├── .github ├── FUNDING.yml └── workflows │ └── yaml-lint.yaml ├── .gitignore ├── talos ├── kubelet-csr-approver │ ├── values.yaml │ └── kustomization.yaml ├── clusterconfig │ └── .gitignore ├── kustomization.yaml └── cni │ ├── values.yaml │ └── kustomization.yaml ├── cluster ├── apps │ ├── flux-system │ │ ├── flux-operator │ │ │ ├── base │ │ │ │ ├── helm │ │ │ │ │ ├── values.yaml │ │ │ │ │ └── kustomizeconfig.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── fluxtomization.yaml │ │ ├── flux-instance │ │ │ ├── base │ │ │ │ ├── helm │ │ │ │ │ └── kustomizeconfig.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── fluxtomization.yaml │ │ ├── flux-metrics │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── podmonitor.yaml │ │ │ └── fluxtomization.yaml │ │ ├── flux-webhook │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── httproute.yaml │ │ │ │ ├── github.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── fluxtomization.yaml │ │ └── kustomization.yaml │ ├── kube-system │ │ ├── cilium │ │ │ ├── operator │ │ │ │ ├── base │ │ │ │ │ ├── helm │ │ │ │ │ │ ├── kustomizeconfig.yaml │ │ │ │ │ │ └── values.yaml │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── helmrelease.yaml │ │ │ │ └── fluxtomization.yaml │ │ │ └── lb-networks │ │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── ciliumbgppeerconfig.yaml │ │ │ │ ├── ciliumbgpclusterconfig.yaml │ │ │ │ ├── ciliumbgpadvertisement.yaml │ │ │ │ └── ciliumloadbalancerippool.yaml │ │ │ │ └── fluxtomization.yaml │ │ ├── k8tz │ │ │ ├── base │ │ │ │ ├── issuer.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── metrics-server │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── fluxtomization.yaml │ │ ├── generic-device-plugin │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── kubelet-csr-approver │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── 
fluxtomization.yaml │ │ ├── kubernetes-replicator │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── fluxtomization.yaml │ │ ├── node-feature-discovery │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── fluxtomization.yaml │ │ ├── snapshot-controller │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── intel-device-plugins │ │ │ ├── gpu │ │ │ │ └── base │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── helmrelease.yaml │ │ │ └── operator │ │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ │ └── fluxtomization.yaml │ │ └── kustomization.yaml │ ├── default │ │ ├── bazarr │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── radarr │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── sonarr │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── autobrr │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── mosquitto │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── prowlarr │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── reloader │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── zigbee2mqtt │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── clusterpolicies │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── jellyfin │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── pvc.yaml │ │ │ └── fluxtomization.yaml │ │ ├── jellyseerr │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── pvc.yaml │ │ │ └── fluxtomization.yaml │ │ ├── tqm │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── firefly-iii │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── radicale │ │ │ ├── base │ │ │ │ ├── 
kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── fluxtomization.yaml │ │ ├── immich │ │ │ ├── database │ │ │ │ ├── base │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── init-sql.yaml │ │ │ │ └── fluxtomization.yaml │ │ │ ├── server │ │ │ │ ├── base │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ ├── pvc.yaml │ │ │ │ │ ├── externalsecret.yaml │ │ │ │ │ └── configmap.yaml │ │ │ │ └── fluxtomization.yaml │ │ │ └── machine-learning │ │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ │ └── fluxtomization.yaml │ │ ├── shared │ │ │ ├── redisclusters │ │ │ │ ├── ot-standalone │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── externalsecret.yaml │ │ │ │ └── fluxtomization.yaml │ │ │ └── postgresclusters │ │ │ │ ├── pgo-cluster │ │ │ │ └── kustomization.yaml │ │ │ │ └── fluxtomization.yaml │ │ ├── minio │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── pvc.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── fluxtomization.yaml │ │ ├── homeassistant │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── pvc.yaml │ │ │ └── fluxtomization.yaml │ │ ├── homepage │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── nextcloud │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── pvc.yaml │ │ │ │ ├── externalsecret.yaml │ │ │ │ └── httproute.yaml │ │ │ └── fluxtomization.yaml │ │ ├── qbittorrent │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── config │ │ │ │ │ └── Corefile │ │ │ │ └── externalsecret.yaml │ │ │ └── fluxtomization.yaml │ │ ├── cross-seed │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── fluxtomization.yaml │ │ └── recyclarr │ │ │ ├── base │ │ │ ├── kustomization.yaml │ │ │ └── externalsecret.yaml │ │ │ └── fluxtomization.yaml │ ├── cert-manager │ │ ├── cert-manager │ │ │ ├── issuers │ │ │ │ ├── domain-0 │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── clusterissuer.yaml │ │ │ │ ├── domain-1 │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── clusterissuer.yaml │ │ │ │ └── selfsigned │ 
│ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── clusterissuer.yaml │ │ │ └── operator │ │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ │ └── fluxtomization.yaml │ │ └── kustomization.yaml │ ├── nfs-system │ │ ├── csi-driver-nfs │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ └── kustomization.yaml │ ├── openebs-system │ │ ├── openebs │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ └── kustomization.yaml │ ├── monitoring-system │ │ ├── keda │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── fluxtomization.yaml │ │ ├── loki │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── kube-prometheus │ │ │ ├── crds │ │ │ │ ├── base │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── helmrelease.yaml │ │ │ │ └── fluxtomization.yaml │ │ │ └── stack │ │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ │ └── fluxtomization.yaml │ │ ├── blackbox-exporter │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── probe.yaml │ │ │ └── fluxtomization.yaml │ │ ├── grafana │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── fluxtomization.yaml │ │ ├── smartctl-exporter │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── gatus │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── vector-aggregator │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── fluxtomization.yaml │ │ └── kustomization.yaml │ ├── redis-operator │ │ ├── ot-operator │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── fluxtomization.yaml │ │ └── kustomization.yaml │ ├── rook-ceph │ │ ├── rook-ceph │ │ │ ├── operator │ │ │ │ ├── base │ │ │ │ │ └── kustomization.yaml │ │ │ │ └── fluxtomization.yaml │ │ │ └── cluster │ │ │ │ └── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── httproute.yaml │ │ └── 
kustomization.yaml │ ├── networking-system │ │ ├── echo-server │ │ │ ├── base │ │ │ │ └── kustomization.yaml │ │ │ └── fluxtomization.yaml │ │ ├── envoy-gateway │ │ │ ├── certificates │ │ │ │ ├── domain-0 │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── certificate.yaml │ │ │ │ └── domain-1 │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── certificate.yaml │ │ │ ├── gateways │ │ │ │ ├── external │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── redirect.yaml │ │ │ │ └── internal │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── redirect.yaml │ │ │ └── operator │ │ │ │ └── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── gatewayclass.yaml │ │ ├── adguardhome-external-dns │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── fluxtomization.yaml │ │ ├── cloudflare-external-dns │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── fluxtomization.yaml │ │ ├── external-services │ │ │ ├── attic │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── service.yaml │ │ │ │ ├── endpoints.yaml │ │ │ │ └── httproute.yaml │ │ │ ├── incus │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── service.yaml │ │ │ │ └── endpoints.yaml │ │ │ ├── tdarr │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── service.yaml │ │ │ │ ├── endpoints.yaml │ │ │ │ └── httproute.yaml │ │ │ ├── adguardhome │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── service.yaml │ │ │ │ ├── endpoints.yaml │ │ │ │ └── httproute.yaml │ │ │ ├── fullykioskbrowser │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── service.yaml │ │ │ │ ├── endpoints.yaml │ │ │ │ └── httproute.yaml │ │ │ └── omada-controller │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── service.yaml │ │ │ │ └── endpoints.yaml │ │ ├── cloudflared │ │ │ ├── base │ │ │ │ ├── dnsendpoint.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── externalsecret.yaml │ │ │ │ └── resources │ │ │ │ │ └── config.yaml │ │ │ └── fluxtomization.yaml │ │ └── kustomization.yaml │ ├── postgres-operator │ │ ├── cdpg-operator │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ 
│ │ └── helmrelease.yaml │ │ │ └── fluxtomization.yaml │ │ └── kustomization.yaml │ ├── backup-system │ │ ├── volsync │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── prometheusrule.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── fluxtomization.yaml │ │ └── kustomization.yaml │ ├── actions-runner-system │ │ ├── actions-runner-controller │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── helmrelease.yaml │ │ │ └── fluxtomization.yaml │ │ ├── actions-runner-runners │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── home-cluster │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ ├── externalsecret.yaml │ │ │ │ │ └── helmrelease.yaml │ │ │ │ └── ocirepository.yaml │ │ │ └── fluxtomization.yaml │ │ └── kustomization.yaml │ ├── authentication-system │ │ ├── lldap │ │ │ ├── base │ │ │ │ ├── kustomization.yaml │ │ │ │ └── externalsecret.yaml │ │ │ └── fluxtomization.yaml │ │ ├── kustomization.yaml │ │ └── authelia │ │ │ ├── base │ │ │ ├── referencegrant.yaml │ │ │ ├── kustomization.yaml │ │ │ └── externalsecret.yaml │ │ │ └── fluxtomization.yaml │ └── external-secrets │ │ ├── external-secrets │ │ ├── store │ │ │ ├── kustomization.yaml │ │ │ ├── externalsecret.yaml │ │ │ └── clustersecretstore.yaml │ │ └── operator │ │ │ ├── kustomization.yaml │ │ │ ├── poddisruptionbudget.yaml │ │ │ └── certificate.yaml │ │ └── kustomization.yaml ├── components │ ├── ext-auth │ │ ├── kustomization.yaml │ │ └── authentication.yaml │ ├── common │ │ ├── sops │ │ │ ├── kustomization.yaml │ │ │ └── externalsecret.yaml │ │ ├── ocirepositories │ │ │ ├── kustomization.yaml │ │ │ └── app-template │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ocirepository.yaml │ │ ├── flux-alerts │ │ │ ├── kustomization.yaml │ │ │ ├── discord │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── provider.yaml │ │ │ │ ├── externalsecret.yaml │ │ │ │ └── alert.yaml │ │ │ └── github │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── alert.yaml │ │ │ │ ├── provider.yaml │ │ │ │ └── externalsecret.yaml │ │ ├── namespace.yaml │ │ 
└── kustomization.yaml │ ├── keda │ │ └── nfs-scaler │ │ │ ├── kustomization.yaml │ │ │ └── scaledobject.yaml │ ├── volsync │ │ ├── kustomization.yaml │ │ ├── pvc.yaml │ │ ├── externalsecret.yaml │ │ └── replicationsource.yaml │ ├── privileged-namespace │ │ └── kustomization.yaml │ └── envsubst │ │ └── kustomization.yaml ├── bootstrap │ └── kustomization.yaml └── base │ └── fluxtomization.yaml ├── infrastructure └── pulumi │ └── github │ ├── Pulumi.yaml │ └── main.go ├── Taskfile.yaml ├── .envrc ├── flyio └── vaultwarden │ ├── .envrc │ └── flake.nix ├── .taskfiles └── VolSync │ ├── wait-for-job.sh │ ├── ListJob.tmpl.yaml │ ├── UnlockJob.tmpl.yaml │ ├── WipeJob.tmpl.yaml │ └── ReplicationDestination.tmpl.yaml ├── .sops.yaml ├── .yamllint.yaml ├── flux-local.nix └── flake.nix /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | github: budimanjojo 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | talos/*/charts 2 | .direnv/ 3 | -------------------------------------------------------------------------------- /talos/kubelet-csr-approver/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | providerRegex: ^k(master|worker)\d\d?$ 3 | -------------------------------------------------------------------------------- /cluster/apps/flux-system/flux-operator/base/helm/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | serviceMonitor: 3 | create: true 4 | -------------------------------------------------------------------------------- /talos/clusterconfig/.gitignore: -------------------------------------------------------------------------------- 1 | home-cluster-kmaster1.yaml 2 | home-cluster-kmaster2.yaml 3 | home-cluster-kmaster3.yaml 4 | talosconfig 5 | 
-------------------------------------------------------------------------------- /infrastructure/pulumi/github/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: pulumi-github 3 | runtime: go 4 | description: Pulumi Go program to manage my repositories IaC 5 | -------------------------------------------------------------------------------- /Taskfile.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | version: '3' 3 | 4 | vars: 5 | PROJECT_DIR: 6 | sh: git rev-parse --show-toplevel 7 | 8 | includes: 9 | vs: .taskfiles/VolSync/Tasks.yaml 10 | ks: .taskfiles/Kubernetes/Tasks.yaml 11 | -------------------------------------------------------------------------------- /cluster/apps/flux-system/flux-instance/base/helm/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /cluster/apps/flux-system/flux-operator/base/helm/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/cilium/operator/base/helm/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/k8tz/base/issuer.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/cert-manager.io/issuer_v1.json 3 | apiVersion: cert-manager.io/v1 4 | kind: Issuer 5 | metadata: 6 | name: k8tz-webhook-issuer 7 | spec: 8 | selfSigned: {} 9 | -------------------------------------------------------------------------------- /talos/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - cni 7 | - kubelet-csr-approver 8 | -------------------------------------------------------------------------------- /.envrc: -------------------------------------------------------------------------------- 1 | use_sops() { 2 | local path=${1} 3 | eval "$(sops -d --output-type dotenv "$path" | direnv dotenv bash /dev/stdin)" 4 | watch_file "$path" 5 | } 6 | 7 | if has nix; then 8 | use flake 9 | fi 10 | 11 | if has sops; then 12 | use sops ./restic-secret.sops.yaml 13 | fi 14 | -------------------------------------------------------------------------------- /cluster/components/ext-auth/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - ./authentication.yaml 7 | -------------------------------------------------------------------------------- /cluster/components/common/sops/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | -------------------------------------------------------------------------------- /cluster/components/keda/nfs-scaler/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - ./scaledobject.yaml 7 | -------------------------------------------------------------------------------- /cluster/components/common/ocirepositories/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./app-template 7 | -------------------------------------------------------------------------------- /flyio/vaultwarden/.envrc: -------------------------------------------------------------------------------- 1 | use_sops() { 2 | local path=${1} 3 | eval "$(sops -d --output-type dotenv "$path" | direnv dotenv bash /dev/stdin)" 4 | watch_file "$path" 5 | } 6 | 7 | if has nix; then 8 | use flake 9 | fi 10 | 11 | if has sops; then 12 | use sops ./flyctl-secret.sops.yaml 13 | fi 14 | -------------------------------------------------------------------------------- /cluster/components/common/flux-alerts/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./discord 7 | - ./github 8 | -------------------------------------------------------------------------------- /cluster/apps/default/bazarr/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/default/radarr/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/default/sonarr/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/bootstrap/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - github.com/fluxcd/flux2/manifests/install?ref=v2.7.5 7 | -------------------------------------------------------------------------------- /cluster/apps/cert-manager/cert-manager/issuers/domain-0/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./clusterissuer.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/cert-manager/cert-manager/issuers/domain-1/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./clusterissuer.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/default/autobrr/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/default/mosquitto/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # 
yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/default/prowlarr/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/default/reloader/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/default/zigbee2mqtt/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/components/common/ocirepositories/app-template/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./ocirepository.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/default/clusterpolicies/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./delete-cpu-limits.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/flux-system/flux-metrics/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: flux-system 6 | resources: 7 | - ./podmonitor.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/nfs-system/csi-driver-nfs/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: nfs-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- 
/cluster/apps/openebs-system/openebs/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: openebs-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/metrics-server/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: kube-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/monitoring-system/keda/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: monitoring-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/monitoring-system/loki/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: monitoring-system 6 | resources: 7 | - ./helmrelease.yaml 8 | 
-------------------------------------------------------------------------------- /cluster/apps/redis-operator/ot-operator/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: redis-operator 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/rook-ceph/rook-ceph/operator/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: rook-ceph 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/default/jellyfin/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./helmrelease.yaml 8 | - ./pvc.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/default/jellyseerr/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | 
namespace: default 6 | resources: 7 | - ./helmrelease.yaml 8 | - ./pvc.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/default/tqm/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./helmrelease.yaml 8 | - ./secret.sops.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/generic-device-plugin/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: kube-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/kubelet-csr-approver/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: kube-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/kubernetes-replicator/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: kube-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/node-feature-discovery/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: kube-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/snapshot-controller/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: kube-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/echo-server/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: networking-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/intel-device-plugins/gpu/base/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: kube-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/k8tz/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: kube-system 6 | resources: 7 | - ./helmrelease.yaml 8 | - ./issuer.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/postgres-operator/cdpg-operator/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: postgres-operator 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/cert-manager/cert-manager/issuers/selfsigned/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: cert-manager 6 | resources: 7 | - ./clusterissuer.yaml 8 | 
-------------------------------------------------------------------------------- /cluster/apps/default/firefly-iii/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/default/radicale/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/intel-device-plugins/operator/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: kube-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/monitoring-system/kube-prometheus/crds/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: 
kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: monitoring-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/monitoring-system/kube-prometheus/stack/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: monitoring-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/components/common/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.28.0-standalone-strict/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | # make sure the component called kustomization 7 | # has `namespace` field filled 8 | name: to-be-replaced 9 | -------------------------------------------------------------------------------- /cluster/apps/default/immich/database/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./init-sql.yaml 8 | - ./postgrescluster.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/rook-ceph/rook-ceph/cluster/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: rook-ceph 6 | resources: 7 | - ./helmrelease.yaml 8 | - ./httproute.yaml 9 | -------------------------------------------------------------------------------- /cluster/components/common/flux-alerts/discord/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./alert.yaml 7 | - ./externalsecret.yaml 8 | - ./provider.yaml 9 | -------------------------------------------------------------------------------- /cluster/components/common/flux-alerts/github/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./alert.yaml 7 | - ./externalsecret.yaml 8 | - ./provider.yaml 9 | -------------------------------------------------------------------------------- /cluster/components/common/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - ./flux-alerts 7 | - ./ocirepositories 8 | - ./sops 9 | - ./namespace.yaml 10 | -------------------------------------------------------------------------------- 
/cluster/apps/backup-system/volsync/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: backup-system 6 | resources: 7 | - ./helmrelease.yaml 8 | - ./prometheusrule.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/envoy-gateway/certificates/domain-0/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: networking-system 6 | resources: 7 | - ./certificate.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/envoy-gateway/certificates/domain-1/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: networking-system 6 | resources: 7 | - ./certificate.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/actions-runner-system/actions-runner-controller/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: 
Kustomization 5 | namespace: actions-runner-system 6 | resources: 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/default/shared/redisclusters/ot-standalone/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/monitoring-system/blackbox-exporter/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: monitoring-system 6 | resources: 7 | - ./helmrelease.yaml 8 | - ./probe.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/monitoring-system/grafana/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: monitoring-system 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/authentication-system/lldap/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # 
yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: authentication-system 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/default/minio/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | - ./pvc.yaml 10 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/envoy-gateway/gateways/external/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: networking-system 6 | resources: 7 | - ./gateway.yaml 8 | - ./redirect.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/envoy-gateway/gateways/internal/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: networking-system 6 | resources: 7 | - ./gateway.yaml 8 | - ./redirect.yaml 9 | 
-------------------------------------------------------------------------------- /cluster/apps/default/shared/postgresclusters/pgo-cluster/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./clustersecretstore.yaml 8 | - ./postgrescluster.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/monitoring-system/smartctl-exporter/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: monitoring-system 6 | resources: 7 | - ./helmrelease.yaml 8 | - ./prometheusrule.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/envoy-gateway/operator/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: networking-system 6 | resources: 7 | - ./gatewayclass.yaml 8 | - ./helmrelease.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/actions-runner-system/actions-runner-runners/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: actions-runner-system 6 | resources: 7 | - ./home-cluster 8 | - ./ocirepository.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/backup-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: backup-system 6 | components: 7 | - ../../components/common 8 | resources: 9 | - ./volsync/fluxtomization.yaml 10 | -------------------------------------------------------------------------------- /cluster/apps/default/homeassistant/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | - ./pvc.yaml 10 | -------------------------------------------------------------------------------- /cluster/apps/external-secrets/external-secrets/store/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: external-secrets 6 | resources: 7 | - ./clustersecretstore.yaml 8 | - ./externalsecret.yaml 9 | 
-------------------------------------------------------------------------------- /cluster/apps/networking-system/adguardhome-external-dns/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: networking-system 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/cloudflare-external-dns/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: networking-system 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/flux-system/flux-webhook/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: flux-system 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./github.yaml 9 | - ./httproute.yaml 10 | -------------------------------------------------------------------------------- /cluster/apps/redis-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: redis-operator 6 | components: 7 | - ../../components/common 8 | resources: 9 | - ./ot-operator/fluxtomization.yaml 10 | -------------------------------------------------------------------------------- /cluster/components/volsync/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./pvc.yaml 8 | - ./replicationdestination.yaml 9 | - ./replicationsource.yaml 10 | -------------------------------------------------------------------------------- /cluster/components/common/flux-alerts/discord/provider.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/notification.toolkit.fluxcd.io/provider_v1beta3.json 3 | apiVersion: notification.toolkit.fluxcd.io/v1beta3 4 | kind: Provider 5 | metadata: 6 | name: discord 7 | spec: 8 | type: discord 9 | secretRef: 10 | name: discord-notification 11 | channel: fluxcd 12 | -------------------------------------------------------------------------------- /cluster/apps/postgres-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: postgres-operator 6 | components: 7 | - ../../components/common 8 | resources: 9 | - ./cdpg-operator/fluxtomization.yaml 
10 | -------------------------------------------------------------------------------- /cluster/apps/default/homepage/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./configmap.yaml 9 | - ./helmrelease.yaml 10 | - ./rbac.yaml 11 | -------------------------------------------------------------------------------- /cluster/apps/default/nextcloud/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | - ./httproute.yaml 10 | - ./pvc.yaml 11 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/attic/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: networking-system 6 | resources: 7 | - ./endpoints.yaml 8 | - ./httproute.yaml 9 | - ./service.yaml 10 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/incus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: networking-system 6 | resources: 7 | - ./endpoints.yaml 8 | - ./httproute.yaml 9 | - ./service.yaml 10 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/tdarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: networking-system 6 | resources: 7 | - ./endpoints.yaml 8 | - ./httproute.yaml 9 | - ./service.yaml 10 | -------------------------------------------------------------------------------- /cluster/apps/cert-manager/cert-manager/operator/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: cert-manager 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | - ./prometheusrule.yaml 10 | -------------------------------------------------------------------------------- /cluster/apps/default/immich/server/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./configmap.yaml 8 | - ./externalsecret.yaml 9 | - 
./helmrelease.yaml 10 | - ./pvc.yaml 11 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/adguardhome/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: networking-system 6 | resources: 7 | - ./endpoints.yaml 8 | - ./httproute.yaml 9 | - ./service.yaml 10 | -------------------------------------------------------------------------------- /talos/cni/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ipam: 3 | mode: kubernetes 4 | kubeProxyReplacement: disabled 5 | securityContext: 6 | capabilities: 7 | ciliumAgent: [CHOWN, KILL, NET_ADMIN, NET_RAW, IPC_LOCK, SYS_ADMIN, SYS_RESOURCE, DAC_OVERRIDE, FOWNER, SETGID, SETUID] 8 | cleanCiliumState: [NET_ADMIN, SYS_ADMIN, SYS_RESOURCE] 9 | cgroup: 10 | autoMount: 11 | enabled: false 12 | hostRoot: /sys/fs/cgroup 13 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/fullykioskbrowser/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: networking-system 6 | resources: 7 | - ./endpoints.yaml 8 | - ./httproute.yaml 9 | - ./service.yaml 10 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/omada-controller/kustomization.yaml: 
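-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: networking-system 6 | resources: 7 | - ./endpoints.yaml 8 | - ./httproute.yaml 9 | - ./service.yaml 10 | -------------------------------------------------------------------------------- /cluster/apps/external-secrets/external-secrets/operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: external-secrets 6 | resources: 7 | - ./certificate.yaml 8 | - ./helmrelease.yaml 9 | - ./poddisruptionbudget.yaml 10 | -------------------------------------------------------------------------------- /.taskfiles/VolSync/wait-for-job.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Block until a pod belonging to the Kubernetes Job JOB_NAME reports the
# "Pending" phase, polling kubectl once per second.
# Lives under .taskfiles/VolSync; presumably run right after a job is created
# so that later steps can rely on its pod existing -- verify against the Taskfile.
#
# Usage: wait-for-job.sh JOB_NAME [NAMESPACE] [TIMEOUT_SECONDS]
#   JOB_NAME         required; pods are selected with the job-name label
#   NAMESPACE        defaults to "default"
#   TIMEOUT_SECONDS  give up with exit status 2 after this many seconds;
#                    0 (the default) keeps the original wait-forever behaviour
#
# Exit status: 0 once a Pending pod was observed, 1 on bad arguments, 2 on timeout.
set -u

JOB_NAME="${1:-}"
NAMESPACE="${2:-default}"
TIMEOUT="${3:-0}"

# Argument errors go to stderr so a caller capturing stdout does not mistake
# them for output.
if [[ -z "${JOB_NAME}" ]]; then
  echo "Job name not specified" >&2
  exit 1
fi
if ! [[ "${TIMEOUT}" =~ ^[0-9]+$ ]]; then
  echo "Timeout must be a non-negative integer, got '${TIMEOUT}'" >&2
  exit 1
fi

ELAPSED=0
while true; do
  # The jsonpath prints the phase of every matching pod, space separated, so
  # the comparison below only holds while exactly one pod exists and it is
  # Pending. NOTE(review): a pod that has already moved on to Running or
  # Succeeded never matches again, which is why a bounded wait is offered --
  # confirm whether the intent is "pod has been created" rather than
  # "pod is pending".
  STATUS="$(kubectl -n "${NAMESPACE}" get pod -l job-name="${JOB_NAME}" -o jsonpath='{.items[*].status.phase}')"
  if [ "${STATUS}" == "Pending" ]; then
    break
  fi
  if [[ "${TIMEOUT}" -gt 0 && "${ELAPSED}" -ge "${TIMEOUT}" ]]; then
    echo "Timed out after ${TIMEOUT}s waiting for a pod of job ${JOB_NAME} in namespace ${NAMESPACE}" >&2
    exit 2
  fi
  sleep 1
  ELAPSED=$((ELAPSED + 1))
done
-------------------------------------------------------------------------------- /cluster/apps/flux-system/flux-webhook/base/httproute.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: gateway.networking.k8s.io/v1 3 | kind: HTTPRoute 4 | metadata: 5 | name: flux-webhook 6 | spec: 7 | hostnames: ["flux-wh.${SECRET_DOMAIN_0}"] 8 | parentRefs: 9 | - name: 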
external 10 | namespace: networking-system 11 | port: 443 12 | rules: 13 | - backendRefs: 14 | - name: webhook-receiver 15 | port: 80 16 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/attic/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/service-v1.json 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: attic 7 | spec: 8 | ports: 9 | - name: http 10 | protocol: TCP 11 | port: 8080 12 | targetPort: http 13 | type: ClusterIP 14 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/incus/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/service-v1.json 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: incus 7 | spec: 8 | ports: 9 | - name: https 10 | protocol: TCP 11 | port: 8443 12 | targetPort: https 13 | type: ClusterIP 14 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/tdarr/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/service-v1.json 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: tdarr 7 | spec: 8 | ports: 9 | - name: http 10 | protocol: TCP 11 | port: 8265 12 | targetPort: http 13 | type: ClusterIP 14 | -------------------------------------------------------------------------------- 
/cluster/components/common/flux-alerts/github/alert.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/notification.toolkit.fluxcd.io/alert_v1beta3.json 3 | apiVersion: notification.toolkit.fluxcd.io/v1beta3 4 | kind: Alert 5 | metadata: 6 | name: github 7 | spec: 8 | providerRef: 9 | name: github 10 | eventSeverity: info 11 | eventSources: 12 | - kind: Kustomization 13 | name: "*" 14 | -------------------------------------------------------------------------------- /cluster/apps/actions-runner-system/actions-runner-runners/base/home-cluster/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: actions-runner-system 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | - ./rbac.yaml 10 | -------------------------------------------------------------------------------- /cluster/apps/external-secrets/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: external-secrets 6 | components: 7 | - ../../components/common 8 | - ../../components/envsubst 9 | resources: 10 | - ./external-secrets/fluxtomization.yaml 11 | -------------------------------------------------------------------------------- /cluster/apps/openebs-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: openebs-system 6 | components: 7 | - ../../components/common 8 | - ../../components/privileged-namespace 9 | resources: 10 | - ./openebs/fluxtomization.yaml 11 | -------------------------------------------------------------------------------- /cluster/components/common/flux-alerts/github/provider.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/notification.toolkit.fluxcd.io/provider_v1beta3.json 3 | apiVersion: notification.toolkit.fluxcd.io/v1beta3 4 | kind: Provider 5 | metadata: 6 | name: github 7 | spec: 8 | type: github 9 | address: https://github.com/budimanjojo/home-cluster 10 | secretRef: 11 | name: github-notification-token 12 | -------------------------------------------------------------------------------- /cluster/apps/default/minio/base/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/persistentvolumeclaim-v1.json 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: minio-nfs 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 500Gi 13 | storageClassName: nfs-csi 14 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/adguardhome/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/service-v1.json 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | 
name: adguardhome 7 | spec: 8 | ports: 9 | - name: http 10 | protocol: TCP 11 | port: 3000 12 | targetPort: http 13 | type: ClusterIP 14 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/tdarr/endpoints.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/endpoints-v1.json 3 | apiVersion: v1 4 | kind: Endpoints 5 | metadata: 6 | name: tdarr 7 | subsets: 8 | - addresses: 9 | - ip: 10.5.0.20 10 | ports: 11 | - name: http 12 | port: 8265 13 | protocol: TCP 14 | -------------------------------------------------------------------------------- /cluster/apps/default/jellyfin/base/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.28.0-standalone-strict/persistentvolumeclaim-v1.json 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: jellyfin-cache 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 30Gi 13 | storageClassName: nfs-csi 14 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/attic/endpoints.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/endpoints-v1.json 3 | apiVersion: v1 4 | kind: Endpoints 5 | metadata: 6 | name: attic 7 | subsets: 8 | - addresses: 9 | - ip: 192.168.200.30 10 | ports: 11 | - name: http 12 | port: 8080 13 | protocol: TCP 14 | -------------------------------------------------------------------------------- 
/cluster/apps/default/immich/server/base/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/persistentvolumeclaim-v1.json 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: immich-data 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 30Gi 13 | storageClassName: nfs-csi 14 | -------------------------------------------------------------------------------- /cluster/apps/default/jellyseerr/base/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.28.0-standalone-strict/persistentvolumeclaim-v1.json 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: jellyseerr-cache 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: nfs-csi 14 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/fullykioskbrowser/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/service-v1.json 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: fullykioskbrowser 7 | spec: 8 | ports: 9 | - name: http 10 | protocol: TCP 11 | port: 2323 12 | targetPort: 2323 13 | type: ClusterIP 14 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/omada-controller/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # 
yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/service-v1.json 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: omada-controller 7 | spec: 8 | ports: 9 | - name: https 10 | protocol: TCP 11 | port: 8043 12 | targetPort: https 13 | type: ClusterIP 14 | -------------------------------------------------------------------------------- /cluster/apps/default/homeassistant/base/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/persistentvolumeclaim-v1.json 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: homeassistant-cache 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 3Gi 13 | storageClassName: nfs-csi 14 | -------------------------------------------------------------------------------- /cluster/apps/default/nextcloud/base/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0-standalone-strict/persistentvolumeclaim-v1.json 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: nextcloud 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 60Gi 13 | storageClassName: nfs-csi 14 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/adguardhome/endpoints.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/endpoints-v1.json 3 | apiVersion: v1 4 | kind: Endpoints 5 
| metadata: 6 | name: adguardhome 7 | subsets: 8 | - addresses: 9 | - ip: 192.168.10.1 10 | ports: 11 | - name: http 12 | port: 3000 13 | protocol: TCP 14 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/incus/endpoints.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/endpoints-v1.json 3 | apiVersion: v1 4 | kind: Endpoints 5 | metadata: 6 | name: incus 7 | subsets: 8 | - addresses: 9 | - ip: ${CONFIG_NFS_SERVER_IP_ADDRESS} 10 | ports: 11 | - name: https 12 | port: 8443 13 | protocol: TCP 14 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/cilium/lb-networks/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: kube-system 6 | resources: 7 | - ./ciliumbgpadvertisement.yaml 8 | - ./ciliumbgpclusterconfig.yaml 9 | - ./ciliumbgppeerconfig.yaml 10 | - ./ciliumloadbalancerippool.yaml 11 | -------------------------------------------------------------------------------- /cluster/apps/nfs-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: nfs-system 6 | components: 7 | - ../../components/common 8 | - ../../components/envsubst 9 | - ../../components/privileged-namespace 10 | resources: 11 | - 
./csi-driver-nfs/fluxtomization.yaml 12 | -------------------------------------------------------------------------------- /cluster/apps/authentication-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: authentication-system 6 | components: 7 | - ../../components/common 8 | - ../../components/envsubst 9 | resources: 10 | - ./authelia/fluxtomization.yaml 11 | - ./lldap/fluxtomization.yaml 12 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/cloudflared/base/dnsendpoint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/externaldns.k8s.io/dnsendpoint_v1alpha1.json 3 | apiVersion: externaldns.k8s.io/v1alpha1 4 | kind: DNSEndpoint 5 | metadata: 6 | name: cloudflare-tunnel 7 | spec: 8 | endpoints: 9 | - dnsName: external.${SECRET_DOMAIN_1} 10 | recordType: CNAME 11 | targets: ["${SECRET_CLOUDFLARE_K8S_INGRESS_TUNNEL_ID}.cfargotunnel.com"] 12 | -------------------------------------------------------------------------------- /.github/workflows/yaml-lint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: YAML Lint 3 | 4 | on: 5 | workflow_dispatch: 6 | push: 7 | branches: [ '*' ] 8 | pull_request: 9 | 10 | jobs: 11 | yaml-lint: 12 | runs-on: ubuntu-latest 13 | steps: 14 | - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 15 | with: 16 | fetch-depth: 1 17 | - name: Lint YAML 18 | uses: ibiqlik/action-yamllint@v3 19 | with: 20 | config_file: .yamllint.yaml 21 | -------------------------------------------------------------------------------- 
/.sops.yaml:
--------------------------------------------------------------------------------
# sops uses the FIRST creation_rule whose path_regex matches, so order matters:
#  1. cluster/**/*.sops.ya?ml  -> only data/stringData/caBundle values are
#     encrypted; metadata (name, namespace, labels) stays readable so Flux and
#     kustomize can still address the object.
#  2. talos/**/*.sops.ya?ml    -> no encrypted_regex, so the whole document is
#     encrypted (the safer default for machine configs).
#  3. any other *-secret.sops.ya?ml -> whole document encrypted.
# All three rules share one age recipient. Rotating it means re-encrypting
# every matched file (`sops updatekeys`) AND replacing the private key held in
# Bitwarden that cluster/components/common/sops/externalsecret.yaml pulls in.
creation_rules:
  - encrypted_regex: '^(data|stringData|caBundle)$'
    path_regex: 'cluster/.*\.sops\.ya?ml$'
    age: >-
      age1zeqkpfz7e3s207ynea0z0auc0mrct0pc7w4sh6j3d0c4qac3dahqj9ufdg
  - path_regex: 'talos/.*\.sops\.ya?ml$'
    age: >-
      age1zeqkpfz7e3s207ynea0z0auc0mrct0pc7w4sh6j3d0c4qac3dahqj9ufdg
  - path_regex: '.*-secret\.sops\.ya?ml$'
    age: >-
      age1zeqkpfz7e3s207ynea0z0auc0mrct0pc7w4sh6j3d0c4qac3dahqj9ufdg
--------------------------------------------------------------------------------
/cluster/apps/cert-manager/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-manager
components:
  - ../../components/common
  - ../../components/envsubst
resources:
  - ./cert-manager/issuers/fluxtomization.yaml
  - ./cert-manager/operator/fluxtomization.yaml
--------------------------------------------------------------------------------
/cluster/apps/networking-system/external-services/omada-controller/endpoints.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/endpoints-v1.json
# Hand-maintained Endpoints for the selector-less `omada-controller` Service:
# the address is a LAN host, substituted from CONFIG_OMADA_CONTROLLER_IP.
apiVersion: v1
kind: Endpoints
metadata:
  name: omada-controller
subsets:
  - addresses:
      - ip: ${CONFIG_OMADA_CONTROLLER_IP}
    ports:
      - name: https
        port: 8043
        protocol: TCP
--------------------------------------------------------------------------------
/cluster/apps/flux-system/flux-webhook/base/github.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/notification.toolkit.fluxcd.io/receiver_v1.json 3 | apiVersion: notification.toolkit.fluxcd.io/v1 4 | kind: Receiver 5 | metadata: 6 | name: flux-system 7 | spec: 8 | type: github 9 | events: 10 | - "ping" 11 | - "push" 12 | secretRef: 13 | name: github-webhook-token 14 | resources: 15 | - kind: GitRepository 16 | name: flux-system 17 | -------------------------------------------------------------------------------- /cluster/apps/monitoring-system/blackbox-exporter/base/probe.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/monitoring.coreos.com/probe_v1.json 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: Probe 5 | metadata: 6 | name: nfs 7 | spec: 8 | module: tcp_connect 9 | prober: 10 | url: blackbox-exporter.monitoring-system.svc.cluster.local:9115 11 | path: /probe 12 | targets: 13 | staticConfig: 14 | static: 15 | - 192.168.200.30:2049 16 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/fullykioskbrowser/endpoints.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/endpoints-v1.json 3 | apiVersion: v1 4 | kind: Endpoints 5 | metadata: 6 | name: fullykioskbrowser 7 | subsets: 8 | - addresses: 9 | - ip: ${CONFIG_DASHBOARD_TABLET_IP_ADDRESS} 10 | ports: 11 | - name: http 12 | port: 2323 13 | protocol: TCP 14 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/envoy-gateway/gateways/internal/redirect.yaml: 
--------------------------------------------------------------------------------
---
# Catch-all HTTP -> HTTPS redirect for the `internal` gateway's port-80 listener.
# external-dns is told to ignore it so no DNS record is created for the route.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: https-redirect-internal
  annotations:
    external-dns.alpha.kubernetes.io/controller: none
spec:
  parentRefs:
    - name: internal
      port: 80
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
--------------------------------------------------------------------------------
/cluster/apps/kube-system/cilium/operator/base/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: cilium-values
    files:
      - values.yaml=./helm/values.yaml
configurations:
  - ./helm/kustomizeconfig.yaml
--------------------------------------------------------------------------------
/cluster/apps/actions-runner-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
# SECURITY NOTE (review): this namespace gets BOTH the common component and the
# privileged-namespace component. Assuming components/common includes its
# sops/ directory (cluster/components/common/sops/externalsecret.yaml), the
# cluster-wide SOPS age private key is materialized here as the `sops-age`
# Secret -- in the same namespace where self-hosted GitHub Actions runners
# execute workflow code under the `privileged` Pod Security level. Any
# workflow that can read Secrets in this namespace, or escape a privileged
# pod to the node, can decrypt every *.sops.yaml in the repo. Confirm the
# runner ServiceAccount (see actions-runner-runners/base/home-cluster/rbac.yaml)
# cannot get/list Secrets, and that workflows from fork PRs require approval
# before they are scheduled on these runners.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: actions-runner-system
components:
  - ../../components/common
  - ../../components/privileged-namespace
resources:
  - ./actions-runner-controller/fluxtomization.yaml
  - ./actions-runner-runners/fluxtomization.yaml
--------------------------------------------------------------------------------
/cluster/apps/authentication-system/authelia/base/referencegrant.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/referencegrant_v1beta1.json 3 | apiVersion: gateway.networking.k8s.io/v1beta1 4 | kind: ReferenceGrant 5 | metadata: 6 | name: authelia-to-default 7 | spec: 8 | from: 9 | - group: gateway.envoyproxy.io 10 | kind: SecurityPolicy 11 | namespace: default 12 | to: 13 | - group: "" 14 | kind: Service 15 | name: authelia 16 | -------------------------------------------------------------------------------- /cluster/apps/flux-system/flux-instance/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: flux-system 6 | resources: 7 | - ./helmrelease.yaml 8 | configMapGenerator: 9 | - name: flux-instance-values 10 | files: 11 | - values.yaml=./helm/values.yaml 12 | configurations: 13 | - ./helm/kustomizeconfig.yaml 14 | -------------------------------------------------------------------------------- /cluster/apps/flux-system/flux-operator/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: flux-system 6 | resources: 7 | - ./helmrelease.yaml 8 | configMapGenerator: 9 | - name: flux-operator-values 10 | files: 11 | - values.yaml=./helm/values.yaml 12 | configurations: 13 | - ./helm/kustomizeconfig.yaml 14 | -------------------------------------------------------------------------------- 
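/cluster/apps/networking-system/envoy-gateway/certificates/domain-1/certificate.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/cert-manager.io/certificate_v1.json
# Wildcard certificate for SECRET_DOMAIN_1, stored as domain-1-prod-tls for the
# gateway listeners. Note only "*.domain" is requested, not the apex.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: domain-1
spec:
  secretName: domain-1-prod-tls
  subject:
    organizations:
      - budimanjojo
  issuerRef:
    name: domain-1-prod
    kind: ClusterIssuer
  dnsNames:
    - "*.${SECRET_DOMAIN_1}"
--------------------------------------------------------------------------------
/cluster/apps/rook-ceph/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: rook-ceph
components:
  - ../../components/common
  - ../../components/envsubst
  - ../../components/privileged-namespace
resources:
  - ./rook-ceph/cluster/fluxtomization.yaml
  - ./rook-ceph/operator/fluxtomization.yaml
--------------------------------------------------------------------------------
/cluster/components/privileged-namespace/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
# Opts a namespace out of Pod Security Admission enforcement by labelling it
# `privileged`. Included only by namespace kustomizations whose workloads need
# it (storage drivers, actions runners, ...); every other namespace keeps the
# cluster default.
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
patches:
  - target:
      group: ""
      version: v1
      kind: Namespace
    # Strategic-merge rather than a JSON-patch `add` on /metadata/labels:
    # per RFC 6902, `add` on an existing object member REPLACES it, so a
    # JSON patch would silently discard any labels the Namespace manifest
    # already carries. The merge patch only sets this one key and needs no
    # pre-existing `labels` map.
    patch: |-
      apiVersion: v1
      kind: Namespace
      metadata:
        name: not-used  # ignored; the resource is selected by `target`
        labels:
          pod-security.kubernetes.io/enforce: privileged
--------------------------------------------------------------------------------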
/cluster/apps/monitoring-system/gatus/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: monitoring-system 6 | resources: 7 | - ./helmrelease.yaml 8 | configMapGenerator: 9 | - name: gatus-configmap 10 | files: 11 | - config.yaml=./resources/config.yaml 12 | generatorOptions: 13 | disableNameSuffixHash: true 14 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/tdarr/httproute.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/httproute_v1.json 3 | apiVersion: gateway.networking.k8s.io/v1 4 | kind: HTTPRoute 5 | metadata: 6 | name: tdarr 7 | spec: 8 | hostnames: ["tdarr.${SECRET_DOMAIN_0}"] 9 | parentRefs: 10 | - name: internal 11 | namespace: networking-system 12 | port: 443 13 | rules: 14 | - backendRefs: 15 | - name: tdarr 16 | port: 8265 17 | -------------------------------------------------------------------------------- /cluster/apps/default/qbittorrent/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | configMapGenerator: 10 | - name: qbittorrent-coredns 11 | files: 12 | - Corefile=./config/Corefile 13 | generatorOptions: 14 | disableNameSuffixHash: true 15 | 
-------------------------------------------------------------------------------- /cluster/apps/networking-system/external-services/attic/httproute.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/httproute_v1.json 3 | apiVersion: gateway.networking.k8s.io/v1 4 | kind: HTTPRoute 5 | metadata: 6 | name: attic 7 | spec: 8 | hostnames: ["cachix.${SECRET_DOMAIN_1}"] 9 | parentRefs: 10 | - name: external 11 | namespace: networking-system 12 | port: 443 13 | rules: 14 | - backendRefs: 15 | - name: attic 16 | port: 8080 17 | -------------------------------------------------------------------------------- /cluster/apps/default/cross-seed/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | resources: 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | configMapGenerator: 10 | - name: cross-seed-config-tpl 11 | files: 12 | - config.js=./resources/config.js 13 | generatorOptions: 14 | disableNameSuffixHash: true 15 | -------------------------------------------------------------------------------- /cluster/apps/default/immich/machine-learning/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: default 6 | labels: 7 | - pairs: 8 | app.kubernetes.io/name: immich-machine-learning 9 | app.kubernetes.io/instance: immich-machine-learning 10 | app.kubernetes.io/part-of: 
immich 11 | resources: 12 | - ./helmrelease.yaml 13 | -------------------------------------------------------------------------------- /cluster/apps/default/qbittorrent/base/config/Corefile: -------------------------------------------------------------------------------- 1 | .:53 { 2 | bind 127.0.0.2 3 | rewrite stop type AAAA A 4 | errors 5 | health :8081 { 6 | lameduck 5s 7 | } 8 | log { 9 | class error 10 | } 11 | forward . tls://9.9.9.9 { 12 | tls_servername dns.quad9.net 13 | policy sequential 14 | health_check 5s 15 | } 16 | reload 17 | } 18 | 19 | cluster.local:53 { 20 | bind 127.0.0.2 21 | rewrite stop type AAAA A 22 | errors 23 | log { 24 | class error 25 | } 26 | forward . 10.96.0.10 27 | } 28 | -------------------------------------------------------------------------------- /.yamllint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | extends: default 3 | 4 | yaml-files: 5 | - '*.yaml' 6 | - '*.yml' 7 | rules: 8 | brackets: 9 | max-spaces-inside: 1 10 | document-start: 11 | ignore: | 12 | *.sops.yaml 13 | *.sops.yml 14 | empty-lines: 15 | max: 1 16 | line-length: disable 17 | indentation: 18 | spaces: 2 19 | indent-sequences: consistent 20 | level: warning 21 | ignore: | 22 | *.sops.yaml 23 | *.sops.yml 24 | new-line-at-end-of-file: disable 25 | truthy: 26 | check-keys: false 27 | -------------------------------------------------------------------------------- /cluster/apps/default/immich/database/base/init-sql.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.28.0-standalone-strict/configmap-v1.json 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: immich-database-init-sql 7 | data: 8 | init.sql: |- 9 | \c immich\\ 10 | BEGIN; 11 | ALTER DATABASE immich OWNER TO immich; 12 | CREATE EXTENSION IF NOT EXISTS vchord CASCADE; 13 | CREATE EXTENSION 
IF NOT EXISTS earthdistance CASCADE;
COMMIT;
--------------------------------------------------------------------------------
/cluster/apps/default/recyclarr/base/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
# The recyclarr config is rendered from a checked-in file into a ConfigMap;
# the Sonarr/Radarr API keys stay in the ExternalSecret (recyclarr-secret),
# so nothing sensitive should be added to ./resources/config.yaml.
configMapGenerator:
  - name: recyclarr-configmap
    files:
      - recyclarr.yml=./resources/config.yaml
generatorOptions:
  # Stable ConfigMap name for the HelmRelease to reference. Without the hash
  # suffix a config-only change does not roll the pod by itself; something
  # that watches the ConfigMap (e.g. the reloader app in this namespace) has
  # to trigger the restart — confirm it is annotated for that.
  disableNameSuffixHash: true
--------------------------------------------------------------------------------
/cluster/apps/networking-system/envoy-gateway/certificates/domain-0/certificate.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/cert-manager.io/certificate_v1.json
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: domain-0
spec:
  # Wildcard certificate: the private key in this Secret is valid for every
  # host under the domain. Keep the Secret in the Gateway's namespace only and
  # hand it to other namespaces via ReferenceGrant rather than copying it.
  secretName: domain-0-prod-tls
  subject:
    organizations:
      - budimanjojo
  issuerRef:
    name: domain-0-prod
    kind: ClusterIssuer
  # A wildcard SAN can only be issued through DNS-01, so this ClusterIssuer
  # presumably uses the Cloudflare token from cert-manager's cloudflare-secret
  # ExternalSecret — keep that token scoped to DNS edit on this zone.
  dnsNames:
    - "${SECRET_DOMAIN_0}"
    - "*.${SECRET_DOMAIN_0}"
--------------------------------------------------------------------------------
/cluster/apps/networking-system/external-services/adguardhome/httproute.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/httproute_v1.json
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: adguardhome
spec:
  hostnames: ["adguard.${SECRET_DOMAIN_0}"]
  # Attached to the "internal" Gateway's 443 listener only. No auth filter is
  # set on this route, so access control relies on AdGuard's own login (or a
  # policy attached to the Gateway) — verify one of the two is in place.
  parentRefs:
    - name: internal
      namespace: networking-system
      port: 443
  rules:
    - backendRefs:
        # "external-services": the backend is presumably a Service pointing at
        # a host outside the cluster; traffic Gateway -> backend is plain HTTP.
        - name: adguardhome
          port: 3000
--------------------------------------------------------------------------------
/cluster/apps/flux-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
# "common" brings the shared OCIRepositories, flux-alerts and the sops-age
# ExternalSecret into this namespace; "envsubst" patches every Flux
# Kustomization below so ${VAR} placeholders resolve from the cluster-vars
# Secret.
components:
  - ../../components/common
  - ../../components/envsubst
resources:
  - ./flux-instance/fluxtomization.yaml
  - ./flux-metrics/fluxtomization.yaml
  - ./flux-operator/fluxtomization.yaml
  - ./flux-webhook/fluxtomization.yaml
--------------------------------------------------------------------------------
/cluster/apps/rook-ceph/rook-ceph/cluster/base/httproute.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/httproute_v1.json
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: rook-ceph-dashboard
spec:
  hostnames: ["rook.${SECRET_DOMAIN_0}"]
  parentRefs:
    - name: internal
      namespace: networking-system
      port: 443
  rules:
    - backendRefs:
        # Ceph mgr dashboard (7000 is its non-TLS port, presumably with the
        # dashboard's ssl option off); TLS terminates at the Gateway. This is
        # admin tooling for the storage layer and no auth filter is attached
        # here, so the dashboard's own login must stay enabled.
        - name: rook-ceph-mgr-dashboard
          port: 7000
--------------------------------------------------------------------------------
/cluster/components/common/ocirepositories/app-template/ocirepository.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: app-template
spec:
  interval: 30m
  timeout: 60s
  url: oci://ghcr.io/bjw-s-labs/helm/app-template
  ref:
    # Mutable tag: every HelmRelease built on this chart trusts whatever
    # ghcr.io serves for 4.5.0 at each 30m poll. Pin `digest:` next to the
    # tag, or add `spec.verify` if the publisher signs the chart, so a
    # re-pushed tag cannot change what gets rendered cluster-wide.
    tag: 4.5.0
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
--------------------------------------------------------------------------------
/cluster/apps/external-secrets/external-secrets/operator/poddisruptionbudget.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0-standalone-strict/poddisruptionbudget-policy-v1.json
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: external-secrets-webhook
spec:
  # Keep one validating-webhook pod up during drains; if the webhook is
  # unreachable, ExternalSecret/SecretStore admission either fails or — with
  # failurePolicy Ignore — is skipped, depending on the chart's setting.
  minAvailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: external-secrets-operator
      app.kubernetes.io/name: external-secrets-webhook
--------------------------------------------------------------------------------
/cluster/components/common/sops/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name sops-age
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # The age *private* key that decrypts every SOPS-encrypted manifest
        # Flux applies; stored base64-encoded in Bitwarden and decoded here.
        # This file is part of the shared "common" component, so the key is
        # materialised into every namespace that includes that component.
        # Keep that to flux-system (where kustomize-controller reads it);
        # copying a root decryption key into app namespaces widens exposure.
        sops.agekey: "{{ .SOPS_AGE_KEY | b64dec }}"
  dataFrom:
    - extract:
        key: sops
--------------------------------------------------------------------------------
/cluster/apps/networking-system/external-services/fullykioskbrowser/httproute.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/httproute_v1.json
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: fullykioskbrowser
spec:
  hostnames: ["fully.${SECRET_DOMAIN_0}"]
  parentRefs:
    - name: internal
      namespace: networking-system
      port: 443
  rules:
    - backendRefs:
        # Fully Kiosk's remote-admin interface (2323 is its default). Exposed
        # on the internal Gateway without a route-level auth filter, so the
        # app's own remote-admin password must be set.
        - name: fullykioskbrowser
          port: 2323
--------------------------------------------------------------------------------
/cluster/apps/kube-system/cilium/operator/base/helm/values.yaml:
--------------------------------------------------------------------------------
---
# Cilium values for the in-cluster HelmRelease. A bootstrap copy is rendered
# from talos/cni/values.yaml (see talos/cni/kustomization.yaml); keep the two
# in step or the Flux-managed release will fight the bootstrap objects.
bgpControlPlane:
  enabled: true
ipam:
  mode: kubernetes
# kube-proxy replacement: the agent programs service load-balancing itself,
# so it must reach the API server without the kubernetes ClusterIP.
# 127.0.0.1:7445 is the per-node local API endpoint (Talos KubePrism,
# presumably) — it must match the Talos machine config or the agent will
# never come up.
kubeProxyReplacement: true
k8sServiceHost: 127.0.0.1
k8sServicePort: 7445
securityContext:
  capabilities:
    # Explicit capability list instead of a privileged agent pod. NET_ADMIN /
    # SYS_ADMIN / SYS_RESOURCE are unavoidable for the eBPF datapath, but the
    # remaining root capabilities (SYS_MODULE, SYS_PTRACE, ...) stay dropped.
    ciliumAgent: [CHOWN, KILL, NET_ADMIN, NET_RAW, IPC_LOCK, SYS_ADMIN, SYS_RESOURCE, DAC_OVERRIDE, FOWNER, SETGID, SETUID]
    cleanCiliumState: [NET_ADMIN, SYS_ADMIN, SYS_RESOURCE]
cgroup:
  # The host already provides cgroup v2 at /sys/fs/cgroup; do not let the
  # init container try to mount it (it would need extra privilege to do so).
  autoMount:
    enabled: false
  hostRoot: /sys/fs/cgroup
envoy:
  # Cilium's embedded Envoy (L7 policy) is off; L7 routing is done by
  # envoy-gateway in networking-system instead.
  enabled: false
--------------------------------------------------------------------------------
/cluster/apps/monitoring-system/vector-aggregator/base/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring-system
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
# Pipeline config is checked in and rendered to a ConfigMap; the GeoIP
# account/licence key comes from the ExternalSecret, not from this file.
configMapGenerator:
  - name: vector-aggregator-configmap
    files:
      - config.yaml=./resources/config.yaml
generatorOptions:
  # Stable name; a config change alone will not restart the aggregator.
  disableNameSuffixHash: true
--------------------------------------------------------------------------------
/cluster/apps/authentication-system/authelia/base/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: authentication-system
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  # ReferenceGrant lets objects in another namespace (Gateway/routes,
  # presumably) reference resources here; keep it scoped to the exact
  # kind and name it needs rather than a namespace-wide grant.
  - ./referencegrant.yaml
configMapGenerator:
  # Authelia configuration *template*. The "-tpl" suffix matches the
  # templateFrom pattern used by cross-seed, so secrets are presumably
  # injected by ./externalsecret.yaml at render time — nothing sensitive
  # belongs in ./config/configuration.yaml itself.
  - name: authelia-config-tpl
    files:
      - ./config/configuration.yaml
generatorOptions:
  disableNameSuffixHash: true
--------------------------------------------------------------------------------
/cluster/apps/default/shared/redisclusters/ot-standalone/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name redis-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # Shared Redis password; the same Bitwarden item ("redis") is also
        # pulled into immich-secret, so rotating it means re-syncing both.
        redis_password: "{{ .REDIS_PASSWORD }}"
  dataFrom:
    - extract:
        key: redis
--------------------------------------------------------------------------------
/cluster/apps/flux-system/flux-webhook/base/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name github-webhook-token
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # Shared secret for the GitHub Receiver (github.yaml next to this
        # file): notification-controller validates the webhook signature with
        # it, and the same value must be configured on the GitHub side.
        # Because the receiver is published through httproute.yaml, this
        # HMAC is the only thing authenticating inbound callers.
        token: "{{ .FLUXCD_GITHUB_WEBHOOK_TOKEN }}"
  dataFrom:
    - extract:
        key: fluxcd
--------------------------------------------------------------------------------
/cluster/components/common/flux-alerts/discord/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name discord-notification
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # The Discord webhook URL *is* the credential (anyone holding it can
        # post to the channel), hence it is kept in the secret store.
        address: "{{ .FLUXCD_DISCORD_WEBHOOK_URL }}"
  dataFrom:
    - extract:
        key: fluxcd
--------------------------------------------------------------------------------
/cluster/apps/networking-system/cloudflared/base/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: networking-system
resources:
  # Tunnel credentials come from the ExternalSecret; the checked-in
  # config.yaml below should hold only ingress rules.
  - ./externalsecret.yaml
  - ./dnsendpoint.yaml
  - ./helmrelease.yaml
configMapGenerator:
  - name: cloudflared-configmap
    files:
      - config.yaml=./resources/config.yaml
generatorOptions:
  disableNameSuffixHash: true
--------------------------------------------------------------------------------
/cluster/components/common/flux-alerts/github/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name github-notification-token
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # Token the Flux notification Provider uses to post commit statuses
        # back to GitHub. It only needs status write access on the cluster
        # repo; a broadly scoped PAT here is an unnecessary blast radius.
        token: "{{ .FLUXCD_GITHUB_NOTIFICATION_TOKEN }}"
  dataFrom:
    - extract:
        key: fluxcd
--------------------------------------------------------------------------------
/cluster/apps/actions-runner-system/actions-runner-runners/base/ocirepository.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: gha-runner-scale-set
spec:
  interval: 30m
  timeout: 60s
  url: oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set
  ref:
    # Mutable tag for a chart that deploys CI runners (i.e. workloads that
    # execute repository code). Pin `digest:` alongside the tag so a
    # re-pushed 0.13.0 cannot silently change the runner deployment.
    tag: 0.13.0
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
--------------------------------------------------------------------------------
/cluster/apps/cert-manager/cert-manager/operator/base/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name cloudflare-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # The key is named "api-key" but the value is a scoped API *token*.
        # cert-manager's Cloudflare solver treats apiKeySecretRef (global key
        # + email) and apiTokenSecretRef differently — the ClusterIssuer must
        # use apiTokenSecretRef with key "api-key", and the token should be
        # limited to Zone:DNS:Edit on the zones it issues for. A separate
        # token is used for external-dns (EXTERNAL_DNS_TOKEN), which is the
        # right split.
        api-key: "{{ .CLOUDFLARE_CERT_MANAGER_TOKEN }}"
  dataFrom:
    - extract:
        key: cloudflare
--------------------------------------------------------------------------------
/talos/cni/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Bootstrap render of the CNI for Talos, used before Flux exists. The
# in-cluster HelmRelease (cluster/apps/kube-system/cilium/operator) takes
# over afterwards, so `version` and values.yaml must match what it deploys.
# kustomize's helmCharts fetches over HTTPS with no signature or digest
# check; a pinned version is the most this path offers.
helmCharts:
  - name: cilium
    repo: https://helm.cilium.io
    version: 1.18.5
    releaseName: cilium
    namespace: kube-system
    valuesFile: values.yaml
# Helm ownership metadata so the Flux-managed release can adopt these objects
# instead of failing on "resource already exists".
commonAnnotations:
  meta.helm.sh/release-name: cilium
  meta.helm.sh/release-namespace: kube-system
commonLabels:
  app.kubernetes.io/managed-by: Helm
--------------------------------------------------------------------------------
/cluster/apps/default/radicale/base/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name radicale-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # Radicale users file, one entry per line (htpasswd-style
        # "user:hash" lines, presumably — each Bitwarden field must already
        # hold the hashed form, not a plaintext password).
        users: |
          {{ .RADICALE_USER_0 }}
          {{ .RADICALE_USER_1 }}
  dataFrom:
    - extract:
        key: radicale
--------------------------------------------------------------------------------
/cluster/apps/external-secrets/external-secrets/store/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name bitwarden-access-token
spec:
  # Bootstrap circularity: the ClusterSecretStore "bitwarden-secretsmanager"
  # authenticates with the token this object produces. The very first sync
  # therefore needs the Secret created out-of-band, and rotating the machine
  # key in Bitwarden has to happen while the old token is still valid so the
  # store can fetch the new one before the old one is revoked.
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # ".key" refers to the secretKey declared under `data` below, not to
        # the remote item name.
        token: '{{ .key }}'
  data:
    - secretKey: key
      remoteRef:
        key: bitwarden-eso-machine-key
--------------------------------------------------------------------------------
/cluster/apps/kube-system/cilium/lb-networks/base/ciliumbgppeerconfig.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/cilium.io/ciliumbgppeerconfig_v2.json
apiVersion: cilium.io/v2
kind: CiliumBGPPeerConfig
metadata:
  name: main
spec:
  # No `authSecretRef` is set, so the session with the firewall is plain,
  # unauthenticated TCP/179: anything on the node network able to spoof the
  # peer address could inject routes for the LoadBalancer ranges. If the
  # VyOS side supports TCP-MD5, configure a password on both ends and
  # reference it here (`authSecretRef: <secret>`, a Secret with key
  # "password" in the BGP secrets namespace, kube-system by default).
  timers:
    # Aggressive failover timers. Keepalive is more than a third of the hold
    # time (RFC 4271 suggests hold/3, i.e. 3s here); verify the negotiated
    # values on the VyOS side.
    holdTimeSeconds: 9
    keepAliveTimeSeconds: 5
  gracefulRestart:
    enabled: true
    restartTimeSeconds: 15
  transport:
    peerPort: 179
  families:
    - afi: ipv4
      safi: unicast
      # Pulls in every CiliumBGPAdvertisement labelled advertise=bgp.
      advertisements:
        matchLabels:
          advertise: bgp
--------------------------------------------------------------------------------
/cluster/apps/default/recyclarr/base/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name recyclarr-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # Full-access *arr API keys, shared with cross-seed via the same
        # "starrs" Bitwarden item.
        SONARR_API_KEY: "{{ .SONARR_API_KEY }}"
        RADARR_API_KEY: "{{ .RADARR_API_KEY }}"
  dataFrom:
    - extract:
        key: starrs
--------------------------------------------------------------------------------
/cluster/apps/networking-system/envoy-gateway/gateways/external/redirect.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/httproute_v1.json
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: https-redirect-external
  annotations:
    # Catch-all route: no hostnames, so tell external-dns not to create any
    # record for it.
    external-dns.alpha.kubernetes.io/controller: none
spec:
  # Attached to the external Gateway's plaintext :80 listener only.
  parentRefs:
    - name: external
      port: 80
  rules:
    # Everything on :80 is redirected to https; nothing is served in clear.
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
--------------------------------------------------------------------------------
/flyio/vaultwarden/flake.nix:
--------------------------------------------------------------------------------
{
  description = "Vaultwarden fly.io devShell";

  # Inputs track branches; the exact revisions are fixed by flake.lock (not
  # shown here), which should be committed.
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    flake-parts.url = "github:hercules-ci/flake-parts";
  };

  outputs = { flake-parts, ... }@inputs:
    flake-parts.lib.mkFlake {inherit inputs;} {
      systems = [ "x86_64-linux" ];
      perSystem = { pkgs, ... }: {
        # Only the fly CLI is needed to operate the Vaultwarden deployment.
        devShells.default = pkgs.mkShell {
          packages = [
            pkgs.bashInteractive
            pkgs.flyctl
          ];
        };
      };
    };
}
--------------------------------------------------------------------------------
/cluster/apps/default/tqm/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name tqm
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  # prune: objects removed from git are deleted from the cluster.
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/default/tqm/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
--------------------------------------------------------------------------------
/cluster/components/common/flux-alerts/discord/alert.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/notification.toolkit.fluxcd.io/alert_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
  name: discord
spec:
  providerRef:
    name: discord
  # Only error-level events are forwarded (reconcile failures, not every
  # successful apply).
  eventSeverity: error
  # Alerts are namespaced: with no namespace on the sources, "*" matches
  # objects in the Alert's own namespace only.
  eventSources:
    - kind: OCIRepository
      name: "*"
    - kind: GitRepository
      name: "*"
    - kind: HelmRepository
      name: "*"
    - kind: Kustomization
      name: "*"
    - kind: HelmRelease
      name: "*"
--------------------------------------------------------------------------------
/cluster/components/volsync/pvc.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.28.0-standalone-strict/persistentvolumeclaim-v1.json
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ${APP_NAME}
spec:
  # ${VAR:=default} is Flux postBuild substitution syntax; the values come
  # from the including Kustomization's substitute/substituteFrom.
  accessModes:
    - ${VOLSYNC_ACCESSMODES:=ReadWriteOnce}
  # Restore-on-create: the volume is populated from the VolSync
  # ReplicationDestination, so a fresh deploy starts from the last backup.
  dataSourceRef:
    apiGroup: volsync.backube
    kind: ReplicationDestination
    name: ${APP_NAME}-dst
  resources:
    requests:
      storage: ${VOLSYNC_CAPACITY:=1Gi}
  storageClassName: ${VOLSYNC_STORAGECLASS:=rook-ceph-block}
--------------------------------------------------------------------------------
/flux-local.nix:
--------------------------------------------------------------------------------
{
  buildPythonPackage,
  fetchPypi,

  # propagatedBuildInputs
  pyyaml,
  gitpython,
  aiofiles,
  mashumaro,
  nest-asyncio,
  pytest,
  pytest-asyncio,
}:
buildPythonPackage rec {
  pname = "flux_local";
  version = "7.5.0";

  # Sdist pinned by content hash: bumping `version` without updating `hash`
  # fails the build rather than silently pulling a different artifact.
  src = fetchPypi {
    inherit pname version;
    hash = "sha256-fWaZmim6NNGptiiDWkNnvJ5b3Lz0hlojXc25Gc8hYHY=";
  };

  propagatedBuildInputs = [
    pyyaml
    gitpython
    aiofiles
    mashumaro
    nest-asyncio
    pytest
    pytest-asyncio
  ];
}
--------------------------------------------------------------------------------
/cluster/apps/kube-system/cilium/lb-networks/base/ciliumbgpclusterconfig.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/cilium.io/ciliumbgpclusterconfig_v2.json
apiVersion: cilium.io/v2
kind: CiliumBGPClusterConfig
metadata:
  name: main
spec:
  # Every Linux node runs a BGP speaker.
  nodeSelector:
    matchLabels:
      kubernetes.io/os: linux
  bgpInstances:
    # Private ASNs: cluster 65401, firewall 65400.
    - name: instance-65401
      localASN: 65401
      peers:
        - name: budimanjojo-firewall
          # Substituted from the cluster-vars Secret by the envsubst component.
          peerAddress: ${CONFIG_VYOS_IP_ADDRESS}
          peerASN: 65400
          # Timers, address families and (if added) session auth live in the
          # CiliumBGPPeerConfig named "main".
          peerConfigRef:
            name: main
--------------------------------------------------------------------------------
/cluster/apps/monitoring-system/grafana/base/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name grafana-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # Grafana's built-in admin account (GF_SECURITY_ADMIN_*); keys are
        # lower-cased, so the consumer presumably maps them to env vars.
        gf_security_admin_user: "{{ .ADMIN_USER }}"
        gf_security_admin_password: "{{ .ADMIN_PASSWORD }}"
  dataFrom:
    - extract:
        key: grafana
--------------------------------------------------------------------------------
/cluster/apps/default/reloader/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name reloader
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/default/reloader/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
--------------------------------------------------------------------------------
/cluster/apps/networking-system/adguardhome-external-dns/base/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name adguardhome-external-dns-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # AdGuard admin credentials used by external-dns to write DNS rewrites.
        # AdGuard has no scoped API tokens, so this is a full admin login —
        # treat the Secret accordingly.
        ADGUARD_USER: "{{ .ADGUARD_USER }}"
        ADGUARD_PASSWORD: "{{ .ADGUARD_PASSWORD }}"
  dataFrom:
    - extract:
        key: adguardhome
--------------------------------------------------------------------------------
/cluster/apps/default/clusterpolicies/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name clusterpolicies
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/default/clusterpolicies/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  # Unlike the other app Kustomizations this one does not wait for readiness;
  # presumably the policy objects carry no Ready condition Flux can check.
  wait: false
--------------------------------------------------------------------------------
/cluster/apps/monitoring-system/vector-aggregator/base/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name vector-aggregator-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # MaxMind geoipupdate credentials for the GeoIP enrichment database.
        GEOIPUPDATE_ACCOUNT_ID: "{{ .GEOIPUPDATE_ACCOUNT_ID }}"
        GEOIPUPDATE_LICENSE_KEY: "{{ .GEOIPUPDATE_LICENSE_KEY }}"
  dataFrom:
    - extract:
        key: vector-aggregator
--------------------------------------------------------------------------------
/talos/kubelet-csr-approver/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Bootstrap render of the controller that auto-approves kubelet *serving*
# certificate CSRs. Auto-approval is only as safe as the rules in values.yaml
# (provider/hostname regex, DNS checks) — review that file with the same care
# as RBAC, since a loose regex lets a rogue node obtain a serving cert for
# any name.
helmCharts:
  - name: kubelet-csr-approver
    repo: https://postfinance.github.io/kubelet-csr-approver
    version: 1.2.12
    releaseName: kubelet-csr-approver
    namespace: kube-system
    valuesFile: values.yaml
# Helm ownership metadata so the in-cluster HelmRelease
# (cluster/apps/kube-system/kubelet-csr-approver) can adopt these objects.
commonAnnotations:
  meta.helm.sh/release-name: kubelet-csr-approver
  meta.helm.sh/release-namespace: kube-system
commonLabels:
  app.kubernetes.io/managed-by: Helm
--------------------------------------------------------------------------------
/cluster/apps/kube-system/cilium/lb-networks/base/ciliumbgpadvertisement.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/cilium.io/ciliumbgpadvertisement_v2.json
apiVersion: cilium.io/v2
kind: CiliumBGPAdvertisement
metadata:
  name: main
  labels:
    # Picked up by CiliumBGPPeerConfig "main" via advertisements.matchLabels.
    advertise: bgp
spec:
  advertisements:
    - advertisementType: Service
      service:
        # Announcing `ExternalIP` means any Service that sets
        # spec.externalIPs is routed to by the firewall as well. externalIPs
        # can be set by anyone allowed to create a Service, which lets them
        # attract traffic for an arbitrary address (the Kubernetes externalIPs
        # MITM issue, CVE-2020-8554). Drop ExternalIP unless something relies
        # on it, or enable the DenyServiceExternalIPs admission plugin.
        addresses:
          - LoadBalancerIP
          - ExternalIP
      # Deliberate "match everything" selector: no Service carries the key
      # thisFakeSelector, so NotIn is true for all of them.
      selector:
        matchExpressions:
          - key: thisFakeSelector
            operator: NotIn
            values:
              - will-match-and-announce-all-services
--------------------------------------------------------------------------------
/.taskfiles/VolSync/ListJob.tmpl.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/job-batch-v1.json
# Taskfile template: ${rsrc}, ${ts} and ${namespace} are Task variables
# (rendered before kubectl apply), not Flux substitutions.
apiVersion: batch/v1
kind: Job
metadata:
  name: "list-${rsrc}-${ts}"
  namespace: "${namespace}"
spec:
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      # The job needs only the restic repo credentials, never the API.
      automountServiceAccountToken: false
      restartPolicy: OnFailure
      containers:
        - name: list
          # Unpinned mutable tag. This container runs with the repository
          # password and backend credentials from ${rsrc}-restic-secret in its
          # environment, so pin a release tag (ideally tag@sha256:...) — and
          # keep it on the restic version VolSync itself uses so the
          # repository format stays compatible.
          image: docker.io/restic/restic:latest
          args: ["snapshots"]
          envFrom:
            - secretRef:
                name: "${rsrc}-restic-secret"
--------------------------------------------------------------------------------
/cluster/apps/authentication-system/lldap/base/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name lldap-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # JWT signing secret: rotating it invalidates every LLDAP session.
        LLDAP_JWT_SECRET: "{{ .LLDAP_JWT_SECRET }}"
        # Password of the LDAP admin user created at first start.
        LLDAP_LDAP_USER_PASS: "{{ .LLDAP_LDAP_USER_PASS }}"
        # Not secret in itself, but kept with the rest of the LDAP config.
        LLDAP_LDAP_BASE_DN: "{{ .LLDAP_LDAP_BASE_DN }}"
  dataFrom:
    - extract:
        key: lldap
--------------------------------------------------------------------------------
/cluster/apps/default/qbittorrent/base/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name qbittorrent-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # VPN (WireGuard) client settings for the torrent client's tunnel.
        WIREGUARD_ENDPOINT_IP: "{{ .WIREGUARD_ENDPOINT_IP }}"
        # Non-secret, hard-coded here so the consumer gets the full set of
        # WIREGUARD_* variables from one Secret.
        WIREGUARD_ENDPOINT_PORT: "51821"
        WIREGUARD_PRIVATE_KEY: "{{ .WIREGUARD_PRIVATE_KEY }}"
  dataFrom:
    - extract:
        key: qbittorrent
--------------------------------------------------------------------------------
/cluster/apps/external-secrets/external-secrets/operator/certificate.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/cert-manager.io/certificate_v1.json
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: &name bitwarden-tls-certs
spec:
  # Serving certificate for the Bitwarden SDK server that the ESO provider
  # talks to. It is issued by the in-cluster self-signed ClusterIssuer, so the
  # ClusterSecretStore must trust this cert explicitly (caProvider/caBundle)
  # rather than a public CA — confirm that is how the store is configured.
  secretName: *name
  dnsNames:
    - bitwarden-sdk-server.external-secrets.svc.cluster.local
    # loopback SANs: presumably for a sidecar/local connection — verify they
    # are still needed.
    - localhost
  ipAddresses:
    - 127.0.0.1
    - ::1
  privateKey:
    algorithm: RSA
    encoding: PKCS8
    size: 2048
    # A fresh private key on every renewal, not just a new cert.
    rotationPolicy: Always
  issuerRef:
    name: cluster-selfsigned
    kind: ClusterIssuer
    group: cert-manager.io
--------------------------------------------------------------------------------
/cluster/components/envsubst/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources:
  # Presumably produces the cluster-vars Secret in the including namespace;
  # substituteFrom only reads Secrets from the Kustomization's own namespace.
  - ./externalsecret.yaml
patches:
  # Applied to every Flux Kustomization in the including kustomization: all
  # ${VAR} placeholders (SECRET_DOMAIN_0, CONFIG_VYOS_IP_ADDRESS, ...) are
  # filled from cluster-vars. Substituted values end up in the applied
  # objects (hostnames, addresses), readable by anyone who can read those
  # objects — keep genuinely sensitive material in per-app ExternalSecrets
  # instead of in cluster-vars.
  - target:
      group: kustomize.toolkit.fluxcd.io
      kind: Kustomization
    patch: |-
      apiVersion: kustomize.toolkit.fluxcd.io/v1
      kind: Kustomization
      metadata:
        # Required by the patch syntax, ignored: `target` selects the objects.
        name: not-used
      spec:
        postBuild:
          substituteFrom:
            - kind: Secret
              name: cluster-vars
--------------------------------------------------------------------------------
/cluster/apps/default/immich/server/base/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name immich-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # REDIS_PASSWORD comes from the shared "redis" item (second extract
        # below), the rest from "immich".
        REDIS_PASSWORD: "{{ .REDIS_PASSWORD }}"
        JWT_SECRET: "{{ .JWT_SECRET }}"
        TYPESENSE_API_KEY: "{{ .TYPESENSE_API_KEY }}"
  # Both items are merged into one template context; if a field name exists
  # in both, the later extract is expected to win — avoid overlapping names.
  dataFrom:
    - extract:
        key: immich
    - extract:
        key: redis
--------------------------------------------------------------------------------
/cluster/apps/flux-system/flux-metrics/base/podmonitor.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/monitoring.coreos.com/podmonitor_v1.json
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: flux-system
  labels:
    app.kubernetes.io/part-of: flux
spec:
  # Scrape the four Flux controllers' http-prom ports, flux-system only.
  selector:
    matchExpressions:
      - key: app
        operator: In
        values:
          - helm-controller
          - source-controller
          - kustomize-controller
          - notification-controller
  namespaceSelector:
    matchNames:
      - flux-system
  podMetricsEndpoints:
    - port: http-prom
--------------------------------------------------------------------------------
/cluster/apps/default/cross-seed/base/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name cross-seed-config
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      # The whole config.js is rendered from the cross-seed-config-tpl
      # ConfigMap with the "starrs" fields as template values, so the
      # resulting Secret contains the full config including API keys; the
      # ConfigMap itself must hold only placeholders.
      templateFrom:
        - target: Data
          configMap:
            name: cross-seed-config-tpl
            items:
              - key: config.js
                templateAs: Values
  dataFrom:
    - extract:
        key: starrs
--------------------------------------------------------------------------------
/cluster/apps/networking-system/cloudflare-external-dns/base/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name cloudflare-external-dns-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # A token separate from cert-manager's (CLOUDFLARE_CERT_MANAGER_TOKEN)
        # — good; scope it to DNS edit on the two zones listed below.
        CF_API_TOKEN: "{{ .EXTERNAL_DNS_TOKEN }}"
        DOMAIN_0_ZONE_ID: "{{ .DOMAIN_0_ZONE_ID }}"
        DOMAIN_1_ZONE_ID: "{{ .DOMAIN_1_ZONE_ID }}"
  dataFrom:
    - extract:
        key: cloudflare
--------------------------------------------------------------------------------
/cluster/apps/default/homepage/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name homepage
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/default/homepage/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  # Ordered after the Gateway API implementation so the app's HTTPRoute has
  # its CRDs/Gateway available on first apply.
  dependsOn:
    - name: envoy-gateway-operator
      namespace: networking-system
--------------------------------------------------------------------------------
/cluster/apps/flux-system/flux-metrics/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name flux-metrics
  namespace: flux-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/flux-system/flux-metrics/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  # The PodMonitor targets the controllers the flux-instance creates.
  dependsOn:
    - name: flux-instance
      namespace: flux-system
--------------------------------------------------------------------------------
/flake.nix:
--------------------------------------------------------------------------------
{
  description = "Home cluster devShell";

  # Inputs track branches; the exact revisions are fixed by flake.lock (not
  # shown here), which should be committed so everyone gets the same tools.
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    flake-parts.url = "github:hercules-ci/flake-parts";
  };

  outputs =
    { flake-parts, ... }@inputs:
    flake-parts.lib.mkFlake { inherit inputs; } {
      systems = [ "x86_64-linux" ];
      perSystem =
        { pkgs, ... }:
        {
          # restic for VolSync repo maintenance, kubeconform + flux-local for
          # manifest validation; flux-local is built from the pinned
          # ./flux-local.nix derivation rather than a floating install.
          devShells.default = pkgs.mkShell {
            packages = [
              pkgs.bashInteractive
              pkgs.restic
              pkgs.kubeconform
              (pkgs.python3Packages.callPackage ./flux-local.nix { })
            ];
          };
        };
    };
}
--------------------------------------------------------------------------------
/cluster/apps/kube-system/cilium/lb-networks/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cilium-lb-networks
  namespace: &namespace kube-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: cilium
  path: ./cluster/apps/kube-system/cilium/lb-networks/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  # The BGP/IP-pool CRDs come from the Cilium release, so order after it.
  dependsOn:
    - name: cilium-operator
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/networking-system/cloudflared/base/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name cloudflared-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        credentials.json: |
          {
            "AccountTag": "{{ .K8S_INGRESS_TUNNEL_TAG }}",
18 | "TunnelSecret": "{{ .K8S_INGRESS_TUNNEL_SECRET }}", 19 | "TunnelID": "{{ .K8S_INGRESS_TUNNEL_ID }}" 20 | } 21 | dataFrom: 22 | - extract: 23 | key: cloudflare 24 | -------------------------------------------------------------------------------- /cluster/apps/networking-system/cloudflared/base/resources/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ingress: 3 | - hostname: "${SECRET_DOMAIN_0}" 4 | service: https://envoy-networking-system-external-7066f54d.networking-system.svc.cluster.local:443 5 | originRequest: 6 | originServerName: external.${SECRET_DOMAIN_0} 7 | - hostname: "*.${SECRET_DOMAIN_0}" 8 | service: https://envoy-networking-system-external-7066f54d.networking-system.svc.cluster.local:443 9 | originRequest: 10 | originServerName: external.${SECRET_DOMAIN_0} 11 | - hostname: "*.${SECRET_DOMAIN_1}" 12 | service: https://envoy-networking-system-external-7066f54d.networking-system.svc.cluster.local:443 13 | originRequest: 14 | originServerName: external.${SECRET_DOMAIN_1} 15 | - service: http_status:404 16 | -------------------------------------------------------------------------------- /cluster/components/keda/nfs-scaler/scaledobject.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/keda.sh/scaledobject_v1alpha1.json 3 | apiVersion: keda.sh/v1alpha1 4 | kind: ScaledObject 5 | metadata: 6 | name: ${APP_NAME} 7 | spec: 8 | advanced: 9 | restoreToOriginalReplicaCount: true 10 | cooldownPeriod: 0 11 | minReplicaCount: 0 12 | maxReplicaCount: 1 13 | scaleTargetRef: 14 | apiVersion: apps/v1 15 | name: ${APP_NAME} 16 | kind: ${DEPLOY_TYPE:=Deployment} 17 | triggers: 18 | - type: prometheus 19 | metadata: 20 | serverAddress: http://prometheus-operated.monitoring-system.svc.cluster.local:9090 21 | query: probe_success{instance=~".+:2049"} 22 | threshold: "1" 23 | ignoreNullValues: "0" 24 | 
--------------------------------------------------------------------------------
/cluster/apps/actions-runner-system/actions-runner-runners/base/home-cluster/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
# GitHub App credentials for actions-runner-controller, pulled from the
# "home-cluster-actions-runner" entry in Bitwarden Secrets Manager.
# The private key is kept base64-encoded in Bitwarden and decoded here
# (b64dec) so the Secret carries the raw PEM. That key can mint installation
# tokens for the App: read access to this Secret is access to the App.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: actions-runner-controller
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: actions-runner-controller-secret
    template:
      data:
        github_app_id: "{{ .GITHUB_APP_ID }}"
        github_app_installation_id: "{{ .GITHUB_APP_INSTALLATION_ID }}"
        github_app_private_key: "{{ .GITHUB_APP_PRIVATE_KEY | b64dec }}"
  dataFrom:
    - extract:
        key: home-cluster-actions-runner
--------------------------------------------------------------------------------
/cluster/apps/monitoring-system/keda/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for KEDA. Readiness is tied to the HelmRelease via
# healthChecks rather than wait: true, so only that one object is watched.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name keda
  namespace: &namespace monitoring-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/monitoring-system/keda/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/openebs-system/openebs/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for OpenEBS (local storage); Ready once its HelmRelease is.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name openebs
  namespace: &namespace openebs-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/openebs-system/openebs/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/components/volsync/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
# Per-app restic credentials for VolSync, rendered from the shared
# "volsync-template" Bitwarden entry; only the repository path differs per app.
# restic encrypts the repository client-side with RESTIC_PASSWORD, so backup
# contents do not rely on the transport — but the MinIO S3 endpoint below is
# plain http: on the pod network. NOTE(review): consider https: (or CNI-level
# encryption) if unencrypted S3 traffic inside the cluster is a concern.
# Every app shares the same RESTIC_PASSWORD and MinIO key pair, so the Secret
# of any one app unlocks every app's backups.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name ${APP_NAME}-volsync-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        RESTIC_REPOSITORY: s3:http://minio.default.svc.cluster.local:9000/restic-repository/${APP_NAME}
        RESTIC_PASSWORD: "{{ .RESTIC_PASSWORD_S3 }}"
        AWS_ACCESS_KEY_ID: "{{ .MINIO_ACCESS_KEY }}"
        AWS_SECRET_ACCESS_KEY: "{{ .MINIO_SECRET_KEY }}"
  dataFrom:
    - extract:
        key: volsync-template
--------------------------------------------------------------------------------
/cluster/apps/cert-manager/cert-manager/issuers/domain-0/clusterissuer.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/cert-manager.io/clusterissuer_v1.json
# Let's Encrypt production issuer for ${SECRET_DOMAIN_0}, DNS-01 via Cloudflare.
# The dnsZones selector limits this issuer's solver to that zone, so a
# Certificate for another domain finds no solver here and fails instead of
# being attempted against the wrong zone.
# NOTE(review): apiKeySecretRef + email is Cloudflare's *global* API key,
# which has full account access. cert-manager also accepts apiTokenSecretRef
# with a token scoped to Zone:DNS:Edit on just these zones; switching needs
# only the token stored in cloudflare-secrets and this stanza changed.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: domain-0-prod
spec:
  acme:
    email: "${SECRET_EMAIL_0}"
    server: https://acme-v02.api.letsencrypt.org/directory
    # Ask for the chain rooted in ISRG Root X1 rather than the cross-signed one.
    preferredChain: ISRG Root X1
    privateKeySecretRef:
      name: domain-0-prod-issuer-account-key
    solvers:
      - dns01:
          cloudflare:
            email: "${SECRET_EMAIL_0}"
            apiKeySecretRef:
              name: cloudflare-secrets
              key: api-key
        selector:
          dnsZones:
            - "${SECRET_DOMAIN_0}"
--------------------------------------------------------------------------------
/cluster/apps/cert-manager/cert-manager/issuers/domain-1/clusterissuer.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/cert-manager.io/clusterissuer_v1.json
# Let's Encrypt production issuer for ${SECRET_DOMAIN_1}; identical to the
# domain-0 issuer apart from the zone selector, and it shares the same
# Cloudflare global API key (see the note on domain-0-prod about scoping it
# down to an API token).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: domain-1-prod
spec:
  acme:
    email: "${SECRET_EMAIL_0}"
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: ISRG Root X1
    privateKeySecretRef:
      name: domain-1-prod-issuer-account-key
    solvers:
      - dns01:
          cloudflare:
            email: "${SECRET_EMAIL_0}"
            apiKeySecretRef:
              name: cloudflare-secrets
              key: api-key
        selector:
          dnsZones:
            - "${SECRET_DOMAIN_1}"
--------------------------------------------------------------------------------
/.taskfiles/VolSync/UnlockJob.tmpl.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/job-batch-v1.json
# One-shot Job template (the ${rsrc}/${ts}/${namespace} variables are filled
# in by the VolSync Taskfile, not by Flux) that force-removes restic locks on
# an app's repository. `unlock --remove-all` also drops locks held by a
# *running* restic process, so only run it while no backup or restore for
# ${rsrc} is in flight.
apiVersion: batch/v1
kind: Job
metadata:
  name: "unlock-${rsrc}-${ts}"
  namespace: "${namespace}"
  labels:
    app.kubernetes.io/name: "unlock-${rsrc}-${ts}"
spec:
  # Garbage-collect the finished Job (and its pod, whose env holds the repo
  # credentials) after an hour.
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      # The pod needs the repo credentials only, never the Kubernetes API.
      automountServiceAccountToken: false
      restartPolicy: OnFailure
      containers:
        - name: unlock
          # NOTE(review): a floating :latest tag is an unpinned supply-chain
          # input — pin to a release tag, ideally with an @sha256 digest.
          image: docker.io/restic/restic:latest
          args:
            - unlock
            - --remove-all
          envFrom:
            # RESTIC_*/AWS_* for the repository.
            # NOTE(review): the volsync component renders the Secret as
            # ${APP_NAME}-volsync-secret, not *-restic-secret; confirm this
            # template still matches what is deployed.
            - secretRef:
                name: "${rsrc}-restic-secret"
--------------------------------------------------------------------------------
/cluster/apps/flux-system/flux-operator/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the flux-operator HelmRelease, the root of the
# flux-operator -> flux-instance -> flux-metrics/flux-webhook chain.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name flux-operator
  namespace: &namespace flux-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/flux-system/flux-operator/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/monitoring-system/grafana/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for Grafana; Ready once its HelmRelease is.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name grafana
  namespace: &namespace monitoring-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/monitoring-system/grafana/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/nfs-system/csi-driver-nfs/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the NFS CSI driver; Ready once its HelmRelease is.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name csi-driver-nfs
  namespace: &namespace nfs-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/nfs-system/csi-driver-nfs/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/redis-operator/ot-operator/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the OT Redis operator; the shared RedisCluster objects
# under default/ depend on this one.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name ot-operator
  namespace: &namespace redis-operator
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/redis-operator/ot-operator/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/kube-system/cilium/operator/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the Cilium HelmRelease (CNI). Labelled "cilium"
# rather than by its own name so it groups with cilium-lb-networks.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name cilium-operator
  namespace: &namespace kube-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: cilium
  path: ./cluster/apps/kube-system/cilium/operator/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/monitoring-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
# Aggregates the monitoring-system Flux Kustomizations.
# NOTE(review): the privileged-namespace component presumably sets the
# namespace's Pod Security level to privileged (host-level exporters need
# it). That lifts PSA enforcement for *every* pod in the namespace, not just
# the exporters — Grafana, Loki and the rest included.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring-system
components:
  - ../../components/common
  - ../../components/envsubst
  - ../../components/privileged-namespace
resources:
  - ./blackbox-exporter/fluxtomization.yaml
  - ./gatus/fluxtomization.yaml
  - ./grafana/fluxtomization.yaml
  - ./keda/fluxtomization.yaml
  - ./kube-prometheus/crds/fluxtomization.yaml
  - ./kube-prometheus/stack/fluxtomization.yaml
  - ./loki/fluxtomization.yaml
  - ./smartctl-exporter/fluxtomization.yaml
  - ./vector-aggregator/fluxtomization.yaml
--------------------------------------------------------------------------------
/cluster/apps/actions-runner-system/actions-runner-runners/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the runner scale sets; ordered after the controller
# so its CRDs and listener exist first. Self-hosted runners execute workflow
# code from the repositories they are registered to — the GitHub App
# credentials in this base decide which repositories that is.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name actions-runner-runners
  namespace: &namespace actions-runner-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/actions-runner-system/actions-runner-runners/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: actions-runner-controller
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/flux-system/flux-webhook/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the GitHub webhook Receiver. Its base publishes an
# HTTPRoute, hence the dependency on the gateway operator as well as on
# flux-instance (which provides the Receiver CRD). The token in the base's
# ExternalSecret is what authenticates inbound webhook calls.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name flux-webhook
  namespace: flux-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/flux-system/flux-webhook/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: flux-instance
      namespace: flux-system
    - name: envoy-gateway-operator
      namespace: networking-system
--------------------------------------------------------------------------------
/cluster/apps/kube-system/snapshot-controller/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the CSI snapshot controller; Ready once its
# HelmRelease is.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name snapshot-controller
  namespace: &namespace kube-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/kube-system/snapshot-controller/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/postgres-operator/cdpg-operator/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the CloudNativePG operator; Ready once its
# HelmRelease is.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name cdpg-operator
  namespace: &namespace postgres-operator
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/postgres-operator/cdpg-operator/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/kube-system/generic-device-plugin/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the generic device plugin (exposes host devices such
# as USB dongles to pods); Ready once its HelmRelease is.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name generic-device-plugin
  namespace: &namespace kube-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/kube-system/generic-device-plugin/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/kube-system/kubelet-csr-approver/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for kubelet-csr-approver, which auto-approves kubelet
# serving-certificate CSRs. The allow-list of node names / providers lives in
# its chart values (a bootstrap copy sits under talos/kubelet-csr-approver);
# that allow-list is the security boundary — anything permitted to create a
# CSR that matches it gets a kubelet serving certificate, so review changes
# to those values as carefully as RBAC changes.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name kubelet-csr-approver
  namespace: &namespace kube-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/kube-system/kubelet-csr-approver/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
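--------------------------------------------------------------------------------
/cluster/apps/kube-system/kubernetes-replicator/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for kubernetes-replicator (kube-system).
# The path must be this app's own base. It previously pointed at
# ./cluster/apps/kube-system/kubelet-csr-approver/base (copy-paste), which
# meant two pruning Kustomizations claimed the same objects and the replicator
# itself was never applied — so the HelmRelease health check below could never
# be satisfied.
# NOTE(review): kubernetes-replicator copies Secrets/ConfigMaps across
# namespaces based on annotations, so the right to annotate a Secret becomes
# the right to share it; keep that in mind when granting patch on Secrets.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name kubernetes-replicator
  namespace: &namespace kube-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/kube-system/kubernetes-replicator/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/networking-system/envoy-gateway/operator/base/gatewayclass.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/gatewayclass_v1.json
# GatewayClass served by Envoy Gateway; proxy-wide settings come from the
# EnvoyProxy object referenced below.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: envoy-gateway
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: proxy-config
    namespace: networking-system
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.envoyproxy.io/envoyproxy_v1alpha1.json
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: proxy-config
spec:
  # Pins TLS 1.3 for Envoy's connections *to* backends (e.g. the hop
  # cloudflared terminates on). It does not constrain the client-facing
  # listeners; those are configured elsewhere.
  backendTLS:
    minVersion: "1.3"
    maxVersion: "1.3"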
--------------------------------------------------------------------------------
/cluster/apps/networking-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
# Aggregates the networking-system Flux Kustomizations (DNS, tunnel, gateway).
# NOTE(review): as in monitoring-system, the privileged-namespace component
# presumably relaxes Pod Security for the whole namespace; cloudflared and
# the gateway proxies — the internet-facing pods — run under that relaxed
# level too. Confirm which workload actually needs it.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: networking-system
components:
  - ../../components/common
  - ../../components/envsubst
  - ../../components/privileged-namespace
resources:
  - ./adguardhome-external-dns/fluxtomization.yaml
  - ./cloudflare-external-dns/fluxtomization.yaml
  - ./cloudflared/fluxtomization.yaml
  - ./echo-server/fluxtomization.yaml
  - ./envoy-gateway/certificates/fluxtomization.yaml
  - ./envoy-gateway/gateways/fluxtomization.yaml
  - ./envoy-gateway/operator/fluxtomization.yaml
  - ./external-services/fluxtomization.yaml
--------------------------------------------------------------------------------
/cluster/apps/kube-system/node-feature-discovery/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for node-feature-discovery (hardware labels on nodes);
# Ready once its HelmRelease is.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name node-feature-discovery
  namespace: &namespace kube-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/kube-system/node-feature-discovery/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/monitoring-system/vector-aggregator/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the Vector log aggregator; Ready once its
# HelmRelease is.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name vector-aggregator
  namespace: &namespace monitoring-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/monitoring-system/vector-aggregator/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/default/shared/redisclusters/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the shared "ot-standalone" Redis instance in default.
# It waits for the OT operator (CRD + controller) and for the Rook-Ceph
# cluster (backing storage) before applying.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: shared-rediscluster-ot-standalone
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: ot-standalone
  path: ./cluster/apps/default/shared/redisclusters/ot-standalone
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: ot-operator
      namespace: redis-operator
    - name: rook-ceph-cluster
      namespace: rook-ceph
--------------------------------------------------------------------------------
/cluster/apps/networking-system/adguardhome-external-dns/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the external-dns instance that publishes records to
# AdGuard Home (internal DNS); Ready once its HelmRelease is.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name adguardhome-external-dns
  namespace: &namespace networking-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/networking-system/adguardhome-external-dns/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/monitoring-system/kube-prometheus/crds/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the kube-prometheus-stack CRDs, installed separately
# from the stack itself. Labelled "kube-prometheus-stack" so both halves
# group under one app name; the health check still uses this object's own
# name, so a HelmRelease called kube-prometheus-crds must exist in the base.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name kube-prometheus-crds
  namespace: &namespace monitoring-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: kube-prometheus-stack
  path: ./cluster/apps/monitoring-system/kube-prometheus/crds/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/actions-runner-system/actions-runner-controller/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for actions-runner-controller; the runner scale sets
# depend on this one. Ready once its HelmRelease is.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name actions-runner-controller
  namespace: &namespace actions-runner-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/actions-runner-system/actions-runner-controller/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
--------------------------------------------------------------------------------
/cluster/apps/kube-system/k8tz/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for k8tz (timezone injection via a mutating admission
# webhook). Its base carries an Issuer — presumably for the webhook serving
# certificate — hence the dependency on cert-manager.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name k8tz
  namespace: &namespace kube-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/kube-system/k8tz/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
  dependsOn:
    - name: cert-manager-operator
      namespace: cert-manager
-------------------------------------------------------------------------------- /cluster/apps/monitoring-system/loki/fluxtomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &name loki 7 | namespace: &namespace monitoring-system 8 | spec: 9 | interval: 1h 10 | retryInterval: 2m 11 | timeout: 5m 12 | prune: true 13 | commonMetadata: 14 | labels: 15 | app.kubernetes.io/name: *name 16 | path: ./cluster/apps/monitoring-system/loki/base 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | healthChecks: 22 | - apiVersion: helm.toolkit.fluxcd.io/v2 23 | kind: HelmRelease 24 | name: *name 25 | namespace: *namespace 26 | dependsOn: 27 | - name: rook-ceph-cluster 28 | namespace: rook-ceph 29 | -------------------------------------------------------------------------------- /cluster/apps/flux-system/flux-instance/fluxtomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &name flux-instance 7 | namespace: &namespace flux-system 8 | spec: 9 | interval: 1h 10 | retryInterval: 2m 11 | timeout: 5m 12 | prune: true 13 | commonMetadata: 14 | labels: 15 | app.kubernetes.io/name: *name 16 | path: ./cluster/apps/flux-system/flux-instance/base 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | healthChecks: 22 | - apiVersion: fluxcd.controlplane.io/v1 23 | kind: FluxInstance 24 | name: flux 25 | namespace: *namespace 26 | dependsOn: 27 | - name: flux-operator 28 | namespace: 
*namespace
-------------------------------------------------------------------------------- /cluster/components/ext-auth/authentication.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.envoyproxy.io/securitypolicy_v1alpha1.json
# Envoy Gateway SecurityPolicy shipped by the ext-auth component: the HTTPRoute named
# ${APP_NAME} is gated by Authelia's ext-authz endpoint before traffic reaches the app.
# ${APP_NAME} is supplied by the consuming Kustomization's postBuild.substitute.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: ${APP_NAME}
spec:
  extAuth:
    # Fail closed: requests are denied when Authelia cannot be reached.
    failOpen: false
    # Only these request headers are forwarded to Authelia; the cookie and
    # authorization headers carry the session / credentials it decides on.
    headersToExtAuth:
      - X-Forwarded-For # this is here so we can get the real IP
      # NOTE(review): X-Forwarded-For is only a trustworthy client IP if the gateway
      # sets or overwrites it rather than passing a client-supplied value through;
      # confirm the Envoy Gateway XFF handling before relying on it for access rules.
      - X-Forwarded-Proto
      - authorization
      - proxy-authorization
      - accept
      - cookie
    http:
      # Authelia's authz endpoint, reached in-cluster over plain HTTP on 9091.
      backendRefs:
        - group: ""
          kind: Service
          name: authelia
          namespace: authentication-system
          port: 9091
      path: /api/authz/ext-authz/
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: ${APP_NAME}
-------------------------------------------------------------------------------- /cluster/apps/default/immich/server/base/configmap.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/configmap-v1.json
# Environment for the Immich server; all *_URL / *_HOST values point at in-cluster Services.
apiVersion: v1
kind: ConfigMap
metadata:
  name: immich-config
data:
  DISABLE_REVERSE_GEOCODING: "true"
  ENABLE_MAPBOX: "false"
  # NOTE(review): verbose logging together with NODE_ENV=production — confirm this is
  # meant for steady state rather than a leftover from debugging.
  LOG_LEVEL: verbose
  NODE_ENV: production
  REDIS_HOSTNAME: ot-standalone.default.svc.cluster.local
  REDIS_PORT: "6379"
  IMMICH_WEB_URL: http://immich-web.default.svc.cluster.local:3000
  IMMICH_SERVER_URL: http://immich-server.default.svc.cluster.local:3001
  IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning.default.svc.cluster.local:3003
  TYPESENSE_HOST: immich-typesense.default.svc.cluster.local
  TYPESENSE_PORT: "8108"
  TYPESENSE_PROTOCOL: http
TYPESENSE_DATA_DIR: /config
-------------------------------------------------------------------------------- /cluster/apps/kube-system/metrics-server/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "metrics-server" in kube-system: reconciles base/ every 1h, prunes removed objects.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name metrics-server
  namespace: &namespace kube-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/kube-system/metrics-server/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
  # Monitoring CRDs must exist before the chart's monitoring objects can apply.
  dependsOn:
    - name: kube-prometheus-crds
      namespace: monitoring-system
-------------------------------------------------------------------------------- /cluster/apps/default/mosquitto/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "mosquitto" (default namespace): pulls in the volsync component and
# substitutes APP_NAME so the component's templates are named after this app.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name mosquitto
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  components:
    - ../../../../components/volsync
  postBuild:
    substitute:
      APP_NAME: *name
  path: ./cluster/apps/default/mosquitto/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  # Ready only after every applied object reports Ready.
  wait: true
  dependsOn:
    - name:
rook-ceph-cluster
  namespace: rook-ceph
- name: volsync
  namespace: backup-system
-------------------------------------------------------------------------------- /cluster/apps/default/recyclarr/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "recyclarr" (default namespace): same layout as mosquitto — volsync
# component, APP_NAME substitution, waits on storage and volsync.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name recyclarr
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  components:
    - ../../../../components/volsync
  postBuild:
    substitute:
      APP_NAME: *name
  path: ./cluster/apps/default/recyclarr/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: backup-system
-------------------------------------------------------------------------------- /cluster/apps/default/shared/postgresclusters/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the shared "pgo-cluster" PostgresCluster used by several apps;
# no anchors here because the object name and the label value differ.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: shared-postgrescluster-pgo-cluster
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: pgo-cluster
  path: ./cluster/apps/default/shared/postgresclusters/pgo-cluster
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  # Needs the Postgres operator and both storage drivers before it can come up.
  dependsOn:
    - name:
cdpg-operator
  namespace: postgres-operator
- name: openebs
  namespace: openebs-system
- name: csi-driver-nfs
  namespace: nfs-system
-------------------------------------------------------------------------------- /cluster/apps/networking-system/cloudflared/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "cloudflared" in networking-system: reconciles base/ every 1h, prunes removed objects.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name cloudflared
  namespace: &namespace networking-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/networking-system/cloudflared/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
  # DNS records are managed by cloudflare-external-dns in the same namespace; apply it first.
  dependsOn:
    - name: cloudflare-external-dns
      namespace: *namespace
-------------------------------------------------------------------------------- /cluster/apps/default/nextcloud/base/externalsecret.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
# Renders the Secret "nextcloud-secret" from Bitwarden Secrets Manager. The "{{ .X }}"
# values are filled from the dataFrom extracts below; plain values are literals kept in Git.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name nextcloud-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        nextcloud-username: "{{ .NEXTCLOUD_USERNAME }}"
        nextcloud-password: "{{ .NEXTCLOUD_PASSWORD }}"
        redis-password: "{{ .REDIS_PASSWORD }}"
        # Username is not sensitive and is kept as a literal; the password comes from the store.
        smtp-username: budimanjojo
        smtp-password: "{{
.SMTP_PASSWORD }}"
smtp-host: smtp.gmail.com
oidc-client-secret: "{{ .OIDC_CLIENT_SECRET }}"
# Both store entries are merged into the template context.
dataFrom:
  - extract:
      key: nextcloud
  - extract:
      key: redis
-------------------------------------------------------------------------------- /cluster/apps/kube-system/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
# Kustomize entry point for the kube-system app tree: includes the common and envsubst
# components and lists every app's Flux Kustomization. Order here is not an apply order;
# sequencing is expressed through each app's dependsOn.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
components:
  - ../../components/common
  - ../../components/envsubst
resources:
  - ./cilium/lb-networks/fluxtomization.yaml
  - ./cilium/operator/fluxtomization.yaml
  - ./generic-device-plugin/fluxtomization.yaml
  - ./intel-device-plugins/operator/fluxtomization.yaml
  - ./intel-device-plugins/gpu/fluxtomization.yaml
  - ./k8tz/fluxtomization.yaml
  - ./kubelet-csr-approver/fluxtomization.yaml
  - ./kubernetes-replicator/fluxtomization.yaml
  - ./metrics-server/fluxtomization.yaml
  - ./node-feature-discovery/fluxtomization.yaml
  - ./snapshot-controller/fluxtomization.yaml
-------------------------------------------------------------------------------- /cluster/apps/rook-ceph/rook-ceph/operator/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "rook-ceph-operator": reconciles the operator's base/ every 1h, prunes removed objects.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name rook-ceph-operator
  namespace: &namespace rook-ceph
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/rook-ceph/rook-ceph/operator/base
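sourceRef:
  kind: GitRepository
  name: flux-system
  namespace: flux-system
healthChecks:
  - apiVersion: helm.toolkit.fluxcd.io/v2
    kind: HelmRelease
    name: *name
    namespace: *namespace
# Monitoring CRDs must exist before the operator chart's monitoring objects can apply.
dependsOn:
  - name: kube-prometheus-crds
    namespace: monitoring-system
-------------------------------------------------------------------------------- /.taskfiles/VolSync/WipeJob.tmpl.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/job-batch-v1.json
# One-shot Job template used by the VolSync taskfile to empty a PVC. ${rsrc}, ${claim},
# ${ts} and ${namespace} are filled in by the task that renders this file.
apiVersion: batch/v1
kind: Job
metadata:
  name: "wipe-${rsrc}-${claim}-${ts}"
  namespace: "${namespace}"
spec:
  # Finished Jobs are garbage-collected after an hour.
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      # The pod needs no API access, so no service-account token is mounted.
      automountServiceAccountToken: false
      restartPolicy: OnFailure
      containers:
        - name: wipe
          # NOTE(review): floating tag; pin a digest if the wipe image should be reproducible.
          image: ghcr.io/onedr0p/alpine:latest
          # "&&" rather than ";": if /config is not mounted the shell aborts instead of
          # running "find . -delete" in whatever directory it happens to be in.
          command: ["/bin/bash", "-c", "cd /config && find . -delete"]
          volumeMounts:
            - name: config
              mountPath: /config
          securityContext:
            # NOTE(review): deleting files on a mounted volume needs root (or the volume's
            # owner) but not a privileged container; consider replacing this with
            # runAsUser: 0 — confirm against the storage backend before changing it.
            privileged: true
      volumes:
        - name: config
          persistentVolumeClaim:
            claimName: "${claim}"
-------------------------------------------------------------------------------- /cluster/apps/external-secrets/external-secrets/store/clustersecretstore.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/clustersecretstore_v1.json
# Cluster-wide ExternalSecrets store backed by Bitwarden Secrets Manager, reached through
# the in-cluster bitwarden-sdk-server over TLS.
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: bitwarden-secretsmanager
spec:
  provider:
    bitwardensecretsmanager:
      bitwardenServerSDKURL: https://bitwarden-sdk-server.external-secrets.svc.cluster.local:9998
      # Access token is read from a Secret in the external-secrets namespace, never inlined here.
      auth:
        secretRef:
          credentials:
            key: token
            name: bitwarden-access-token
            namespace: external-secrets
      # CA used to verify the SDK server's certificate.
      caProvider:
        name: bitwarden-tls-certs
        type: Secret
        namespace: external-secrets
        key: ca.crt
      # Organization / project identifiers — not credentials.
      organizationID: b0454365-17bc-4e08-93e3-b3a20046988b
      projectID: f2ef9f3b-053a-4a04-aa07-b3a200771ce2
-------------------------------------------------------------------------------- /cluster/apps/networking-system/echo-server/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "echo-server" in networking-system: reconciles base/ every 1h, prunes removed objects.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name echo-server
  namespace: &namespace networking-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/networking-system/echo-server/base
  sourceRef:
    kind: GitRepository
    name: flux-system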
namespace: flux-system
healthChecks:
  - apiVersion: helm.toolkit.fluxcd.io/v2
    kind: HelmRelease
    name: *name
    namespace: *namespace
# The gateway must exist before the echo-server's route can be attached.
dependsOn:
  - name: envoy-gateway-operator
    namespace: networking-system
-------------------------------------------------------------------------------- /cluster/apps/authentication-system/authelia/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "authelia": the ext-auth backend used by the ext-auth component.
# No healthChecks; readiness comes from wait: true on the applied objects.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name authelia
  namespace: authentication-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/authentication-system/authelia/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  # Needs the gateway plus the shared Postgres and Redis clusters it stores state in.
  dependsOn:
    - name: envoy-gateway-operator
      namespace: networking-system
    - name: shared-postgrescluster-pgo-cluster
      namespace: default
    - name: shared-rediscluster-ot-standalone
      namespace: default
-------------------------------------------------------------------------------- /cluster/apps/monitoring-system/blackbox-exporter/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "blackbox-exporter" in monitoring-system: reconciles base/ every 1h, prunes removed objects.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name blackbox-exporter
  namespace: &namespace monitoring-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path:
./cluster/apps/monitoring-system/blackbox-exporter/base
sourceRef:
  kind: GitRepository
  name: flux-system
  namespace: flux-system
healthChecks:
  - apiVersion: helm.toolkit.fluxcd.io/v2
    kind: HelmRelease
    name: *name
    namespace: *namespace
# Monitoring CRDs must exist before the chart's monitoring objects can apply.
dependsOn:
  - name: kube-prometheus-crds
    namespace: monitoring-system
-------------------------------------------------------------------------------- /cluster/apps/monitoring-system/smartctl-exporter/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "smartctl-exporter" in monitoring-system: reconciles base/ every 1h, prunes removed objects.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name smartctl-exporter
  namespace: &namespace monitoring-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/monitoring-system/smartctl-exporter/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
  dependsOn:
    - name: kube-prometheus-crds
      namespace: monitoring-system
-------------------------------------------------------------------------------- /cluster/apps/cert-manager/cert-manager/operator/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "cert-manager-operator"; note the label value is "cert-manager",
# not the object name, so the &name anchor is only used by the health check.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name cert-manager-operator
  namespace: &namespace cert-manager
spec:
  interval: 1h
  retryInterval: 2m
timeout: 5m
prune: true
commonMetadata:
  labels:
    app.kubernetes.io/name: cert-manager
path: ./cluster/apps/cert-manager/cert-manager/operator/base
sourceRef:
  kind: GitRepository
  name: flux-system
  namespace: flux-system
healthChecks:
  - apiVersion: helm.toolkit.fluxcd.io/v2
    kind: HelmRelease
    name: *name
    namespace: *namespace
dependsOn:
  - name: kube-prometheus-crds
    namespace: monitoring-system
-------------------------------------------------------------------------------- /cluster/apps/default/immich/database/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "immich-database": one of several immich-* Kustomizations, all
# labelled as part of the "immich" application.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: immich-database
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: immich
      app.kubernetes.io/instance: immich
      app.kubernetes.io/part-of: immich
  path: ./cluster/apps/default/immich/database/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  # Storage drivers and the Postgres operator must be Ready first.
  dependsOn:
    - name: openebs
      namespace: openebs-system
    - name: csi-driver-nfs
      namespace: nfs-system
    - name: cdpg-operator
      namespace: postgres-operator
-------------------------------------------------------------------------------- /cluster/apps/default/minio/base/externalsecret.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json
# Renders the Secret "minio-secret" from Bitwarden Secrets Manager: root credentials and
# the OIDC settings MinIO reads from its environment.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name minio-secret
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secretsmanager
  target:
    name: *name
    template:
      data:
        # "{{ .X }}" values come from the "minio" store entry; the rest are literals.
        MINIO_ROOT_USER: "{{ .MINIO_ROOT_USER }}"
        MINIO_ROOT_PASSWORD: "{{ .MINIO_ROOT_PASSWORD }}"
        MINIO_IDENTITY_OPENID_CONFIG_URL: "{{ .MINIO_IDENTITY_OPENID_CONFIG_URL }}"
        MINIO_IDENTITY_OPENID_CLIENT_ID: minio
        MINIO_IDENTITY_OPENID_CLIENT_SECRET: "{{ .MINIO_IDENTITY_OPENID_CLIENT_SECRET }}"
        MINIO_IDENTITY_OPENID_SCOPES: openid,profile,groups,email
        # Group membership is taken from the "groups" claim of the ID token.
        MINIO_IDENTITY_OPENID_CLAIM_NAME: groups
  dataFrom:
    - extract:
        key: minio
-------------------------------------------------------------------------------- /cluster/apps/kube-system/cilium/lb-networks/base/ciliumloadbalancerippool.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/cilium.io/ciliumloadbalancerippool_v2.json
# Three LoadBalancer IP pools: a whole /24 plus two small ranges carved out of existing subnets.
apiVersion: cilium.io/v2
kind: CiliumLoadBalancerIPPool
metadata:
  name: diff-subnet
spec:
  blocks:
    - cidr: 192.168.15.0/24

---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/cilium.io/ciliumloadbalancerippool_v2.json
apiVersion: cilium.io/v2
kind: CiliumLoadBalancerIPPool
metadata:
  name: same-subnet
spec:
  blocks:
    - start: 192.168.200.200
      stop: 192.168.200.210

---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/cilium.io/ciliumloadbalancerippool_v2.json
apiVersion: cilium.io/v2
kind: CiliumLoadBalancerIPPool
metadata:
  name: mgmt-subnet
spec:
  blocks:
    - start: 192.168.10.200
      stop: 192.168.10.210
-------------------------------------------------------------------------------- /cluster/apps/monitoring-system/gatus/fluxtomization.yaml: --------------------------------------------------------------------------------
---
#
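yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "gatus" in monitoring-system: reconciles base/ every 1h, prunes removed objects.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name gatus
  namespace: &namespace monitoring-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/monitoring-system/gatus/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
  # Needs the gateway for its route and the monitoring stack it reports on.
  dependsOn:
    - name: envoy-gateway-operator
      namespace: networking-system
    - name: kube-prometheus-stack
      namespace: monitoring-system
-------------------------------------------------------------------------------- /infrastructure/pulumi/github/main.go: --------------------------------------------------------------------------------
package main

import (
	"pulumi-github/pkg/config"
	"pulumi-github/pkg/generate"

	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	pulumiCfg "github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

// main is the Pulumi program entry point: it loads the stack configuration,
// validates it and declares one GitHub repository per configured entry.
// Any error returned from the callback fails the Pulumi run.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		var cfg config.Config
		// "repositories" is mandatory (RequireObject aborts when it is absent);
		// the other two keys are optional and only surface a decode error.
		pulumiCfg.RequireObject(ctx, "repositories", &cfg.Repositories)
		if err := pulumiCfg.GetObject(ctx, "botActionSecrets", &cfg.BotActionSecrets); err != nil {
			return err
		}
		if err := pulumiCfg.GetObject(ctx, "defaultLabels", &cfg.DefaultLabels); err != nil {
			return err
		}
		if err := config.ValidateConfiguration(&cfg); err != nil {
			return err
		}

		for _, repo := range cfg.Repositories {
			// Copy the loop variable before taking its address: with Go < 1.22 the
			// variable is shared across iterations, so a pointer retained by the
			// generator (e.g. inside an output callback) would alias the last entry.
			repo := repo
			if err := generate.GenerateGitHubRepository(ctx, &repo); err != nil {
				return err
			}
		}

		return nil
	})
}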
-------------------------------------------------------------------------------- /cluster/apps/default/zigbee2mqtt/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "zigbee2mqtt" (default namespace): volsync component plus APP_NAME substitution.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name zigbee2mqtt
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  components:
    - ../../../../components/volsync
  postBuild:
    substitute:
      APP_NAME: *name
  path: ./cluster/apps/default/zigbee2mqtt/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  # Gateway for the route, storage for the PVC, volsync for the backup objects.
  dependsOn:
    - name: envoy-gateway-operator
      namespace: networking-system
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: backup-system
-------------------------------------------------------------------------------- /cluster/apps/networking-system/cloudflare-external-dns/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "cloudflare-external-dns" in networking-system; cloudflared depends on it.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name cloudflare-external-dns
  namespace: &namespace networking-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/networking-system/cloudflare-external-dns/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  # Ready once both the HelmRelease and the DNSEndpoint CRD it installs exist.
  healthChecks:
    - apiVersion:
helm.toolkit.fluxcd.io/v2
  kind: HelmRelease
  name: *name
  namespace: *namespace
- apiVersion: apiextensions.k8s.io/v1
  kind: CustomResourceDefinition
  name: dnsendpoints.externaldns.k8s.io
-------------------------------------------------------------------------------- /cluster/apps/default/autobrr/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "autobrr" (default namespace): volsync plus the keda nfs-scaler
# component, both parameterised through APP_NAME.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name autobrr
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  components:
    - ../../../../components/volsync
    - ../../../../components/keda/nfs-scaler
  postBuild:
    substitute:
      APP_NAME: *name
  path: ./cluster/apps/default/autobrr/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  # keda is required by the nfs-scaler component included above.
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: backup-system
    - name: keda
      namespace: monitoring-system
-------------------------------------------------------------------------------- /cluster/apps/authentication-system/lldap/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "lldap" in authentication-system: volsync component plus APP_NAME substitution.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name lldap
  namespace: authentication-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  components:
- ../../../../components/volsync
postBuild:
  substitute:
    APP_NAME: *name
path: ./cluster/apps/authentication-system/lldap/base
sourceRef:
  kind: GitRepository
  name: flux-system
  namespace: flux-system
wait: true
dependsOn:
  - name: envoy-gateway-operator
    namespace: networking-system
  - name: rook-ceph-cluster
    namespace: rook-ceph
  - name: volsync
    namespace: backup-system
-------------------------------------------------------------------------------- /cluster/apps/backup-system/volsync/base/prometheusrule.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/monitoring.coreos.com/prometheusrule_v1.json
# Alerting rules for VolSync: one for the exporter target vanishing, one for a volume
# that has not synced. Both fire at critical severity after 15 minutes.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: volsync
spec:
  groups:
    - name: volsync.rules
      rules:
        - alert: VolSyncComponentAbsent
          annotations:
            # NOTE: "dissapeared" is a typo in the annotation text; left as-is since it is
            # user-facing alert content rather than configuration.
            summary: Volsync component has dissapeared from Prometheus target discovery.
          # Fires when no volsync job is scraped as up.
          expr: |
            absent(up{job=~".*volsync.*"} == 1)
          for: 15m
          labels:
            severity: critical
        - alert: VolSyncVolumeOutOfSync
          annotations:
            summary: >-
              {{ $labels.obj_namespace }}/{{ $labels.obj_name }} volume
              is out of sync.
expr: |
  volsync_volume_out_of_sync == 1
for: 15m
labels:
  severity: critical
-------------------------------------------------------------------------------- /cluster/apps/default/cross-seed/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "cross-seed" (default namespace): same layout as autobrr — volsync and
# keda nfs-scaler components, APP_NAME substitution, waits on storage, volsync and keda.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name cross-seed
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  components:
    - ../../../../components/volsync
    - ../../../../components/keda/nfs-scaler
  postBuild:
    substitute:
      APP_NAME: *name
  path: ./cluster/apps/default/cross-seed/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: backup-system
    - name: keda
      namespace: monitoring-system
-------------------------------------------------------------------------------- /cluster/apps/monitoring-system/kube-prometheus/stack/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "kube-prometheus-stack" in monitoring-system; the CRDs are applied by
# a separate kube-prometheus-crds Kustomization that this one depends on.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name kube-prometheus-stack
  namespace: &namespace monitoring-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/monitoring-system/kube-prometheus/stack/base
  sourceRef:
kind: GitRepository
  name: flux-system
  namespace: flux-system
healthChecks:
  - apiVersion: helm.toolkit.fluxcd.io/v2
    kind: HelmRelease
    name: *name
    namespace: *namespace
dependsOn:
  - name: kube-prometheus-crds
    namespace: monitoring-system
  - name: envoy-gateway-operator
    namespace: networking-system
-------------------------------------------------------------------------------- /cluster/base/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Root Flux Kustomization "cluster-apps": applies everything under ./cluster/apps, i.e. the
# per-app Kustomizations above, and is the only place SOPS decryption is configured.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cluster-apps
  namespace: flux-system
spec:
  # SOPS-encrypted manifests in the tree are decrypted with the age key in sops-age.
  decryption:
    provider: sops
    secretRef:
      name: sops-age
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  path: ./cluster/apps
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  # Does not block on the child Kustomizations becoming Ready.
  wait: false
  # Injects the same decryption settings into every Kustomization found under ./cluster/apps
  # (the target matches on group/kind only), so the per-app files do not repeat them.
  patches:
    - patch: |-
        apiVersion: kustomize.toolkit.fluxcd.io/v1
        kind: Kustomization
        metadata:
          name: not-used
        spec:
          decryption:
            provider: sops
            secretRef:
              name: sops-age
      target:
        group: kustomize.toolkit.fluxcd.io
        kind: Kustomization
-------------------------------------------------------------------------------- /cluster/apps/default/prowlarr/fluxtomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization "prowlarr" (default namespace): ext-auth and volsync components.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name prowlarr
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
14 | labels: 15 | app.kubernetes.io/name: *name 16 | components: 17 | - ../../../../components/ext-auth 18 | - ../../../../components/volsync 19 | postBuild: 20 | substitute: 21 | APP_NAME: *name 22 | path: ./cluster/apps/default/prowlarr/base 23 | sourceRef: 24 | kind: GitRepository 25 | name: flux-system 26 | namespace: flux-system 27 | wait: true 28 | dependsOn: 29 | - name: envoy-gateway-operator 30 | namespace: networking-system 31 | - name: rook-ceph-cluster 32 | namespace: rook-ceph 33 | - name: volsync 34 | namespace: backup-system 35 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/intel-device-plugins/operator/fluxtomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &name intel-device-plugins-operator 7 | namespace: &namespace kube-system 8 | spec: 9 | interval: 1h 10 | retryInterval: 2m 11 | timeout: 5m 12 | prune: true 13 | commonMetadata: 14 | labels: 15 | app.kubernetes.io/name: intel-device-plugins 16 | path: ./cluster/apps/kube-system/intel-device-plugins/operator/base 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | healthChecks: 22 | - apiVersion: helm.toolkit.fluxcd.io/v2 23 | kind: HelmRelease 24 | name: *name 25 | namespace: *namespace 26 | dependsOn: 27 | - name: cert-manager-operator 28 | namespace: cert-manager 29 | - name: node-feature-discovery 30 | namespace: kube-system 31 | -------------------------------------------------------------------------------- /cluster/apps/default/immich/machine-learning/fluxtomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &name immich-machine-learning 7 | namespace: default 8 | spec: 9 | interval: 1h 10 | retryInterval: 2m 11 | timeout: 5m 12 | prune: true 13 | commonMetadata: 14 | labels: 15 | app.kubernetes.io/name: immich 16 | app.kubernetes.io/instance: immich 17 | app.kubernetes.io/part-of: immich 18 | components: 19 | - ../../../../../components/keda/nfs-scaler 20 | postBuild: 21 | substitute: 22 | APP_NAME: *name 23 | path: ./cluster/apps/default/immich/machine-learning/base 24 | sourceRef: 25 | kind: GitRepository 26 | name: flux-system 27 | namespace: flux-system 28 | wait: true 29 | dependsOn: 30 | - name: immich-server 31 | namespace: default 32 | - name: keda 33 | namespace: monitoring-system 34 | -------------------------------------------------------------------------------- /cluster/apps/monitoring-system/keda/base/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: keda 7 | spec: 8 | interval: 30m 9 | timeout: 60s 10 | url: oci://ghcr.io/home-operations/charts-mirror/keda 11 | ref: 12 | tag: 2.18.2 13 | layerSelector: 14 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 15 | operation: copy 16 | --- 17 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json 18 | apiVersion: helm.toolkit.fluxcd.io/v2 19 | kind: HelmRelease 20 | metadata: 21 | name: keda 22 | spec: 23 | interval: 1h 24 | timeout: 5m 25 | chartRef: 26 | kind: OCIRepository 27 | name: keda 28 | install: 29 | remediation: 30 | retries: -1 31 | upgrade: 32 | cleanupOnFail: true 33 | remediation: 
34 | retries: 5 35 | values: 36 | enableServiceLinks: false 37 | -------------------------------------------------------------------------------- /cluster/apps/default/minio/fluxtomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &name minio 7 | namespace: default 8 | spec: 9 | interval: 1h 10 | retryInterval: 2m 11 | timeout: 5m 12 | prune: true 13 | commonMetadata: 14 | labels: 15 | app.kubernetes.io/name: *name 16 | components: 17 | - ../../../../components/keda/nfs-scaler 18 | postBuild: 19 | substitute: 20 | APP_NAME: *name 21 | path: ./cluster/apps/default/minio/base 22 | sourceRef: 23 | kind: GitRepository 24 | name: flux-system 25 | namespace: flux-system 26 | wait: true 27 | dependsOn: 28 | - name: kube-prometheus-crds 29 | namespace: monitoring-system 30 | - name: envoy-gateway-operator 31 | namespace: networking-system 32 | - name: csi-driver-nfs 33 | namespace: nfs-system 34 | - name: keda 35 | namespace: monitoring-system 36 | -------------------------------------------------------------------------------- /cluster/apps/default/radicale/fluxtomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &name radicale 7 | namespace: default 8 | spec: 9 | interval: 1h 10 | retryInterval: 2m 11 | timeout: 5m 12 | prune: true 13 | commonMetadata: 14 | labels: 15 | app.kubernetes.io/name: *name 16 | components: 17 | - ../../../../components/volsync 18 | postBuild: 19 | substitute: 20 | APP_NAME: *name 21 | path: 
./cluster/apps/default/radicale/base 22 | sourceRef: 23 | kind: GitRepository 24 | name: flux-system 25 | namespace: flux-system 26 | wait: true 27 | dependsOn: 28 | - name: envoy-gateway-operator 29 | namespace: networking-system 30 | - name: rook-ceph-cluster 31 | namespace: rook-ceph 32 | - name: shared-postgrescluster-pgo-cluster 33 | namespace: default 34 | - name: volsync 35 | namespace: backup-system 36 | -------------------------------------------------------------------------------- /cluster/apps/default/firefly-iii/fluxtomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &name firefly-iii 7 | namespace: default 8 | spec: 9 | interval: 1h 10 | retryInterval: 2m 11 | timeout: 5m 12 | prune: true 13 | commonMetadata: 14 | labels: 15 | app.kubernetes.io/name: *name 16 | components: 17 | - ../../../../components/volsync 18 | postBuild: 19 | substitute: 20 | APP_NAME: *name 21 | path: ./cluster/apps/default/firefly-iii/base 22 | sourceRef: 23 | kind: GitRepository 24 | name: flux-system 25 | namespace: flux-system 26 | wait: true 27 | dependsOn: 28 | - name: envoy-gateway-operator 29 | namespace: networking-system 30 | - name: shared-postgrescluster-pgo-cluster 31 | namespace: default 32 | - name: rook-ceph-cluster 33 | namespace: rook-ceph 34 | - name: volsync 35 | namespace: backup-system 36 | -------------------------------------------------------------------------------- /cluster/apps/authentication-system/authelia/base/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/external-secrets.io/externalsecret_v1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: 
ExternalSecret 5 | metadata: 6 | name: &name authelia-config 7 | spec: 8 | target: 9 | name: *name 10 | template: 11 | templateFrom: 12 | - target: Data 13 | configMap: 14 | name: authelia-config-tpl 15 | items: 16 | - key: configuration.yaml 17 | templateAs: Values 18 | dataFrom: 19 | - extract: 20 | key: authelia 21 | sourceRef: 22 | storeRef: 23 | kind: ClusterSecretStore 24 | name: bitwarden-secretsmanager 25 | 26 | - extract: 27 | key: pgo-cluster-pguser-authelia 28 | rewrite: 29 | - transform: 30 | template: 'POSTGRES_{{ .value | replace "-" "_" | upper }}' 31 | sourceRef: 32 | storeRef: 33 | kind: ClusterSecretStore 34 | name: pgo-cluster-users 35 | -------------------------------------------------------------------------------- /cluster/apps/actions-runner-system/actions-runner-runners/base/home-cluster/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: home-cluster 7 | spec: 8 | interval: 1h 9 | timeout: 5m 10 | chartRef: 11 | kind: OCIRepository 12 | name: gha-runner-scale-set 13 | install: 14 | remediation: 15 | retries: -1 16 | upgrade: 17 | cleanupOnFail: true 18 | remediation: 19 | retries: 5 20 | values: 21 | controllerServiceAccount: 22 | name: actions-runner-controller-gha-rs-controller 23 | namespace: actions-runner-system 24 | runnerScaleSetName: arc-runner-set-home-cluster 25 | githubConfigUrl: https://github.com/budimanjojo/home-cluster 26 | minRunners: 1 27 | maxRunners: 3 28 | containerMode: 29 | type: dind 30 | githubConfigSecret: actions-runner-controller-secret 31 | template: 32 | spec: 33 | serviceAccountName: home-cluster 34 | -------------------------------------------------------------------------------- /cluster/apps/backup-system/volsync/fluxtomization.yaml: 
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for volsync (namespace backup-system).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name volsync
  namespace: &namespace backup-system
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  path: ./cluster/apps/backup-system/volsync/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  # Readiness is judged on the HelmRelease of the same name/namespace.
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *name
      namespace: *namespace
  # minio is the backup target, snapshot-controller provides the
  # VolumeSnapshot CRDs the Snapshot copy method relies on.
  dependsOn:
    - name: minio
      namespace: default
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: snapshot-controller
      namespace: kube-system
    - name: kube-prometheus-crds
      namespace: monitoring-system
--------------------------------------------------------------------------------
/cluster/apps/kube-system/kubernetes-replicator/base/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: kubernetes-replicator
spec:
  interval: 30m
  timeout: 60s
  url: oci://ghcr.io/home-operations/charts-mirror/kubernetes-replicator
  ref:
    tag: 2.12.2
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json
# Chart defaults only; no values are overridden here.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: kubernetes-replicator
spec:
  interval: 1h
  timeout: 5m
  chartRef:
    kind: OCIRepository
    name: kubernetes-replicator
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 5
--------------------------------------------------------------------------------
/cluster/apps/kube-system/node-feature-discovery/base/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: node-feature-discovery
spec:
  interval: 30m
  timeout: 60s
  url: oci://ghcr.io/home-operations/charts-mirror/node-feature-discovery
  ref:
    tag: 0.18.0
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json
# Chart defaults only; no values are overridden here.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: node-feature-discovery
spec:
  interval: 1h
  timeout: 5m
  chartRef:
    kind: OCIRepository
    name: node-feature-discovery
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 5
--------------------------------------------------------------------------------
/cluster/apps/monitoring-system/kube-prometheus/crds/base/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: kube-prometheus-crds
spec:
  interval: 30m
  timeout: 60s
  # Pulled straight from the upstream prometheus-community registry, not the
  # home-operations mirror used by most other charts here.
  url: oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds
  ref:
    tag: 20.0.3
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json
# Installs only the Prometheus Operator CRDs; many Kustomizations depend on it.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: kube-prometheus-crds
spec:
  interval: 1h
  timeout: 5m
  chartRef:
    kind: OCIRepository
    name: kube-prometheus-crds
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 5
--------------------------------------------------------------------------------
/cluster/apps/redis-operator/ot-operator/base/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: ot-operator
spec:
  interval: 30m
  timeout: 60s
  url: oci://ghcr.io/ot-container-kit/charts/redis-operator
  ref:
    tag: 0.22.2
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json
# OT redis operator. CRDs are managed by Flux on both install and upgrade
# (CreateReplace) rather than left to Helm's install-only default.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: ot-operator
spec:
  interval: 1h
  timeout: 5m
  chartRef:
    kind: OCIRepository
    name: ot-operator
  install:
    crds: CreateReplace
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    crds: CreateReplace
    remediation:
      retries: 5
--------------------------------------------------------------------------------
/.taskfiles/VolSync/ReplicationDestination.tmpl.yaml:
--------------------------------------------------------------------------------
---
# Template for a one-shot volsync restore into an existing PVC. The ${rsrc},
# ${claim}, ${ts} and ${namespace} placeholders are presumably filled in by the
# VolSync Taskfile before the manifest is applied — confirm against the task.
apiVersion: volsync.backube/v1alpha1
kind: ReplicationDestination
metadata:
  name: "${rsrc}-${claim}-${ts}"
  namespace: "${namespace}"
spec:
  trigger:
    manual: restore-once
  restic:
    # Restic repository credentials come from the app's restic secret.
    repository: "${rsrc}-restic-secret"
    destinationPVC: "${claim}"
    copyMethod: Direct
    storageClassName: rook-ceph-block
    # IMPORTANT NOTE:
    # Set to the last X number of snapshots to restore from
    previous: 2
    # OR;
    # IMPORTANT NOTE:
    # On bootstrap set `restoreAsOf` to the time the old cluster was destroyed.
    # This will essentially prevent volsync from trying to restore a backup
    # from an application that started with default data in the PVC.
    # Do not restore snapshots made after the following RFC3339 Timestamp.
    # date --rfc-3339=seconds (--utc)
    # restoreAsOf: "2022-12-10T16:00:00-05:00"
    # The mover pod runs as this fixed uid/gid (568), not as the app's own
    # VOLSYNC_PUID/PGID — restored files will be owned accordingly.
    moverSecurityContext:
      runAsUser: 568
      runAsGroup: 568
      fsGroup: 568
--------------------------------------------------------------------------------
/cluster/apps/default/immich/server/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the immich server (namespace default).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name immich-server
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: immich
      app.kubernetes.io/instance: immich
      app.kubernetes.io/part-of: immich
  # One directory deeper than the other apps, hence the extra "../".
  components:
    - ../../../../../components/keda/nfs-scaler
  postBuild:
    substitute:
      APP_NAME: *name
  path: ./cluster/apps/default/immich/server/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: envoy-gateway-operator
      namespace: networking-system
    - name: immich-database
      namespace: default
    - name: keda
      namespace: monitoring-system
--------------------------------------------------------------------------------
/cluster/apps/backup-system/volsync/base/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: volsync
spec:
  interval: 30m
  timeout: 60s
  url: oci://ghcr.io/home-operations/charts-mirror/volsync
  ref:
    tag: 0.14.0
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: volsync
spec:
  interval: 1h
  timeout: 5m
  chartRef:
    kind: OCIRepository
    name: volsync
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 5
  values:
    # Let the chart own the volsync CRDs (upgrades included).
    manageCRDs: true
    metrics:
      # NOTE(review): presumably exposes the volsync metrics endpoint without
      # authentication so the scraper can reach it. Confirm it is only
      # reachable in-cluster by the scraper (e.g. NetworkPolicy), since
      # nothing here restricts access.
      disableAuth: true
--------------------------------------------------------------------------------
/cluster/apps/default/jellyseerr/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for jellyseerr (namespace default).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name jellyseerr
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  components:
    - ../../../../components/volsync
    - ../../../../components/keda/nfs-scaler
  postBuild:
    substitute:
      APP_NAME: *name
  path: ./cluster/apps/default/jellyseerr/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: envoy-gateway-operator
      namespace: networking-system
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: backup-system
    - name: keda
      namespace: monitoring-system
--------------------------------------------------------------------------------
/cluster/apps/postgres-operator/cdpg-operator/base/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: cdpg-operator
spec:
  interval: 30m
  timeout: 60s
  # Pulled from Crunchy Data's own registry rather than a ghcr.io mirror.
  url: oci://registry.developers.crunchydata.com/crunchydata/pgo
  ref:
    tag: 5.8.5
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json
# Crunchy Data postgres operator (pgo). CRDs are managed by Flux on both
# install and upgrade (CreateReplace).
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: cdpg-operator
spec:
  interval: 1h
  timeout: 5m
  chartRef:
    kind: OCIRepository
    name: cdpg-operator
  install:
    crds: CreateReplace
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    crds: CreateReplace
    remediation:
      retries: 5
--------------------------------------------------------------------------------
/cluster/apps/kube-system/cilium/operator/base/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: cilium-operator
spec:
  interval: 30m
  timeout: 60s
  url: oci://ghcr.io/home-operations/charts-mirror/cilium
  ref:
    tag: 1.18.4
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json
# Cilium CNI. Chart values live in the cilium-values ConfigMap so the same
# values file can be shared with the Talos bootstrap (see talos/cni).
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: cilium-operator
spec:
  interval: 1h
  timeout: 5m
  chartRef:
    kind: OCIRepository
    name: cilium-operator
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 5
  valuesFrom:
    - kind: ConfigMap
      name: cilium-values
--------------------------------------------------------------------------------
/cluster/apps/default/jellyfin/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for jellyfin (namespace default).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name jellyfin
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  components:
    - ../../../../components/volsync
    - ../../../../components/keda/nfs-scaler
  postBuild:
    substitute:
      APP_NAME: *name
      # Overrides the volsync component's default capacity for this app.
      VOLSYNC_CAPACITY: 3Gi
  path: ./cluster/apps/default/jellyfin/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: envoy-gateway-operator
      namespace: networking-system
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: backup-system
    - name: keda
      namespace: monitoring-system
--------------------------------------------------------------------------------
/cluster/apps/flux-system/flux-instance/base/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: flux-instance
spec:
  interval: 30m
  timeout: 60s
  url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-instance
  ref:
    tag: 0.37.0
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json
# FluxInstance managed by flux-operator; values come from a ConfigMap.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: flux-instance
spec:
  interval: 1h
  timeout: 5m
  chartRef:
    kind: OCIRepository
    name: flux-instance
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 5
  valuesFrom:
    - kind: ConfigMap
      name: flux-instance-values
--------------------------------------------------------------------------------
/cluster/apps/flux-system/flux-operator/base/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: flux-operator
spec:
  interval: 30m
  timeout: 60s
  url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator
  ref:
    tag: 0.37.0
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json
# flux-operator itself; pinned to the same chart version as flux-instance.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: flux-operator
spec:
  interval: 1h
  timeout: 5m
  chartRef:
    kind: OCIRepository
    name: flux-operator
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 5
  valuesFrom:
    - kind: ConfigMap
      name: flux-operator-values
--------------------------------------------------------------------------------
/cluster/apps/default/bazarr/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for bazarr (namespace default).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name bazarr
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  components:
    - ../../../../components/ext-auth
    - ../../../../components/volsync
    - ../../../../components/keda/nfs-scaler
  postBuild:
    substitute:
      APP_NAME: *name
      # uid/gid the volsync mover runs as; quoted so kustomize keeps them strings.
      VOLSYNC_PUID: "1000"
      VOLSYNC_PGID: "1000"
  path: ./cluster/apps/default/bazarr/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: envoy-gateway-operator
      namespace: networking-system
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: backup-system
--------------------------------------------------------------------------------
/cluster/apps/default/radarr/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for radarr (namespace default).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name radarr
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  components:
    - ../../../../components/ext-auth
    - ../../../../components/volsync
    - ../../../../components/keda/nfs-scaler
  postBuild:
    substitute:
      APP_NAME: *name
  path: ./cluster/apps/default/radarr/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: envoy-gateway-operator
      namespace: networking-system
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: backup-system
    - name: keda
      namespace: monitoring-system
--------------------------------------------------------------------------------
/cluster/apps/default/sonarr/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for sonarr (namespace default).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name sonarr
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  components:
    - ../../../../components/ext-auth
    - ../../../../components/volsync
    - ../../../../components/keda/nfs-scaler
  postBuild:
    substitute:
      APP_NAME: *name
  path: ./cluster/apps/default/sonarr/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: envoy-gateway-operator
      namespace: networking-system
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: backup-system
    - name: keda
      namespace: monitoring-system
--------------------------------------------------------------------------------
/cluster/apps/default/qbittorrent/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for qbittorrent (namespace default).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name qbittorrent
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  components:
    - ../../../../components/volsync
    - ../../../../components/keda/nfs-scaler
  postBuild:
    substitute:
      APP_NAME: *name
      # Deployed as a StatefulSet instead of the components' default workload kind.
      DEPLOY_TYPE: StatefulSet
  path: ./cluster/apps/default/qbittorrent/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: envoy-gateway-operator
      namespace: networking-system
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: volsync
      namespace: backup-system
    - name: keda
      namespace: monitoring-system
--------------------------------------------------------------------------------
/cluster/apps/default/homeassistant/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for homeassistant (namespace default).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name homeassistant
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  components:
    - ../../../../components/volsync
  postBuild:
    substitute:
      APP_NAME: *name
  path: ./cluster/apps/default/homeassistant/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: envoy-gateway-operator
      namespace: networking-system
    - name: shared-postgrescluster-pgo-cluster
      namespace: default
    - name: rook-ceph-cluster
      namespace: rook-ceph
    - name: csi-driver-nfs
      namespace: nfs-system
    - name: volsync
      namespace: backup-system
--------------------------------------------------------------------------------
/cluster/components/volsync/replicationsource.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/volsync.backube/replicationsource_v1alpha1.json
# Shared volsync backup component. Every ${VAR:=default} below is filled in
# by the consuming Kustomization's postBuild.substitute; only APP_NAME has no
# default and must always be supplied.
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
  name: ${APP_NAME}
spec:
  sourcePVC: ${APP_NAME}
  trigger:
    # Daily at 00:00 (cron syntax).
    schedule: 0 0 * * *
  restic:
    copyMethod: ${VOLSYNC_COPYMETHOD:=Snapshot}
    pruneIntervalDays: 10
    # Restic repository URL/credentials come from this per-app Secret.
    repository: ${APP_NAME}-volsync-secret
    volumeSnapshotClassName: ${VOLSYNC_SNAPSHOTCLASS:=rook-ceph-block}
    cacheCapacity: ${VOLSYNC_CACHE_CAPACITY:=1Gi}
    cacheStorageClassName: nfs-csi # this makes more sense for me because I don't need to worry about the size and I can use ReadWriteMany
    cacheAccessModes:
      - ReadWriteMany
    storageClassName: ${VOLSYNC_STORAGECLASS:=rook-ceph-block}
    accessModes:
      - ${VOLSYNC_ACCESSMODE:=ReadWriteOnce}
    # The mover runs as the app's uid/gid (default 1000) so the snapshot
    # contents stay readable; override VOLSYNC_PUID/PGID per app when needed.
    moverSecurityContext:
      runAsUser: ${VOLSYNC_PUID:=1000}
      runAsGroup: ${VOLSYNC_PGID:=1000}
      fsGroup: ${VOLSYNC_PGID:=1000}
    retain:
      daily: 10
--------------------------------------------------------------------------------
/cluster/apps/default/nextcloud/fluxtomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for nextcloud (namespace default). No volsync component
# here; its data lives on NFS and in the shared postgres/redis clusters.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &name nextcloud
  namespace: default
spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  prune: true
  commonMetadata:
    labels:
      app.kubernetes.io/name: *name
  components:
    - ../../../../components/keda/nfs-scaler
  postBuild:
    substitute:
      APP_NAME: *name
  path: ./cluster/apps/default/nextcloud/base
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: envoy-gateway-operator
      namespace: networking-system
    - name: csi-driver-nfs
      namespace: nfs-system
    - name: shared-postgrescluster-pgo-cluster
      namespace: default
    - name: shared-rediscluster-ot-standalone
      namespace: default
    - name: keda
      namespace: monitoring-system
--------------------------------------------------------------------------------
/cluster/apps/kube-system/intel-device-plugins/gpu/base/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: intel-device-plugins-gpu
spec:
  interval: 30m
  timeout: 60s
  url: oci://ghcr.io/home-operations/charts-mirror/intel-device-plugins-gpu
  ref:
    tag: 0.34.1
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json
# Intel GPU device plugin (requires the operator Kustomization in the same namespace).
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: intel-device-plugins-gpu
spec:
  interval: 1h
  timeout: 5m
  chartRef:
    kind: OCIRepository
    name: intel-device-plugins-gpu
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 5
  values:
    name: i915
    # Presumably the number of containers allowed to share each i915 device;
    # 99 effectively makes the GPU a shared resource for any pod that asks.
    sharedDevNum: 99
--------------------------------------------------------------------------------
/cluster/apps/kube-system/metrics-server/base/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: metrics-server
spec:
  interval: 30m
  timeout: 60s
  url: oci://ghcr.io/home-operations/charts-mirror/metrics-server
  ref:
    tag: 3.13.0
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
---
# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: metrics-server
spec:
  interval: 1h
  timeout: 5m
chartRef: 26 | kind: OCIRepository 27 | name: metrics-server 28 | install: 29 | remediation: 30 | retries: -1 31 | upgrade: 32 | cleanupOnFail: true 33 | remediation: 34 | retries: 5 35 | values: 36 | metrics: 37 | enabled: true 38 | serviceMonitor: 39 | enabled: true 40 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/kubelet-csr-approver/base/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: kubelet-csr-approver 7 | spec: 8 | interval: 30m 9 | timeout: 60s 10 | url: oci://ghcr.io/postfinance/charts/kubelet-csr-approver 11 | ref: 12 | tag: 1.2.12 13 | layerSelector: 14 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 15 | operation: copy 16 | --- 17 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json 18 | apiVersion: helm.toolkit.fluxcd.io/v2 19 | kind: HelmRelease 20 | metadata: 21 | name: kubelet-csr-approver 22 | spec: 23 | interval: 1h 24 | timeout: 5m 25 | chartRef: 26 | kind: OCIRepository 27 | name: kubelet-csr-approver 28 | install: 29 | remediation: 30 | retries: -1 31 | upgrade: 32 | cleanupOnFail: true 33 | remediation: 34 | retries: 5 35 | values: 36 | providerRegex: ^k(master|worker)\d\d?$ 37 | bypassDnsResolution: true 38 | -------------------------------------------------------------------------------- /cluster/apps/cert-manager/cert-manager/issuers/selfsigned/clusterissuer.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/cert-manager.io/clusterissuer_v1.json 3 | apiVersion: cert-manager.io/v1 4 | kind: ClusterIssuer 5 | metadata: 6 | name: 
cluster-selfsigned-bootstrap 7 | spec: 8 | selfSigned: {} 9 | 10 | --- 11 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/cert-manager.io/certificate_v1.json 12 | apiVersion: cert-manager.io/v1 13 | kind: Certificate 14 | metadata: 15 | name: &name cluster-selfsigned-ca 16 | spec: 17 | isCA: true 18 | commonName: *name 19 | subject: 20 | organizations: 21 | - budimanjojo 22 | secretName: *name 23 | privateKey: 24 | algorithm: ECDSA 25 | size: 256 26 | issuerRef: 27 | name: cluster-selfsigned-bootstrap 28 | kind: ClusterIssuer 29 | group: cert-manager.io 30 | 31 | --- 32 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/cert-manager.io/clusterissuer_v1.json 33 | apiVersion: cert-manager.io/v1 34 | kind: ClusterIssuer 35 | metadata: 36 | name: cluster-selfsigned 37 | spec: 38 | ca: 39 | secretName: cluster-selfsigned-ca 40 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/intel-device-plugins/operator/base/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: intel-device-plugins-operator 7 | spec: 8 | interval: 30m 9 | timeout: 60s 10 | url: oci://ghcr.io/home-operations/charts-mirror/intel-device-plugins-operator 11 | ref: 12 | tag: 0.34.1 13 | layerSelector: 14 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 15 | operation: copy 16 | --- 17 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json 18 | apiVersion: helm.toolkit.fluxcd.io/v2 19 | kind: HelmRelease 20 | metadata: 21 | name: intel-device-plugins-operator 22 | spec: 23 | interval: 1h 24 | timeout: 5m 25 | chartRef: 26 | kind: OCIRepository 27 | name: intel-device-plugins-operator 28 | 
install: 29 | crds: CreateReplace 30 | remediation: 31 | retries: -1 32 | upgrade: 33 | cleanupOnFail: true 34 | crds: CreateReplace 35 | remediation: 36 | retries: 5 37 | -------------------------------------------------------------------------------- /cluster/apps/actions-runner-system/actions-runner-controller/base/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: gha-runner-scale-set-controller 7 | spec: 8 | interval: 30m 9 | timeout: 60s 10 | url: oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller 11 | ref: 12 | tag: 0.13.0 13 | layerSelector: 14 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 15 | operation: copy 16 | --- 17 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json 18 | apiVersion: helm.toolkit.fluxcd.io/v2 19 | kind: HelmRelease 20 | metadata: 21 | name: actions-runner-controller 22 | spec: 23 | interval: 1h 24 | timeout: 5m 25 | chartRef: 26 | kind: OCIRepository 27 | name: gha-runner-scale-set-controller 28 | install: 29 | crds: CreateReplace 30 | remediation: 31 | retries: -1 32 | upgrade: 33 | cleanupOnFail: true 34 | crds: CreateReplace 35 | remediation: 36 | retries: 5 37 | -------------------------------------------------------------------------------- /cluster/apps/default/nextcloud/base/httproute.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/httproute_v1.json 3 | apiVersion: gateway.networking.k8s.io/v1 4 | kind: HTTPRoute 5 | metadata: 6 | name: nextcloud 7 | spec: 8 | hostnames: ["nextcloud.${SECRET_DOMAIN_0}"] 9 | 
parentRefs: 10 | - name: external 11 | namespace: networking-system 12 | port: 443 13 | rules: 14 | - backendRefs: 15 | - name: nextcloud 16 | port: 8080 17 | - matches: 18 | - path: 19 | type: RegularExpression 20 | value: /.well-known/(?:card|cal)dav 21 | filters: 22 | - type: RequestRedirect 23 | requestRedirect: 24 | path: 25 | type: ReplaceFullPath 26 | replaceFullPath: /remote.php/dav/ 27 | statusCode: 301 28 | # fix security and setup warnings failing to load in the web ui 29 | - backendRefs: 30 | - name: nextcloud 31 | port: 8080 32 | matches: 33 | - path: 34 | type: PathPrefix 35 | value: /settings/ajax/checksetup 36 | timeouts: 37 | request: 300s 38 | --------------------------------------------------------------------------------