------------------------------- /.github/labels.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Areas 3 | - { name: "area/docs", color: "0e8a16" } 4 | - { name: "area/github", color: "0e8a16" } 5 | - { name: "area/kubernetes", color: "0e8a16" } 6 | - { name: "area/taskfile", color: "0e8a16" } 7 | # Renovate Types 8 | - { name: "renovate/container", color: "027fa0" } 9 | - { name: "renovate/grafana-dashboard", color: "027fa0" } 10 | - { name: "renovate/github-release", color: "027fa0" } 11 | - { name: "renovate/helm", color: "027fa0" } 12 | # Semantic Types 13 | - { name: "type/digest", color: "ffeC19" } 14 | - { name: "type/patch", color: "ffeC19" } 15 | - { name: "type/minor", color: "ff9800" } 16 | - { name: "type/major", color: "f6412d" } 17 | # Uncategorized 18 | - { name: "community", color: "370fb2" } 19 | - { name: "hold", color: "ee0701" } 20 | -------------------------------------------------------------------------------- /.github/release-drafter.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name-template: "Release v$RESOLVED_VERSION" 3 | tag-template: "v$RESOLVED_VERSION" 4 | change-template: "- $TITLE @$AUTHOR (#$NUMBER)" 5 | change-title-escapes: '\<*_&' 6 | categories: 7 | - title: "Community Contributions" 8 | labels: ["community"] 9 | - title: "Kubernetes" 10 | labels: ["area/kubernetes"] 11 | - title: "Github" 12 
| labels: ["area/github"] 13 | - title: "Maintenance" 14 | labels: ["docs"] 15 | version-resolver: 16 | major: 17 | labels: ["type/break"] 18 | minor: 19 | labels: ["type/major", "type/minor"] 20 | patch: 21 | labels: ["type/patch"] 22 | default: patch 23 | template: | 24 | ## What's Changed 25 | 26 | $CHANGES 27 | 28 | **Full Changelog**: https://github.com/$OWNER/$REPOSITORY/compare/$PREVIOUS_TAG...v$RESOLVED_VERSION 29 | -------------------------------------------------------------------------------- /.github/release.yaml: -------------------------------------------------------------------------------- 1 | changelog: 2 | exclude: 3 | authors: 4 | - unsc-oni-ancilla 5 | -------------------------------------------------------------------------------- /.github/renovate.json5: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "config:recommended", 5 | "docker:enableMajor", 6 | "replacements:k8s-registry-move", 7 | ":automergeBranch", 8 | ":disableRateLimiting", 9 | ":dependencyDashboard", 10 | ":semanticCommits", 11 | ":skipStatusChecks", 12 | ":timezone(America/New_York)", 13 | "github>binaryn3xus/HomeOps//.github/renovate/autoMerge.json5", 14 | "github>binaryn3xus/HomeOps//.github/renovate/commitMessage.json5", 15 | "github>binaryn3xus/HomeOps//.github/renovate/customManagers.json5", 16 | "github>binaryn3xus/HomeOps//.github/renovate/grafanaDashboards.json5", 17 | "github>binaryn3xus/HomeOps//.github/renovate/groups.json5", 18 | "github>binaryn3xus/HomeOps//.github/renovate/labels.json5", 19 | "github>binaryn3xus/HomeOps//.github/renovate/packageRules.json5", 20 | "github>binaryn3xus/HomeOps//.github/renovate/semanticCommits.json5" 21 | ], 22 | "dependencyDashboardTitle": "Renovate Dashboard 🤖", 23 | "suppressNotifications": ["prEditedNotification", "prIgnoreNotification"], 24 | "onboarding": false, 25 | "rebaseWhen": "conflicted", 26 | 
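"requireConfig": "ignored",
27 |   "ignorePaths": ["**/archive/**", "**/*.sops.*", "**/.archive/**", "**/resources/**"],
28 |   "ignoreDeps": ["ghcr.io/binaryn3xus/phc-highcounsel-bot"],
29 |   "flux": {
30 |     "fileMatch": ["(^|/)kubernetes/.+\\.ya?ml$"]
31 |   },
32 |   "helm-values": {
33 |     "fileMatch": ["(^|/)kubernetes/.+\\.ya?ml$"]
34 |   },
35 |   "kubernetes": {
36 |     "fileMatch": ["(^|/)\\.taskfiles/.+\\.ya?ml$", "(^|/)kubernetes/.+\\.ya?ml$"]
37 |   }
38 | }
--------------------------------------------------------------------------------
/.github/renovate/autoMerge.json5:
--------------------------------------------------------------------------------
1 | {
2 |   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
3 |   "packageRules": [
4 |     {
5 |       "description": ["Auto-merge container digests updates for trusted containers"],
6 |       "matchDatasources": ["docker"],
7 |       // NOTE(review): the root renovate.json5 extends ":automergeBranch" and
8 |       // ":skipStatusChecks", so these digest bumps are pushed to the default
9 |       // branch without waiting for flux-local / flux-diff to pass. Consider
10 |       // "automergeType": "pr" with required checks, or dropping ":skipStatusChecks",
11 |       // if a bad digest should be caught before it reaches the cluster.
12 |       "automerge": true,
13 |       "automergeType": "branch",
14 |       "matchUpdateTypes": ["digest"],
15 |       // Entries are regexes. Anchoring them limits the rule to images directly
16 |       // under these two owners instead of any package name containing the substring.
17 |       "matchPackagePatterns": ["^ghcr\\.io/bjw-s/", "^ghcr\\.io/onedr0p/"]
18 |     },
19 |     {
20 |       "description": ["Auto-merge GitHub Actions for minor and patch"],
21 |       "matchManagers": ["github-actions"],
22 |       "matchDatasources": ["github-tags"],
23 |       "automerge": true,
24 |       "automergeType": "branch",
25 |       "matchUpdateTypes": ["minor", "patch"]
26 |     }
27 |   ]
28 | }
--------------------------------------------------------------------------------
/.github/renovate/commitMessage.json5:
--------------------------------------------------------------------------------
1 | {
2 |   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
3 |   "commitMessageTopic": "{{depName}}",
4 |   "commitMessageExtra": "to {{newVersion}}",
5 |   "commitMessageSuffix": "",
6 |   "packageRules": [
7 |     {
8 |       "matchDatasources": ["helm"],
9 |       "commitMessageTopic": "chart {{depName}}"
10 |     },
11 |     {
12 |       "matchDatasources": ["docker"],
13 |       "commitMessageTopic": "image {{depName}}"
14 |     }
15 |   ]
16 | }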
-------------------------------------------------------------------------------- /.github/renovate/customManagers.json5: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "customManagers": [ 4 | { 5 | "customType": "regex", 6 | "description": "Process custom dependencies", 7 | "fileMatch": [ "(^|/)kubernetes/.+\\.ya?ml$" ], 8 | "matchStrings": [ 9 | "datasource=(?\\S+) depName=(?\\S+)( repository=(?\\S+))?\\n.+(:\\s|=)(&\\S+\\s)?(?\\S+)", 10 | "datasource=(?\\S+) depName=(?\\S+)\\n.+/(?(v|\\d)[^/]+)", 11 | "datasource=(?\\S+) depName=(?\\S+)( repository=(?\\S+))?\n.+?\"(?\\S+)\"" 12 | ], 13 | "datasourceTemplate": "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}" 14 | } 15 | ] 16 | } -------------------------------------------------------------------------------- /.github/renovate/grafanaDashboards.json5: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "customDatasources": { 4 | "grafana-dashboards": { 5 | "defaultRegistryUrlTemplate": "https://grafana.com/api/dashboards/{{packageName}}", 6 | "format": "json", 7 | "transformTemplates": ["{\"releases\":[{\"version\": $string(revision)}]}"] 8 | } 9 | }, 10 | "customManagers": [ 11 | { 12 | "customType": "regex", 13 | "description": ["Process Grafana dashboards"], 14 | "fileMatch": ["(^|/)kubernetes/.+\\.ya?ml$"], 15 | "matchStrings": ["depName=\"(?.*)\"\\n(?\\s+)gnetId: (?\\d+)\\n.+revision: (?\\d+)"], 16 | "autoReplaceStringTemplate": "depName=\"{{{depName}}}\"\n{{{indentation}}}gnetId: {{{packageName}}}\n{{{indentation}}}revision: {{{newValue}}}", 17 | "datasourceTemplate": "custom.grafana-dashboards", 18 | "versioningTemplate": "regex:^(?\\d+)$" 19 | } 20 | ], 21 | "packageRules": [ 22 | { 23 | "addLabels": ["renovate/grafana-dashboard"], 24 | "automerge": true, 25 | 
"automergeType": "branch", 26 | "matchDatasources": ["custom.grafana-dashboards"], 27 | "matchUpdateTypes": ["major"], 28 | "semanticCommitType": "chore", 29 | "semanticCommitScope": "grafana-dashboards", 30 | "commitMessageTopic": "dashboard {{depName}}", 31 | "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" 32 | } 33 | ] 34 | } -------------------------------------------------------------------------------- /.github/renovate/groups.json5: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "packageRules": [ 4 | { 5 | "description": ["Intel Device Plugins Group"], 6 | "groupName": "Intel-Device-Plugins", 7 | "matchPackagePatterns": ["intel-device-plugins"], 8 | "matchDatasources": ["helm"], 9 | "group": { 10 | "commitMessageTopic": "{{{groupName}}} group" 11 | }, 12 | "separateMinorPatch": true 13 | }, 14 | { 15 | "description": ["Rook-Ceph Group"], 16 | "groupName": "Rook-Ceph", 17 | "matchPackagePatterns": ["rook.ceph"], 18 | "matchDatasources": ["helm"], 19 | "group": { 20 | "commitMessageTopic": "{{{groupName}}} group" 21 | }, 22 | "separateMinorPatch": true 23 | }, 24 | { 25 | "description": ["Flux Operator Group"], 26 | "groupName": "Flux Operator", 27 | "matchPackagePatterns": ["flux-operator", "flux-instance"], 28 | "matchDatasources": ["docker"], 29 | "group": { 30 | "commitMessageTopic": "{{{groupName}}} group" 31 | } 32 | }, 33 | { 34 | "description": ["Talos Group"], 35 | "groupName": "Talos", 36 | "matchPackagePatterns": ["siderolabs/talosctl", "siderolabs/installer"], 37 | "matchDatasources": ["docker"], 38 | "group": { 39 | "commitMessageTopic": "{{{groupName}}} group" 40 | }, 41 | "separateMinorPatch": true 42 | }, 43 | { 44 | "description": "Teleport Group", 45 | "groupName": "Teleport", 46 | "matchPackagePatterns": ["teleport-cluster", "teleport-kube-agent"], 47 | "matchDatasources": ["helm"], 48 | "group": { 49 | 
"commitMessageTopic": "{{{groupName}}} group" 50 | }, 51 | "separateMinorPatch": true 52 | } 53 | ] 54 | } 55 | -------------------------------------------------------------------------------- /.github/renovate/labels.json5: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "packageRules": [ 4 | { 5 | "matchUpdateTypes": ["major"], 6 | "labels": ["type/major"] 7 | }, 8 | { 9 | "matchUpdateTypes": ["minor"], 10 | "labels": ["type/minor"] 11 | }, 12 | { 13 | "matchUpdateTypes": ["patch"], 14 | "labels": ["type/patch"] 15 | }, 16 | { 17 | "matchUpdateTypes": ["digest"], 18 | "labels": ["type/digest"] 19 | }, 20 | { 21 | "matchDatasources": ["docker"], 22 | "addLabels": ["renovate/container"] 23 | }, 24 | { 25 | "matchDatasources": ["helm"], 26 | "addLabels": ["renovate/helm"] 27 | }, 28 | { 29 | "matchDatasources": ["github-releases", "github-tags"], 30 | "addLabels": ["renovate/github-release"] 31 | } 32 | ] 33 | } -------------------------------------------------------------------------------- /.github/renovate/packageRules.json5: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "packageRules": [ 4 | { 5 | "description": ["Loose versioning for non-semver containers"], 6 | "matchDatasources": ["docker"], 7 | "matchPackagePatterns": ["plex"], 8 | "versioning": "loose" 9 | }, 10 | { 11 | "description": "Custom versioning for minio", 12 | "matchDatasources": ["docker"], 13 | "versioning": "regex:^RELEASE\\.(?\\d+)-(?\\d+)-(?\\d+)T.*Z$", 14 | "matchPackagePatterns": ["minio"] 15 | } 16 | ] 17 | } -------------------------------------------------------------------------------- /.github/workflows/label-sync.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://json.schemastore.org/github-workflow.json 3 | name: "Label Sync" 4 | 5 | on: 6 | workflow_dispatch: 7 | push: 8 | branches: ["main"] 9 | paths: [".github/labels.yaml"] 10 | schedule: 11 | - cron: "0 0 * * *" # Every day at midnight 12 | 13 | permissions: 14 | issues: write 15 | 16 | jobs: 17 | label-sync: 18 | name: Label Sync 19 | runs-on: ubuntu-latest 20 | steps: 21 | - name: Checkout 22 | uses: actions/checkout@v4 23 | with: 24 | sparse-checkout: .github/labels.yaml 25 | 26 | - name: Sync Labels 27 | uses: EndBug/label-sync@v2 28 | with: 29 | config-file: .github/labels.yaml 30 | delete-other-labels: true -------------------------------------------------------------------------------- /.github/workflows/labeler.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 3 | name: "Labeler" 4 | 5 | on: 6 | workflow_dispatch: 7 | pull_request_target: 8 | branches: ["main"] 9 | 10 | jobs: 11 | labeler: 12 | name: Labeler 13 | runs-on: ubuntu-latest 14 | if: ${{ github.event.pull_request.head.repo.full_name == github.repository }} 15 | steps: 16 | - name: Generate Token 17 | uses: actions/create-github-app-token@v2 18 | id: app-token 19 | with: 20 | app-id: "${{ secrets.BOT_APP_ID }}" 21 | private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" 22 | 23 | - name: Labeler 24 | uses: actions/labeler@v5 25 | with: 26 | repo-token: "${{ steps.app-token.outputs.token }}" 27 | configuration-path: .github/labeler.yaml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Trash 2 | .DS_Store 3 | Thumbs.db 4 | # k8s 5 | kubeconfig 6 | talosconfig 7 | .decrypted~*.yaml 8 | .config.env 9 | *.agekey 10 | *.pub 11 | *.key 12 | # Private 13 | .private 14 | .bin 15 | # Ansible 16 | .venv* 17 | # Taskfile 18 | .task 19 | # Brew 
20 | Brewfile.lock.json 21 | # intellij 22 | .idea 23 | # wiki 24 | wiki 25 | # Bootstrap 26 | /config.yaml 27 | 28 | -------------------------------------------------------------------------------- /.mise.toml: -------------------------------------------------------------------------------- 1 | [env] 2 | _.python.venv = { path = "{{config_root}}/.venv", create = true } 3 | KUBECONFIG = "{{config_root}}/kubeconfig" 4 | SOPS_AGE_KEY_FILE = "{{config_root}}/age.key" 5 | TALOSCONFIG = "{{config_root}}/kubernetes/bootstrap/talos/clusterconfig/talosconfig" 6 | 7 | [tasks.deps] 8 | description = "Install dependencies" 9 | run = "uv pip install -r requirements.txt" 10 | 11 | [tools] 12 | # Template tools 13 | python = "3.13" 14 | uv = "0.7.12" 15 | # Operations tools 16 | "aqua:budimanjojo/talhelper" = "3.0.28" 17 | "aqua:cloudflare/cloudflared" = "2025.5.0" 18 | "aqua:FiloSottile/age" = "1.2.1" 19 | "aqua:fluxcd/flux2" = "2.6.1" 20 | "aqua:getsops/sops" = "3.10.2" 21 | "aqua:go-task/task" = "3.43.3" 22 | "aqua:helm/helm" = "3.18.2" 23 | "aqua:helmfile/helmfile" = "1.1.1" 24 | "aqua:jqlang/jq" = "1.8.0" 25 | "aqua:kubernetes-sigs/kustomize" = "5.6.0" 26 | "aqua:kubernetes/kubectl" = "1.33.1" 27 | "aqua:mikefarah/yq" = "4.45.4" 28 | "aqua:siderolabs/talos" = "1.10.3" 29 | "aqua:yannh/kubeconform" = "0.7.0" 30 | "aqua:derailed/k9s" = "0.50.6" 31 | "aqua:stern/stern" = "1.32.0" 32 | "aqua:hidetatz/kubecolor" = "0.0.25" 33 | -------------------------------------------------------------------------------- /.sops.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | creation_rules: 3 | - # IMPORTANT: This rule MUST be above the others 4 | path_regex: talos/.*\.sops\.ya?ml 5 | mac_only_encrypted: true 6 | key_groups: 7 | - age: 8 | - "age1scvdjv7h3s38cqtq4gsnj6cpsvh62zuhu8dy72uye4jksz2w39ds0skqm5" 9 | - path_regex: kubernetes/.*\.sops\.ya?ml 10 | encrypted_regex: "^(data|stringData)$" 11 | mac_only_encrypted: true 12 | key_groups: 13 
| - age: 14 | - "age1scvdjv7h3s38cqtq4gsnj6cpsvh62zuhu8dy72uye4jksz2w39ds0skqm5" 15 | stores: 16 | yaml: 17 | indent: 2 18 | -------------------------------------------------------------------------------- /.taskfiles/externalsecrets/Taskfile.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://taskfile.dev/schema.json 3 | version: "3" 4 | 5 | tasks: 6 | 7 | sync: 8 | desc: Sync an ExternalSecret for a cluster 9 | summary: | 10 | Args: 11 | ns: Namespace the externalsecret is in (default: default) 12 | secret: Secret to sync (required) 13 | cmd: kubectl -n {{.ns}} annotate externalsecret {{.secret}} force-sync=$(date +%s) --overwrite 14 | env: 15 | KUBECONFIG: "{{.KUBERNETES_DIR}}/kubeconfig" 16 | requires: 17 | vars: ["secret"] 18 | vars: 19 | ns: '{{.ns | default "default"}}' 20 | preconditions: 21 | - kubectl -n {{.ns}} get externalsecret {{.secret}} 22 | 23 | sync-all: 24 | desc: Sync all ExternalSecrets for a cluster 25 | cmds: 26 | - for: { var: secrets, split: '' } 27 | task: sync 28 | vars: 29 | ns: '{{$a := split "|" .ITEM}}{{$a._0}}' 30 | secret: '{{$a := split "|" .ITEM}}{{$a._1}}' 31 | env: 32 | KUBECONFIG: "{{.KUBERNETES_DIR}}/kubeconfig" 33 | vars: 34 | secrets: 35 | sh: kubectl get externalsecret --all-namespaces --no-headers -A | awk '{print $1 "|" $2}' 36 | -------------------------------------------------------------------------------- /.taskfiles/misc/Taskfile.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://taskfile.dev/schema.json 3 | version: "3" 4 | 5 | tasks: 6 | 7 | pikvm-backup: 8 | desc: Backup PiKVM Override File 9 | cmds: 10 | - scp root@10.0.30.5:/etc/kvmd/override.yaml ./docs/src/notes/pikvm/override.yaml 11 | 12 | # Disabled - Not sure if this breaks the PiKVM database somehow 13 | # pikvm-restore: 14 | # desc: Restore PiKVM Override File from backup 15 | # 
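cmds:
16 |   #     - ssh root@10.0.30.5 "rw"
17 |   #     - scp ./docs/src/notes/pikvm/override.yaml root@10.0.30.5:/etc/kvmd/override.yaml
18 |   #     - ssh root@10.0.30.5 "reboot"
19 | 
20 |   configuration-backup:
21 |     desc: Backup Configuration Files
22 |     summary: |
23 |       Copies the Talos clusterconfig directory, the kubeconfig and the SOPS age
24 |       private key into a timestamped folder under ./.private (git-ignored).
25 |       The folder holds cluster-admin material in plaintext, so it is created
26 |       owner-only; move it to its real backup location promptly.
27 |     vars:
28 |       backup_datetime:
29 |         sh: date +%Y%m%d-%H%M
30 |     cmds:
31 |       # Create a local backup folder with a timestamp under .private
32 |       - mkdir -p ./.private/backups/{{.backup_datetime}}
33 |       - chmod 700 ./.private/backups/{{.backup_datetime}}
34 | 
35 |       # Copy the entire clusterconfig directory to the local backup folder.
36 |       # ROOT_DIR (Task's built-in: the root Taskfile's directory) replaces the
37 |       # hard-coded /workspaces/HomeOps path, which looks like a dev-container
38 |       # mount, so the task also works from any other checkout location.
39 |       - cp -r {{.ROOT_DIR}}/kubernetes/bootstrap/talos/clusterconfig ./.private/backups/{{.backup_datetime}}/
40 | 
41 |       # Copy individual additional files to the local backup folder
42 |       - cp {{.ROOT_DIR}}/kubernetes/kubeconfig ./.private/backups/{{.backup_datetime}}/
43 |       - cp {{.ROOT_DIR}}/age.key ./.private/backups/{{.backup_datetime}}/
44 | 
--------------------------------------------------------------------------------
/.taskfiles/volsync/scripts/controller.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # Print the controller that owns an app as "<kind>.apps/<name>" (the form
3 | # kubectl accepts), checking Deployment first, then StatefulSet.
4 | #   $1  app name (required)
5 | #   $2  namespace (default: default)
6 | # Exits 1 when the app name is missing or neither controller exists.
7 | 
8 | APP=$1
9 | NAMESPACE="${2:-default}"
10 | 
11 | # Same guard as wait.sh: an empty name must not reach kubectl, where it would
12 | # yield an error or a nameless "deployment.apps/" answer for the caller.
13 | [[ -z "${APP}" ]] && echo "App name not specified" && exit 1
14 | 
15 | is_deployment() {
16 |     kubectl -n "${NAMESPACE}" get deployment "${APP}" >/dev/null 2>&1
17 | }
18 | 
19 | is_statefulset() {
20 |     kubectl -n "${NAMESPACE}" get statefulset "${APP}" >/dev/null 2>&1
21 | }
22 | 
23 | if is_deployment; then
24 |     echo "deployment.apps/${APP}"
25 | elif is_statefulset; then
26 |     echo "statefulset.apps/${APP}"
27 | else
28 |     echo "No deployment or statefulset found for ${APP}"
29 |     exit 1
30 | fi
31 | 
--------------------------------------------------------------------------------
/.taskfiles/volsync/scripts/wait.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # Block until the pod created for a Job exists (has reached Pending or later).
3 | #   $1  job name (required)
4 | #   $2  namespace (default: default)
5 | #   $3  timeout in seconds (default: 300)
6 | # Exits 1 if no pod shows up within the timeout, so a Job that never gets a
7 | # pod cannot hang the calling task forever.
8 | 
9 | JOB=$1
10 | NAMESPACE="${2:-default}"
11 | TIMEOUT="${3:-300}"
12 | 
13 | [[ -z "${JOB}" ]] && echo "Job name not specified" && exit 1
14 | while true; do
15 |     STATUS="$(kubectl -n "${NAMESPACE}" get pod -l job-name="${JOB}" -o jsonpath='{.items[*].status.phase}')"
16 |     # Any of these phases means the pod has been created. Testing for an
17 |     # exact "Pending" misses a pod that is already Running/Succeeded by the
18 |     # first poll, and never matches once a retried Job has two pods
19 |     # ("Failed Pending"); both cases looped forever.
20 |     case "${STATUS}" in
21 |         *Pending*|*Running*|*Succeeded*) break ;;
22 |     esac
23 |     # SECONDS is bash's seconds-since-start counter; the script starts at 0.
24 |     if (( SECONDS >= TIMEOUT )); then
25 |         echo "Timed out after ${TIMEOUT}s waiting for a pod of job ${JOB}"
26 |         exit 1
27 |     fi
28 |     sleep 1
29 | done
30 | 
--------------------------------------------------------------------------------
/.taskfiles/volsync/templates/list.tmpl.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: "list-${app}-${ts}"
6 |   namespace: "${ns}"
7 | spec:
8 |   ttlSecondsAfterFinished: 3600
9 |   template:
10 |     spec:
11 |       automountServiceAccountToken: false
12 |       restartPolicy: OnFailure
13 |       containers:
14 |         - name: list
15 |           image: docker.io/restic/restic:0.18.0
16 |           args: ["snapshots"]
17 |           envFrom:
18 |             - secretRef:
19 |                 name: "${app}-volsync-secret"
20 | 
--------------------------------------------------------------------------------
/.taskfiles/volsync/templates/replicationdestination.tmpl.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: volsync.backube/v1alpha1
3 | kind: ReplicationDestination
4 | metadata:
5 |   name: "${app}-${ts}"
6 |   namespace: "${ns}"
7 | spec:
8 |   trigger:
9 |     manual: restore-once
10 |   restic:
11 |     repository: "${app}-volsync-secret"
12 |     destinationPVC: "${claim}"
13 |     copyMethod: Direct
14 |     storageClassName: ceph-block
15 |     # storageClassName: ceph-filesystem
16 |     # accessModes: ["ReadWriteMany"]
17 |     # IMPORTANT NOTE:
18 |     #   Set to the last X number of snapshots to restore from
19 |     previous: ${previous}
20 |     # OR;
21 |     # IMPORTANT NOTE:
22 |     #   On bootstrap set `restoreAsOf` to the time the old cluster was destroyed.
23 |     #   This will essentially prevent volsync from trying to restore a backup
24 |     #   from an application that started with default data in the PVC.
25 |     #   Do not restore snapshots made after the following RFC3339 Timestamp.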
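# date --rfc-3339=seconds (--utc)
# restoreAsOf: "2022-12-10T16:00:00-05:00"
# Run the restic mover as the application's uid/gid (puid/pgid) so the restored
# files come back with the ownership the application expects.
moverSecurityContext:
  runAsUser: ${puid}
  runAsGroup: ${pgid}
  fsGroup: ${pgid}
-------------------------------------------------------------------------------- /.taskfiles/volsync/templates/unlock.tmpl.yaml: --------------------------------------------------------------------------------
---
apiVersion: batch/v1
kind: Job
metadata:
  name: "unlock-${app}-${ts}"
  namespace: "${ns}"
spec:
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      automountServiceAccountToken: false
      restartPolicy: OnFailure
      containers:
        - name: unlock
          image: docker.io/restic/restic:0.18.0
          # `--remove-all` drops every lock in the repository, not just stale ones.
          # Removing a lock held by a mover that is still running defeats restic's
          # concurrency protection; only run this when no backup/restore for ${app}
          # is in progress.
          args: ["unlock", "--remove-all"]
          envFrom:
            - secretRef:
                name: "${app}-volsync-secret"
-------------------------------------------------------------------------------- /.taskfiles/volsync/templates/wipe.tmpl.yaml: --------------------------------------------------------------------------------
---
apiVersion: batch/v1
kind: Job
metadata:
  name: "wipe-${app}-${ts}"
  namespace: "${ns}"
spec:
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      automountServiceAccountToken: false
      restartPolicy: OnFailure
      containers:
        - name: wipe
          # TODO(security): pin this image by digest - a floating tag means the
          # bytes that get to delete the PVC's contents can change under you.
          image: public.ecr.aws/docker/library/busybox:latest
          # `&&` rather than `;`: if the PVC did not mount, `find . -delete` must
          # fail instead of running in the container's working directory.
          command: ["/bin/sh", "-c", "cd /config && find . -delete"]
          volumeMounts:
            - name: config
              mountPath: /config
          # Deleting files on a mounted volume needs no host privileges. The busybox
          # image runs as root, which normally already carries CAP_DAC_OVERRIDE and
          # CAP_FOWNER for files owned by the application uid, so `privileged: true`
          # only added every device and capability on the node to the blast radius.
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
      volumes:
        - name: config
          persistentVolumeClaim:
            claimName: "${claim}"
-------------------------------------------------------------------------------- /.vscode/extensions.json: --------------------------------------------------------------------------------
{
  "recommendations": [
    "albert.TabOut",
    "britesnow.vscode-toggle-quotes",
    "fcrespo82.markdown-table-formatter",
    "mikestead.dotenv",
    "mitchdenny.ecdc",
    "signageos.signageos-vscode-sops",
    "will-stone.in-any-case",
    "EditorConfig.editorconfig",
    "PKief.material-icon-theme",
    "Gruntfuggly.todo-tree"
  ]
}
-------------------------------------------------------------------------------- /.vscode/settings.json: --------------------------------------------------------------------------------
{
  "files.associations": {
    "*.json5": "jsonc"
  },
  "sops.defaults.ageKeyFile": "age.key",
  "yaml.schemas": {
    "Kubernetes": "./kubernetes/*.yaml"
  },
  "vs-kubernetes": {
    "vs-kubernetes.kubeconfig": "./kubeconfig",
    "vs-kubernetes.knownKubeconfigs": [
      "./kubeconfig"
    ]
  }
}
-------------------------------------------------------------------------------- /LICENSE: --------------------------------------------------------------------------------
MIT License

Copyright (c) 2025 binaryn3xus

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above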
copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Taskfile.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://taskfile.dev/schema.json 3 | version: '3' 4 | 5 | set: [pipefail] 6 | shopt: [globstar] 7 | 8 | vars: 9 | KUBERNETES_DIR: '{{.ROOT_DIR}}/kubernetes' 10 | PRIVATE_DIR: '{{.ROOT_DIR}}/.private' 11 | TALHELPER_DIR: '{{.ROOT_DIR}}/kubernetes/bootstrap/talos' 12 | TALOSCONFIG: '{{.ROOT_DIR}}/kubernetes/bootstrap/talos/clusterconfig/talosconfig' 13 | 14 | env: 15 | KUBECONFIG: '{{.ROOT_DIR}}/kubeconfig' 16 | SOPS_AGE_KEY_FILE: '{{.ROOT_DIR}}/age.key' 17 | TALOSCONFIG: '{{.TALOSCONFIG}}' 18 | 19 | includes: 20 | bootstrap: .taskfiles/bootstrap 21 | external-secrets: .taskfiles/externalsecrets 22 | misc: .taskfiles/misc 23 | talos: .taskfiles/talos 24 | volsync: .taskfiles/volsync 25 | 26 | tasks: 27 | 28 | default: task --list 29 | 30 | reconcile: 31 | desc: Force Flux to pull in changes from your Git repository 32 | cmd: flux --namespace flux-system reconcile kustomization flux-system --with-source 33 | preconditions: 34 | - test -f {{.KUBECONFIG}} 35 | - which flux 36 | -------------------------------------------------------------------------------- /docs/.gitignore: 
-------------------------------------------------------------------------------- 1 | book -------------------------------------------------------------------------------- /docs/book.toml: -------------------------------------------------------------------------------- 1 | [book] 2 | authors = ["Joshua Garrison"] 3 | language = "en" 4 | multilingual = false 5 | src = "src" 6 | title = "Home Operations" 7 | 8 | [output.html] 9 | default-theme = "navy" 10 | preferred-dark-theme = "navy" 11 | git-repository-url = "https://github.com/binaryn3xus/HomeOps" 12 | git-repository-icon = "fa-github" 13 | no-section-label = true 14 | additional-js = ["mermaid.min.js", "mermaid-init.js"] 15 | additional-css = ["mdbook-admonish.css"] 16 | git-branch = "main" 17 | 18 | [output.html.fold] 19 | enable = true 20 | level = 1 21 | 22 | [output.html.playground] 23 | copyable = false 24 | 25 | [output.html.search] 26 | limit-results = 15 27 | 28 | ## Does not play nice with embedding my README.md 29 | # [output.linkcheck] 30 | 31 | [preprocessor] 32 | 33 | [preprocessor.admonish] 34 | command = "mdbook-admonish" 35 | assets_version = "3.0.0" # do not edit: managed by `mdbook-admonish install` 36 | 37 | [preprocessor.emojicodes] 38 | after = [ "links" ] 39 | 40 | [preprocessor.mermaid] 41 | command = "mdbook-mermaid" -------------------------------------------------------------------------------- /docs/mermaid-init.js: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/binaryn3xus/HomeOps/b451ffa8939108bc22a04b9e780883ab4ba080fb/docs/mermaid-init.js -------------------------------------------------------------------------------- /docs/src/SUMMARY.md: -------------------------------------------------------------------------------- 1 | # Summary 2 | 3 | --- 4 | 5 | # Welcome 6 | 7 | - [Introduction](introduction.md) 8 | 9 | # Notes 10 | 11 | --- 12 | 13 | - [Commands](./notes/Commands.md) 14 | - [Scripts](./notes/Scripts.md) 15 
| - [PiKVM](./notes/Pikvm.md) 16 | - [Teleport](./notes/Teleport.md) 17 | - [Tools](./notes/Tools.md) 18 | 19 | # Guidelines 20 | 21 | --- 22 | 23 | - [SemanticCommits](./notes/SemanticCommits.md) 24 | -------------------------------------------------------------------------------- /docs/src/assets/ServerRack_20231214.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/binaryn3xus/HomeOps/b451ffa8939108bc22a04b9e780883ab4ba080fb/docs/src/assets/ServerRack_20231214.jpg -------------------------------------------------------------------------------- /docs/src/assets/ServerRack_20240326.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/binaryn3xus/HomeOps/b451ffa8939108bc22a04b9e780883ab4ba080fb/docs/src/assets/ServerRack_20240326.png -------------------------------------------------------------------------------- /docs/src/assets/ServerRack_20240429.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/binaryn3xus/HomeOps/b451ffa8939108bc22a04b9e780883ab4ba080fb/docs/src/assets/ServerRack_20240429.jpg -------------------------------------------------------------------------------- /docs/src/assets/ServerRack_20250206.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/binaryn3xus/HomeOps/b451ffa8939108bc22a04b9e780883ab4ba080fb/docs/src/assets/ServerRack_20250206.jpg -------------------------------------------------------------------------------- /docs/src/assets/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/binaryn3xus/HomeOps/b451ffa8939108bc22a04b9e780883ab4ba080fb/docs/src/assets/logo.png -------------------------------------------------------------------------------- /docs/src/introduction.md: 
-------------------------------------------------------------------------------- 1 | # Introduction 2 | 3 | ```admonish warning 4 | These docs contain information that relates to my setup. They may or may not work for you. 5 | ``` 6 | 7 | --- 8 |
9 | 10 | {{#include ../../README.md}} -------------------------------------------------------------------------------- /docs/src/notes/MachineDrives.md: -------------------------------------------------------------------------------- 1 | # Device Information 2 | 3 | | **Node** | **Model** | **Serial** | **Size** | **Path** | 4 | |----------------|-------------------|----------------------|----------|--------------| 5 | | Fleetcom-Node1 | SPCC M.2 PCIe SSD | 009E074C130600231951 | 1 TB | /dev/nvme0n1 | 6 | | Fleetcom-Node1 | SPCC M.2 PCIe SSD | AA221223NV01KG03817 | 1 TB | /dev/nvme1n1 | 7 | | Fleetcom-Node2 | Samsung SSD 980 | S64ANJ0RA71998K | 1 TB | /dev/nvme0n1 | 8 | | Fleetcom-Node2 | Samsung SSD 980 | S64ANJ0RA66136P | 1 TB | /dev/nvme1n1 | 9 | | Fleetcom-Node3 | SPCC M.2 PCIe SSD | YT20230100813 | 1 TB | /dev/nvme0n1 | 10 | | Fleetcom-Node3 | Samsung SSD 980 | S64ANJ0RA72021K | 1 TB | /dev/nvme1n1 | 11 | -------------------------------------------------------------------------------- /docs/src/notes/Pikvm.md: -------------------------------------------------------------------------------- 1 | # PiKVM 2 | 3 | ## Update PiKVM 4 | 5 | To update, run the following commands as the `root` user: 6 | 7 | ```sh 8 | pikvm-update 9 | ``` 10 | 11 | If for some reason that command does not work, the fallback below fetches the updater over the network and pipes it straight into a root shell. Prefer to download it first (`curl -fsSLo update-os.sh https://files.pikvm.org/update-os.sh`), read it, and only then run `bash update-os.sh`: 12 | 13 | ```sh 14 | curl https://files.pikvm.org/update-os.sh | bash 15 | ``` 16 | 17 | ## Load TESmart KVM 18 | 19 | 1. Enter Read/Write Mode 20 | 21 | ```sh 22 | rw 23 | ``` 24 | 25 | 2. Add or replace the file `/etc/kvmd/override.yaml` 26 | 27 | See repo's [override.yaml](./pikvm/override.yaml) 28 | 29 | 30 | 3.
Restart kvmd 31 | ```sh 32 | systemctl restart kvmd.service 33 | ``` 34 | 35 | -------------------------------------------------------------------------------- /docs/src/notes/Scripts.md: -------------------------------------------------------------------------------- 1 | # Scripts 2 | 3 | ## Clean Orphaned Secrets Cert Manager 4 | 5 | Path to Script: `scripts/clean-orphan-cert-secrets.sh` 6 | 7 | ### Reason 8 | 9 | Error: `unable to fetch certificate that owns the secret` 10 | 11 | This script will find TLS secrets in a given namespace which have no matching certificate resource and delete them. Review the list it prints before confirming: the deletion is immediate, and a Secret that a live Certificate still uses will have to be re-issued by cert-manager. 12 | 13 | ### Usage 14 | `./clean-orphan-cert-secrets.sh [namespace]` 15 | 16 | Specifying no namespace will check `default`. You will be prompted before anything is deleted. 17 | 18 | --- 19 | 20 | ## Stern 21 | 22 | Project Link: [stern](https://github.com/stern/stern) 23 | 24 | examples: 25 | - `stern -n kube-system coredns` 26 | -------------------------------------------------------------------------------- /docs/src/notes/SemanticCommits.md: -------------------------------------------------------------------------------- 1 | # Semantic Commit Messages 2 | 3 | See how a minor change to your commit message style can make you a better programmer. 4 | 5 | Format: `<type>(<scope>): <subject>` 6 | 7 | `<scope>` is optional 8 | 9 | ## Example 10 | 11 | ``` 12 | feat: add hat wobble 13 | ^--^ ^------------^ 14 | | | 15 | | +-> Summary in present tense. 16 | | 17 | +-------> Type: chore, docs, feat, fix, refactor, style, or test. 18 | ``` 19 | 20 | More Examples: 21 | 22 | - `feat`: (new feature for the user, not a new feature for build script) 23 | - `fix`: (bug fix for the user, not a fix to a build script) 24 | - `docs`: (changes to the documentation) 25 | - `style`: (formatting, missing semi colons, etc; no production code change) 26 | - `refactor`: (refactoring production code, eg.
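renaming a variable)
- `test`: (adding missing tests, refactoring tests; no production code change)
- `chore`: (updating grunt tasks etc; no production code change)

Credit: [joshbuchea](https://gist.github.com/joshbuchea/6f47e86d2510bce28f8e7f42ae84c716)
-------------------------------------------------------------------------------- /docs/src/notes/Tools.md: --------------------------------------------------------------------------------
# Tools for Kubernetes

## K9s

Project Link: [K9s CLI](https://k9scli.io/)

Configuration File Location: `~/.config/k9s/config.yml`

---

## Stern

Project Link: [stern](https://github.com/stern/stern)

examples:
- `stern -n kube-system coredns`
-------------------------------------------------------------------------------- /docs/src/tools/inspector.yaml: --------------------------------------------------------------------------------
# Throw-away debug pod: mounts the live node-red PVC read-write at /pvc.
# Delete it as soon as you are done inspecting.
apiVersion: v1
kind: Pod
metadata:
  name: pvc-inspector
spec:
  containers:
    - image: busybox
      name: pvc-inspector
      command: ["tail"]
      args: ["-f", "/dev/null"]
      volumeMounts:
        - mountPath: /pvc
          name: pvc-mount
  volumes:
    - name: pvc-mount
      persistentVolumeClaim:
        claimName: node-red
-------------------------------------------------------------------------------- /docs/src/tools/scripts/clean-orphan-cert-secrets.sh: --------------------------------------------------------------------------------
#!/bin/bash
# ./clean-orphan-cert-secrets.sh [namespace]
# Fixes error "unable to fetch certificate that owns the secret" in cert-manager:
# lists the kubernetes.io/tls Secrets in NAMESPACE that no cert-manager
# Certificate points at (via spec.secretName) and, after an interactive
# confirmation, deletes them. Exits 0 when nothing is orphaned, 1 on "no".
set -e
NAMESPACE=$1

# If no namespace specified, set it to default
if [[ $# -lt 1 ]] ; then
  NAMESPACE="default"
fi

# TODO: whitelist certs that should never be removed? i.e. default le-cert? For now we'll just prompt before deleting to be safe

# Candidate Secrets: only those of type kubernetes.io/tls, selected server-side.
# The previous `grep tls` on the table output matched any Secret with "tls"
# anywhere in its name and could also match unrelated columns.
SECRETS=($(kubectl --namespace "${NAMESPACE}" get secrets --field-selector type=kubernetes.io/tls -o jsonpath='{.items[*].metadata.name}'))
# Owned Secrets: a Certificate's Secret is named by spec.secretName, which need not
# equal the Certificate's own name (e.g. "foo" -> "foo-tls"); comparing against
# Certificate names would flag every such Secret as an orphan. All Certificates
# are included regardless of Ready state - one that is mid-renewal still owns
# its Secret.
CERTS=($(kubectl --namespace "${NAMESPACE}" get certificates.cert-manager.io -o jsonpath='{.items[*].spec.secretName}'))

echo "Listing Secrets referenced by (cert-manager) certs:"
for i in "${CERTS[@]}"; do
  echo "$i"
done
echo

echo "Listing TLS secrets:"
for i in "${SECRETS[@]}"; do
  echo "$i"
done
echo

# Check if any orphaned secrets were detected (names present in SECRETS only)
ORPHANS=($(comm -23 <(printf '%s\n' "${SECRETS[@]}" | sort) <(printf '%s\n' "${CERTS[@]}" | sort)))

if [ ${#ORPHANS[@]} -eq 0 ]; then
  echo "No orphaned secrets detected."
  exit 0
fi

echo "Detected orphaned secrets:"
for i in "${ORPHANS[@]}"; do
  echo "$i"
done
echo

# Prompt to cleanup
read -p "Would you like to delete the orphaned secrets listed above?" -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]
then
  [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
fi
echo

for i in "${ORPHANS[@]}"; do
  echo "Deleting orphaned secret $i"
  kubectl -n "${NAMESPACE}" delete secret "$i"
done
-------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/helm-values.yaml: --------------------------------------------------------------------------------
---
crds:
  enabled: true
replicaCount: 1
dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
dns01RecursiveNameserversOnly: true
prometheus:
  enabled: true
  servicemonitor:
    enabled: true
-------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: cert-manager
spec:
  interval: 30m
  chart:
    spec:
      chart: cert-manager
      version: v1.17.2
      sourceRef:
        kind: HelmRepository
        name: jetstack
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  valuesFrom:
    - kind: ConfigMap
      name: cert-manager-helm-values
-------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  -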
./helmrelease.yaml 7 | configMapGenerator: 8 | - name: cert-manager-helm-values 9 | files: 10 | - values.yaml=./helm-values.yaml 11 | configurations: 12 | - kustomizeconfig.yaml 13 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/issuers/clusterissuers.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cert-manager.io/clusterissuer_v1.json 3 | apiVersion: cert-manager.io/v1 4 | kind: ClusterIssuer 5 | metadata: 6 | name: letsencrypt-production 7 | spec: 8 | acme: 9 | server: https://acme-v02.api.letsencrypt.org/directory 10 | email: "joshuagarrison27@gmail.com" 11 | privateKeySecretRef: 12 | name: letsencrypt-production 13 | solvers: 14 | - dns01: 15 | cloudflare: 16 | apiTokenSecretRef: 17 | name: cloudflare-issuer-secret 18 | key: CLOUDFLARE_DNS_TOKEN 19 | selector: 20 | dnsZones: 21 | - "unscfleet.com" 22 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/issuers/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: cloudflare-issuer 7 | spec: 8 | refreshInterval: "12h" 9 | 10 | secretStoreRef: 11 | name: azure-keyvault 12 | kind: ClusterSecretStore 13 | 
14 | target: 15 | name: cloudflare-issuer-secret 16 | creationPolicy: Owner 17 | deletionPolicy: Delete 18 | 19 | data: 20 | - secretKey: CLOUDFLARE_DNS_TOKEN 21 | remoteRef: 22 | key: Cloudflare-Api-Token 23 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./clusterissuers.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/tls/certificates.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cert-manager.io/certificate_v1.json 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: "unscfleet-com-production" 7 | spec: 8 | secretName: "unscfleet-com-production-tls" 9 | issuerRef: 10 | name: letsencrypt-production 11 | kind: ClusterIssuer 12 | commonName: "unscfleet.com" 13 | dnsNames: ["unscfleet.com", "*.unscfleet.com"] 14 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/tls/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./certificates.yaml -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: cert-manager 6 | resources: 7 | - ./cert-manager/ks.yaml 8 | components: 9 | - ../../flux/components/namespace 10 | - ../../flux/components/sops -------------------------------------------------------------------------------- /kubernetes/apps/database/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: database 6 | resources: 7 | # Apps 8 | - ./mssql/ks.yaml 9 | - ./mssql-2025/ks.yaml 10 | components: 11 | - ../../flux/components/namespace 12 | - ../../flux/components/sops 13 | patches: 14 | - # Add the name to the namespace 15 | patch: | 16 | - op: add 17 | path: /metadata/name 18 | value: database 19 | target: 20 | kind: Namespace 21 | -------------------------------------------------------------------------------- /kubernetes/apps/database/mssql-2025/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: mssql-2025 7 | spec: 8 | refreshInterval: "12h" 9 | 10 | secretStoreRef: 11 | name: azure-keyvault 12 | kind: ClusterSecretStore 13 | 14 | target: 15 | name: mssql-2025-secret 16 | creationPolicy: Owner 17 | 18 | data: 19 | - secretKey: MSSQL_SA_PASSWORD 20 | remoteRef: 21 | key: MSSQL-2025-SA-Password 22 | -------------------------------------------------------------------------------- 
/kubernetes/apps/database/mssql-2025/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml 8 | generatorOptions: 9 | disableNameSuffixHash: true 10 | -------------------------------------------------------------------------------- /kubernetes/apps/database/mssql-2025/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app mssql-2025 6 | namespace: &namespace database 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | components: 12 | - ../../../../flux/components/volsync 13 | dependsOn: 14 | - name: rook-ceph-cluster 15 | namespace: rook-ceph 16 | - name: external-secrets-azure 17 | namespace: external-secrets 18 | - name: volsync 19 | namespace: volsync-system 20 | interval: 30m 21 | path: ./kubernetes/apps/database/mssql-2025/app 22 | postBuild: 23 | substitute: 24 | APP: *app 25 | VOLSYNC_CAPACITY: 100Gi 26 | VOLSYNC_CACHE_CAPACITY: 100Gi 27 | prune: true 28 | sourceRef: 29 | kind: GitRepository 30 | name: flux-system 31 | namespace: flux-system 32 | targetNamespace: *namespace 33 | timeout: 5m 34 | wait: false 35 | 36 | -------------------------------------------------------------------------------- /kubernetes/apps/database/mssql/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: mssql 7 | spec: 8 | refreshInterval: "12h" 9 | 10 | secretStoreRef: 11 | name: 
azure-keyvault 12 | kind: ClusterSecretStore 13 | 14 | target: 15 | name: mssql-secret 16 | creationPolicy: Owner 17 | 18 | data: 19 | - secretKey: MSSQL_SA_PASSWORD 20 | remoteRef: 21 | key: MSSQL-SA-Password 22 | -------------------------------------------------------------------------------- /kubernetes/apps/database/mssql/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml 8 | generatorOptions: 9 | disableNameSuffixHash: true 10 | -------------------------------------------------------------------------------- /kubernetes/apps/database/mssql/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app mssql 6 | namespace: &namespace database 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | components: 12 | - ../../../../flux/components/volsync 13 | dependsOn: 14 | - name: rook-ceph-cluster 15 | namespace: rook-ceph 16 | - name: external-secrets-azure 17 | namespace: external-secrets 18 | - name: volsync 19 | namespace: volsync-system 20 | interval: 30m 21 | path: ./kubernetes/apps/database/mssql/app 22 | postBuild: 23 | substitute: 24 | APP: *app 25 | VOLSYNC_CACHE_CAPACITY: 20Gi 26 | prune: true 27 | sourceRef: 28 | kind: GitRepository 29 | name: flux-system 30 | namespace: flux-system 31 | targetNamespace: *namespace 32 | timeout: 5m 33 | wait: false 34 | 35 | -------------------------------------------------------------------------------- /kubernetes/apps/default/audiobookshelf/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./helmrelease.yaml 8 | generatorOptions: 9 | disableNameSuffixHash: true 10 | annotations: 11 | kustomize.toolkit.fluxcd.io/substitute: disabled -------------------------------------------------------------------------------- /kubernetes/apps/default/audiobookshelf/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app audiobookshelf 6 | namespace: &namespace default 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | components: 12 | - ../../../../flux/components/gatus/external 13 | - ../../../../flux/components/volsync 14 | dependsOn: 15 | - name: external-secrets-azure 16 | namespace: external-secrets 17 | - name: volsync 18 | namespace: volsync-system 19 | interval: 30m 20 | path: ./kubernetes/apps/default/audiobookshelf/app 21 | postBuild: 22 | substitute: 23 | APP: *app 24 | VOLSYNC_CAPACITY: 2Gi 25 | GATUS_SUBDOMAIN: audiobooks 26 | prune: true 27 | sourceRef: 28 | kind: GitRepository 29 | name: flux-system 30 | namespace: flux-system 31 | targetNamespace: *namespace 32 | timeout: 5m 33 | wait: false 34 | -------------------------------------------------------------------------------- /kubernetes/apps/default/bazarr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/default/bazarr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app bazarr
  namespace: &namespace default
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  components:
    # gatus/guarded rather than gatus/external: presumably the health check is
    # kept off the public host. The component itself is outside this listing.
    - ../../../../flux/components/gatus/guarded
    - ../../../../flux/components/volsync
  dependsOn:
    - name: external-secrets-azure
      namespace: external-secrets
    - name: volsync
      namespace: volsync-system
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 30m
  path: ./kubernetes/apps/default/bazarr/app
  postBuild:
    substitute:
      APP: *app
      VOLSYNC_CAPACITY: 2Gi
  prune: true   # objects removed from git are garbage-collected from the cluster
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false   # reconciliation is not gated on the applied objects becoming ready
--------------------------------------------------------------------------------
/kubernetes/apps/default/discord/ks.yaml:
--------------------------------------------------------------------------------
---
# Flux Kustomization for the Discord bot. No volsync/gatus components are
# attached here, unlike the other apps in this namespace.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app phc-high-counsel-ai-bot
  namespace: &namespace default
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    # Needed because the app directory contains an ExternalSecret backed by
    # the azure-keyvault ClusterSecretStore.
    - name: external-secrets-azure
      namespace: external-secrets
  interval: 30m
  path: ./kubernetes/apps/default/discord/phc-high-counsel-ai-bot
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/default/discord/phc-high-counsel-ai-bot/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
# Discord bot token, synced from Azure Key Vault into the Secret
# phc-hc-ai-bot-secret. The token is a bearer credential for the bot account:
# anyone with `get secrets` in this namespace can read it. Rotation is done in
# Key Vault; the new value reaches the cluster within refreshInterval.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: phc-hc-ai-bot
spec:
  refreshInterval: "12h"

  secretStoreRef:
    name: azure-keyvault
    kind: ClusterSecretStore   # cluster-scoped store; which namespaces may use it is configured on the store (not visible here)

  target:
    name: phc-hc-ai-bot-secret
    creationPolicy: Owner      # ESO owns the Secret and removes it with this ExternalSecret
    deletionPolicy: Delete     # Secret is deleted if the Key Vault entry disappears

  data:
    - secretKey: BOT_DISCORD__TOKEN
      remoteRef:
        key: Discord-Bot-PHC-HighCounsel-AI-Token
--------------------------------------------------------------------------------
/kubernetes/apps/default/discord/phc-high-counsel-ai-bot/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/default/echo-server/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/default/echo-server/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app echo-server
  namespace: &namespace default
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
interval: 30m
path: ./kubernetes/apps/default/echo-server/app
postBuild:
  substitute:
    APP: *app
prune: true   # objects removed from git are garbage-collected from the cluster
sourceRef:
  kind: GitRepository
  name: flux-system
  namespace: flux-system
targetNamespace: *namespace
timeout: 5m
wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/default/emqx/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
# EMQX broker credentials from Azure Key Vault.
# Review notes:
#   - The admin password and all four MQTT user credentials land in a single
#     Secret (emqx-secret); any identity that can read that Secret gets every
#     broker credential at once.
#   - EMQX-user-4-username/-password are also pulled by
#     frigate/app/externalsecret.yaml, so rotating that Key Vault entry
#     affects both workloads.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: emqx
spec:
  refreshInterval: "12h"   # upper bound on how long a rotated Key Vault value takes to land in the cluster

  secretStoreRef:
    name: azure-keyvault
    kind: ClusterSecretStore

  target:
    name: emqx-secret
    creationPolicy: Owner
    deletionPolicy: Delete   # Secret is removed if the remote keys disappear

  data:
    - secretKey: admin_password
      remoteRef:
        key: EMQX-admin-password

    - secretKey: user_1_username
      remoteRef:
        key: EMQX-user-1-username

    - secretKey: user_1_password
      remoteRef:
        key: EMQX-user-1-password

    - secretKey: user_2_username
      remoteRef:
        key: EMQX-user-2-username

    - secretKey: user_2_password
      remoteRef:
        key: EMQX-user-2-password

    - secretKey: user_3_username
      remoteRef:
        key: EMQX-user-3-username

    - secretKey: user_3_password
      remoteRef:
        key: EMQX-user-3-password

    - secretKey: user_4_username
      remoteRef:
        key: EMQX-user-4-username

    - secretKey: user_4_password
      remoteRef:
        key: EMQX-user-4-password
--------------------------------------------------------------------------------
/kubernetes/apps/default/emqx/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/default/emqx/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app emqx
  namespace: &namespace default
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: external-secrets-azure
      namespace: external-secrets
  interval: 30m
  path: ./kubernetes/apps/default/emqx/app
  postBuild:
    substitute:
      APP: *app
      # NOTE(review): GATUS_SUBDOMAIN is substituted but no gatus component
      # is listed under spec.components here (compare the other ks.yaml
      # files), so this variable is either consumed by the app's own
      # manifests (not visible) or unused.
      GATUS_SUBDOMAIN: mqtt
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false

--------------------------------------------------------------------------------
/kubernetes/apps/default/frigate/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
# Frigate credentials: MQTT login (shared with EMQX user 4), camera RTSP
# login, and Pushover alert tokens. All end up in the Secret frigate-secret.
# NOTE(review): unlike emqx/discord, no deletionPolicy is set, so ESO's
# default applies — confirm whether the Secret should outlive the remote keys.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: frigate
spec:
  refreshInterval: "12h"

  secretStoreRef:
    name: azure-keyvault
    kind: ClusterSecretStore

  target:
    name: frigate-secret
    creationPolicy: Owner

  data:
    # Same Key Vault entries as user_4_* in emqx/app/externalsecret.yaml.
    - secretKey: FRIGATE_MQTT_USER
      remoteRef:
        key: EMQX-user-4-username

    - secretKey: FRIGATE_MQTT_PASSWORD
      remoteRef:
        key: EMQX-user-4-password

    # Camera RTSP credentials; these typically unlock the camera admin
    # interface too, so treat the Secret as equivalent to camera access.
    - secretKey: FRIGATE_RTSP_USER
      remoteRef:
        key: Camera-Rtsp-User

- secretKey: FRIGATE_RTSP_PASSWORD
  remoteRef:
    key: Camera-Rtsp-Password

# Pushover API token + user key for alert notifications.
- secretKey: FN_ALERTS_PUSHOVER_TOKEN
  remoteRef:
    key: Frigate-Pushover-API-Token

- secretKey: FN_ALERTS_PUSHOVER_USERKEY
  remoteRef:
    key: Pushover-User-Key
--------------------------------------------------------------------------------
/kubernetes/apps/default/frigate/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
# Frigate's config file is shipped as a ConfigMap generated from
# resources/config.yaml.
configMapGenerator:
  - name: frigate-configmap
    files:
      - config.yaml=./resources/config.yaml
generatorOptions:
  disableNameSuffixHash: true   # stable name so the HelmRelease can reference it; note a content change will not roll the pod on its own
  annotations:
    # Tell Flux not to run ${VAR} post-build substitution on the generated
    # ConfigMap, so any literal "${...}" text in config.yaml is left intact
    # and cluster-side substitution variables are not leaked into the file.
    kustomize.toolkit.fluxcd.io/substitute: disabled
--------------------------------------------------------------------------------
/kubernetes/apps/default/frigate/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app frigate
  namespace: &namespace default
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    # NOTE(review): the app directory contains an ExternalSecret, but
    # external-secrets-azure is not listed here (other apps with
    # ExternalSecrets list it). Ordering currently holds only transitively,
    # because emqx depends on external-secrets-azure.
    - name: emqx
      namespace: default
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: volsync-system
    - name: intel-device-plugin-gpu
      namespace: kube-system
  interval: 30m
  path: ./kubernetes/apps/default/frigate/app
  postBuild:
    substitute:
      APP: *app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false

--------------------------------------------------------------------------------
/kubernetes/apps/default/guacamole/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/default/guacamole/ks.yaml:
--------------------------------------------------------------------------------
---
# Apache Guacamole (remote-desktop gateway). The gatus/external component
# and GATUS_SUBDOMAIN=remote indicate it is reachable on the public host;
# as a gateway to internal RDP/SSH/VNC targets it is a high-value login
# surface, so review that Guacamole's own authentication (ideally with a
# second factor) is enforced — nothing in this file adds an auth layer.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app guacamole
  namespace: &namespace default
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  components:
    - ../../../../flux/components/gatus/external
    - ../../../../flux/components/volsync
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: volsync-system
  interval: 30m
  path: ./kubernetes/apps/default/guacamole/app
  postBuild:
    substitute:
      APP: *app
      VOLSYNC_CAPACITY: 1Gi
      GATUS_SUBDOMAIN: remote
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/default/home-assistant/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/default/home-assistant/ks.yaml:
--------------------------------------------------------------------------------
---
# Home Assistant. gatus/external + GATUS_SUBDOMAIN=hass indicate a
# publicly reachable endpoint; authentication is left to Home Assistant
# itself (nothing here adds a proxy-level auth layer).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app home-assistant
  namespace: &namespace default
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  components:
    - ../../../../flux/components/gatus/external
    - ../../../../flux/components/volsync
  dependsOn:
    - name: emqx
      namespace: default
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: volsync-system
  interval: 30m
  path: ./kubernetes/apps/default/home-assistant/app
  postBuild:
    substitute:
      APP: *app
      VOLSYNC_CAPACITY: 5Gi
      GATUS_SUBDOMAIN: hass
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/default/it-tools/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
# NOTE(review): the schema comment above is for helm-v2beta2 while the
# manifest uses helm.toolkit.fluxcd.io/v2 — editor validation only, but
# worth aligning.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: &app it-tools
spec:
  interval: 30m
  chart:
    spec:
      chart: app-template
      version: 3.7.3
      sourceRef:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
  maxHistory: 2
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  uninstall:
    keepHistory: false
  values:
    controllers:
      it-tools:
        containers:
          app:
            image:
              repository: ghcr.io/corentinth/it-tools
              # Pinned by digest: the sha256 is what the runtime pulls, the
              # "latest" tag is informational only. This is the right shape for
              # supply-chain safety; keep the digest bumped via automation.
              tag: latest@sha256:8b8128748339583ca951af03dfe02a9a4d7363f61a216226fc28030731a5a61f
            env:
              TZ: "America/New_York"
            resources:
              requests:
                cpu: 100m
                memory: 500Mi
              limits:
                memory: 1500Mi
            # NOTE(review): no container securityContext is set here
            # (runAsNonRoot, allowPrivilegeEscalation: false, drop ALL caps,
            # seccomp). Chart/image defaults apply — not visible from this file.
    service:
      app:
        controller: it-tools
        # Teleport annotation/label — presumably picked up by Teleport app
        # discovery; verify which roles that exposes the service to.
        annotations:
          teleport.dev/name: *app
        labels:
          teleport: enabled
        ports:
          http:
            port: 80
    ingress:
      it-tools:
        # "external" ingress class: internet-facing. No auth annotations are
        # attached, so the app is anonymous at the edge; it-tools is a
        # client-side utility, but confirm that is the intended exposure.
        className: external
        hosts:
          - host: &host "{{ .Release.Name }}.unscfleet.com"
            paths:
              - path: /
                service:
                  identifier: app
                  port: http
        tls:
          # No secretName: the ingress controller's default/wildcard
          # certificate for this class is presumably used.
          - hosts:
              - *host
--------------------------------------------------------------------------------
/kubernetes/apps/default/it-tools/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/default/it-tools/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app it-tools
  namespace: &namespace default
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  components:
    - ../../../../flux/components/gatus/external
  path: ./kubernetes/apps/default/it-tools/app
  postBuild:
    substitute:
      APP: *app
      GATUS_SUBDOMAIN: it-tools
  interval: 30m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/default/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Namespace-level entry point: aggregates every app's Flux Kustomization in
# the "default" namespace plus the shared NFS PV/PVC objects.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
  # Shared PVCs
  - ./synology.yaml
  # Apps
  - ./audiobookshelf/ks.yaml
  - ./bazarr/ks.yaml
  - ./discord/ks.yaml
  - ./emqx/ks.yaml
  - ./frigate/ks.yaml
  - ./guacamole/ks.yaml
  - ./home-assistant/ks.yaml
  - ./it-tools/ks.yaml
  - ./minio/ks.yaml
  - ./node-red/ks.yaml
  - ./open-webui/ks.yaml
  - ./overseerr/ks.yaml
  - ./plex/ks.yaml
  - ./prowlarr/ks.yaml
  - ./radarr/ks.yaml
  - ./redis/ks.yaml
  - ./sabnzbd/ks.yaml
  - ./sonarr/ks.yaml
  - ./tautulli/ks.yaml
  - ./theme-park/ks.yaml
  - ./zigbee2mqtt/ks.yaml
  - ./zwave-js-ui/ks.yaml
components:
  # Shared components (contents outside this listing): "namespace" presumably
  # emits the Namespace object patched below; "sops" presumably wires SOPS
  # decryption for this namespace's Kustomizations.
  - ../../flux/components/namespace
  - ../../flux/components/sops
patches:
  - # Add the name to the namespace
    patch: |
      - op: add
        path: /metadata/name
        value: default
    target:
      kind: Namespace
--------------------------------------------------------------------------------
/kubernetes/apps/default/minio/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
# MinIO root credentials from Azure Key Vault.
# Review notes:
#   - These are the MinIO *root* (full-admin) credentials. Workloads that
#     only need bucket access should get scoped MinIO service accounts
#     rather than this Secret.
#   - metadata.namespace is set explicitly here (other ExternalSecrets in
#     this tree leave it to the Flux targetNamespace); harmless but
#     inconsistent.
#   - No deletionPolicy is set, so ESO's default applies (emqx/discord set
#     Delete explicitly).
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: minio
  namespace: default
spec:
  refreshInterval: "12h"

  secretStoreRef:
    name: azure-keyvault
    kind: ClusterSecretStore

  target:
    name: minio-secret
    creationPolicy: Owner

  data:
    - secretKey: MINIO_ROOT_USER
      remoteRef:
        key: Minio-Root-User

    - secretKey: MINIO_ROOT_PASSWORD
remoteRef:
  key: Minio-Root-Password
--------------------------------------------------------------------------------
/kubernetes/apps/default/minio/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./nfs-pvc.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/default/minio/app/nfs-pvc.yaml:
--------------------------------------------------------------------------------
---
# Static NFS PersistentVolume for MinIO's object store, paired with the PVC
# below purely by storageClassName (no StorageClass object named minio-nfs
# appears in this listing; none is needed for static binding).
# Review notes:
#   - NFS here uses the default AUTH_SYS security (no sec=krb5 option): the
#     NAS trusts the client's uid/gid, so access control reduces to the NAS
#     export list and network reachability of 10.0.30.4.
#   - The volume is ReadWriteMany: any pod in this namespace that can mount
#     the minio-nfs PVC reads/writes the raw object data directly, bypassing
#     MinIO's own access keys and policies.
#   - The PV is cluster-scoped and is not restricted with a claimRef; the
#     first matching PVC binds it.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: minio-nfs
spec:
  capacity:
    storage: 1Mi # Static PV: capacity is only used for PVC matching, not enforced
  accessModes: ["ReadWriteMany"]
  storageClassName: minio-nfs
  persistentVolumeReclaimPolicy: Retain   # data on the NAS survives PVC deletion
  nfs:
    server: "10.0.30.4"
    path: /volume1/Kubernetes/MinIO
  mountOptions: ["nfsvers=4.1","nconnect=8","hard","noatime"]
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: minio-nfs
  namespace: default
spec:
  accessModes: ["ReadWriteMany"]
  storageClassName: minio-nfs
  resources:
    requests:
      storage: 1Mi # Must be <= the PV capacity above for the static bind to succeed
--------------------------------------------------------------------------------
/kubernetes/apps/default/minio/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app minio
  namespace: &namespace default
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: external-secrets-azure
      namespace: external-secrets
  interval: 30m
  path: ./kubernetes/apps/default/minio/app
  prune: true
sourceRef:
  kind: GitRepository
  name: flux-system
  namespace: flux-system
targetNamespace: *namespace
timeout: 5m
wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/default/node-red/app/configs/settings.js:
--------------------------------------------------------------------------------
/**
 * Node-RED runtime settings, shipped into the pod as a ConfigMap.
 *
 * Security review notes (nothing below adds authentication):
 *  - There is no `adminAuth` block, so the editor and admin HTTP API are
 *    unauthenticated at the Node-RED layer unless another settings source
 *    injects it (not visible here). The ks.yaml uses the gatus/guarded
 *    component, which suggests a non-public ingress, but that is the only
 *    gate; anyone who reaches the editor can deploy arbitrary JavaScript.
 *  - There is no `credentialSecret`. Per Node-RED's documented behaviour a
 *    random key is generated and stored in the userDir; if the userDir is
 *    not persisted across restarts, encrypted flow credentials become
 *    unreadable. Setting it from a Secret-backed env var is safer.
 *  - No `httpNodeAuth` / `httpAdminRoot` / `httpStatic` overrides.
 */
module.exports = {
    flowFile: 'flows.json',
    flowFilePretty: true,
    // Listen port; PORT env var overrides the Node-RED default of 1880.
    uiPort: process.env.PORT || 1880,

    // Runtime diagnostics report is enabled and surfaced in the editor UI.
    // It exposes runtime/version/settings details to whoever can use the
    // editor — acceptable only if the editor itself is access-controlled.
    diagnostics: {
        enabled: true,
        ui: true,
    },

    // Flows cannot be started/stopped via the admin API or the editor.
    runtimeState: {
        enabled: false,
        ui: false,
    },

    logging: {
        console: {
            // "trace" is the most verbose level; trace output can include
            // message payloads, so any credentials/tokens flowing through
            // flows may end up in pod logs. Consider "info" in steady state.
            level: "trace",
            metrics: false,
            // audit:false disables logging of admin HTTP API calls; enabling
            // it gives a record of who changed flows, useful for forensics.
            audit: false
        }
    },

    // Do not expose global context keys to the editor's autocomplete.
    exportGlobalContextKeys: false,

    // Empty object: Node-RED's defaults for palette/module installation
    // from the editor apply (not restricted here).
    externalModules: {},

    editorTheme: {
        tours: false,
        theme: "dark",
        // Git-backed projects; pairs with the SSH key pair delivered by
        // node-red/app/externalsecret.yaml (node-red-secret).
        projects: {
            enabled: true,
            workflow: {
                mode: "auto"
            }
        },

        codeEditor: {
            lib: "monaco",
            options: {}
        }
    },

    // Function nodes may require() npm modules, which Node-RED installs on
    // demand into the userDir. This is a supply-chain / code-execution
    // surface for anyone who can edit flows; keep it in mind together with
    // the missing adminAuth above.
    functionExternalModules: true,
    functionGlobalContext: {},

    debugMaxLength: 1000,

    mqttReconnectTime: 15000,
    serialReconnectTime: 15000,
}
--------------------------------------------------------------------------------
/kubernetes/apps/default/node-red/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
# SSH key pair for Node-RED's git "projects" feature (settings.js enables
# editorTheme.projects). The private key grants whatever access the
# corresponding git remote has granted it — scope it to the flows repo only.
# No deletionPolicy is set, so ESO's default applies.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: node-red
  namespace: default
spec:
  refreshInterval: "12h"

  secretStoreRef:
    name: azure-keyvault
    kind: ClusterSecretStore

  target:
    name: node-red-secret
    creationPolicy: Owner

  data:
    - secretKey: NODERED-SSH-PRIVATE-KEY
      remoteRef:
        key: SSH-NodeRed-Private-Key

- secretKey: NODERED-SSH-PUBLIC-KEY
  remoteRef:
    key: SSH-NodeRed-Public-Key
--------------------------------------------------------------------------------
/kubernetes/apps/default/node-red/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
# settings.js is delivered as a ConfigMap (key: settings.js).
configMapGenerator:
  - name: node-red-configmap
    files:
      - ./configs/settings.js
generatorOptions:
  disableNameSuffixHash: true   # stable name; a settings change will not roll the pod on its own
  annotations:
    # Flux must not run ${VAR} substitution on this ConfigMap: settings.js
    # contains JavaScript (e.g. template-like "${...}" could appear) and
    # cluster substitution variables must not be injected into it.
    kustomize.toolkit.fluxcd.io/substitute: disabled
--------------------------------------------------------------------------------
/kubernetes/apps/default/node-red/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app node-red
  namespace: &namespace default
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  components:
    # gatus/guarded: health check presumably stays off the public host.
    # Given settings.js has no adminAuth, the editor should not be reachable
    # beyond this guarded path.
    - ../../../../flux/components/gatus/guarded
    - ../../../../flux/components/volsync
  dependsOn:
    # NOTE(review): this app has an ExternalSecret but external-secrets-azure
    # is not listed; ordering holds only transitively through emqx.
    - name: emqx
      namespace: default
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: volsync-system
  interval: 30m
  path: ./kubernetes/apps/default/node-red/app
  postBuild:
    substitute:
      APP: *app
      VOLSYNC_CAPACITY: 1Gi
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/default/open-webui/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/default/open-webui/ks.yaml:
--------------------------------------------------------------------------------
---
# Open WebUI (LLM chat front end). gatus/external + GATUS_SUBDOMAIN=ai
# indicate a publicly reachable endpoint; the app's own sign-up/login
# settings are the only gate visible from here — confirm open registration
# is disabled in the HelmRelease.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app open-webui
  namespace: &namespace default
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  components:
    - ../../../../flux/components/volsync
    - ../../../../flux/components/gatus/external
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: volsync-system
  interval: 30m
  path: ./kubernetes/apps/default/open-webui/app
  postBuild:
    substitute:
      APP: *app
      VOLSYNC_CAPACITY: 2Gi
      GATUS_SUBDOMAIN: ai
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/default/overseerr/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/default/overseerr/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization 4 | metadata: 5 | name: &app overseerr 6 | namespace: &namespace default 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | components: 12 | - ../../../../flux/components/gatus/external 13 | - ../../../../flux/components/volsync 14 | dependsOn: 15 | - name: rook-ceph-cluster 16 | namespace: rook-ceph 17 | - name: volsync 18 | namespace: volsync-system 19 | interval: 30m 20 | path: ./kubernetes/apps/default/overseerr/app 21 | postBuild: 22 | substitute: 23 | APP: *app 24 | VOLSYNC_CAPACITY: 1Gi 25 | GATUS_SUBDOMAIN: requests 26 | prune: true 27 | sourceRef: 28 | kind: GitRepository 29 | name: flux-system 30 | namespace: flux-system 31 | targetNamespace: *namespace 32 | timeout: 5m 33 | wait: false 34 | -------------------------------------------------------------------------------- /kubernetes/apps/default/plex/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | generatorOptions: 8 | disableNameSuffixHash: true -------------------------------------------------------------------------------- /kubernetes/apps/default/plex/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app plex 6 | namespace: &namespace default 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | components: 12 | - ../../../../flux/components/gatus/external 13 | - ../../../../flux/components/volsync 14 | dependsOn: 15 | - name: rook-ceph-cluster 16 | namespace: rook-ceph 17 | - name: volsync 18 | namespace: volsync-system 19 | - name: intel-device-plugin-gpu 20 | namespace: kube-system 21 | interval: 30m 22 | path: 
./kubernetes/apps/default/plex/app 23 | postBuild: 24 | substitute: 25 | APP: *app 26 | GATUS_PATH: /web/index.html 27 | VOLSYNC_CACHE_CAPACITY: 50Gi 28 | VOLSYNC_CAPACITY: 100Gi 29 | prune: true 30 | sourceRef: 31 | kind: GitRepository 32 | name: flux-system 33 | namespace: flux-system 34 | targetNamespace: *namespace 35 | timeout: 5m 36 | wait: false 37 | -------------------------------------------------------------------------------- /kubernetes/apps/default/prowlarr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/default/prowlarr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app prowlarr 6 | namespace: &namespace default 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | components: 12 | - ../../../../flux/components/gatus/guarded 13 | - ../../../../flux/components/volsync 14 | dependsOn: 15 | - name: rook-ceph-cluster 16 | namespace: rook-ceph 17 | - name: volsync 18 | namespace: volsync-system 19 | interval: 30m 20 | path: ./kubernetes/apps/default/prowlarr/app 21 | postBuild: 22 | substitute: 23 | APP: *app 24 | VOLSYNC_CAPACITY: 2Gi 25 | prune: true 26 | sourceRef: 27 | kind: GitRepository 28 | name: flux-system 29 | namespace: flux-system 30 | targetNamespace: *namespace 31 | timeout: 5m 32 | wait: false 33 | -------------------------------------------------------------------------------- /kubernetes/apps/default/radarr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 
2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/default/radarr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app radarr 6 | namespace: &namespace default 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | components: 12 | - ../../../../flux/components/gatus/guarded 13 | - ../../../../flux/components/volsync 14 | dependsOn: 15 | - name: rook-ceph-cluster 16 | namespace: rook-ceph 17 | - name: volsync 18 | namespace: volsync-system 19 | interval: 30m 20 | path: ./kubernetes/apps/default/radarr/app 21 | postBuild: 22 | substitute: 23 | APP: *app 24 | VOLSYNC_CAPACITY: 5Gi 25 | prune: true 26 | sourceRef: 27 | kind: GitRepository 28 | name: flux-system 29 | namespace: flux-system 30 | targetNamespace: *namespace 31 | timeout: 5m 32 | wait: false 33 | -------------------------------------------------------------------------------- /kubernetes/apps/default/redis/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - helmrelease.yaml 6 | -------------------------------------------------------------------------------- /kubernetes/apps/default/redis/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app redis 6 | namespace: &namespace default 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | components: 12 | - 
../../../../flux/components/gatus/guarded 13 | - ../../../../flux/components/volsync 14 | interval: 30m 15 | path: ./kubernetes/apps/default/redis/app 16 | postBuild: 17 | substitute: 18 | APP: *app 19 | VOLSYNC_CAPACITY: 5Gi 20 | prune: true 21 | sourceRef: 22 | kind: GitRepository 23 | name: flux-system 24 | namespace: flux-system 25 | targetNamespace: *namespace 26 | timeout: 5m 27 | wait: false 28 | -------------------------------------------------------------------------------- /kubernetes/apps/default/sabnzbd/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml -------------------------------------------------------------------------------- /kubernetes/apps/default/sabnzbd/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app sabnzbd 6 | namespace: &namespace default 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | components: 12 | - ../../../../flux/components/gatus/guarded 13 | - ../../../../flux/components/volsync 14 | dependsOn: 15 | - name: rook-ceph-cluster 16 | namespace: rook-ceph 17 | - name: volsync 18 | namespace: volsync-system 19 | interval: 30m 20 | path: ./kubernetes/apps/default/sabnzbd/app 21 | postBuild: 22 | substitute: 23 | APP: *app 24 | VOLSYNC_CAPACITY: 1Gi 25 | prune: true 26 | sourceRef: 27 | kind: GitRepository 28 | name: flux-system 29 | namespace: flux-system 30 | targetNamespace: *namespace 31 | timeout: 5m 32 | wait: false 33 | -------------------------------------------------------------------------------- /kubernetes/apps/default/sonarr/app/kustomization.yaml: 
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/default/sonarr/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app sonarr
  namespace: &namespace default
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  components:
    - ../../../../flux/components/gatus/guarded
    - ../../../../flux/components/volsync
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: volsync-system
  interval: 30m
  path: ./kubernetes/apps/default/sonarr/app
  postBuild:
    substitute:
      APP: *app
      VOLSYNC_CAPACITY: 2Gi
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/default/synology.yaml:
--------------------------------------------------------------------------------
---
# Shared NFS storage on the Synology NAS (10.0.30.4), consumed by the media
# apps in this namespace via static PV/PVC pairs.
# The StorageClass exists only so PVCs and PVs can be matched by name; no
# provisioner called "nfs" is visible in this listing, so nothing is
# dynamically provisioned and the archiveOnDelete parameter has no consumer.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: synology-nfs
provisioner: nfs
parameters:
  archiveOnDelete: "false"
---
# General Media PV
# Review notes:
#   - ReadWriteMany and no readOnly flag: every pod bound to the
#     synology-media PVC has full read/write on the whole /volume1/Media
#     tree, including the Frigate sub-path mounted separately below.
#   - NFS with the default AUTH_SYS security (no sec=krb5): the NAS trusts
#     the pod's uid/gid, so the export list on the NAS and network
#     reachability are the real access controls. Whether root is squashed
#     is decided on the NAS side (not visible here).
apiVersion: v1
kind: PersistentVolume
metadata:
  name: synology-media
spec:
  storageClassName: synology-nfs
  capacity:
    storage: 1Mi   # static PV: capacity is only used for PVC matching
  accessModes: ["ReadWriteMany"]
  persistentVolumeReclaimPolicy: Retain   # NAS data survives PVC deletion
  nfs:
    server: "10.0.30.4"
    path: /volume1/Media
  mountOptions:
25 | - nfsvers=4.1 26 | - nconnect=8 27 | - hard 28 | - noatime 29 | - rsize=131072 30 | - wsize=131072 31 | --- 32 | # General Media PVC 33 | apiVersion: v1 34 | kind: PersistentVolumeClaim 35 | metadata: 36 | name: synology-media 37 | namespace: default 38 | spec: 39 | accessModes: ["ReadWriteMany"] 40 | storageClassName: synology-nfs 41 | resources: 42 | requests: 43 | storage: 1Mi 44 | --- 45 | # Frigate specific PV 46 | apiVersion: v1 47 | kind: PersistentVolume 48 | metadata: 49 | name: synology-media-frigate 50 | spec: 51 | storageClassName: synology-nfs 52 | capacity: 53 | storage: 1Mi 54 | accessModes: ["ReadWriteMany"] 55 | persistentVolumeReclaimPolicy: Retain 56 | nfs: 57 | server: "10.0.30.4" 58 | path: /volume1/Media/Frigate 59 | mountOptions: 60 | - nfsvers=4.1 61 | - nconnect=8 62 | - hard 63 | - noatime 64 | - rsize=131072 65 | - wsize=131072 66 | --- 67 | # Frigate specific PVC 68 | apiVersion: v1 69 | kind: PersistentVolumeClaim 70 | metadata: 71 | name: synology-media-frigate 72 | namespace: default 73 | spec: 74 | accessModes: ["ReadWriteMany"] 75 | storageClassName: synology-nfs 76 | resources: 77 | requests: 78 | storage: 1Mi 79 | -------------------------------------------------------------------------------- /kubernetes/apps/default/tautulli/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/default/tautulli/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app tautulli 6 | namespace: &namespace default 7 | spec: 8 | commonMetadata: 9 | labels: 10 | 
app.kubernetes.io/name: *app 11 | components: 12 | - ../../../../flux/components/gatus/guarded 13 | - ../../../../flux/components/volsync 14 | dependsOn: 15 | - name: rook-ceph-cluster 16 | namespace: rook-ceph 17 | - name: volsync 18 | namespace: volsync-system 19 | interval: 30m 20 | path: ./kubernetes/apps/default/tautulli/app 21 | postBuild: 22 | substitute: 23 | APP: *app 24 | VOLSYNC_CAPACITY: 5Gi 25 | GATUS_PATH: /status 26 | prune: true 27 | sourceRef: 28 | kind: GitRepository 29 | name: flux-system 30 | namespace: flux-system 31 | targetNamespace: *namespace 32 | timeout: 5m 33 | wait: false 34 | -------------------------------------------------------------------------------- /kubernetes/apps/default/theme-park/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/default/theme-park/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app theme-park 6 | namespace: &namespace default 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | interval: 30m 12 | path: ./kubernetes/apps/default/theme-park/app 13 | postBuild: 14 | substitute: 15 | APP: *app 16 | prune: true 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | targetNamespace: *namespace 22 | timeout: 5m 23 | wait: false 24 | -------------------------------------------------------------------------------- /kubernetes/apps/default/zigbee2mqtt/app/externalsecret.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: zigbee 7 | namespace: default 8 | spec: 9 | refreshInterval: "12h" 10 | 11 | secretStoreRef: 12 | name: azure-keyvault 13 | kind: ClusterSecretStore 14 | 15 | target: 16 | name: zigbee-secret 17 | creationPolicy: Owner 18 | 19 | data: 20 | - secretKey: ZIGBEE2MQTT_CONFIG_ADVANCED_EXT_PAN_ID 21 | remoteRef: 22 | key: Zigbee-Extended-Id 23 | 24 | - secretKey: ZIGBEE2MQTT_CONFIG_ADVANCED_PAN_ID 25 | remoteRef: 26 | key: Zigbee-Pan-Id 27 | 28 | - secretKey: ZIGBEE2MQTT_CONFIG_ADVANCED_NETWORK_KEY 29 | remoteRef: 30 | key: Zigbee-Network-Key 31 | 32 | - secretKey: ZIGBEE2MQTT_CONFIG_MQTT_USER 33 | remoteRef: 34 | key: EMQX-user-2-username 35 | 36 | - secretKey: ZIGBEE2MQTT_CONFIG_MQTT_PASSWORD 37 | remoteRef: 38 | key: EMQX-user-2-password 39 | 40 | -------------------------------------------------------------------------------- /kubernetes/apps/default/zigbee2mqtt/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml 8 | generatorOptions: 9 | disableNameSuffixHash: true 10 | -------------------------------------------------------------------------------- /kubernetes/apps/default/zigbee2mqtt/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app zigbee2mqtt 6 | namespace: &namespace default 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | 
components: 12 | - ../../../../flux/components/gatus/guarded 13 | - ../../../../flux/components/volsync 14 | dependsOn: 15 | - name: node-feature-discovery 16 | namespace: kube-system 17 | - name: rook-ceph-cluster 18 | namespace: rook-ceph 19 | - name: volsync 20 | namespace: volsync-system 21 | - name: emqx 22 | namespace: default 23 | interval: 30m 24 | path: ./kubernetes/apps/default/zigbee2mqtt/app 25 | postBuild: 26 | substitute: 27 | APP: *app 28 | VOLSYNC_CAPACITY: 1Gi 29 | GATUS_PATH: /#/ 30 | prune: true 31 | sourceRef: 32 | kind: GitRepository 33 | name: flux-system 34 | namespace: flux-system 35 | targetNamespace: *namespace 36 | timeout: 5m 37 | wait: false 38 | -------------------------------------------------------------------------------- /kubernetes/apps/default/zwave-js-ui/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | generatorOptions: 8 | disableNameSuffixHash: true -------------------------------------------------------------------------------- /kubernetes/apps/default/zwave-js-ui/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app zwave-js-ui 6 | namespace: &namespace default 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | components: 12 | - ../../../../flux/components/gatus/guarded 13 | - ../../../../flux/components/volsync 14 | dependsOn: 15 | - name: node-feature-discovery 16 | namespace: kube-system 17 | - name: rook-ceph-cluster 18 | namespace: rook-ceph 19 | - name: volsync 20 | namespace: volsync-system 21 | - name: emqx 22 | namespace: default 23 | interval: 30m 24 | path: 
./kubernetes/apps/default/zwave-js-ui/app 25 | postBuild: 26 | substitute: 27 | APP: *app 28 | VOLSYNC_CAPACITY: 1Gi 29 | prune: true 30 | sourceRef: 31 | kind: GitRepository 32 | name: flux-system 33 | namespace: flux-system 34 | targetNamespace: *namespace 35 | timeout: 5m 36 | wait: false 37 | -------------------------------------------------------------------------------- /kubernetes/apps/external-secrets/azure-keyvault/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app external-secrets-azure 6 | namespace: &namespace external-secrets 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: *app 11 | interval: 30m 12 | path: ./kubernetes/apps/external-secrets/azure-keyvault/store 13 | prune: true 14 | sourceRef: 15 | kind: GitRepository 16 | name: flux-system 17 | namespace: flux-system 18 | targetNamespace: *namespace 19 | timeout: 5m 20 | wait: true 21 | -------------------------------------------------------------------------------- /kubernetes/apps/external-secrets/azure-keyvault/store/clustersecretstore.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/clustersecretstore_v1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ClusterSecretStore 5 | metadata: 6 | name: azure-keyvault 7 | namespace: external-secrets 8 | spec: 9 | provider: 10 | azurekv: 11 | tenantId: "ed154276-131a-4f6b-8d1f-18ca21c85897" 12 | vaultUrl: "https://k8shomeopskeyvault.vault.azure.net/" 13 | authSecretRef: 14 | clientId: 15 | name: azure-keyvault-secret 16 | key: ClientID 17 | namespace: external-secrets 18 | clientSecret: 19 | name: azure-keyvault-secret 20 | key: ClientSecret 21 | namespace: external-secrets 22 | 
-------------------------------------------------------------------------------- /kubernetes/apps/external-secrets/azure-keyvault/store/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./clustersecretstore.yaml 7 | - ./secrets.sops.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/external-secrets/azure-keyvault/store/secrets.sops.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: azure-keyvault-secret 5 | namespace: external-secrets 6 | stringData: 7 | ClientID: ENC[AES256_GCM,data:cMKPWeN7fYm8TA3PMZ+nVZOfZWNkwMeEW2Qw5u4X+OXPWq6j,iv:1nacog8J3sdDhtT/nPT5B/jBXzoaACRnLedNcBHCYcI=,tag:4JhkLsxlG0WXyC1H32Ca3A==,type:str] 8 | ClientSecret: ENC[AES256_GCM,data:I0bheAIT2Ge9KcDnBDmVBnGC15cx0DoKGyUblbLmoL4RUdiyL3eaZg==,iv:LRyqC2scC5hyOH80ziHxLhP63KZ7yUtU7gUTt1PpPsw=,tag:yXchC3GxFpQ1qbVCynVDnA==,type:str] 9 | sops: 10 | kms: [] 11 | gcp_kms: [] 12 | azure_kv: [] 13 | hc_vault: [] 14 | age: 15 | - recipient: age1scvdjv7h3s38cqtq4gsnj6cpsvh62zuhu8dy72uye4jksz2w39ds0skqm5 16 | enc: | 17 | -----BEGIN AGE ENCRYPTED FILE----- 18 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVUU4MWZRU3JDY2xEaWJZ 19 | Yjc0bnhaRTM3S1pmMUl3WGpCWGFqbHRhSFFjCmZKbkp4ZjN6b1lxQkFTd09nWUVF 20 | YXcwNG9wOUo3eFcxZzRtc3NMS3RVUE0KLS0tIGZVQm5YcUtxdVVObXdTTjhuQzdm 21 | RW96UkpYbjhrZEk4M3cxMmNWNG1ObEkKWMGIOrBdDAIq0Bu19TVKfbxkCJpVUcph 22 | AttXqm1VQlqmN2gRcnUx9L+w08sv3aq1HaWZqCFpRqmGaEYFrUaktQ== 23 | -----END AGE ENCRYPTED FILE----- 24 | lastmodified: "2025-01-26T18:47:00Z" 25 | mac: 
ENC[AES256_GCM,data:6YsuUpexNdVoJQQzv9gPXjd3LkhCyFXF9f6rp6jI1lx/fBHaIhu2YvvABUxdN7UaWqXh7KyTvA8E9Zn5m9sDU98h3MlwEk2us45QOVd0SudslPqsggzaE4Ic6PVcYeKWkDnhzzRLd2Q8SiUpCuHwBjcX9unpxqKc3H7A19hCi1U=,iv:mvwGnpMtN21ckUfAVjmkmicSVGYXaQRsOJNxOgIMF5I=,tag:sG1LWM9g01zEIj4ZocmAhQ==,type:str] 26 | pgp: [] 27 | encrypted_regex: ^(data|stringData)$ 28 | version: 3.9.3 29 | -------------------------------------------------------------------------------- /kubernetes/apps/external-secrets/external-secrets/app/helm-values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | installCRDs: true 3 | replicaCount: 1 4 | leaderElect: true 5 | image: 6 | repository: ghcr.io/external-secrets/external-secrets 7 | webhook: 8 | image: 9 | repository: ghcr.io/external-secrets/external-secrets 10 | serviceMonitor: 11 | enabled: true 12 | interval: 1m 13 | certController: 14 | image: 15 | repository: ghcr.io/external-secrets/external-secrets 16 | serviceMonitor: 17 | enabled: true 18 | interval: 1m 19 | serviceMonitor: 20 | enabled: true 21 | interval: 1m -------------------------------------------------------------------------------- /kubernetes/apps/external-secrets/external-secrets/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: external-secrets 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: external-secrets 12 | version: 0.17.0 13 | sourceRef: 14 | kind: HelmRepository 15 | name: external-secrets 16 | namespace: flux-system 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | strategy: rollback 24 | retries: 3 25 | valuesFrom: 26 | - kind: ConfigMap 27 | name: external-secrets-helm-values 
-------------------------------------------------------------------------------- /kubernetes/apps/external-secrets/external-secrets/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | configMapGenerator: 8 | - name: external-secrets-helm-values 9 | files: 10 | - values.yaml=./helm-values.yaml 11 | configurations: 12 | - kustomizeconfig.yaml -------------------------------------------------------------------------------- /kubernetes/apps/external-secrets/external-secrets/app/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease -------------------------------------------------------------------------------- /kubernetes/apps/external-secrets/external-secrets/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app external-secrets 7 | namespace: &namespace external-secrets 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | interval: 30m 13 | path: ./kubernetes/apps/external-secrets/external-secrets/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | targetNamespace: *namespace 20 | timeout: 5m 21 | wait: false -------------------------------------------------------------------------------- /kubernetes/apps/external-secrets/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: external-secrets 6 | resources: 7 | - ./external-secrets/ks.yaml 8 | - ./azure-keyvault/ks.yaml 9 | components: 10 | - ../../flux/components/namespace 11 | - ../../flux/components/sops -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/app/helm-values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | serviceMonitor: 3 | create: true 4 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: flux-operator 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: flux-operator 12 | version: 0.22.0 13 | sourceRef: 14 | kind: HelmRepository 15 | name: controlplaneio 16 | namespace: flux-system 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | strategy: rollback 24 | retries: 3 25 | valuesFrom: 26 | - kind: ConfigMap 27 | name: flux-operator-helm-values 28 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | 
resources: 6 | - ./helmrelease.yaml 7 | configMapGenerator: 8 | - name: flux-operator-helm-values 9 | files: 10 | - values.yaml=./helm-values.yaml 11 | configurations: 12 | - kustomizeconfig.yaml 13 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/app/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/instance/github/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./webhooks 7 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/instance/github/webhooks/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | name: flux-webhook 6 | spec: 7 | ingressClassName: external 8 | rules: 9 | - host: "flux-webhook.unscfleet.com" 10 | http: 11 | paths: 12 | - path: /hook/ 13 | pathType: Prefix 14 | backend: 15 | service: 16 | name: webhook-receiver 17 | port: 18 | number: 80 19 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/instance/github/webhooks/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: 
Kustomization 5 | resources: 6 | - ./secret.sops.yaml 7 | - ./ingress.yaml 8 | - ./receiver.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/instance/github/webhooks/receiver.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/receiver-notification-v1.json 3 | apiVersion: notification.toolkit.fluxcd.io/v1 4 | kind: Receiver 5 | metadata: 6 | name: github-receiver 7 | spec: 8 | type: github 9 | events: 10 | - ping 11 | - push 12 | secretRef: 13 | name: github-webhook-token-secret 14 | resources: 15 | - apiVersion: source.toolkit.fluxcd.io/v1 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | - apiVersion: kustomize.toolkit.fluxcd.io/v1 20 | kind: Kustomization 21 | name: flux-system 22 | namespace: flux-system 23 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/instance/github/webhooks/secret.sops.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetesjsonschema.dev/v1.18.1-standalone-strict/secret-v1.json 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: github-webhook-token-secret 6 | stringData: 7 | token: ENC[AES256_GCM,data:Xb7FihpqglXay72ZqjNeLgtYq6WBijUpMo4yyCuwPNE=,iv:XODAoZGR8p8gktpwObtcHkmEDRIa/la8Xt+lu54FP24=,tag:NVeGvtkaSihaD3I/DNMShg==,type:str] 8 | sops: 9 | kms: [] 10 | gcp_kms: [] 11 | azure_kv: [] 12 | hc_vault: [] 13 | age: 14 | - recipient: age1scvdjv7h3s38cqtq4gsnj6cpsvh62zuhu8dy72uye4jksz2w39ds0skqm5 15 | enc: | 16 | -----BEGIN AGE ENCRYPTED FILE----- 17 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2N3pRZGpmNS9RTzZ6UHhR 18 | TE5FSTZCM3hQaC9waFU4Z283RVJ0QXZHcUhFCkVSc2d6ZkVMUEI1NGdMTnpRK0FS 19 | 
cWlaMTIzcStoa0hPVWwrUzhGMjhtcTQKLS0tIFF3VlRXaFQ3UEVMN2Y4Qm5TS1lJ 20 | ZnNnV0Z2Z3JNV05FOCtKSnIwTVpoSlEKggy0aWxKUP6p33Ks6gI3HvpJPlQZgxHm 21 | CVP3eWyV+2BWWbHeexbPnnFO2ndnimbpfNTVPDddaD/QjtotdPG/og== 22 | -----END AGE ENCRYPTED FILE----- 23 | lastmodified: "2025-01-31T05:43:08Z" 24 | mac: ENC[AES256_GCM,data:8z1GEw1JJJjkudeNJGofU0pfPC/XXMdc5hxe3AIq0YrOQfXR0y3GN1dCHw6GomvZJgIOFZ2gLohZWZhwhVdGuxq24zHRJuoIvIlbMfuRbSTjxU8BVWtLp1DXJW7nkr8fLIH2jYpy6hCo83mhg2ubIQqsTgy8jiAimD7KltSMI+U=,iv:MeuDnB839nM/frmDKln//vWAT3M1ZgCTDSt62pXjryg=,tag:lgfACg0N6tLCb7LcRU7t/g==,type:str] 25 | pgp: [] 26 | encrypted_regex: ^(data|stringData)$ 27 | mac_only_encrypted: true 28 | version: 3.9.4 29 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/instance/helm-values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | instance: 3 | cluster: 4 | networkPolicy: false 5 | components: 6 | - source-controller 7 | - kustomize-controller 8 | - helm-controller 9 | - notification-controller 10 | sync: 11 | kind: GitRepository 12 | url: "https://github.com/binaryn3xus/HomeOps.git" 13 | ref: "refs/heads/main" 14 | path: kubernetes/flux/cluster 15 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/instance/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: flux-instance 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: flux-instance 12 | version: 0.22.0 13 | sourceRef: 14 | kind: HelmRepository 15 | name: controlplaneio 16 | namespace: flux-system 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 
22 | remediation: 23 | strategy: rollback 24 | retries: 3 25 | dependsOn: 26 | - name: flux-operator 27 | namespace: flux-system 28 | valuesFrom: 29 | - kind: ConfigMap 30 | name: flux-instance-helm-values 31 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/instance/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./github 7 | - ./helmrelease.yaml 8 | configMapGenerator: 9 | - name: flux-instance-helm-values 10 | files: 11 | - values.yaml=./helm-values.yaml 12 | configurations: 13 | - kustomizeconfig.yaml 14 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/instance/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app flux-operator 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: flux-system 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | path: ./kubernetes/apps/flux-system/flux-operator/app 14 | prune: false # pruning disabled: these objects must never be deleted 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | wait: false 19 
| interval: 30m 20 | timeout: 5m 21 | --- 22 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 23 | apiVersion: kustomize.toolkit.fluxcd.io/v1 24 | kind: Kustomization 25 | metadata: 26 | name: &app flux-instance 27 | namespace: flux-system 28 | spec: 29 | targetNamespace: flux-system 30 | commonMetadata: 31 | labels: 32 | app.kubernetes.io/name: *app 33 | path: ./kubernetes/apps/flux-system/flux-operator/instance 34 | prune: false # pruning disabled: these objects must never be deleted 35 | sourceRef: 36 | kind: GitRepository 37 | name: flux-system 38 | wait: false 39 | interval: 30m 40 | timeout: 5m 41 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./flux-operator/ks.yaml 7 | components: 8 | - ../../flux/components/namespace 9 | patches: 10 | - # Set metadata.name on the Namespace produced by the shared component 11 | patch: | 12 | - op: add 13 | path: /metadata/name 14 | value: flux-system 15 | target: 16 | kind: Namespace 17 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/app/helm-values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | autoDirectNodeRoutes: true 3 | bpf: 4 | masquerade: true 5 | # Ref: https://github.com/siderolabs/talos/issues/10002 6 | hostLegacyRouting: true 7 | cni: 8 | # Required for pairing with Multus CNI 9 | exclusive: false 10 | cgroup: 11 | automount: 12 | enabled: false 13 | hostRoot: /sys/fs/cgroup 14 | # NOTE: set devices explicitly if your hosts have more than one active NIC 15 | # devices: eno+ eth+ 16 | endpointRoutes: 17 | enabled: true 18 
| envoy: 19 | enabled: false 20 | dashboards: 21 | enabled: true 22 | hubble: 23 | enabled: false 24 | ipam: 25 | mode: kubernetes 26 | ipv4NativeRoutingCIDR: "10.69.0.0/16" 27 | k8sServiceHost: 127.0.0.1 28 | k8sServicePort: 7445 29 | kubeProxyReplacement: true 30 | kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 31 | l2announcements: 32 | enabled: true 33 | loadBalancer: 34 | algorithm: maglev 35 | mode: "dsr" 36 | localRedirectPolicy: true 37 | operator: 38 | replicas: 1 39 | rollOutPods: true 40 | prometheus: 41 | enabled: true 42 | serviceMonitor: 43 | enabled: true 44 | dashboards: 45 | enabled: true 46 | prometheus: 47 | enabled: true 48 | serviceMonitor: 49 | enabled: true 50 | trustCRDsExist: true 51 | rollOutCiliumPods: true 52 | routingMode: native 53 | securityContext: 54 | capabilities: 55 | ciliumAgent: 56 | - CHOWN 57 | - KILL 58 | - NET_ADMIN 59 | - NET_RAW 60 | - IPC_LOCK 61 | - SYS_ADMIN 62 | - SYS_RESOURCE 63 | - PERFMON 64 | - BPF 65 | - DAC_OVERRIDE 66 | - FOWNER 67 | - SETGID 68 | - SETUID 69 | cleanCiliumState: 70 | - NET_ADMIN 71 | - SYS_ADMIN 72 | - SYS_RESOURCE 73 | socketLB: 74 | hostNamespaceOnly: true 75 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: cilium 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: cilium 12 | version: 1.17.4 13 | sourceRef: 14 | kind: HelmRepository 15 | name: cilium 16 | namespace: flux-system 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | retries: 3 24 | valuesFrom: 25 | - kind: ConfigMap 26 | name: cilium-helm-values 27 | 
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | configMapGenerator: 8 | - name: cilium-helm-values 9 | files: 10 | - values.yaml=./helm-values.yaml 11 | configurations: 12 | - kustomizeconfig.yaml 13 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./l2.yaml 7 | - ./pool.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/config/l2.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://datreeio.github.io/CRDs-catalog/cilium.io/ciliuml2announcementpolicy_v2alpha1.json 3 | apiVersion: cilium.io/v2alpha1 4 | kind: CiliumL2AnnouncementPolicy 5 | metadata: 6 | name: l2-policy 7 | spec: 8 | loadBalancerIPs: true 9 | # NOTE: set interfaces explicitly if your hosts have more than one active NIC 10 | # interfaces: 11 | # - 
^eno[0-9]+ 12 | # - ^eth[0-9]+ 13 | nodeSelector: 14 | matchLabels: 15 | kubernetes.io/os: linux 16 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/config/pool.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://datreeio.github.io/CRDs-catalog/cilium.io/ciliumloadbalancerippool_v2alpha1.json 3 | apiVersion: cilium.io/v2alpha1 4 | kind: CiliumLoadBalancerIPPool 5 | metadata: 6 | name: pool 7 | spec: 8 | allowFirstLastIPs: "No" 9 | blocks: 10 | - cidr: "10.0.30.0/24" 11 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app cilium 7 | namespace: &namespace kube-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | interval: 30m 13 | path: ./kubernetes/apps/kube-system/cilium/app 14 | prune: false 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | targetNamespace: *namespace 20 | timeout: 5m 21 | wait: true 22 | --- 23 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 24 | apiVersion: kustomize.toolkit.fluxcd.io/v1 25 | kind: Kustomization 26 | metadata: 27 | name: &app cilium-config 28 | namespace: &namespace kube-system 29 | spec: 30 | commonMetadata: 31 | labels: 32 | app.kubernetes.io/name: *app 33 | dependsOn: 34 | - name: cilium 35 | namespace: kube-system 36 | interval: 30m 37 | path: ./kubernetes/apps/kube-system/cilium/config 38 | prune: false 39 | sourceRef: 40 
| kind: GitRepository 41 | name: flux-system 42 | namespace: flux-system 43 | targetNamespace: *namespace 44 | timeout: 5m 45 | wait: false 46 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/app/helm-values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fullnameOverride: coredns 3 | k8sAppLabelOverride: kube-dns 4 | serviceAccount: 5 | create: true 6 | service: 7 | name: kube-dns 8 | clusterIP: "10.96.0.10" 9 | replicaCount: 2 10 | servers: 11 | - zones: 12 | - zone: . 13 | scheme: dns:// 14 | use_tcp: true 15 | port: 53 16 | plugins: 17 | - name: errors 18 | - name: health 19 | configBlock: |- 20 | lameduck 5s 21 | - name: ready 22 | - name: log 23 | configBlock: |- 24 | class error 25 | - name: prometheus 26 | parameters: 0.0.0.0:9153 27 | - name: kubernetes 28 | parameters: cluster.local in-addr.arpa ip6.arpa 29 | configBlock: |- 30 | pods insecure 31 | fallthrough in-addr.arpa ip6.arpa 32 | - name: forward 33 | parameters: . 
/etc/resolv.conf 34 | - name: cache 35 | parameters: 30 36 | - name: loop 37 | - name: reload 38 | - name: loadbalance 39 | affinity: 40 | nodeAffinity: 41 | requiredDuringSchedulingIgnoredDuringExecution: 42 | nodeSelectorTerms: 43 | - matchExpressions: 44 | - key: node-role.kubernetes.io/control-plane 45 | operator: Exists 46 | tolerations: 47 | - key: CriticalAddonsOnly 48 | operator: Exists 49 | - key: node-role.kubernetes.io/control-plane 50 | operator: Exists 51 | effect: NoSchedule 52 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: coredns 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: coredns 12 | version: 1.42.2 13 | sourceRef: 14 | kind: HelmRepository 15 | name: coredns 16 | namespace: flux-system 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | strategy: rollback 24 | retries: 3 25 | valuesFrom: 26 | - kind: ConfigMap 27 | name: coredns-helm-values 28 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | configMapGenerator: 8 | - name: coredns-helm-values 9 | files: 10 | - values.yaml=./helm-values.yaml 11 | configurations: 12 | - kustomizeconfig.yaml 13 | 
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app coredns 7 | namespace: &namespace kube-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | interval: 30m 13 | path: ./kubernetes/apps/kube-system/coredns/app 14 | prune: false 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | targetNamespace: *namespace 20 | timeout: 5m 21 | wait: false -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/intel-device-plugin/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: intel-device-plugin-operator 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: intel-device-plugins-operator 12 | version: 0.32.1 13 | sourceRef: 14 | kind: HelmRepository 15 | name: intel 16 | namespace: flux-system 17 | install: 18 | crds: CreateReplace 19 | remediation: 20 | retries: 3 21 | upgrade: 22 | cleanupOnFail: true 23 | crds: CreateReplace 24 | 
remediation: 25 | strategy: rollback 26 | retries: 3 27 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/intel-device-plugin/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: kube-system 5 | resources: 6 | - ./helmrelease.yaml 7 | labels: 8 | - pairs: 9 | app.kubernetes.io/name: intel-gpu-exporter 10 | app.kubernetes.io/instance: intel-gpu-exporter 11 | app.kubernetes.io/part-of: intel-device-plugin -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/intel-device-plugin/gpu/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: intel-device-plugin-gpu 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: intel-device-plugins-gpu 12 | version: 0.32.1 13 | sourceRef: 14 | kind: HelmRepository 15 | name: intel 16 | namespace: flux-system 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | strategy: rollback 24 | retries: 3 25 | values: 26 | name: intel-gpu-plugin 27 | sharedDevNum: 3 28 | nodeFeatureRule: false 29 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/intel-device-plugin/gpu/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: kube-system 5 | resources: 6 | - ./helmrelease.yaml 7 | labels: 8 | - pairs: 9 | app.kubernetes.io/name: intel-device-plugin-gpu 10 | 
app.kubernetes.io/instance: intel-device-plugin-gpu 11 | app.kubernetes.io/part-of: intel-device-plugin -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/intel-device-plugin/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: intel-device-plugin-operator 6 | namespace: &namespace kube-system 7 | spec: 8 | commonMetadata: 9 | labels: 10 | app.kubernetes.io/name: intel-device-plugin-operator 11 | dependsOn: 12 | - name: node-feature-discovery 13 | namespace: kube-system 14 | interval: 30m 15 | path: ./kubernetes/apps/kube-system/intel-device-plugin/app 16 | prune: true 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | targetNamespace: *namespace 22 | timeout: 5m 23 | wait: true 24 | --- 25 | apiVersion: kustomize.toolkit.fluxcd.io/v1 26 | kind: Kustomization 27 | metadata: 28 | name: intel-device-plugin-gpu 29 | namespace: &namespace kube-system 30 | spec: 31 | commonMetadata: 32 | labels: 33 | app.kubernetes.io/name: intel-device-plugin-gpu 34 | dependsOn: 35 | - name: intel-device-plugin-operator 36 | namespace: kube-system 37 | interval: 30m 38 | path: ./kubernetes/apps/kube-system/intel-device-plugin/gpu 39 | prune: true 40 | sourceRef: 41 | kind: GitRepository 42 | name: flux-system 43 | namespace: flux-system 44 | targetNamespace: *namespace 45 | timeout: 5m 46 | wait: true 47 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: kube-system 6 | resources: 7 | - ./cilium/ks.yaml 8 | - 
./coredns/ks.yaml 9 | - ./intel-device-plugin/ks.yaml 10 | - ./metrics-server/ks.yaml 11 | - ./node-feature-discovery/ks.yaml 12 | - ./reloader/ks.yaml 13 | - ./spegel/ks.yaml 14 | components: 15 | - ../../flux/components/namespace 16 | - ../../flux/components/sops 17 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: metrics-server 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: metrics-server 12 | version: 3.12.2 13 | sourceRef: 14 | kind: HelmRepository 15 | name: metrics-server 16 | namespace: flux-system 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | retries: 3 24 | values: 25 | args: 26 | - --kubelet-insecure-tls 27 | - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname 28 | - --kubelet-use-node-status-port 29 | - --metric-resolution=10s 30 | - --kubelet-request-timeout=2s 31 | metrics: 32 | enabled: true 33 | serviceMonitor: 34 | enabled: true 35 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/metrics-server/ks.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app metrics-server 7 | namespace: &namespace kube-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | interval: 30m 13 | path: ./kubernetes/apps/kube-system/metrics-server/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | targetNamespace: *namespace 20 | timeout: 5m 21 | wait: false -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/node-feature-discovery/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: node-feature-discovery 7 | namespace: kube-system 8 | spec: 9 | interval: 15m 10 | chart: 11 | spec: 12 | chart: node-feature-discovery 13 | version: 0.17.3 14 | sourceRef: 15 | kind: HelmRepository 16 | name: node-feature-discovery 17 | namespace: flux-system 18 | maxHistory: 3 19 | install: 20 | createNamespace: true 21 | crds: CreateReplace 22 | remediation: 23 | retries: 3 24 | upgrade: 25 | cleanupOnFail: true 26 | crds: CreateReplace 27 | remediation: 28 | retries: 3 29 | uninstall: 30 | keepHistory: false 31 | values: 32 | master: 33 | replicaCount: 1 34 | worker: 35 | config: 36 | core: 37 | labelSources: ["pci", "system", "usb"] 38 | prometheus: 39 | enable: true -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/node-feature-discovery/app/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/node-feature-discovery/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app node-feature-discovery 7 | namespace: &namespace kube-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | interval: 30m 13 | path: ./kubernetes/apps/kube-system/node-feature-discovery/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | targetNamespace: *namespace 20 | timeout: 5m 21 | wait: true 22 | --- 23 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 24 | apiVersion: kustomize.toolkit.fluxcd.io/v1 25 | kind: Kustomization 26 | metadata: 27 | name: &app node-feature-discovery-rules 28 | namespace: &namespace kube-system 29 | spec: 30 | commonMetadata: 31 | labels: 32 | app.kubernetes.io/name: *app 33 | interval: 30m 34 | dependsOn: 35 | - name: node-feature-discovery 36 | namespace: kube-system 37 | path: ./kubernetes/apps/kube-system/node-feature-discovery/rules 38 | prune: true 39 | sourceRef: 40 | kind: GitRepository 41 | name: flux-system 42 | namespace: flux-system 43 | targetNamespace: *namespace 44 | timeout: 5m 45 | wait: true 46 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/node-feature-discovery/rules/aeotec-zwave-device.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: nfd.k8s-sigs.io/v1alpha1 3 | kind: NodeFeatureRule 4 | metadata: 5 | name: aeotec-zwave-device 6 | spec: 7 | rules: 8 | - # Aeotec Z-Stick Gen5+ 9 | name: aeotec.zwave 10 | labels: 11 | aeotec.feature.node.kubernetes.io/zwave: "true" 12 | matchFeatures: 13 | - feature: usb.device 14 | matchExpressions: 15 | class: { op: In, value: ["02"] } 16 | vendor: { op: In, value: ["0658"] } 17 | device: { op: In, value: ["0200"] } 18 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/node-feature-discovery/rules/google-coral-device.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: nfd.k8s-sigs.io/v1alpha1 3 | kind: NodeFeatureRule 4 | metadata: 5 | name: google-coral-device 6 | spec: 7 | rules: 8 | - # Google Coral USB Accelerator 9 | name: google.coral 10 | labels: 11 | google.feature.node.kubernetes.io/coral: "true" 12 | matchFeatures: 13 | - feature: usb.device 14 | matchExpressions: 15 | vendor: { op: In, value: ["1a6e", "18d1"] } 16 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/node-feature-discovery/rules/intel-gpu-device.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/nfd.k8s-sigs.io/nodefeaturerule_v1alpha1.json 3 | apiVersion: nfd.k8s-sigs.io/v1alpha1 4 | kind: NodeFeatureRule 5 | metadata: 6 | name: intel-gpu-device 7 | spec: 8 | rules: 9 | - name: intel.gpu 10 | labels: 11 | intel.feature.node.kubernetes.io/gpu: "true" 12 | intel.feature.node.kubernetes.io/gpu.model: "iris-xe" 13 | intel.feature.node.kubernetes.io/gpu.generation: "alderlake" 14 | matchFeatures: 15 | - feature: pci.device 16 | matchExpressions: 17 | class: { op: In, value: ["0300"] } # From 
class_id: "0x03" and subclass_id: "0x00" 18 | vendor: { op: In, value: ["8086"] } # From vendor_id: "0x8086" 19 | device: { op: In, value: ["46a6"] } # From product_id: "0x46a6" -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/node-feature-discovery/rules/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./aeotec-zwave-device.yaml 6 | - ./google-coral-device.yaml 7 | - ./intel-gpu-device.yaml 8 | 9 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/reloader/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: reloader 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: reloader 12 | version: 2.1.3 13 | sourceRef: 14 | kind: HelmRepository 15 | name: stakater 16 | namespace: flux-system 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | retries: 3 24 | values: 25 | fullnameOverride: reloader 26 | reloader: 27 | readOnlyRootFileSystem: true 28 | podMonitor: 29 | enabled: true 30 | namespace: "{{ .Release.Namespace }}" 31 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/reloader/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | 
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/reloader/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app reloader 7 | namespace: &namespace kube-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | interval: 30m 13 | path: ./kubernetes/apps/kube-system/reloader/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | targetNamespace: *namespace 20 | timeout: 5m 21 | wait: false -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: spegel 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: spegel 12 | version: 0.3.0 13 | sourceRef: 14 | kind: HelmRepository 15 | name: spegel 16 | namespace: flux-system 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | retries: 3 24 | values: 25 | grafanaDashboard: 26 | enabled: true 27 | service: 28 | registry: 29 | hostPort: 29999 30 | serviceMonitor: 31 | enabled: true 32 | spegel: 33 | containerdSock: /run/containerd/containerd.sock 34 | containerdRegistryConfigPath: /etc/cri/conf.d/hosts 35 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/app/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app spegel 7 | namespace: &namespace kube-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | interval: 30m 13 | path: ./kubernetes/apps/kube-system/spegel/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | targetNamespace: *namespace 20 | timeout: 5m 21 | wait: false -------------------------------------------------------------------------------- /kubernetes/apps/network/external/cloudflared/configs/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | originRequest: 3 | originServerName: "external.unscfleet.com" 4 | 5 | ingress: 6 | - hostname: "unscfleet.com" 7 | service: https://external-ingress-nginx-controller.network.svc.cluster.local:443 8 | originRequest: 9 | noTLSVerify: true 10 | - hostname: "*.unscfleet.com" 11 | service: https://external-ingress-nginx-controller.network.svc.cluster.local:443 12 | originRequest: 13 | noTLSVerify: true 14 | - service: http_status:404 15 | -------------------------------------------------------------------------------- /kubernetes/apps/network/external/cloudflared/dnsendpoint.yaml: -------------------------------------------------------------------------------- 1 | 
--- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/externaldns.k8s.io/dnsendpoint_v1alpha1.json 3 | apiVersion: externaldns.k8s.io/v1alpha1 4 | kind: DNSEndpoint 5 | metadata: 6 | name: cloudflared 7 | spec: 8 | endpoints: 9 | - dnsName: "external.unscfleet.com" 10 | recordType: CNAME 11 | targets: ["b9d1e81f-c1e0-4538-b153-bfe3cc327d2f.cfargotunnel.com"] 12 | -------------------------------------------------------------------------------- /kubernetes/apps/network/external/cloudflared/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./dnsendpoint.yaml 7 | - ./secret.sops.yaml 8 | - ./helmrelease.yaml 9 | configMapGenerator: 10 | - name: cloudflared-configmap 11 | files: 12 | - ./configs/config.yaml 13 | generatorOptions: 14 | disableNameSuffixHash: true 15 | -------------------------------------------------------------------------------- /kubernetes/apps/network/external/cloudflared/secret.sops.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetesjsonschema.dev/v1.18.1-standalone-strict/secret-v1.json 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: cloudflared-secret 6 | stringData: 7 | TUNNEL_ID: ENC[AES256_GCM,data:byt4NBZEUchWauCLJWromQ6LVRHQe+Jw0ya7wnysEHD/i6+Z,iv:dz8+kncugoC0zmykhInG3oerP3PUVvVRuc5ZKtIxx30=,tag:bG4I7zZyiWrKmFiB49JVDQ==,type:str] 8 | credentials.json: 
ENC[AES256_GCM,data:gSdSZixM7MY0H4ff0BIv+jrF8RVZZxPiqbB+X5GPAGRkfzSOPUkY81IycxRkzj9+dEBAv3jwopkZAm2MYoK5a+/b6BgXvrvZdUyxpu/KwhAcoPI/Kb7IUvCoxqQ7LoPJABqLNCiABhcwwyuoSbcL3OElDhmPq/RfqrNd4DeupZWK7fscAFV584FQ2P4488fTcP5NegM6h5Ri1u2HzB7RiM7otJx3MZ6Di6z5K9H62Q==,iv:6q1f9u1ayXAJ54+7IX6AwTWWplmijR5tKNjpNpNkBE8=,tag:H1/C778i3K2yM4MZNUHzgw==,type:str] 9 | sops: 10 | kms: [] 11 | gcp_kms: [] 12 | azure_kv: [] 13 | hc_vault: [] 14 | age: 15 | - recipient: age1scvdjv7h3s38cqtq4gsnj6cpsvh62zuhu8dy72uye4jksz2w39ds0skqm5 16 | enc: | 17 | -----BEGIN AGE ENCRYPTED FILE----- 18 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVGc1cmwvUjBMaThjdDRL 19 | MUtUQVBRL0Q4empINFZlVjVrUUdZUTA2Tmp3CkszYU8yOVVmUlhUY24wWDNHaDJE 20 | QUt6NTRqU2t5SEN6YkxabDA2bzNRUkkKLS0tIDhoT01TU3VmRGZQVlBRNHIvTmlx 21 | OXU4OWlzbzdOWWNvMEE5amk0YnlvQ0kKJ4iIjyNBmvn3L5ly3QyGcd8Ify6EtaWs 22 | af7r/1CIxv6NOnrt7j9oJzN05DkSMWYpB9NQvgnmFEmXouT9s/c8Ow== 23 | -----END AGE ENCRYPTED FILE----- 24 | lastmodified: "2025-01-31T05:43:08Z" 25 | mac: ENC[AES256_GCM,data:aIM3BZ/Z2nevr5xvYB4eB3Cq1/Q14aXnynKJ5fGeytVPSBYsqlAso6W6GflULN+zknquW+VkVVQ1MPS65FJXFCL8sZlW6PKirLUHzaGfRqxVCEcG1FmEtXtr6hmZuBkCJDo9KFe1mcTPM5ashxMXUS19RqwgJ/H0+8t/S9yUa0E=,iv:oJIJaguLrkYZumpeyRDv4N19n/sEwpu6bZBz3S1bw7I=,tag:/6J7icnJVkdtOaLRJbpgdA==,type:str] 26 | pgp: [] 27 | encrypted_regex: ^(data|stringData)$ 28 | mac_only_encrypted: true 29 | version: 3.9.4 30 | -------------------------------------------------------------------------------- /kubernetes/apps/network/external/external-dns/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: external-external-dns 7 | spec: 8 | refreshInterval: "12h" 9 | 10 | secretStoreRef: 11 | name: azure-keyvault 12 | kind: ClusterSecretStore 13 | 14 | target: 15 | name: 
external-external-dns-secret 16 | creationPolicy: Owner 17 | deletionPolicy: Delete 18 | 19 | data: 20 | - secretKey: CF_API_TOKEN 21 | remoteRef: 22 | key: Cloudflare-Api-Token 23 | -------------------------------------------------------------------------------- /kubernetes/apps/network/external/external-dns/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: &app external-dns 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: external-dns 12 | version: 1.16.1 13 | sourceRef: 14 | kind: HelmRepository 15 | name: external-dns 16 | namespace: flux-system 17 | install: 18 | crds: CreateReplace 19 | disableSchemaValidation: true # Ref: https://github.com/kubernetes-sigs/external-dns/issues/5206 20 | remediation: 21 | retries: 3 22 | upgrade: 23 | cleanupOnFail: true 24 | disableSchemaValidation: true # Ref: https://github.com/kubernetes-sigs/external-dns/issues/5206 25 | crds: CreateReplace 26 | remediation: 27 | strategy: rollback 28 | retries: 3 29 | values: 30 | fullnameOverride: *app 31 | provider: 32 | name: cloudflare 33 | env: 34 | - name: &name CF_API_TOKEN 35 | valueFrom: 36 | secretKeyRef: 37 | name: &secret external-external-dns-secret 38 | key: *name 39 | extraArgs: 40 | - --cloudflare-dns-records-per-page=1000 41 | - --cloudflare-proxied 42 | - --crd-source-apiversion=externaldns.k8s.io/v1alpha1 43 | - --crd-source-kind=DNSEndpoint 44 | - --ignore-ingress-tls-spec 45 | - --ingress-class=external 46 | triggerLoopOnEvent: true 47 | policy: sync 48 | sources: ["crd", "ingress"] 49 | txtOwnerId: default 50 | txtPrefix: k8s. 
51 | domainFilters: ["unscfleet.com"] 52 | serviceMonitor: 53 | enabled: true 54 | podAnnotations: 55 | secret.reloader.stakater.com/reload: *secret 56 | -------------------------------------------------------------------------------- /kubernetes/apps/network/external/external-dns/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/network/external/ingress-nginx/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/network/internal/external-dns/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: external-dns-unifi-secret 7 | spec: 8 | refreshInterval: "12h" 9 | 10 | secretStoreRef: 11 | name: azure-keyvault 12 | kind: ClusterSecretStore 13 | 14 | target: 15 | name: external-dns-unifi-secret 16 | creationPolicy: Owner 17 | 18 | data: 19 | - secretKey: EXTERNAL_DNS_UNIFI_USER 20 | remoteRef: 21 | key: Unifi-External-DNS-Username 22 | 23 | - secretKey: EXTERNAL_DNS_UNIFI_PASS 24 | remoteRef: 25 | key: Unifi-External-DNS-Password 26 | 
-------------------------------------------------------------------------------- /kubernetes/apps/network/internal/external-dns/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml -------------------------------------------------------------------------------- /kubernetes/apps/network/internal/ingress-nginx/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/network/internal/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app internal-external-dns 7 | namespace: &namespace network 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | dependsOn: 13 | - name: external-secrets-azure 14 | namespace: external-secrets 15 | interval: 30m 16 | path: ./kubernetes/apps/network/internal/external-dns 17 | prune: true 18 | sourceRef: 19 | kind: GitRepository 20 | name: flux-system 21 | namespace: flux-system 22 | targetNamespace: *namespace 23 | timeout: 5m 24 | wait: false 25 | --- 26 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 27 | apiVersion: kustomize.toolkit.fluxcd.io/v1 28 | 
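kind: Kustomization
metadata:
  name: &app internal-ingress-nginx
  namespace: &namespace network
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Wait for the cert-manager-tls Kustomization (the certificates the controller serves, presumably) first.
  dependsOn:
    - name: cert-manager-tls
      namespace: cert-manager
  interval: 30m
  path: ./kubernetes/apps/network/internal/ingress-nginx
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/network/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: network
resources:
  - ./external/ks.yaml
  - ./internal/ks.yaml
components:
  - ../../flux/components/namespace
  - ../../flux/components/sops
patches:
  - # Add the name to the namespace
    patch: |
      - op: add
        path: /metadata/name
        value: network
    target:
      kind: Namespace
--------------------------------------------------------------------------------
/kubernetes/apps/observability/gatus/app/config/config.yaml:
--------------------------------------------------------------------------------
---
# Gatus configuration. ${WEB_PORT} and ${DISCORD_WEBHOOK} are expanded by Gatus from the pod
# environment at start-up, so the webhook URL never appears in the rendered ConfigMap.
web:
  port: ${WEB_PORT}
storage:
  type: sqlite
  path: /config/sqlite.db
  caching: true
metrics: true
debug: false
ui:
  title: Status | Gatus
  header: Status
alerting:
  discord:
    webhook-url: ${DISCORD_WEBHOOK}
    default-alert:
      description: healthcheck failed
      send-on-resolved: true
      # Five consecutive failures before alerting, three successes before resolving.
      failure-threshold: 5
      success-threshold: 3
connectivity:
  # Endpoint checks are held while the cluster itself cannot reach this resolver.
  checker:
    target: 1.1.1.1:53
    interval: 1m
endpoints:
  - name: flux-webhook
    group: external
    url: https://flux-webhook.unscfleet.com
    interval: 1m
    client:
      # Resolve via a public resolver rather than cluster DNS, so the public record is what gets probed.
      dns-resolver: tcp://1.1.1.1:53
    conditions:
      # A 404 is the expected answer here (presumably the receiver's root path); any other status marks it down.
      - "[STATUS] == 404"
    alerts:
      - type: discord
--------------------------------------------------------------------------------
/kubernetes/apps/observability/gatus/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: gatus-secret
  namespace: observability
spec:
  refreshInterval: "12h"

  secretStoreRef:
    name: azure-keyvault
    kind: ClusterSecretStore

  target:
    name: gatus-secret
    creationPolicy: Owner
    # Render the Key Vault value under the env-var name config.yaml expects.
    template:
      engineVersion: v2
      data:
        DISCORD_WEBHOOK: "{{ .DiscordWebhook }}"

  data:
    - secretKey: DiscordWebhook
      remoteRef:
        key: Gatus-Discord-Webhook
--------------------------------------------------------------------------------
/kubernetes/apps/observability/gatus/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./pvc.yaml
  - ./rbac.yaml
  - ./helmrelease.yaml
configMapGenerator:
  - name: gatus-configmap
    files:
      - config.yaml=./config/config.yaml
generatorOptions:
  # A stable ConfigMap name means a config change does not roll the pod on its own;
  # the workload (outside this excerpt) needs a reloader annotation or similar for that.
  disableNameSuffixHash: true
  annotations:
    # The ${...} placeholders in config.yaml belong to Gatus; keep Flux post-build substitution off them.
    kustomize.toolkit.fluxcd.io/substitute: disabled
--------------------------------------------------------------------------------
/kubernetes/apps/observability/gatus/app/pvc.yaml:
--------------------------------------------------------------------------------
---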
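apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: gatus
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 5Gi
  storageClassName: ceph-block
--------------------------------------------------------------------------------
/kubernetes/apps/observability/gatus/app/rbac.yaml:
--------------------------------------------------------------------------------
---
# Cluster-wide read access bound to the gatus ServiceAccount (the consumer, presumably a config-sync
# sidecar in the HelmRelease outside this excerpt, is not visible here).
# NOTE(review): get/list/watch on "secrets" in every namespace is a broad grant — list returns full Secret
# contents. If only ConfigMaps are read outside observability, drop "secrets" from this ClusterRole; if
# Secrets are only read inside observability, give them a namespaced Role/RoleBinding instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gatus
rules:
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gatus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gatus
subjects:
  - kind: ServiceAccount
    name: gatus
    namespace: observability
--------------------------------------------------------------------------------
/kubernetes/apps/observability/gatus/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app gatus
  namespace: &namespace observability
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # gatus-secret is an ExternalSecret, so the azure-keyvault store must be reconciled first.
  dependsOn:
    - name: external-secrets-azure
      namespace: external-secrets
  interval: 30m
  path: ./kubernetes/apps/observability/gatus/app
  postBuild:
    substitute:
      APP: *app
      GATUS_SUBDOMAIN: status
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/observability/grafana/app/externalsecret.yaml: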
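--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
# Grafana admin credentials from Azure Key Vault, written to grafana-admin-secret
# (consumed by the Grafana HelmRelease outside this excerpt, presumably).
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: grafana
spec:
  refreshInterval: "12h"

  secretStoreRef:
    name: azure-keyvault
    kind: ClusterSecretStore

  target:
    name: grafana-admin-secret
    creationPolicy: Owner

  data:
    - secretKey: admin-user
      remoteRef:
        key: Grafana-Admin-User

    - secretKey: admin-password
      remoteRef:
        key: Grafana-Admin-Password
--------------------------------------------------------------------------------
/kubernetes/apps/observability/grafana/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/grafana/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kubernetes.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app grafana
  namespace: &namespace observability
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Shared Gatus check template delivered as a Flux component (contents outside this excerpt).
  components:
    - ../../../../flux/components/gatus/guarded
  dependsOn:
    - name: external-secrets-azure
      namespace: external-secrets
  interval: 30m
  path: ./kubernetes/apps/observability/grafana/app
  postBuild:
    substitute:
      APP: *app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false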
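--------------------------------------------------------------------------------
/kubernetes/apps/observability/kromgo/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: kromgo-configmap
    files:
      - config.yaml=./resources/config.yaml
generatorOptions:
  # Stable name: a config change does not roll the pod by itself.
  disableNameSuffixHash: true
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kromgo/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app kromgo
  namespace: &namespace observability
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 30m
  path: ./kubernetes/apps/observability/kromgo/app
  postBuild:
    substitute:
      APP: *app
      # Presumably the path a Gatus check probes on this app; the consumer is outside this excerpt.
      GATUS_PATH: /talos_version
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kube-prometheus-stack/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
# Alertmanager receiver credentials (Discord webhook, Pushover) sourced from Azure Key Vault.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: alertmanager
spec:
  refreshInterval: "12h"

  secretStoreRef:
    name: azure-keyvault
    kind: ClusterSecretStore
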
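# ExternalSecret spec continues from the previous chunk.
  target:
    name: alertmanager-secret
    creationPolicy: Owner
    # Delete: the target Secret is removed when its provider data is gone. The exact semantics of this
    # field differ between ESO releases — confirm against the deployed version before relying on it.
    deletionPolicy: Delete

  data:
    - secretKey: ALERTMANAGER_DISCORD_WEBHOOK_URL
      remoteRef:
        key: Discord-AlertManager-Webhook-Url

    - secretKey: PUSHOVER_USER_KEY
      remoteRef:
        key: Pushover-User-Key

    - secretKey: ALERTMANAGER_PUSHOVER_TOKEN
      remoteRef:
        key: AlertManager-Pushover-Token
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./alertmanagerconfig.yaml
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app kube-prometheus-stack
  namespace: &namespace observability
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # NOTE(review): this path contains an ExternalSecret, but unlike the gatus and grafana Kustomizations
  # there is no dependsOn external-secrets-azure here; the first reconcile may fail until the store exists.
  # Adding the same dependsOn as the siblings would be consistent, provided it introduces no cycle.
  interval: 30m
  path: ./kubernetes/apps/observability/kube-prometheus-stack/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: observability
resources: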
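# Flux Kustomizations reconciled into the observability namespace (resources list continues from the previous chunk).
  - ./gatus/ks.yaml
  - ./grafana/ks.yaml
  - ./kromgo/ks.yaml
  - ./kube-prometheus-stack/ks.yaml
  - ./loki/ks.yaml
  - ./promtail/ks.yaml
  - ./unpoller/ks.yaml
components:
  - ../../flux/components/namespace
  - ../../flux/components/sops
patches:
  - # Add the name to the namespace
    patch: |
      - op: add
        path: /metadata/name
        value: observability
    target:
      kind: Namespace
--------------------------------------------------------------------------------
/kubernetes/apps/observability/loki/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/loki/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app loki
  namespace: &namespace observability
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Wait for the Ceph cluster (presumably Loki's persistent storage) before reconciling.
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 30m
  path: ./kubernetes/apps/observability/loki/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false

--------------------------------------------------------------------------------
/kubernetes/apps/observability/promtail/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: promtail
spec:
  interval: 30m
  chart:
    spec:
      chart: promtail
      version: 6.17.0
      sourceRef:
        kind: HelmRepository
        name: grafana
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values:
    fullnameOverride: promtail
    config:
      clients:
        # Plain-HTTP push to Loki over the in-cluster service address; this traffic never leaves the cluster network.
        - url: http://loki-headless.observability.svc.cluster.local:3100/loki/api/v1/push
    serviceMonitor:
      enabled: true
--------------------------------------------------------------------------------
/kubernetes/apps/observability/promtail/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/promtail/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app promtail
  namespace: &namespace observability
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 30m
  path: ./kubernetes/apps/observability/promtail/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false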
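--------------------------------------------------------------------------------
/kubernetes/apps/observability/unpoller/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
# UniFi controller credentials for unpoller, sourced from Azure Key Vault.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: unpoller
  namespace: observability
spec:
  refreshInterval: "12h"

  secretStoreRef:
    name: azure-keyvault
    kind: ClusterSecretStore

  target:
    name: unpoller-secret
    creationPolicy: Owner

  data:
    - secretKey: UP_UNIFI_DEFAULT_USER
      remoteRef:
        key: Unifi-Unpoller-Username

    - secretKey: UP_UNIFI_DEFAULT_PASS
      remoteRef:
        key: Unifi-Unpoller-Password
--------------------------------------------------------------------------------
/kubernetes/apps/observability/unpoller/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Redundant with the Flux Kustomization's targetNamespace, but harmless.
namespace: observability
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/unpoller/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app unpoller
  namespace: &namespace observability
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # NOTE(review): this path contains an ExternalSecret but no dependsOn external-secrets-azure,
  # unlike the gatus/grafana Kustomizations; first reconcile may fail until the store exists.
  interval: 30m
  path: ./kubernetes/apps/observability/unpoller/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/openebs-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./openebs/ks.yaml
components:
  - ../../flux/components/namespace
patches:
  - # Add the name to the namespace
    patch: |
      - op: add
        path: /metadata/name
        value: openebs-system
    target:
      kind: Namespace
--------------------------------------------------------------------------------
/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
# OpenEBS trimmed down to the hostpath local-PV provisioner only.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: openebs
spec:
  interval: 30m
  chart:
    spec:
      chart: openebs
      version: 4.2.0
      sourceRef:
        kind: HelmRepository
        name: openebs
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values:
    # Every engine except the hostpath provisioner is switched off.
    engines:
      local:
        lvm:
          enabled: false
        zfs:
          enabled: false
      replicated:
        mayastor:
          enabled: false
    openebs-crds:
      csi:
        # Snapshot CRDs are installed elsewhere (presumably the snapshot-controller release in volsync-system).
        volumeSnapshots:
          enabled: false
    localpv-provisioner:
      localpv:
        image:
          registry: quay.io/
      helperPod:
        image:
          registry: quay.io/
      hostpathClass:
        enabled: true
        name: openebs-hostpath
        # Not the cluster default; PVCs must opt in by storageClassName.
        isDefaultClass: false
        basePath: /var/openebs/local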
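--------------------------------------------------------------------------------
/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/openebs-system/openebs/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
# Unlike the other ks.yaml files here, this Kustomization lives in flux-system and only targets openebs-system.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app openebs
  namespace: flux-system
spec:
  targetNamespace: openebs-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/openebs-system/openebs/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/rook-ceph/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# NOTE(review): the other namespace-level kustomizations patch the Namespace's metadata.name;
# this one does not — confirm the namespace component (outside this excerpt) produces the right name.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: rook-ceph
resources:
  - ./rook-ceph/ks.yaml
components:
  - ../../flux/components/namespace
  - ../../flux/components/sops
--------------------------------------------------------------------------------
/kubernetes/apps/rook-ceph/rook-ceph/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: rook-ceph-operator
spec:
  interval: 30m
  timeout: 15m
  chart:
    spec:
      chart: rook-ceph
      version: v1.17.4
      sourceRef:
        kind: HelmRepository
        name: rook-ceph
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  values:
    csi:
      # msgr2 mode for kernel CephFS mounts: prefer-crc gives CRC-checked but unencrypted transport.
      # NOTE(review): if the storage network is not a trusted segment, the "secure" mode encrypts on the wire.
      cephFSKernelMountOptions: ms_mode=prefer-crc
      enableLiveness: true
      serviceMonitor:
        enabled: true
    enableDiscoveryDaemon: true
    monitoring:
      enabled: true
    resources:
      requests:
        memory: 128Mi # unchangeable
        cpu: 100m # unchangeable
      limits: {}
--------------------------------------------------------------------------------
/kubernetes/apps/rook-ceph/rook-ceph/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Operator first, then the CephCluster chart; other apps (loki, teleport) depend on rook-ceph-cluster.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app rook-ceph
  namespace: &namespace rook-ceph
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 30m
  path: ./kubernetes/apps/rook-ceph/rook-ceph/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app rook-ceph-cluster
  namespace: &namespace rook-ceph
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # NOTE(review): no dependsOn the rook-ceph operator Kustomization here; ordering presumably comes from
  # the cluster HelmRelease (outside this excerpt) or from retries — confirm.
  interval: 30m
  path: ./kubernetes/apps/rook-ceph/rook-ceph/cluster
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/teleport/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: teleport
resources:
  - ./teleport/ks.yaml
  - ./teleport-kube-agent/ks.yaml
components:
  - ../../flux/components/namespace
  - ../../flux/components/sops
patches:
  - # Add the name to the namespace
    patch: |
      - op: add
        path: /metadata/name
        value: teleport
    target:
      kind: Namespace
--------------------------------------------------------------------------------
/kubernetes/apps/teleport/teleport-kube-agent/agent/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json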
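apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: teleport-kube-agent
spec:
  interval: 15m
  chart:
    spec:
      chart: teleport-kube-agent
      version: 17.5.2
      interval: 15m
      sourceRef:
        kind: HelmRepository
        name: teleport
        namespace: flux-system
  values:
    log:
      # NOTE(review): DEBUG is very verbose and can carry request and session detail into the log
      # pipeline; INFO is the sensible steady-state level once the agent is stable.
      level: DEBUG
    # Must stay within the roles allowed by the "kubernetes-token" join token (teleport/app/resources/token.yaml).
    roles: kube,app,discovery,node,windowsdesktop
    # NOTE(review): with proxy TLS verification skipped, the agent will join and tunnel to whatever answers at
    # proxyAddr, so a spoofed proxy would go unnoticed. Set this to false as soon as the proxy presents a
    # certificate the agent can validate.
    insecureSkipProxyTLSVerify: true
    proxyAddr: teleport.unscfleet.com:443
    joinParams:
      # Kubernetes join: the agent proves its identity with its projected ServiceAccount token, which the
      # token resource on the auth side allow-lists by "namespace:serviceaccount".
      method: kubernetes
      tokenName: "kubernetes-token"
    kubeClusterName: HomeOpsCluster
    teleportConfig:
      discovery_service:
        kubernetes:
          # Only Services in "default" labelled teleport=enabled are auto-registered as apps.
          - types: ["app"]
            namespaces: [ "default" ]
            labels:
              teleport: enabled
      windows_desktop_service:
        # Quoted to match app_service.enabled below: unquoted `yes` is a YAML 1.1 boolean, quoted it is a string,
        # and the two were previously rendered differently into the agent config.
        enabled: "yes"
        # Static, non-domain-joined (ad: false) desktops on the 10.0.20.0/24 segment.
        static_hosts:
          - name: UNSC-PillarOfAutumn
            addr: 10.0.20.10
            ad: false
          - name: UNSC-AllUnderHeaven
            addr: 10.0.20.11
            ad: false
          - name: UNSC-Rubicon
            addr: 10.0.20.14
            ad: false
          - name: UNSC-GhostFlag
            addr: 10.0.20.15
            ad: false
      app_service:
        enabled: "yes"
        apps:
          - name: pikvm
            public_addr: pikvm.teleport.unscfleet.com
            uri: https://10.0.30.5/
            rewrite:
              headers:
                # The backend expects its own hostname, not the Teleport public address.
                - "Host: pikvm.unscfleet.com"
            # NOTE(review): the app proxy accepts any certificate from 10.0.30.5. Acceptable on a trusted
            # management segment; otherwise pin the PiKVM certificate/CA and turn this off.
            insecure_skip_verify: true
--------------------------------------------------------------------------------
/kubernetes/apps/teleport/teleport-kube-agent/agent/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/teleport/teleport-kube-agent/ks.yaml:
--------------------------------------------------------------------------------

---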
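apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app teleport-kube-agent
  namespace: &namespace teleport
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # The agent joins through the teleport release, so that Kustomization must be reconciled first.
  dependsOn:
    - name: teleport
      namespace: teleport
  interval: 30m
  path: ./kubernetes/apps/teleport/teleport-kube-agent/agent
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/teleport/teleport/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helmrelease.yaml
# NOTE(review): commonLabels also lands on selectors; newer kustomize prefers the `labels` field for that reason.
commonLabels:
  app.kubernetes.io/name: teleport
  app.kubernetes.io/instance: teleport
--------------------------------------------------------------------------------
/kubernetes/apps/teleport/teleport/app/resources/token.yaml:
--------------------------------------------------------------------------------
# Join rule for the in-cluster teleport-kube-agent. With the kubernetes join method there is no
# shared secret in this file: the agent's ServiceAccount token is what gets verified.
kind: token
version: v2
metadata:
  name: kubernetes-token
  # set a long expiry time, the default for tokens is only 30 minutes
  expires: "2050-01-01T00:00:00Z"
spec:
  # Use the minimal set of system roles required.
  # These must cover every role the agent requests (roles in the teleport-kube-agent HelmRelease).
  roles: [kube,app,discovery,node,windowsdesktop]

  # set the join method allowed for this token
  join_method: kubernetes

  kubernetes:
    type: in_cluster
    allow:
      # Service account names follow the format "namespace:serviceaccountname".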
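# Allow-list continues from the previous chunk: only this ServiceAccount may join with this token.
      - service_account: "teleport:teleport-kube-agent"
--------------------------------------------------------------------------------
/kubernetes/apps/teleport/teleport/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app teleport
  namespace: &namespace teleport
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Shared Gatus check and volsync backup templates, delivered as Flux components (outside this excerpt).
  components:
    - ../../../../flux/components/gatus/external
    - ../../../../flux/components/volsync
  # Storage (Ceph), secrets store and the backup controller all have to be up before teleport reconciles.
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: external-secrets-azure
      namespace: external-secrets
    - name: volsync
      namespace: volsync-system
  interval: 30m
  path: ./kubernetes/apps/teleport/teleport/app
  postBuild:
    substitute:
      APP: *app
      VOLSYNC_CAPACITY: 10Gi
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/volsync-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# NOTE(review): no Namespace name patch here, unlike network/observability/teleport — confirm the
# namespace component (outside this excerpt) yields "volsync-system" on its own.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: volsync-system
resources:
  - ./snapshot-controller/ks.yaml
  - ./volsync/ks.yaml
components:
  - ../../flux/components/namespace
  - ../../flux/components/sops
--------------------------------------------------------------------------------
/kubernetes/apps/volsync-system/snapshot-controller/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: snapshot-controller
spec:
  interval: 30m
  chart:
    spec:
      chart: snapshot-controller
      version: 4.0.2
      sourceRef:
        kind: HelmRepository
        name: piraeus
        namespace: flux-system
  install:
    # This release owns the VolumeSnapshot CRDs; CreateReplace keeps them current on upgrade.
    crds: CreateReplace
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    crds: CreateReplace
    remediation:
      strategy: rollback
      retries: 3
  values:
    controller:
      replicaCount: 1
      serviceMonitor:
        create: true
--------------------------------------------------------------------------------
/kubernetes/apps/volsync-system/snapshot-controller/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/volsync-system/snapshot-controller/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app snapshot-controller
  namespace: &namespace volsync-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 30m
  path: ./kubernetes/apps/volsync-system/snapshot-controller/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false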
-------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json # NOTE(review): this is the v2beta1 schema document while apiVersion below is helm.toolkit.fluxcd.io/v2; the snapshot-controller HelmRelease points at helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: volsync 7 | spec: 8 | interval: 15m 9 | chart: 10 | spec: 11 | chart: volsync 12 | version: 0.12.1 13 | sourceRef: 14 | kind: HelmRepository 15 | name: backube 16 | namespace: flux-system 17 | maxHistory: 3 18 | install: 19 | createNamespace: true 20 | remediation: 21 | retries: 3 22 | upgrade: 23 | cleanupOnFail: true 24 | remediation: 25 | retries: 3 26 | uninstall: 27 | keepHistory: false 28 | values: 29 | manageCRDs: true # the chart installs and upgrades the VolSync CRDs itself 30 | metrics: 31 | disableAuth: true # metrics endpoint is served unauthenticated; nothing in this release restricts who can reach it, so keep it in-cluster only (NetworkPolicy) and scrape it through the ServiceMonitor 32 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./prometheusrule.yaml -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/app/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/prometheusrule_v1.json 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: PrometheusRule 5 | metadata: 6 | name: volsync 7 | spec: 8 | groups: 9 | - name: volsync.rules 10 | rules: 11 | - alert: VolSyncComponentAbsent 12 | annotations: 13 | summary: VolSync component has disappeared from Prometheus target discovery. 
14 | expr: | 15 | absent(up{job=~".*volsync.*"} == 1) 16 | for: 15m 17 | labels: 18 | severity: critical 19 | - alert: VolSyncVolumeOutOfSync 20 | annotations: 21 | summary: >- 22 | {{ $labels.obj_namespace }}/{{ $labels.obj_name }} volume 23 | is out of sync. 24 | expr: | 25 | volsync_volume_out_of_sync == 1 26 | for: 15m 27 | labels: 28 | severity: critical 29 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app volsync 7 | namespace: flux-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | interval: 30m 13 | path: ./kubernetes/apps/volsync-system/volsync/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | targetNamespace: volsync-system 20 | timeout: 5m 21 | wait: false -------------------------------------------------------------------------------- /kubernetes/bootstrap/helmfile.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/helmfile 3 | 4 | helmDefaults: 5 | timeout: 600 6 | force: true 7 | wait: true 8 | waitForJobs: true 9 | 10 | repositories: 11 | - name: cilium 12 | url: https://helm.cilium.io 13 | 14 | - name: jetstack 15 | url: https://charts.jetstack.io 16 | 17 | releases: 18 | - name: prometheus-operator-crds 19 | namespace: observability 20 | chart: oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds 21 | version: 20.0.1 22 | 23 | - name: cilium 24 | namespace: kube-system 25 | chart: cilium/cilium 26 | version: 1.17.4 27 | values: 28 | - 
../apps/kube-system/cilium/app/helm-values.yaml 29 | needs: 30 | - observability/prometheus-operator-crds 31 | 32 | - name: coredns 33 | namespace: kube-system 34 | chart: oci://ghcr.io/coredns/charts/coredns 35 | version: 1.42.2 36 | values: 37 | - ../apps/kube-system/coredns/app/helm-values.yaml 38 | needs: 39 | - kube-system/cilium 40 | 41 | - name: cert-manager 42 | namespace: cert-manager 43 | chart: jetstack/cert-manager 44 | version: v1.17.2 45 | values: 46 | - ../apps/cert-manager/cert-manager/app/helm-values.yaml 47 | needs: 48 | - kube-system/coredns 49 | 50 | - name: flux-operator 51 | namespace: flux-system 52 | chart: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator 53 | version: 0.22.0 54 | values: 55 | - ../apps/flux-system/flux-operator/app/helm-values.yaml 56 | needs: 57 | - cert-manager/cert-manager 58 | 59 | - name: flux-instance 60 | namespace: flux-system 61 | chart: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-instance 62 | version: 0.22.0 63 | wait: false 64 | values: 65 | - ../apps/flux-system/flux-operator/instance/helm-values.yaml 66 | needs: 67 | - flux-system/flux-operator 68 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/clusterconfig/.gitignore: -------------------------------------------------------------------------------- 1 | kubernetes-fleetcom-node1.yaml 2 | kubernetes-fleetcom-node2.yaml 3 | kubernetes-fleetcom-node3.yaml 4 | talosconfig 5 | wipe-rook-node.yaml -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/patches/README.md: -------------------------------------------------------------------------------- 1 | # Talos Patching 2 | 3 | This directory contains Kustomization patches that are added to the talhelper configuration file. 
4 | 5 | 6 | 7 | ## Patch Directories 8 | 9 | Under this `patches` directory, there are several sub-directories that can contain patches that are added to the talhelper configuration file. 10 | Each directory is optional and therefore might not created by default. 11 | 12 | - `global/`: patches that are applied to both the controller and worker configurations 13 | - `controller/`: patches that are applied to the controller configurations 14 | - `worker/`: patches that are applied to the worker configurations 15 | - `${node-hostname}/`: patches that are applied to the node with the specified name 16 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/patches/controller/admission-controller-patch.yaml: -------------------------------------------------------------------------------- 1 | - op: remove 2 | path: /cluster/apiServer/admissionControl # removes Talos's default admission configuration, which is where the built-in PodSecurity admission (baseline enforce, restricted warn/audit) lives; none of the visible patches re-adds a PodSecurity config, so pod-security enforcement is off unless it is provided elsewhere (e.g. a policy engine) — confirm 3 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/patches/controller/cluster.yaml: -------------------------------------------------------------------------------- 1 | cluster: 2 | allowSchedulingOnControlPlanes: true # workloads share the control-plane nodes with etcd/apiserver 3 | controllerManager: 4 | extraArgs: 5 | bind-address: 0.0.0.0 # listen on every interface instead of loopback, presumably so the in-cluster scraper can reach the metrics port; the node network is trusted to that extent 6 | coreDNS: 7 | disabled: true 8 | etcd: 9 | extraArgs: 10 | listen-metrics-urls: http://0.0.0.0:2381 # plain-HTTP etcd metrics on all interfaces (metrics only, not the client API); absent a host firewall, anything on the node network can read them 11 | advertisedSubnets: 12 | - 10.0.30.0/24 13 | proxy: 14 | disabled: true 15 | scheduler: 16 | extraArgs: 17 | bind-address: 0.0.0.0 # same trade-off as controllerManager above 18 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/patches/global/machine-files.yaml: -------------------------------------------------------------------------------- 1 | machine: 2 | files: 3 | - op: create 4 | path: /etc/cri/conf.d/20-customization.part 5 | content: |- 6 | [plugins."io.containerd.cri.v1.images"] 7 | discard_unpacked_layers = false # keep unpacked image layers on disk, presumably so the node can serve them to peers (spegel) — confirm 8 | -------------------------------------------------------------------------------- 
/kubernetes/bootstrap/talos/patches/global/machine-kubelet.yaml: -------------------------------------------------------------------------------- 1 | machine: 2 | kubelet: 3 | extraMounts: 4 | - destination: /var/openebs/local 5 | type: bind 6 | source: /var/openebs/local 7 | options: 8 | - bind 9 | - rshared 10 | - rw 11 | nodeIP: 12 | validSubnets: 13 | - 10.0.30.0/24 14 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/patches/global/machine-network.yaml: -------------------------------------------------------------------------------- 1 | machine: 2 | network: 3 | disableSearchDomain: true 4 | nameservers: 5 | - 1.1.1.1 6 | - 1.0.0.1 7 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/patches/global/machine-sysctls.yaml: -------------------------------------------------------------------------------- 1 | machine: 2 | sysctls: 3 | fs.inotify.max_user_watches: "1048576" # Watchdog 4 | fs.inotify.max_user_instances: "8192" # Watchdog 5 | net.core.rmem_max: "7500000" # Cloudflared | QUIC 6 | net.core.wmem_max: "7500000" # Cloudflared | QUIC 7 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/talos/patches/global/machine-time.yaml: -------------------------------------------------------------------------------- 1 | machine: 2 | time: 3 | disabled: false 4 | servers: 5 | - 162.159.200.1 6 | - 162.159.200.123 7 | -------------------------------------------------------------------------------- /kubernetes/flux/components/gatus/external/config.yaml: -------------------------------------------------------------------------------- 1 | endpoints: 2 | - name: "${APP}" 3 | group: external 4 | url: "https://${GATUS_SUBDOMAIN:=${APP}}.unscfleet.com${GATUS_PATH:=/}" 5 | interval: 1m 6 | client: 7 | dns-resolver: tcp://1.1.1.1:53 8 | conditions: 9 | - "[STATUS] == ${GATUS_STATUS:=200}" 
-------------------------------------------------------------------------------- /kubernetes/flux/components/gatus/external/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | configMapGenerator: 6 | - name: ${APP}-gatus-ep 7 | files: 8 | - config.yaml=./config.yaml 9 | options: 10 | labels: 11 | gatus.io/enabled: "true" 12 | generatorOptions: 13 | disableNameSuffixHash: true -------------------------------------------------------------------------------- /kubernetes/flux/components/gatus/guarded/config.yaml: -------------------------------------------------------------------------------- 1 | endpoints: 2 | - name: "${APP}" 3 | group: guarded # inverted check: the endpoint passes only while public DNS returns NO record for the name; presumably these are internal-only hosts, and a public answer means the name leaked 4 | url: 1.1.1.1 # the resolver being queried (public DNS), not the app itself 5 | interval: 1m 6 | ui: 7 | hide-hostname: true 8 | hide-url: true 9 | dns: 10 | query-name: "${GATUS_SUBDOMAIN:=${APP}}.unscfleet.com" 11 | query-type: A 12 | conditions: 13 | - "len([BODY]) == 0" # empty A answer == healthy; any public record fails the check and alerts Discord 14 | alerts: 15 | - type: discord 16 | -------------------------------------------------------------------------------- /kubernetes/flux/components/gatus/guarded/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | configMapGenerator: 6 | - name: ${APP}-gatus-ep 7 | files: 8 | - config.yaml=./config.yaml 9 | options: 10 | labels: 11 | gatus.io/enabled: "true" 12 | generatorOptions: 13 | disableNameSuffixHash: true -------------------------------------------------------------------------------- /kubernetes/flux/components/namespace/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - ./namespace.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/flux/components/namespace/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: not-used # placeholder; the kustomization that includes this component renames it through its namespace: field (e.g. volsync-system) 6 | annotations: 7 | kustomize.toolkit.fluxcd.io/prune: disabled # Flux never garbage-collects the namespace (and everything in it) if the component is dropped 8 | -------------------------------------------------------------------------------- /kubernetes/flux/components/sops/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - ./secrets.sops.yaml # places the cluster's sops age private key (Secret sops-age) into every namespace that includes this component, presumably so Flux Kustomizations in that namespace can decrypt; any identity with Secret read there can decrypt every file encrypted to this recipient, so scope that RBAC tightly -------------------------------------------------------------------------------- /kubernetes/flux/components/sops/secrets.sops.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: sops-age 5 | stringData: 6 | age.agekey: ENC[AES256_GCM,data:L5YtR0mr0XyZ/Mh+DGi0sljiSNn0qv5VntvOdo2pVVOwGlUgBTjBJWRk4M5dbKXw4x/OQuccjJV/0zmCsc19Mbhi3Ke7aiMOEu4=,iv:U5UZsG43DeL+Hob6poL54ZNvyYbzWZ0w8z9FkD3HDSE=,tag:RJ5umTHPnRPdjWfpaIZu/g==,type:str] 7 | sops: 8 | kms: [] 9 | gcp_kms: [] 10 | azure_kv: [] 11 | hc_vault: [] 12 | age: 13 | - recipient: age1scvdjv7h3s38cqtq4gsnj6cpsvh62zuhu8dy72uye4jksz2w39ds0skqm5 14 | enc: | 15 | -----BEGIN AGE ENCRYPTED FILE----- 16 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVUU4MWZRU3JDY2xEaWJZ 17 | Yjc0bnhaRTM3S1pmMUl3WGpCWGFqbHRhSFFjCmZKbkp4ZjN6b1lxQkFTd09nWUVF 18 | YXcwNG9wOUo3eFcxZzRtc3NMS3RVUE0KLS0tIGZVQm5YcUtxdVVObXdTTjhuQzdm 19 | RW96UkpYbjhrZEk4M3cxMmNWNG1ObEkKWMGIOrBdDAIq0Bu19TVKfbxkCJpVUcph 20 | 
AttXqm1VQlqmN2gRcnUx9L+w08sv3aq1HaWZqCFpRqmGaEYFrUaktQ== 21 | -----END AGE ENCRYPTED FILE----- 22 | lastmodified: "2025-02-01T01:31:46Z" 23 | mac: ENC[AES256_GCM,data:IzvPk01MgW7wsXXYaPi/GiKmsKF0SYIY6UohdCrkxJOGHHEq0rmHLBV87kkpCojPoTNonF/Ggv84Nzi7NXkws4WB7dxPEVuerLWIygMkiWVtjAZ5Yk4YslUZJsh5IRPFrryzY8bLDno92/zl3wd9Uhz/USsRh9iCeNwjbGcDQUI=,iv:3xXkdbvnUNm1P5L5WYwyWDGM3vhG7esZ+CWlMIQILZQ=,tag:Z6AiwY8iqsy2jKdD6EdSow==,type:str] 24 | pgp: [] 25 | encrypted_regex: ^(data|stringData)$ 26 | version: 3.9.4 27 | -------------------------------------------------------------------------------- /kubernetes/flux/components/volsync/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - ./local 7 | - ./pvc.yaml -------------------------------------------------------------------------------- /kubernetes/flux/components/volsync/local/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: "${APP}-volsync" 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: azure-keyvault 11 | refreshInterval: "12h" 12 | target: 13 | creationPolicy: Owner 14 | deletionPolicy: Delete 15 | name: "${APP}-volsync-secret" 16 | template: 17 | engineVersion: v2 18 | data: 19 | RESTIC_REPOSITORY: "{{ .REPOSITORY_TEMPLATE }}/${APP}" 20 | RESTIC_PASSWORD: "{{ .RESTIC_PASSWORD }}" 21 | AWS_ACCESS_KEY_ID: "{{ .AWS_ACCESS_KEY_ID }}" 22 | AWS_SECRET_ACCESS_KEY: "{{ .AWS_SECRET_ACCESS_KEY }}" 23 | data: 24 | - secretKey: REPOSITORY_TEMPLATE 25 | remoteRef: 26 | key: Restic-Repository-Base 27 | - secretKey: RESTIC_PASSWORD 28 | 
remoteRef: 29 | key: Restic-Password 30 | - secretKey: AWS_ACCESS_KEY_ID 31 | remoteRef: 32 | key: AWS-Acess-Key-Id # spelling presumably matches the Key Vault entry as it exists today; rename both together or the lookup breaks 33 | - secretKey: AWS_SECRET_ACCESS_KEY 34 | remoteRef: 35 | key: AWS-Secret-Access-Key 36 | -------------------------------------------------------------------------------- /kubernetes/flux/components/volsync/local/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./replicationsource.yaml 8 | - ./replicationdestination.yaml -------------------------------------------------------------------------------- /kubernetes/flux/components/volsync/local/replicationdestination.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/volsync.backube/replicationdestination_v1alpha1.json 3 | apiVersion: volsync.backube/v1alpha1 4 | kind: ReplicationDestination 5 | metadata: 6 | name: "${APP}-dst" 7 | labels: 8 | kustomize.toolkit.fluxcd.io/ssa: IfNotPresent # create once and leave it alone, presumably so the manual restore trigger below is not re-armed on every reconcile 9 | spec: 10 | trigger: 11 | manual: restore-once 12 | restic: 13 | repository: "${APP}-volsync-secret" 14 | copyMethod: Snapshot 15 | volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:=csi-ceph-blockpool}" 16 | cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:=ceph-block}" 17 | cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:=ReadWriteOnce}"] 18 | cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:=5Gi}" 19 | storageClassName: "${VOLSYNC_STORAGECLASS:=ceph-block}" 20 | accessModes: ["${VOLSYNC_ACCESSMODES:=ReadWriteOnce}"] 21 | capacity: "${VOLSYNC_CAPACITY:=5Gi}" 22 | moverSecurityContext: 23 | runAsUser: ${VOLSYNC_PUID:=1000} # NOTE(review): default is 1000 here but 568 in replicationsource.yaml; an app that does not set VOLSYNC_PUID/PGID backs up as 568 and restores as 1000 24 | runAsGroup: ${VOLSYNC_PGID:=1000} 25 | fsGroup: ${VOLSYNC_PGID:=1000} 26 | enableFileDeletion: true # restore also removes files that are not in the snapshot 27 | 
cleanupCachePVC: true 28 | cleanupTempPVC: true -------------------------------------------------------------------------------- /kubernetes/flux/components/volsync/local/replicationsource.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/volsync.backube/replicationsource_v1alpha1.json 3 | apiVersion: volsync.backube/v1alpha1 4 | kind: ReplicationSource 5 | metadata: 6 | name: "${APP}" 7 | spec: 8 | sourcePVC: "${APP}" 9 | trigger: 10 | schedule: "0 * * * *" # hourly backup 11 | restic: 12 | copyMethod: "${VOLSYNC_COPYMETHOD:=Snapshot}" 13 | pruneIntervalDays: 14 14 | repository: "${APP}-volsync-secret" 15 | volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:=csi-ceph-blockpool}" 16 | cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:=5Gi}" 17 | cacheStorageClassName: "${VOLSYNC_CACHE_SNAPSHOTCLASS:=ceph-block}" 18 | cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:=ReadWriteOnce}"] 19 | storageClassName: "${VOLSYNC_STORAGECLASS:=ceph-block}" 20 | accessModes: ["${VOLSYNC_SNAP_ACCESSMODES:=ReadWriteOnce}"] # NOTE(review): VOLSYNC_SNAP_ACCESSMODES here vs VOLSYNC_ACCESSMODES in pvc.yaml and replicationdestination.yaml — confirm the separate knob is intended 21 | moverSecurityContext: 22 | runAsUser: ${VOLSYNC_PUID:=568} # NOTE(review): default 568 here, 1000 in replicationdestination.yaml; set VOLSYNC_PUID/PGID per app or align the two defaults 23 | runAsGroup: ${VOLSYNC_PGID:=568} 24 | fsGroup: ${VOLSYNC_PGID:=568} 25 | retain: 26 | hourly: 24 27 | daily: 7 28 | -------------------------------------------------------------------------------- /kubernetes/flux/components/volsync/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: "${APP}" 6 | spec: 7 | accessModes: ["${VOLSYNC_ACCESSMODES:=ReadWriteOnce}"] 8 | dataSourceRef: 9 | kind: ReplicationDestination 10 | apiGroup: volsync.backube 11 | name: "${APP}-dst" # the PVC is populated from the ReplicationDestination, i.e. a fresh deploy is restored from the restic repository 12 | resources: 13 | requests: 14 | storage: "${VOLSYNC_CAPACITY:=5Gi}" 15 | storageClassName: "${VOLSYNC_STORAGECLASS:=ceph-block}" -------------------------------------------------------------------------------- 
/kubernetes/flux/meta/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./repositories 7 | - ./settings 8 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/git/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: [] 6 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/backube.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: backube 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://backube.github.io/helm-charts/ 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/bjw-s.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: bjw-s 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://ghcr.io/bjw-s/helm 12 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/cilium.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: cilium 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://helm.cilium.io 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/controlplaneio.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: controlplaneio 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://ghcr.io/controlplaneio-fluxcd/charts 12 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/coredns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: coredns 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://ghcr.io/coredns/charts 12 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/csi-driver-nfs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: 
HelmRepository 5 | metadata: 6 | name: csi-driver-nfs 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/emberstack.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: emberstack 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://emberstack.github.io/helm-charts 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/emqx.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: emqx 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://repos.emqx.io/charts 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/external-dns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: external-dns 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://kubernetes-sigs.github.io/external-dns 11 | -------------------------------------------------------------------------------- 
/kubernetes/flux/meta/repositories/helm/external-secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: external-secrets 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://charts.external-secrets.io 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/grafana.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: grafana 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://grafana.github.io/helm-charts 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/ingress-nginx.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: ingress-nginx 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://kubernetes.github.io/ingress-nginx 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/intel.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: 
source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: intel 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://intel.github.io/helm-charts 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/jetstack.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: jetstack 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://charts.jetstack.io 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/k8s-gateway.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: k8s-gateway 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://ori-edge.github.io/k8s_gateway 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/k8sgpt.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: k8sgpt 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://charts.k8sgpt.ai/ 11 | -------------------------------------------------------------------------------- 
/kubernetes/flux/meta/repositories/helm/kubernetes-dashboard.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: kubernetes-dashboard 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://kubernetes.github.io/dashboard/ 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./backube.yaml 7 | - ./bjw-s.yaml 8 | - ./cilium.yaml 9 | - ./controlplaneio.yaml 10 | - ./coredns.yaml 11 | - ./csi-driver-nfs.yaml 12 | - ./emberstack.yaml 13 | - ./emqx.yaml 14 | - ./external-dns.yaml 15 | - ./external-secrets.yaml 16 | - ./grafana.yaml 17 | - ./ingress-nginx.yaml 18 | - ./intel.yaml 19 | - ./jetstack.yaml 20 | - ./k8s-gateway.yaml 21 | - ./k8sgpt.yaml 22 | - ./kubernetes-dashboard.yaml 23 | - ./metrics-server.yaml 24 | - ./node-feature-discovery.yaml 25 | - ./openebs.yaml 26 | - ./piraeus.yaml 27 | - ./postfinance.yaml 28 | - ./prometheus-community.yaml 29 | - ./rook-ceph.yaml 30 | - ./spegel.yaml 31 | - ./stakater.yaml 32 | - ./teleport.yaml 33 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/metrics-server.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: 
HelmRepository 5 | metadata: 6 | name: metrics-server 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://kubernetes-sigs.github.io/metrics-server 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/node-feature-discovery.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: node-feature-discovery 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://kubernetes-sigs.github.io/node-feature-discovery/charts 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/openebs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: openebs 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://openebs.github.io/openebs 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/piraeus.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: piraeus 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://piraeus.io/helm-charts/ 11 | -------------------------------------------------------------------------------- 
/kubernetes/flux/meta/repositories/helm/postfinance.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: postfinance 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://postfinance.github.io/kubelet-csr-approver 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/prometheus-community.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: prometheus-community 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://ghcr.io/prometheus-community/charts 12 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/rook-ceph.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: rook-ceph 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://charts.rook.io/release 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/spegel.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: spegel 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://ghcr.io/spegel-org/helm-charts 12 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/stakater.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: stakater 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://ghcr.io/stakater/charts 12 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/helm/teleport.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: teleport 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://charts.releases.teleport.dev 11 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/repositories/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./git 7 | - ./helm 8 | - ./oci 9 | -------------------------------------------------------------------------------- 
/kubernetes/flux/meta/repositories/oci/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: [] 6 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/settings/cluster-secrets.sops.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetesjsonschema.dev/v1.18.1-standalone-strict/secret-v1.json 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: cluster-secrets 6 | namespace: flux-system 7 | stringData: 8 | SECRET_DOMAIN: ENC[AES256_GCM,data:4lDOIL6TXc/V53VxGw==,iv:MA663toMQLEEMWGj/6joWy4gAbSWqvwnYq4dcijRjjI=,tag:Zp4JnVz0HUkh24oMi6921A==,type:str] 9 | SECRET_ACME_EMAIL: ENC[AES256_GCM,data:NkVOkEPfnn5eZGTd7MaQRsk/9czOjWb9oiU=,iv:jfc/cEUZONhxCXLP9XLqnhz52P2qXstiNfrsjgDn+O8=,tag:XdgBbkqZIUoo1x0Ag9iU9w==,type:str] 10 | SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:gKt/1lj6DX5UCbs5en+TF/PEkq2RTf/LpOF3jS6708C2eR3v,iv:bBTI3EJ+UBLDton9yI9gvVY3ngtKaR9HDgwlZ5gt2x4=,tag:2QdzjYjxeaR/iHIXgPKjqQ==,type:str] 11 | sops: 12 | kms: [] 13 | gcp_kms: [] 14 | azure_kv: [] 15 | hc_vault: [] 16 | age: 17 | - recipient: age1scvdjv7h3s38cqtq4gsnj6cpsvh62zuhu8dy72uye4jksz2w39ds0skqm5 18 | enc: | 19 | -----BEGIN AGE ENCRYPTED FILE----- 20 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYzZZOWNQSWZIc0lBRlZx 21 | K0tzVXVLcDAvWHA3UEhYcFIwdlpURENZbkNFCmhsM3AvclgyMHo4M1lScjVmMDZv 22 | SVg2cWt1TGFOT2ZRTVdnWGJDa1dOT28KLS0tIFNya3FNUmJkVEJYaGk5V3dSSERm 23 | RjVRQXVKZTZnV0o4TlBkRHZ5WENuQUkKXrKR/ZAY9PRYLLAZ/XKMOPb2OxjbDiIx 24 | hHIAg7ORkT6F/DIyCAy1YckHfzaEhX6+NhwxDScxaa6+7KeT2X6kiQ== 25 | -----END AGE ENCRYPTED FILE----- 26 | lastmodified: "2025-01-31T05:43:08Z" 27 | mac: 
ENC[AES256_GCM,data:qlP7cwRVtOU15MdudHiiHXr5FueBL8irRHLKXwzT0WrF6RUw9rvlogvuu2CKg1FT16KARpNIARF/4xsueHj+62M1wd8/PlkUlTLFqvA56NxCnrdjVhvimQsCtDWRXrQkgHzapPhrmr4DutdskxcmGFpHO3K4zfQ+dLcBkLhNkm8=,iv:c48KisyFturN9ojAnL9rG5gZ8W42uLkIVeh8nmBx3Fw=,tag:B1olV1TtlVjUa4YY3R32NA==,type:str] 28 | pgp: [] 29 | encrypted_regex: ^(data|stringData)$ 30 | mac_only_encrypted: true 31 | version: 3.9.4 32 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/settings/cluster-settings.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetesjsonschema.dev/v1.18.1-standalone-strict/configmap-v1.json 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: cluster-settings 7 | namespace: flux-system 8 | data: {} 9 | -------------------------------------------------------------------------------- /kubernetes/flux/meta/settings/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./cluster-settings.yaml 7 | - ./cluster-secrets.sops.yaml 8 | --------------------------------------------------------------------------------