├── .github ├── FUNDING.yml ├── CODEOWNERS ├── labeler.yaml ├── workflows │ ├── label-sync.yaml │ ├── labeler.yaml │ └── renovate.yaml ├── SECURITY.md ├── labels.yaml └── CONTRIBUTING.md ├── .minijinja.toml ├── kubernetes ├── flux │ ├── repositories │ │ ├── git │ │ │ └── kustomization.yaml │ │ ├── helm │ │ │ └── kustomization.yaml │ │ └── oci │ │ │ ├── kustomization.yaml │ │ │ └── app-template.yaml │ └── cluster │ │ └── ks.yaml ├── components │ ├── keda │ │ ├── kustomization.yaml │ │ └── nfs-scaler │ │ │ ├── kustomization.yaml │ │ │ └── scaledobject.yaml │ ├── volsync │ │ ├── pvc │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ │ ├── kustomization.yaml │ │ └── volsync │ │ │ ├── kustomization.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── replicationdestination.yaml │ │ │ └── replicationsource.yaml │ └── namespace │ │ ├── kustomization.yaml │ │ ├── namespace │ │ ├── kustomization.yaml │ │ └── namespace.yaml │ │ └── alerts │ │ ├── kustomization.yaml │ │ ├── alertmanager │ │ ├── kustomization.yaml │ │ ├── provider.yaml │ │ └── alert.yaml │ │ └── github │ │ ├── kustomization.yaml │ │ ├── alert.yaml │ │ ├── provider.yaml │ │ └── externalsecret.yaml └── apps │ ├── media │ ├── bazarr │ │ ├── app │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── nzbget │ │ ├── app │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── qbittorrent │ │ ├── app │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── plex │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ │ └── ks.yaml │ ├── qui │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── externalsecret.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── prowlarr │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── externalsecret.yaml │ │ └── ks.yaml │ ├── radarr │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── pvc.yaml │ │ │ └── externalsecret.yaml │ │ └── ks.yaml │ ├── seerr │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── pvc.yaml │ │ │ └── externalsecret.yaml │ │ └── ks.yaml │ ├── sonarr │ │ ├── app │ │ │ ├── 
kustomization.yaml │ │ │ ├── pvc.yaml │ │ │ └── externalsecret.yaml │ │ └── ks.yaml │ ├── tautulli │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── pvc.yaml │ │ │ └── externalsecret.yaml │ │ └── ks.yaml │ ├── autobrr │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── externalsecret.yaml │ │ │ └── prometheusrule.yaml │ │ └── ks.yaml │ ├── tqm │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── cross-seed │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── externalsecret.yaml │ │ │ └── resources │ │ │ │ └── config.js │ │ └── ks.yaml │ ├── recyclarr │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── resources │ │ │ │ └── recyclarr.yml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ └── kustomization.yaml │ ├── default │ ├── atuin │ │ ├── app │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── thelounge │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── home-assistant │ │ ├── app │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── zigbee2mqtt │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── scaledobject.yaml │ │ │ └── externalsecret.yaml │ │ └── ks.yaml │ ├── mosquitto │ │ ├── app │ │ │ ├── resources │ │ │ │ └── mosquitto.conf │ │ │ ├── pvc.yaml │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ └── kustomization.yaml │ ├── networking │ ├── multus │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ ├── networks │ │ │ ├── kustomization.yaml │ │ │ └── iot.yaml │ │ └── ks.yaml │ ├── echo-server │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── envoy-gateway │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ ├── proxy │ │ │ ├── kustomization.yaml │ │ │ ├── certificate.yaml │ │ │ ├── podmonitor.yaml │ │ │ └── prometheusrule.yaml │ │ └── ks.yaml │ ├── tailscale-operator │ │ ├── connectors │ │ │ ├── egress.yaml │ │ │ ├── kustomization.yaml │ │ │ └── ingress.yaml │ │ ├── 
app │ │ │ ├── kustomization.yaml │ │ │ ├── externalsecret.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── external-dns │ │ ├── unifi │ │ │ ├── kustomization.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── prometheusrule.yaml │ │ │ └── rbac.yaml │ │ ├── cloudflare │ │ │ ├── kustomization.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── prometheusrule.yaml │ │ │ └── rbac.yaml │ │ └── ks.yaml │ ├── cloudflared │ │ ├── app │ │ │ ├── resources │ │ │ │ └── config.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── externalsecret.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── smtp-relay │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── resources │ │ │ │ └── maddy.conf │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ └── kustomization.yaml │ ├── kube-system │ ├── cilium │ │ ├── app │ │ │ └── kustomization.yaml │ │ ├── config │ │ │ ├── kustomization.yaml │ │ │ ├── pool.yaml │ │ │ ├── vip.yaml │ │ │ └── l3.yaml │ │ └── ks.yaml │ ├── coredns │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── reloader │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── spegel │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── descheduler │ │ ├── app │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── metrics-server │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── intel-gpu-resource-driver │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ └── kustomization.yaml │ ├── observability │ ├── karma │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── keda │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── fluent-bit │ │ ├── app │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── victoria-logs │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── silence-operator │ │ ├── app │ │ 
│ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ ├── silences │ │ │ ├── kustomization.yaml │ │ │ └── silences.yaml │ │ └── ks.yaml │ ├── blackbox-exporter │ │ ├── probes │ │ │ ├── kustomization.yaml │ │ │ ├── nfs.yaml │ │ │ └── devices.yaml │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── prometheusrule.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── grafana │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── externalsecret.yaml │ │ └── ks.yaml │ ├── snmp-exporter │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── prometheusrule.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── smartctl-exporter │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── unpoller │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── prometheusrule.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── kube-prometheus-stack │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── externalsecret.yaml │ │ │ └── prometheusrule.yaml │ │ └── ks.yaml │ ├── kromgo │ │ ├── app │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── gatus │ │ ├── ks.yaml │ │ └── app │ │ │ ├── kustomization.yaml │ │ │ ├── rbac.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── prometheusrule.yaml │ │ │ └── resources │ │ │ ├── config.yaml │ │ │ └── buddy.yaml │ └── kustomization.yaml │ ├── openebs-system │ ├── openebs │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ └── kustomization.yaml │ ├── rook-ceph │ ├── rook-ceph │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ ├── cluster │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ └── kustomization.yaml │ ├── system-upgrade │ ├── tuppr │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ ├── upgrades │ │ │ ├── kustomization.yaml │ │ │ ├── kubernetes.yaml │ │ │ └── talos.yaml │ │ └── ks.yaml │ └── kustomization.yaml │ ├── flux-system │ ├── flux-operator │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── 
ks.yaml │ ├── flux-instance │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── receiver │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── receiver.yaml │ │ │ │ └── httproute.yaml │ │ │ └── prometheusrule.yaml │ │ └── ks.yaml │ └── kustomization.yaml │ ├── external-secrets │ ├── onepassword │ │ ├── app │ │ │ └── kustomization.yaml │ │ ├── store │ │ │ ├── kustomization.yaml │ │ │ └── onepassword.yaml │ │ └── ks.yaml │ ├── external-secrets │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ └── kustomization.yaml │ ├── volsync-system │ ├── snapshot-controller │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ ├── volsync │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── prometheusrule.yaml │ │ └── ks.yaml │ └── kustomization.yaml │ ├── actions-runner-system │ ├── actions-runner-controller │ │ ├── app │ │ │ ├── kustomization.yaml │ │ │ └── helmrelease.yaml │ │ ├── runners │ │ │ ├── kustomization.yaml │ │ │ └── k8s-gitops │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── rbac.yaml │ │ │ │ └── helmrelease.yaml │ │ └── ks.yaml │ └── kustomization.yaml │ └── cert-manager │ ├── cert-manager │ ├── app │ │ ├── kustomization.yaml │ │ ├── helmrelease.yaml │ │ └── prometheusrule.yaml │ ├── issuers │ │ ├── kustomization.yaml │ │ ├── externalsecret.yaml │ │ └── clusterissuer.yaml │ └── ks.yaml │ └── kustomization.yaml ├── .vscode ├── extensions.json └── settings.json ├── .gitignore ├── .mise.toml ├── bootstrap ├── helmfile.d │ ├── templates │ │ └── values.yaml.gotmpl │ └── 00-crds.yaml └── resources.yaml ├── .editorconfig ├── talos ├── controlplane │ ├── 192.168.10.10.yaml │ ├── 192.168.10.11.yaml │ └── 192.168.10.12.yaml └── schematic.yaml ├── .gitattributes ├── LICENSE ├── .renovate ├── overrides.json5 ├── customManagers.json5 ├── labels.json5 ├── autoMerge.json5 ├── grafanaDashboards.json5 ├── semanticCommits.json5 └── groups.json5 
├── .taskfiles
│   ├── volsync
│   │   └── resources
│   │       ├── unlock.yaml.j2
│   │       └── replicationdestination.yaml.j2
│   ├── kubernetes
│   │   └── Taskfile.yaml
│   └── bootstrap
│       └── Taskfile.yaml
├── Taskfile.yaml
└── .renovaterc.json5
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
# These are supported funding model platforms

github: buroa
--------------------------------------------------------------------------------
/.minijinja.toml:
--------------------------------------------------------------------------------
# Settings for the minijinja CLI (selected through MINIJINJA_CONFIG_FILE in
# .mise.toml), used to render this repo's *.j2 templates such as
# .taskfiles/volsync/resources/*.j2.
#
# The templates emit YAML, not HTML, so HTML autoescaping stays off. That also
# means every value is inserted verbatim -- only render templates and inputs
# that come from this repo.
autoescape = "none"
newline = true
trim-blocks = true
lstrip-blocks = true
# Exposes the *entire* process environment to every template. Convenient for
# feeding in IDs and secrets, but any template rendered with this config can
# read any variable of the calling shell, so never point it at templates you do
# not control, and keep unrelated credentials out of that shell's environment.
env = true
--------------------------------------------------------------------------------
/.github/CODEOWNERS:
--------------------------------------------------------------------------------
# Ref: https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
# Single owner for the whole tree. GitHub only *enforces* owner review when the
# branch protection rule has "Require review from Code Owners" enabled;
# without it this file merely auto-requests reviews.
* @buroa
--------------------------------------------------------------------------------
/kubernetes/flux/repositories/git/kustomization.yaml:
--------------------------------------------------------------------------------
---
# No shared GitRepository sources; the only shared chart source in this tree is
# the OCIRepository under ../oci.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources: []
--------------------------------------------------------------------------------
/kubernetes/flux/repositories/helm/kustomization.yaml:
--------------------------------------------------------------------------------
---
# No shared HelmRepository sources; the only shared chart source in this tree is
# the OCIRepository under ../oci.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources: []
--------------------------------------------------------------------------------
/kubernetes/components/keda/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Reusable Kustomize component: attaches the KEDA ScaledObject from
# ./nfs-scaler to the consuming app (presumably to gate its replicas on NFS
# availability -- see ./nfs-scaler/scaledobject.yaml for the actual trigger).
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources:
  - ./nfs-scaler
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/kubernetes/components/volsync/pvc/kustomization.yaml:
--------------------------------------------------------------------------------
---
# The PVC half of the volsync component: the claim that ../volsync backs up
# and restores (see ./pvc.yaml).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./pvc.yaml
--------------------------------------------------------------------------------
/.vscode/extensions.json:
--------------------------------------------------------------------------------
{
  "recommendations": [
    "blueglassblock.better-json5",
    "irongeek.vscode-env",
    "redhat.vscode-yaml"
  ]
}
--------------------------------------------------------------------------------
/kubernetes/apps/media/bazarr/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/media/nzbget/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/components/volsync/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Reusable component giving an app a PVC plus volsync backup/restore objects
# (ReplicationSource/ReplicationDestination and the ExternalSecret that holds
# the repository credentials live under ./volsync).
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources:
  - ./pvc
  - ./volsync
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Local working state.
/.private/
/.task/
# Credential and PKI material that must never land in git:
#   *.crt / *.key   certificates and private keys (Talos / cluster PKI)
#   *.iso           Talos images (large, not secret)
#   .decrypted~*    presumably decrypted SOPS output -- confirm the tool that
#                   writes this suffix
*.crt
*.iso
*.key
.decrypted~*
.DS_Store
Brewfile.lock.json
Thumbs.db
# Cluster admin credentials. .mise.toml points KUBECONFIG / TALOSCONFIG at
# kubernetes/kubeconfig and talos/talosconfig inside the checkout; these
# unanchored patterns match at any depth, so both paths are covered. Keep them
# if those paths change. Remember .gitignore is bypassed by `git add -f` --
# a pre-commit secret scan is the real safety net.
kubeconfig
talosconfig
--------------------------------------------------------------------------------
/kubernetes/apps/default/atuin/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/default/thelounge/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/media/qbittorrent/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/networking/multus/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/networking/multus/networks/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Secondary network attachment(s) for pods that need a leg on the IoT segment
# (./iot.yaml). Pods attached this way bypass the cluster CNI for that
# interface, so any NetworkPolicy does not apply to traffic on it.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./iot.yaml
--------------------------------------------------------------------------------
/kubernetes/flux/repositories/oci/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Shared OCIRepository for the app-template chart. NOTE(review): confirm that
# app-template.yaml pins a tag or digest and enables signature verification
# (spec.verify) -- every app HelmRelease in this tree depends on it.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./app-template.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/default/home-assistant/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/cilium/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/coredns/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/reloader/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/spegel/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/networking/echo-server/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/karma/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/keda/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/rook-ceph/rook-ceph/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/system-upgrade/tuppr/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/components/keda/nfs-scaler/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./scaledobject.yaml
--------------------------------------------------------------------------------
/kubernetes/components/namespace/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Per-namespace component: creates the Namespace (./namespace) and wires Flux
# notification Alerts/Providers for Alertmanager and GitHub (./alerts).
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources:
  - ./alerts
  - ./namespace
--------------------------------------------------------------------------------
/kubernetes/components/namespace/namespace/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./namespace.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/flux-operator/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/descheduler/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/networking/envoy-gateway/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/fluent-bit/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/victoria-logs/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/.mise.toml:
--------------------------------------------------------------------------------
# Developer environment for this checkout (loaded by mise on cd).
[env]
# Both admin credential files live *inside* the repo. They are kept out of git
# only by the bare `kubeconfig` / `talosconfig` entries in .gitignore -- update
# .gitignore in the same change if either path moves.
KUBECONFIG = '{{config_root}}/kubernetes/kubeconfig'
# Config for the minijinja CLI used to render the repo's *.j2 templates; note
# it enables `env = true`, so the templates see this whole environment.
MINIJINJA_CONFIG_FILE = '{{config_root}}/.minijinja.toml'
TALOSCONFIG = '{{config_root}}/talos/talosconfig'
--------------------------------------------------------------------------------
/kubernetes/apps/external-secrets/onepassword/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/external-secrets/onepassword/store/kustomization.yaml:
--------------------------------------------------------------------------------
---
# External Secrets store backed by 1Password (presumably a ClusterSecretStore in
# ./onepassword.yaml). Every ExternalSecret in this tree resolves through it,
# so the Connect credentials it references are effectively cluster-wide
# secret-read access -- keep the vault it is scoped to minimal.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./onepassword.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/media/plex/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./pvc.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/silence-operator/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/silence-operator/silences/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./silences.yaml
--------------------------------------------------------------------------------
/kubernetes/components/namespace/alerts/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Flux notification wiring applied to every namespace: an Alertmanager provider
# and a GitHub provider. The GitHub provider's token comes from
# ./github/externalsecret.yaml; presumably it posts commit statuses, so scope
# that token to repo status only -- it is mounted in every namespace that uses
# this component.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./alertmanager
  - ./github
--------------------------------------------------------------------------------
/kubernetes/apps/external-secrets/external-secrets/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/intel-gpu-resource-driver/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/volsync-system/snapshot-controller/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/media/qui/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/actions-runner-system/actions-runner-controller/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/actions-runner-system/actions-runner-controller/runners/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Self-hosted GitHub Actions runner scale set for this repo. ./k8s-gitops ships
# its own rbac.yaml and externalsecret.yaml: the runners execute workflow code
# from pull requests, so the ServiceAccount granted there should be the minimum
# the workflows need, and the GitHub app/PAT in the ExternalSecret should be
# scoped to this repository only.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./k8s-gitops
--------------------------------------------------------------------------------
/kubernetes/apps/media/prowlarr/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/system-upgrade/tuppr/upgrades/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Upgrade plans for the Kubernetes control plane and the Talos OS; these drive
# automated node upgrades, so changes here are effectively node-level changes.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./kubernetes.yaml
  - ./talos.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/cilium/config/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Cilium networking config applied after the agent is up: L3/announcement
# settings, the load-balancer IP pool and the VIP (see the individual files).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./l3.yaml
  - ./pool.yaml
  - ./vip.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/blackbox-exporter/probes/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./devices.yaml
  - ./nfs.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/grafana/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/volsync-system/volsync/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./prometheusrule.yaml
--------------------------------------------------------------------------------
/kubernetes/components/namespace/alerts/alertmanager/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./alert.yaml
  - ./provider.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./prometheusrule.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/networking/tailscale-operator/connectors/egress.yaml:
--------------------------------------------------------------------------------
---
# Tailscale Connector that advertises this cluster as a tailnet *exit node*.
# Any tailnet device that selects it sends all of its internet traffic through
# these pods and out via the cluster's network, so this hands cluster egress to
# whoever the tailnet ACLs allow to use exit nodes. Tailscale only serves an
# exit node once it is approved (admin console or an ACL autoApprovers rule);
# review the ACL exit-node grants together with any change to this file.
apiVersion: tailscale.com/v1alpha1
kind: Connector
metadata:
  name: egress
spec:
  exitNode: true
  replicas: 2  # two proxy pods so the exit node survives a single pod/node loss
--------------------------------------------------------------------------------
/kubernetes/apps/networking/tailscale-operator/connectors/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Tailscale Connectors: ./egress advertises an exit node, ./ingress (not shown
# here) presumably advertises subnet routes into the cluster network.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./egress.yaml
  - ./ingress.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/snmp-exporter/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./prometheusrule.yaml
--------------------------------------------------------------------------------
/bootstrap/helmfile.d/templates/values.yaml.gotmpl:
--------------------------------------------------------------------------------
{{- /*
  Bootstrap values: reuse `spec.values` from the HelmRelease that Flux manages
  for the same release, so the helmfile-installed copy cannot drift from the
  GitOps copy. The yq selector picks the HelmRelease document out of a possibly
  multi-document file. .Release.Namespace / .Release.Name come from this repo's
  own helmfile, so the path is repo-controlled, and `exec` receives an argument
  list rather than a shell string, so neither the expression nor the path is
  re-parsed by a shell.
*/ -}}
{{ exec "yq" (list "select(.kind == \"HelmRelease\").spec.values" (printf "../../../kubernetes/apps/%s/%s/app/helmrelease.yaml" .Release.Namespace .Release.Name)) }}
--------------------------------------------------------------------------------
/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml:
--------------------------------------------------------------------------------
---
# ClusterIssuer(s) plus the ExternalSecret holding the issuer credentials
# (presumably a DNS provider API token for ACME DNS-01 -- verify in
# ./externalsecret.yaml). That token can alter public DNS for the zone; keep it
# scoped to the single zone cert-manager needs.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./clusterissuer.yaml
  - ./externalsecret.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/media/radarr/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./pvc.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/media/seerr/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./pvc.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/media/sonarr/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./pvc.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/networking/tailscale-operator/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Tailscale operator. Its ExternalSecret presumably carries the tailnet OAuth
# client used to create the Connector/proxy devices; that client's tags decide
# what the operator may advertise, so review its scopes alongside ../connectors.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/blackbox-exporter/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./prometheusrule.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/smartctl-exporter/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./prometheusrule.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/media/tautulli/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./pvc.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/default/zigbee2mqtt/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | - ./scaledobject.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-instance/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./receiver 6 | - ./helmrelease.yaml 7 | - ./prometheusrule.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/media/autobrr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | - ./prometheusrule.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/components/namespace/alerts/github/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./alert.yaml 6 | - ./externalsecret.yaml 7 | - ./provider.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/unpoller/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | - ./prometheusrule.yaml 8 | 
-------------------------------------------------------------------------------- /kubernetes/apps/rook-ceph/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: rook-ceph 5 | components: 6 | - ../../components/namespace 7 | resources: 8 | - ./rook-ceph/ks.yaml 9 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*] 4 | indent_style = space 5 | indent_size = 2 6 | end_of_line = lf 7 | charset = utf-8 8 | trim_trailing_whitespace = true 9 | insert_final_newline = true 10 | 11 | [*.sh] 12 | indent_size = 4 13 | -------------------------------------------------------------------------------- /kubernetes/apps/default/mosquitto/app/resources/mosquitto.conf: -------------------------------------------------------------------------------- 1 | allow_anonymous true 2 | autosave_interval 60 3 | connection_messages false 4 | listener 1883 5 | per_listener_settings false 6 | persistence true 7 | persistence_location /config 8 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-instance/app/receiver/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./httproute.yaml 7 | - ./receiver.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: cert-manager 5 | components: 6 | - 
../../components/namespace 7 | resources: 8 | - ./cert-manager/ks.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/config/pool.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cilium.io/v2 3 | kind: CiliumLoadBalancerIPPool 4 | metadata: 5 | name: lb-pool 6 | spec: 7 | allowFirstLastIPs: "No" 8 | blocks: 9 | - cidr: 192.168.20.0/24 10 | -------------------------------------------------------------------------------- /kubernetes/apps/openebs-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: openebs-system 5 | components: 6 | - ../../components/namespace 7 | resources: 8 | - ./openebs/ks.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/apps/system-upgrade/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: system-upgrade 5 | components: 6 | - ../../components/namespace 7 | resources: 8 | - ./tuppr/ks.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/components/volsync/volsync/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./replicationdestination.yaml 7 | - ./replicationsource.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/envoy-gateway/proxy/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./certificate.yaml 6 | - ./envoy.yaml 7 | - ./podmonitor.yaml 8 | - ./prometheusrule.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/external-dns/unifi/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | - ./prometheusrule.yaml 8 | - ./rbac.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/apps/actions-runner-system/actions-runner-controller/runners/k8s-gitops/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | - ./rbac.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/external-dns/cloudflare/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | - ./prometheusrule.yaml 8 | - ./rbac.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/apps/actions-runner-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: actions-runner-system 5 | components: 6 | - ../../components/namespace 7 | resources: 8 | - ./actions-runner-controller/ks.yaml 9 | -------------------------------------------------------------------------------- 
/kubernetes/components/namespace/namespace/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: _ 6 | annotations: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | labels: 9 | pod-security.kubernetes.io/enforce: privileged 10 | -------------------------------------------------------------------------------- /kubernetes/apps/media/plex/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: plex-cache 6 | spec: 7 | accessModes: ["ReadWriteOnce"] 8 | resources: 9 | requests: 10 | storage: 75Gi 11 | storageClassName: ceph-block 12 | -------------------------------------------------------------------------------- /kubernetes/apps/default/mosquitto/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: mosquitto 6 | spec: 7 | accessModes: ["ReadWriteOnce"] 8 | resources: 9 | requests: 10 | storage: 1Gi 11 | storageClassName: ceph-block 12 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: flux-system 5 | components: 6 | - ../../components/namespace 7 | resources: 8 | - ./flux-instance/ks.yaml 9 | - ./flux-operator/ks.yaml 10 | -------------------------------------------------------------------------------- /kubernetes/apps/media/radarr/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: radarr-cache 6 | spec: 7 | accessModes: 
["ReadWriteOnce"] 8 | resources: 9 | requests: 10 | storage: 15Gi 11 | storageClassName: ceph-block 12 | -------------------------------------------------------------------------------- /kubernetes/apps/media/seerr/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: seerr-cache 6 | spec: 7 | accessModes: ["ReadWriteOnce"] 8 | resources: 9 | requests: 10 | storage: 15Gi 11 | storageClassName: ceph-block 12 | -------------------------------------------------------------------------------- /kubernetes/apps/media/sonarr/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: sonarr-cache 6 | spec: 7 | accessModes: ["ReadWriteOnce"] 8 | resources: 9 | requests: 10 | storage: 15Gi 11 | storageClassName: ceph-block 12 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./alertmanagerconfig.yaml 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml 8 | - ./prometheusrule.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/apps/media/tautulli/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: tautulli-cache 6 | spec: 7 | accessModes: ["ReadWriteOnce"] 8 | resources: 9 | requests: 10 | storage: 15Gi 11 | storageClassName: ceph-block 12 | -------------------------------------------------------------------------------- 
/kubernetes/apps/networking/tailscale-operator/connectors/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: tailscale.com/v1alpha1 3 | kind: Connector 4 | metadata: 5 | name: ingress 6 | spec: 7 | appConnector: 8 | routes: 9 | - 192.168.10.0/24 10 | - 192.168.20.0/24 11 | replicas: 2 12 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: volsync-system 5 | components: 6 | - ../../components/namespace 7 | resources: 8 | - ./snapshot-controller/ks.yaml 9 | - ./volsync/ks.yaml 10 | -------------------------------------------------------------------------------- /kubernetes/components/namespace/alerts/github/alert.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: notification.toolkit.fluxcd.io/v1beta3 3 | kind: Alert 4 | metadata: 5 | name: github 6 | spec: 7 | providerRef: 8 | name: github 9 | eventSources: 10 | - kind: Kustomization 11 | name: "*" 12 | -------------------------------------------------------------------------------- /kubernetes/apps/external-secrets/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: external-secrets 5 | components: 6 | - ../../components/namespace 7 | resources: 8 | - ./external-secrets/ks.yaml 9 | - ./onepassword/ks.yaml 10 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/cloudflared/app/resources/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ingress: 3 | - hostname: "*.k13.dev" 4 | 
service: https://envoy-external.networking.svc.cluster.local 5 | originRequest: 6 | http2Origin: true 7 | originServerName: external.k13.dev 8 | - service: http_status:404 9 | -------------------------------------------------------------------------------- /kubernetes/components/namespace/alerts/alertmanager/provider.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: notification.toolkit.fluxcd.io/v1beta3 3 | kind: Provider 4 | metadata: 5 | name: alertmanager 6 | spec: 7 | type: alertmanager 8 | address: http://alertmanager-operated.observability.svc.cluster.local:9093/api/v2/alerts/ 9 | -------------------------------------------------------------------------------- /kubernetes/components/namespace/alerts/github/provider.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: notification.toolkit.fluxcd.io/v1beta3 3 | kind: Provider 4 | metadata: 5 | name: github 6 | spec: 7 | type: github 8 | address: https://github.com/buroa/k8s-gitops 9 | secretRef: 10 | name: github-token-secret 11 | -------------------------------------------------------------------------------- /kubernetes/apps/system-upgrade/tuppr/upgrades/kubernetes.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: tuppr.home-operations.com/v1alpha1 3 | kind: KubernetesUpgrade 4 | metadata: 5 | name: kubernetes 6 | spec: 7 | kubernetes: 8 | # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet 9 | version: v1.34.3 10 | -------------------------------------------------------------------------------- /kubernetes/apps/media/tqm/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | configMapGenerator: 7 | - name: tqm-configmap 8 | files: 9 | - 
./resources/config.yaml 10 | generatorOptions: 11 | disableNameSuffixHash: true 12 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/kromgo/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | configMapGenerator: 7 | - name: kromgo-configmap 8 | files: 9 | - ./resources/config.yaml 10 | generatorOptions: 11 | disableNameSuffixHash: true 12 | -------------------------------------------------------------------------------- /kubernetes/apps/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: default 5 | components: 6 | - ../../components/namespace 7 | resources: 8 | - ./atuin/ks.yaml 9 | - ./home-assistant/ks.yaml 10 | - ./mosquitto/ks.yaml 11 | - ./thelounge/ks.yaml 12 | - ./zigbee2mqtt/ks.yaml 13 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/envoy-gateway/proxy/certificate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: Certificate 4 | metadata: 5 | name: k13-dev 6 | spec: 7 | secretName: k13-dev-tls 8 | issuerRef: 9 | name: letsencrypt-production 10 | kind: ClusterIssuer 11 | commonName: k13.dev 12 | dnsNames: ["k13.dev", "*.k13.dev"] 13 | -------------------------------------------------------------------------------- /kubernetes/apps/default/mosquitto/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./pvc.yaml 7 | configMapGenerator: 8 | - name: 
mosquitto-configmap 9 | files: 10 | - ./resources/mosquitto.conf 11 | generatorOptions: 12 | disableNameSuffixHash: true 13 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/blackbox-exporter/probes/nfs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Probe 3 | apiVersion: monitoring.coreos.com/v1 4 | metadata: 5 | name: nfs 6 | spec: 7 | module: tcp_connect 8 | prober: 9 | url: blackbox-exporter.observability.svc.cluster.local:9115 10 | targets: 11 | staticConfig: 12 | static: 13 | - nas.internal:2049 14 | -------------------------------------------------------------------------------- /kubernetes/apps/media/tqm/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: tqm 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/media/tqm/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: media 15 | -------------------------------------------------------------------------------- /kubernetes/apps/media/cross-seed/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | configMapGenerator: 8 | - name: cross-seed-configmap 9 | files: 10 | - ./resources/config.js 11 | generatorOptions: 12 | disableNameSuffixHash: true 13 | -------------------------------------------------------------------------------- /kubernetes/apps/media/recyclarr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - 
./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | configMapGenerator: 8 | - name: recyclarr-configmap 9 | files: 10 | - ./resources/recyclarr.yml 11 | generatorOptions: 12 | disableNameSuffixHash: true 13 | -------------------------------------------------------------------------------- /bootstrap/resources.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: external-secrets 6 | --- 7 | apiVersion: v1 8 | kind: Secret 9 | metadata: 10 | name: onepassword-secret 11 | namespace: external-secrets 12 | stringData: 13 | 1password-credentials.json: op://K8s/1password/OP_CREDENTIALS_JSON 14 | token: op://K8s/1password/OP_CONNECT_TOKEN 15 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/cloudflared/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | configMapGenerator: 8 | - name: cloudflared-configmap 9 | files: 10 | - ./resources/config.yaml 11 | generatorOptions: 12 | disableNameSuffixHash: true 13 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/smtp-relay/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | configMapGenerator: 8 | - name: smtp-relay-configmap 9 | files: 10 | - ./resources/maddy.conf 11 | generatorOptions: 12 | disableNameSuffixHash: true 13 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/ks.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: spegel 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/kube-system/spegel/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: kube-system 15 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/keda/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: keda 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/observability/keda/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: observability 15 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: coredns 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/kube-system/coredns/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: kube-system 15 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/reloader/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: reloader 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/kube-system/reloader/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: 
flux-system 14 | targetNamespace: kube-system 15 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/gatus/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: gatus 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/observability/gatus/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: observability 15 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/karma/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: karma 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/observability/karma/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: observability 15 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/kromgo/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: kromgo 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/observability/kromgo/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: observability 15 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/cloudflared/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | 
name: cloudflared 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/networking/cloudflared/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: networking 15 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/echo-server/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: echo-server 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/networking/echo-server/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: networking 15 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/smtp-relay/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: smtp-relay 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/networking/smtp-relay/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: networking 15 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/grafana/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: grafana 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/observability/grafana/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: observability 15 | -------------------------------------------------------------------------------- 
/kubernetes/apps/observability/unpoller/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: unpoller 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/observability/unpoller/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: observability 15 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/descheduler/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: descheduler 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/kube-system/descheduler/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: kube-system 15 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/fluent-bit/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: fluent-bit 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/observability/fluent-bit/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: observability 15 | -------------------------------------------------------------------------------- /talos/controlplane/192.168.10.10.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | machine: 3 | install: 4 | diskSelector: 5 | serial: S666NN0W402512 6 | --- 7 | apiVersion: v1alpha1 8 | kind: HostnameConfig 9 | hostname: m0.k8s.internal 10 | --- 11 | apiVersion: v1alpha1 12 | 
kind: UserVolumeConfig 13 | name: local-hostpath 14 | volumeType: disk 15 | provisioning: 16 | diskSelector: 17 | match: disk.serial == "S666NG0X101174" 18 | -------------------------------------------------------------------------------- /talos/controlplane/192.168.10.11.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | machine: 3 | install: 4 | diskSelector: 5 | serial: S666NG0X101148 6 | --- 7 | apiVersion: v1alpha1 8 | kind: HostnameConfig 9 | hostname: m1.k8s.internal 10 | --- 11 | apiVersion: v1alpha1 12 | kind: UserVolumeConfig 13 | name: local-hostpath 14 | volumeType: disk 15 | provisioning: 16 | diskSelector: 17 | match: disk.serial == "S666NN0W110861" 18 | -------------------------------------------------------------------------------- /talos/controlplane/192.168.10.12.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | machine: 3 | install: 4 | diskSelector: 5 | serial: S666NN0W401713 6 | --- 7 | apiVersion: v1alpha1 8 | kind: HostnameConfig 9 | hostname: m2.k8s.internal 10 | --- 11 | apiVersion: v1alpha1 12 | kind: UserVolumeConfig 13 | name: local-hostpath 14 | volumeType: disk 15 | provisioning: 16 | diskSelector: 17 | match: disk.serial == "S666NN0X221313" 18 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/metrics-server/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: metrics-server 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/kube-system/metrics-server/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: kube-system 15 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/snmp-exporter/ks.yaml: 
# Flux Kustomization for snmp-exporter in observability: hourly reconcile
# from the flux-system GitRepository, prune enabled.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: snmp-exporter
spec:
  interval: 1h
  path: ./kubernetes/apps/observability/snmp-exporter/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: observability

# ===== /kubernetes/apps/openebs-system/openebs/ks.yaml =====
# Flux Kustomization for openebs. `wait: true` holds this Kustomization's
# Ready condition until the applied resources report healthy, which is what
# makes `dependsOn: openebs` meaningful for the volsync Kustomization.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: openebs
spec:
  interval: 1h
  path: ./kubernetes/apps/openebs-system/openebs/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: openebs-system
  wait: true

# ===== /kubernetes/apps/media/seerr/app/externalsecret.yaml =====
# ExternalSecret pattern used throughout this repo: `dataFrom.extract` pulls
# every field of the named 1Password item through the cluster-wide
# `onepassword` ClusterSecretStore, and `target.template.data` picks which
# of those fields are written into the generated Secret under the key names
# the workload expects. With ESO's default template mergePolicy (Replace)
# only the templated keys land in the Secret — NOTE(review): confirm no
# mergePolicy override is applied elsewhere.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: seerr
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: seerr-secret
    template:
      data:
        API_KEY: "{{ .SEERR_API_KEY }}"
  dataFrom:
    - extract:
        key: seerr

# ===== /kubernetes/flux/repositories/oci/app-template.yaml =====
# Helm chart source for the bjw-s app-template, fetched as an OCI artifact
# every 15 minutes; only the chart layer is copied.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: app-template
  namespace: flux-system
spec:
  interval: 15m
  layerSelector:
    mediaType:
      application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  # Supply-chain note: the chart is pinned by tag only. An OCI tag is mutable,
  # so a re-pushed or compromised 4.5.0 would be consumed on the next poll.
  # No `spec.verify` (cosign) block is visible here — NOTE(review): consider
  # pinning `ref.digest` or adding signature verification for this input,
  # since every app-template HelmRelease in the repo renders from it.
  ref:
    tag: 4.5.0
  url: oci://ghcr.io/bjw-s-labs/helm/app-template

# ===== /kubernetes/apps/flux-system/flux-operator/ks.yaml =====
# Flux Kustomization for the flux-operator. `wait: true` gates the
# flux-instance Kustomization (which declares dependsOn: flux-operator)
# on the operator being healthy.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-operator
spec:
  interval: 1h
  path: ./kubernetes/apps/flux-system/flux-operator/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: flux-system
  wait: true

# ===== /kubernetes/apps/kube-system/kustomization.yaml =====
# Namespace-level kustomization for kube-system. The shared
# ../../components/namespace component brings the Namespace object plus the
# alert providers (alertmanager and github); the github provider's
# ExternalSecret therefore materialises a copy of github-token-secret in
# this namespace as well (see that component's externalsecret.yaml).
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
components:
  - ../../components/namespace
resources:
  - ./cilium/ks.yaml
  - ./coredns/ks.yaml
  - ./descheduler/ks.yaml
  - ./intel-gpu-resource-driver/ks.yaml
  - ./metrics-server/ks.yaml
  - ./reloader/ks.yaml
  - ./spegel/ks.yaml

# ===== /kubernetes/apps/networking/kustomization.yaml =====
# Namespace-level kustomization for networking; same shared namespace
# component (and therefore the same github-token-secret copy) as above.
# This namespace holds every ingress path into the cluster: cloudflared,
# envoy-gateway, external-dns and the tailscale operator.
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: networking
components:
  - ../../components/namespace
resources:
  - ./cloudflared/ks.yaml
  - ./echo-server/ks.yaml
  - ./envoy-gateway/ks.yaml
  - ./external-dns/ks.yaml
  - ./multus/ks.yaml
  - ./smtp-relay/ks.yaml
  - ./tailscale-operator/ks.yaml
# ===== /kubernetes/apps/observability/smartctl-exporter/ks.yaml =====
# Flux Kustomization for smartctl-exporter in observability: hourly
# reconcile from the flux-system GitRepository, prune enabled.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: smartctl-exporter
spec:
  interval: 1h
  path: ./kubernetes/apps/observability/smartctl-exporter/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: observability

# ===== /kubernetes/apps/external-secrets/external-secrets/ks.yaml =====
# Flux Kustomization for the External Secrets Operator. Every secret in this
# repo flows through ESO, so this namespace's RBAC deserves the same care as
# flux-system.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: external-secrets
spec:
  interval: 1h
  path: ./kubernetes/apps/external-secrets/external-secrets/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: external-secrets

# ===== /kubernetes/apps/kube-system/cilium/config/vip.yaml =====
# LoadBalancer Service in front of the static kube-apiserver pods (matched by
# the k8s-app/tier labels), pinned to 192.168.20.2 through Cilium LB-IPAM.
# The external-dns annotation publishes this control-plane endpoint as
# k8s.k13.dev. NOTE(review): this repo runs both a Cloudflare and a UniFi
# external-dns provider and it is not visible here which one claims this
# hostname — confirm the API server address is not advertised in the public
# zone. externalTrafficPolicy: Local preserves the client source IP (useful
# for apiserver audit logs) and only forwards on nodes that host an endpoint.
---
apiVersion: v1
kind: Service
metadata:
  name: kube-vip
  annotations:
    external-dns.alpha.kubernetes.io/hostname: k8s.k13.dev
    lbipam.cilium.io/ips: 192.168.20.2
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  selector:
    k8s-app: kube-apiserver
    tier: control-plane
  ports:
    - port: 6443

# ===== /kubernetes/apps/media/qui/app/externalsecret.yaml =====
# Session-signing secret for qui; a leak lets an attacker mint valid
# sessions, so rotate it in 1Password if the media namespace is compromised.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: qui
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: qui-secret
    template:
      data:
        QUI__SESSION_SECRET: "{{ .QUI_SESSION_SECRET }}"
  dataFrom:
    - extract:
        key: qui

# ===== /kubernetes/apps/media/radarr/app/externalsecret.yaml =====
# Radarr API key, exposed under the RADARR__AUTH__APIKEY env name. The same
# 1Password field is also consumed by the recyclarr ExternalSecret in this
# repo, so the key is shared by two workloads.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: radarr
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: radarr-secret
    template:
      data:
        RADARR__AUTH__APIKEY: "{{ .RADARR_API_KEY }}"
  dataFrom:
    - extract:
        key: radarr

# ===== /kubernetes/apps/media/sonarr/app/externalsecret.yaml =====
# Sonarr API key; like radarr's, it is also pulled by the recyclarr
# ExternalSecret, so rotating it means both Secrets refresh together.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: sonarr
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: sonarr-secret
    template:
      data:
        SONARR__AUTH__APIKEY: "{{ .SONARR_API_KEY }}"
  dataFrom:
    - extract:
        key: sonarr

# ===== /kubernetes/apps/media/tautulli/app/externalsecret.yaml =====
# Tautulli API key projected into tautulli-secret.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: tautulli
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: tautulli-secret
    template:
      data:
        TAUTULLI_API_KEY: "{{ .TAUTULLI_API_KEY }}"
  dataFrom:
    - extract:
        key: tautulli
# ===== /kubernetes/apps/media/prowlarr/app/externalsecret.yaml =====
# Prowlarr API key projected under the PROWLARR__AUTH__APIKEY env name.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: prowlarr
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: prowlarr-secret
    template:
      data:
        PROWLARR__AUTH__APIKEY: "{{ .PROWLARR_API_KEY }}"
  dataFrom:
    - extract:
        key: prowlarr

# ===== /kubernetes/apps/volsync-system/snapshot-controller/ks.yaml =====
# Flux Kustomization for the CSI snapshot controller. `wait: true` lets the
# volsync Kustomization (dependsOn: snapshot-controller) order after it.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: snapshot-controller
spec:
  interval: 1h
  path: ./kubernetes/apps/volsync-system/snapshot-controller/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: volsync-system
  wait: true

# ===== /kubernetes/components/namespace/alerts/github/externalsecret.yaml =====
# GitHub token for the per-namespace Flux github alert Provider. Because this
# file lives in the shared `namespace` component, a github-token-secret copy
# is created in EVERY namespace that includes the component (kube-system,
# networking, media, observability, ... per the kustomization.yaml files in
# this repo). Any principal with Secret read in any of those namespaces can
# read the token, so keep it minimally scoped (presumably commit-status only
# — confirm against the Provider) and rotate it if any namespace is
# compromised.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: github-token
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: github-token-secret
    template:
      data:
        token: "{{ .FLUX_GITHUB_TOKEN }}"
  dataFrom:
    - extract:
        key: flux

# ===== /kubernetes/apps/flux-system/flux-instance/ks.yaml =====
# Flux Kustomization for the FluxInstance (ordered after flux-operator).
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-instance
spec:
  # Waits for the flux-operator Kustomization (which sets wait: true) so the
  # FluxInstance CRD and controller exist before this path is applied.
  dependsOn:
    - name: flux-operator
  interval: 1h
  path: ./kubernetes/apps/flux-system/flux-instance/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: flux-system

# ===== /kubernetes/apps/media/autobrr/app/externalsecret.yaml =====
# autobrr session-signing secret; treat like any cookie-signing key.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: autobrr
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: autobrr-secret
    template:
      data:
        AUTOBRR__SESSION_SECRET: "{{ .AUTOBRR_SESSION_SECRET }}"
  dataFrom:
    - extract:
        key: autobrr

# ===== /kubernetes/apps/media/cross-seed/app/externalsecret.yaml =====
# cross-seed API key projected into cross-seed-secret.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: cross-seed
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: cross-seed-secret
    template:
      data:
        CROSS_SEED_API_KEY: "{{ .CROSS_SEED_API_KEY }}"
  dataFrom:
    - extract:
        key: cross-seed

# ===== /kubernetes/apps/observability/unpoller/app/externalsecret.yaml =====
# UniFi API key for unpoller (a read-only metrics poller). NOTE(review): the
# same UNIFI_API_KEY field is also consumed by the external-dns UniFi
# ExternalSecret in this repo, which needs write access to DNS records; a
# compromise of the observability namespace therefore yields a key that can
# also modify DNS. Separate, least-privileged keys would bound that.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: unpoller
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name:
      unpoller-secret
    template:
      data:
        UP_UNIFI_DEFAULT_API_KEY: "{{ .UNIFI_API_KEY }}"
  dataFrom:
    - extract:
        key: unifi

# ===== /kubernetes/apps/kube-system/intel-gpu-resource-driver/ks.yaml =====
# Flux Kustomization for the Intel GPU resource driver; `wait: true` so
# anything that depends on it only proceeds once the driver is healthy.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: intel-gpu-resource-driver
spec:
  interval: 1h
  path: ./kubernetes/apps/kube-system/intel-gpu-resource-driver/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: kube-system
  wait: true

# ===== /kubernetes/components/volsync/pvc/pvc.yaml =====
# Volsync PVC template. `${...}` tokens are filled by Flux postBuild
# substitution (APP is set per app in its ks.yaml; the others fall back to
# the `:=` defaults). `dataSourceRef` points at the ReplicationDestination of
# the same name, so a freshly created PVC is seeded from the last replicated
# snapshot rather than starting empty — a restore-on-create pattern. Keep the
# defaults (ReadWriteOnce, 2Gi, ceph-block) in mind when an app overrides
# only some of the variables.
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: "${APP}"
spec:
  accessModes: ["${VOLSYNC_ACCESSMODES:=ReadWriteOnce}"]
  dataSourceRef:
    apiGroup: volsync.backube
    kind: ReplicationDestination
    name: "${APP}"
  resources:
    requests:
      storage: "${VOLSYNC_CAPACITY:=2Gi}"
  storageClassName: "${VOLSYNC_STORAGECLASS:=ceph-block}"

# ===== /kubernetes/apps/default/mosquitto/ks.yaml =====
# Flux Kustomization for mosquitto (MQTT broker) in default; ordered after
# rook-ceph-cluster, presumably because its PVC uses Ceph storage.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: mosquitto
spec:
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 1h
  path: ./kubernetes/apps/default/mosquitto/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: default
# ===== /kubernetes/apps/networking/external-dns/unifi/externalsecret.yaml =====
# UniFi API key for external-dns (needs DNS write access on the controller).
# NOTE(review): the same 1Password field is also handed to unpoller in the
# observability namespace; see the sharing caveat there.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: external-dns-unifi
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: external-dns-unifi-secret
    template:
      data:
        UNIFI_API_KEY: "{{ .UNIFI_API_KEY }}"
  dataFrom:
    - extract:
        key: unifi

# ===== /kubernetes/apps/flux-system/flux-instance/app/receiver/externalsecret.yaml =====
# Shared secret for the github-webhook Receiver: GitHub signs each webhook
# payload with it and Flux validates the signature. It must be high-entropy
# and identical to the value configured on the GitHub hook; it grants only
# the ability to trigger reconciles of the resources the Receiver lists.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: github-webhook-token
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: github-webhook-token-secret
    template:
      data:
        token: "{{ .FLUX_GITHUB_WEBHOOK_TOKEN }}"
  dataFrom:
    - extract:
        key: flux

# ===== /kubernetes/apps/cert-manager/cert-manager/issuers/externalsecret.yaml =====
# Cloudflare API token for the letsencrypt dns01 solver. NOTE(review): the
# same CLOUDFLARE_API_TOKEN field is also consumed by the external-dns
# Cloudflare ExternalSecret in this repo, so one token is shared by two
# workloads in two namespaces; a compromise of either exposes a token with
# the union of both components' permissions. Separate, zone-scoped tokens
# (cert-manager needs only DNS edit on k13.dev for the challenge TXT
# records) would limit the blast radius.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: cloudflare-issuer
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: cloudflare-issuer-secret
    template:
      data:
        CLOUDFLARE_API_TOKEN: "{{ .CLOUDFLARE_API_TOKEN }}"
  dataFrom:
    - extract:
        key: cloudflare

# ===== /kubernetes/apps/observability/victoria-logs/ks.yaml =====
# Flux Kustomization for victoria-logs in observability; ordered after
# rook-ceph-cluster, presumably for its persistent storage.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: victoria-logs
spec:
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 1h
  path: ./kubernetes/apps/observability/victoria-logs/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: observability

# ===== /kubernetes/apps/observability/grafana/app/externalsecret.yaml =====
# Grafana bootstrap admin credentials, projected under the admin-user /
# admin-password keys. These are the local superuser for every dashboard
# and datasource, so RBAC on grafana-secret matters as much as on the
# datasource credentials themselves.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: grafana
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: grafana-secret
    template:
      data:
        admin-user: "{{ .GRAFANA_ADMIN_USER }}"
        admin-password: "{{ .GRAFANA_ADMIN_PASS }}"
  dataFrom:
    - extract:
        key: grafana

# ===== /kubernetes/apps/media/cross-seed/ks.yaml =====
# Flux Kustomization for cross-seed. The keda component (an NFS-driven
# ScaledObject, per the repo tree) is composed in, and APP is substituted
# into the component's templates by postBuild.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cross-seed
spec:
  components:
    - ../../../../components/keda
  interval: 1h
  path: ./kubernetes/apps/media/cross-seed/app
  postBuild:
    substitute:
      APP: cross-seed
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: media

# ===== /kubernetes/apps/networking/envoy-gateway/proxy/podmonitor.yaml =====
# Prometheus scrape config for the Envoy Gateway data-plane pods in the
# networking namespace. `honorLabels: true` lets labels emitted by
# /stats/prometheus override Prometheus' own target labels (job/instance) on
# conflict; fine for an in-cluster proxy, but it is a trust decision about
# the scraped endpoint.
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: envoy
spec:
  jobLabel: envoy-proxy
  namespaceSelector:
    matchNames:
      - networking
  podMetricsEndpoints:
    - port: metrics
      path: /stats/prometheus
      honorLabels: true
  selector:
    matchLabels:
      app.kubernetes.io/component: proxy
      app.kubernetes.io/name: envoy

# ===== /kubernetes/apps/observability/blackbox-exporter/probes/devices.yaml =====
# ICMP reachability probes, via the in-cluster blackbox-exporter, for the
# out-of-band / management devices on the LAN (controller, NAS, UPS, KVMs,
# Zigbee coordinator). These feed the BlackboxInstanceDown alert.
---
kind: Probe
apiVersion: monitoring.coreos.com/v1
metadata:
  name: devices
spec:
  module: icmp
  prober:
    url: blackbox-exporter.observability.svc.cluster.local:9115
  targets:
    staticConfig:
      static:
        - unifi.internal
        - nas.internal
        - ups.internal
        - kvm.internal
        - pikvm.internal
        - zigbee-controller.internal

# ===== /.gitattributes =====
# Normalise line endings to LF and hint GitHub's language detection for the
# repo's config formats.
* text=auto eol=lf
*.env linguist-detectable linguist-language=SHELL
*.json linguist-detectable linguist-language=JSON
*.json5 linguist-detectable linguist-language=JSON5
*.md linguist-detectable linguist-language=MARKDOWN
*.sh linguist-detectable linguist-language=SHELL
*.toml linguist-detectable linguist-language=TOML
*.yml linguist-detectable linguist-language=YAML
*.yaml linguist-detectable linguist-language=YAML
*.yaml.j2 linguist-detectable linguist-language=YAML

# ===== /kubernetes/apps/observability/kube-prometheus-stack/ks.yaml =====
# Flux Kustomization for kube-prometheus-stack (ordered after rook-ceph).
---
apiVersion:
  kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kube-prometheus-stack
spec:
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 1h
  path: ./kubernetes/apps/observability/kube-prometheus-stack/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: observability

# ===== /kubernetes/apps/external-secrets/onepassword/store/onepassword.yaml =====
# Cluster-wide 1Password Connect store used by every ExternalSecret in this
# repo. Security notes:
#  - connectHost is plain http:// inside the cluster: the Connect token and
#    every fetched secret travel in cleartext between ESO and the Connect pod
#    unless something else (a mesh, WireGuard-encrypted CNI) protects
#    pod-to-pod traffic — NOTE(review): confirm which applies here.
#  - The Connect token in onepassword-secret (namespace external-secrets) is
#    the root of trust for everything in vault "K8s"; RBAC on that Secret is
#    effectively RBAC on all application secrets.
#  - No `spec.conditions` namespace restriction is set, so any namespace in
#    which an ExternalSecret can be created can pull any item from the vault.
#    Acceptable for a single-tenant cluster; restrict it if untrusted
#    namespaces are ever added.
---
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: onepassword
spec:
  provider:
    onepassword:
      connectHost: http://onepassword.external-secrets.svc.cluster.local
      vaults:
        K8s: 1
      auth:
        secretRef:
          connectTokenSecretRef:
            name: onepassword-secret
            key: token
            namespace: external-secrets

# ===== /kubernetes/apps/observability/gatus/app/kustomization.yaml =====
# App kustomization for gatus. The config files are packaged into a ConfigMap
# with a stable name (disableNameSuffixHash), so config edits do not roll the
# pod by themselves (presumably reloader, listed in kube-system, handles
# that — confirm). The `substitute: disabled` annotation keeps Flux postBuild
# from expanding `${...}` tokens inside the gatus config itself.
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./prometheusrule.yaml
  - ./rbac.yaml
configMapGenerator:
  - name: gatus-configmap
    files:
      - ./resources/buddy.yaml
      - ./resources/config.yaml
generatorOptions:
  disableNameSuffixHash: true
  annotations:
    kustomize.toolkit.fluxcd.io/substitute: disabled

# ===== /kubernetes/apps/volsync-system/volsync/ks.yaml =====
# Flux Kustomization for volsync (ordered after openebs and the snapshot
# controller, both of which set wait: true).
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind:
  Kustomization
metadata:
  name: volsync
spec:
  dependsOn:
    - name: openebs
      namespace: openebs-system
    - name: snapshot-controller
  interval: 1h
  path: ./kubernetes/apps/volsync-system/volsync/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: volsync-system
  # wait: true so the per-app volsync components (ReplicationDestination /
  # PVC dataSourceRef) only reconcile once the operator is healthy.
  wait: true

# ===== /LICENSE =====
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 2, December 2004

Copyright (C) 2025 Steven Kreitzer

Everyone is permitted to copy and distribute verbatim or modified
copies of this license document, and changing it is allowed as long
as the name is changed.

DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. You just DO WHAT THE FUCK YOU WANT TO.

# ===== /kubernetes/apps/media/recyclarr/app/externalsecret.yaml =====
# recyclarr needs both the Radarr and Sonarr API keys, so it extracts two
# 1Password items. ESO merges dataFrom entries in order (a later item wins on
# duplicate field names), so keep the two items' field names distinct. These
# are the same keys the radarr/sonarr ExternalSecrets project; recyclarr is
# a second consumer of them.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: recyclarr
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: recyclarr-secret
    template:
      data:
        RADARR_API_KEY: "{{ .RADARR_API_KEY }}"
        SONARR_API_KEY: "{{ .SONARR_API_KEY }}"
  dataFrom:
    - extract:
        key: radarr
    - extract:
        key: sonarr

# ===== /kubernetes/apps/networking/external-dns/cloudflare/externalsecret.yaml =====
# Cloudflare zone id and API token for external-dns. NOTE(review): this is
# the same CLOUDFLARE_API_TOKEN field the cert-manager ClusterIssuer uses;
# see the sharing caveat on that ExternalSecret.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: external-dns-cloudflare
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: external-dns-cloudflare-secret
    template:
      data:
        CF_ZONE_ID: "{{ .CLOUDFLARE_ZONE_ID }}"
        CF_API_TOKEN: "{{ .CLOUDFLARE_API_TOKEN }}"
  dataFrom:
    - extract:
        key: cloudflare

# ===== /kubernetes/apps/networking/tailscale-operator/app/externalsecret.yaml =====
# Tailscale OAuth client for the operator. The client can create auth keys
# and devices on the tailnet, so its scopes/tags (configured in the Tailscale
# admin console, not visible here) bound what a leaked secret can do.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: tailscale-operator
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: tailscale-operator-secret
    template:
      data:
        client_id: "{{ .TAILSCALE_OAUTH_CLIENT_ID }}"
        client_secret: "{{ .TAILSCALE_OAUTH_CLIENT_SECRET }}"
  dataFrom:
    - extract:
        key: tailscale
# ===== /kubernetes/apps/flux-system/flux-instance/app/receiver/receiver.yaml =====
# Flux webhook Receiver for GitHub push (and ping) events. Flux validates the
# X-Hub-Signature of each request against github-webhook-token-secret before
# acting. A valid request only triggers reconciliation of the two listed
# resources — it cannot inject content — so a leaked token is bounded to
# unscheduled, still git-sourced, reconciles. The webhook URL is presumably
# published through cloudflared; confirm it is rate-limited there.
---
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
  name: github-webhook
spec:
  type: github
  events:
    - ping
    - push
  secretRef:
    name: github-webhook-token-secret
  resources:
    - apiVersion: source.toolkit.fluxcd.io/v1
      kind: GitRepository
      name: flux-system
    - apiVersion: kustomize.toolkit.fluxcd.io/v1
      kind: Kustomization
      name: flux-system

# ===== /kubernetes/apps/networking/cloudflared/app/externalsecret.yaml =====
# The tunnel token is assembled here rather than stored whole: the account
# id, tunnel id and tunnel secret from the `cloudflare` item are packed into
# a {"a","t","s"} JSON document and base64-encoded — presumably the form
# cloudflared's TUNNEL_TOKEN expects; re-verify after rotating any of the
# three. The tunnel secret lets its holder serve traffic for this tunnel's
# public hostnames, so treat it like an ingress private key.
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: cloudflared
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: cloudflared-secret
    template:
      data:
        TUNNEL_TOKEN: |-
          {{ toJson (dict "a" .CLOUDFLARE_ACCOUNT_ID "t" .CLOUDFLARE_TUNNEL_ID "s" .CLOUDFLARE_TUNNEL_SECRET) | b64enc }}
  dataFrom:
    - extract:
        key: cloudflare

# ===== /kubernetes/apps/observability/blackbox-exporter/app/prometheusrule.yaml =====
# Fires for any blackbox probe target (e.g. the devices Probe) that has
# failed continuously for 5 minutes.
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: blackbox-exporter
spec:
  groups:
    - name: blackbox-exporter.rules
      rules:
        - alert: BlackboxInstanceDown
          expr: |-
            probe_success == 0
          for: 5m
          annotations:
            summary: >-
              The host {{ $labels.instance }} is down
          labels:
            severity: critical
# ===== /kubernetes/apps/media/kustomization.yaml =====
# Namespace-level kustomization for media. The shared namespace component
# adds the Namespace and alert providers — including a copy of
# github-token-secret in this namespace, which is worth remembering for a
# namespace full of internet-facing download tooling.
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: media
components:
  - ../../components/namespace
resources:
  - ./autobrr/ks.yaml
  - ./bazarr/ks.yaml
  - ./cross-seed/ks.yaml
  - ./nzbget/ks.yaml
  - ./plex/ks.yaml
  - ./prowlarr/ks.yaml
  - ./qbittorrent/ks.yaml
  - ./qui/ks.yaml
  - ./radarr/ks.yaml
  - ./recyclarr/ks.yaml
  - ./seerr/ks.yaml
  - ./sonarr/ks.yaml
  - ./tautulli/ks.yaml
  - ./tqm/ks.yaml

# ===== /kubernetes/apps/media/qui/ks.yaml =====
# Flux Kustomization for qui with the volsync component composed in: APP is
# substituted into the component's PVC / ReplicationSource / Destination.
# Ordered after rook-ceph-cluster so the ceph-block storage class exists.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: qui
spec:
  components:
    - ../../../../components/volsync
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 1h
  path: ./kubernetes/apps/media/qui/app
  postBuild:
    substitute:
      APP: qui
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: media

# ===== /kubernetes/apps/media/seerr/ks.yaml =====
# Flux Kustomization for seerr; same volsync + rook-ceph pattern as qui.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: seerr
spec:
  components:
    - ../../../../components/volsync
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 1h
  path: ./kubernetes/apps/media/seerr/app
  postBuild:
    substitute:
      APP: seerr
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: media

# ===== /kubernetes/apps/default/atuin/ks.yaml =====
# Flux Kustomization for atuin (shell-history sync server) in default, with
# the volsync component for its data and rook-ceph ordering.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: atuin
spec:
  components:
    - ../../../../components/volsync
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 1h
  path: ./kubernetes/apps/default/atuin/app
  postBuild:
    substitute:
      APP: atuin
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: default

# ===== /kubernetes/apps/media/autobrr/ks.yaml =====
# Flux Kustomization for autobrr; volsync component + rook-ceph ordering.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: autobrr
spec:
  components:
    - ../../../../components/volsync
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 1h
  path: ./kubernetes/apps/media/autobrr/app
  postBuild:
    substitute:
      APP: autobrr
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: media

# ===== /.renovate/overrides.json5 =====
// Renovate package rules that rewrite how certain dependencies are
// identified so version lookups hit the right upstream.
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  packageRules: [
    {
      // Helmfile docker deps: report the full package name as the dep name.
      description: "Override Helmfile Dependency Name",
      matchDatasources: ["docker"],
      matchManagers: ["helmfile"],
      overrideDepName: "{{packageName}}",
    },
    {
      description:
        "Override Talos Installer Package Name",
      // Talos Image Factory refs (factory.talos.dev/...) carry a schematic
      // id, so versions are looked up against the plain upstream installer
      // image instead. Supply-chain note: this changes where Renovate reads
      // versions from, not what the cluster pulls — the factory ref stays.
      matchDatasources: ["docker"],
      matchPackageNames: ["/factory\\.talos\\.dev/"],
      overridePackageName: "ghcr.io/siderolabs/installer",
    },
  ],
}

# ===== /kubernetes/apps/cert-manager/cert-manager/issuers/clusterissuer.yaml =====
# Production Let's Encrypt issuer using the Cloudflare dns01 solver. The ACME
# account private key is stored in the `letsencrypt-production` Secret; the
# Cloudflare token comes from cloudflare-issuer-secret (see the token-sharing
# note on that ExternalSecret). The dnsZones selector limits this solver to
# k13.dev, so certificate requests for other zones will not silently use it.
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-issuer-secret
              key: CLOUDFLARE_API_TOKEN
        selector:
          dnsZones: ["k13.dev"]

# ===== /kubernetes/apps/media/prowlarr/ks.yaml =====
# Flux Kustomization for prowlarr; volsync component + rook-ceph ordering.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: prowlarr
spec:
  components:
    - ../../../../components/volsync
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 1h
  path: ./kubernetes/apps/media/prowlarr/app
  postBuild:
    substitute:
      APP: prowlarr
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: media

# ===== /kubernetes/apps/media/recyclarr/ks.yaml =====
# Flux Kustomization for recyclarr; volsync component + rook-ceph ordering.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: recyclarr
spec:
  components:
    - ../../../../components/volsync
  dependsOn:
    -
name: rook-ceph-cluster 11 | namespace: rook-ceph 12 | interval: 1h 13 | path: ./kubernetes/apps/media/recyclarr/app 14 | postBuild: 15 | substitute: 16 | APP: recyclarr 17 | prune: true 18 | sourceRef: 19 | kind: GitRepository 20 | name: flux-system 21 | namespace: flux-system 22 | targetNamespace: media 23 | -------------------------------------------------------------------------------- /kubernetes/apps/media/tautulli/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: tautulli 6 | spec: 7 | components: 8 | - ../../../../components/volsync 9 | dependsOn: 10 | - name: rook-ceph-cluster 11 | namespace: rook-ceph 12 | interval: 1h 13 | path: ./kubernetes/apps/media/tautulli/app 14 | postBuild: 15 | substitute: 16 | APP: tautulli 17 | prune: true 18 | sourceRef: 19 | kind: GitRepository 20 | name: flux-system 21 | namespace: flux-system 22 | targetNamespace: media 23 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/smtp-relay/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: smtp-relay 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword 10 | target: 11 | name: smtp-relay-secret 12 | template: 13 | data: 14 | SMTP_RELAY_SERVER: "{{ .SMTP_RELAY_SERVER }}" 15 | SMTP_RELAY_USERNAME: "{{ .SMTP_RELAY_USERNAME }}" 16 | SMTP_RELAY_PASSWORD: "{{ .SMTP_RELAY_PASSWORD }}" 17 | dataFrom: 18 | - extract: 19 | key: smtp-relay 20 | -------------------------------------------------------------------------------- /kubernetes/apps/default/thelounge/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: 
Kustomization 4 | metadata: 5 | name: thelounge 6 | spec: 7 | components: 8 | - ../../../../components/volsync 9 | dependsOn: 10 | - name: rook-ceph-cluster 11 | namespace: rook-ceph 12 | interval: 1h 13 | path: ./kubernetes/apps/default/thelounge/app 14 | postBuild: 15 | substitute: 16 | APP: thelounge 17 | prune: true 18 | sourceRef: 19 | kind: GitRepository 20 | name: flux-system 21 | namespace: flux-system 22 | targetNamespace: default 23 | -------------------------------------------------------------------------------- /kubernetes/apps/default/zigbee2mqtt/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: zigbee2mqtt 6 | spec: 7 | components: 8 | - ../../../../components/volsync 9 | dependsOn: 10 | - name: rook-ceph-cluster 11 | namespace: rook-ceph 12 | interval: 1h 13 | path: ./kubernetes/apps/default/zigbee2mqtt/app 14 | postBuild: 15 | substitute: 16 | APP: zigbee2mqtt 17 | prune: true 18 | sourceRef: 19 | kind: GitRepository 20 | name: flux-system 21 | namespace: flux-system 22 | targetNamespace: default 23 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: observability 5 | components: 6 | - ../../components/namespace 7 | resources: 8 | - ./blackbox-exporter/ks.yaml 9 | - ./fluent-bit/ks.yaml 10 | - ./gatus/ks.yaml 11 | - ./grafana/ks.yaml 12 | - ./karma/ks.yaml 13 | - ./keda/ks.yaml 14 | - ./kromgo/ks.yaml 15 | - ./kube-prometheus-stack/ks.yaml 16 | - ./silence-operator/ks.yaml 17 | - ./smartctl-exporter/ks.yaml 18 | - ./snmp-exporter/ks.yaml 19 | - ./unpoller/ks.yaml 20 | - ./victoria-logs/ks.yaml 21 | 
--------------------------------------------------------------------------------
/kubernetes/components/keda/nfs-scaler/scaledobject.yaml:
--------------------------------------------------------------------------------
---
# KEDA ScaledObject shared by every app that pulls in the keda component: it is
# intended to hold the ${APP} Deployment at 0 replicas while the NFS probe is
# failing and allow 1 replica once the probe succeeds.
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: ${APP}-nfs-scaler
spec:
  cooldownPeriod: 0
  minReplicaCount: 0
  maxReplicaCount: 1
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: ${APP}
  triggers:
    - type: prometheus
      metadata:
        # Plain-HTTP, unauthenticated in-cluster Prometheus endpoint: the scaling
        # decision is only as trustworthy as whatever answers on this address.
        serverAddress: http://prometheus-operated.observability.svc.cluster.local:9090
        # Blackbox probe result for any target on the NFS port (2049).
        query: probe_success{instance=~".+:2049"}
        threshold: "1"
        # NOTE(review): "0" presumably makes an empty query result an error rather
        # than a 0 — confirm what happens when no :2049 target is being scraped,
        # since that decides whether ${APP} stays down or comes up.
        ignoreNullValues: "0"
--------------------------------------------------------------------------------
/.taskfiles/volsync/resources/unlock.yaml.j2:
--------------------------------------------------------------------------------
---
# One-shot Job (rendered by the volsync taskfile) that clears restic locks on the
# {{ ENV.APP }} repository. It reads the same secret the volsync component renders
# as ${APP}-restic-secret.
apiVersion: batch/v1
kind: Job
metadata:
  name: volsync-unlock-{{ ENV.APP }}
  namespace: {{ ENV.NS }}
spec:
  ttlSecondsAfterFinished: 3600
  template:
    spec:
      # The pod only needs the repository credentials, not a Kubernetes API token.
      automountServiceAccountToken: false
      restartPolicy: OnFailure
      containers:
        - name: restic
          # TODO(review): "latest" is a floating tag — pin a version (ideally with a
          # digest) so the job is reproducible and Renovate can track it like the
          # other images in this repo.
          image: docker.io/restic/restic:latest
          # "--remove-all" also drops locks another restic process may still hold;
          # only run this while no backup/restore for {{ ENV.APP }} is in flight.
          args: ["unlock", "--remove-all"]
          envFrom:
            - secretRef:
                name: {{ ENV.APP }}-restic-secret
          # No requests/limits are set for this short-lived job.
          resources: {}
--------------------------------------------------------------------------------
/kubernetes/apps/media/bazarr/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: bazarr
spec:
  components:
    - ../../../../components/keda
    - ../../../../components/volsync
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 1h
  path: ./kubernetes/apps/media/bazarr/app
  postBuild:
    substitute:
APP: bazarr 18 | prune: true 19 | sourceRef: 20 | kind: GitRepository 21 | name: flux-system 22 | namespace: flux-system 23 | targetNamespace: media 24 | -------------------------------------------------------------------------------- /kubernetes/apps/media/radarr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: radarr 6 | spec: 7 | components: 8 | - ../../../../components/keda 9 | - ../../../../components/volsync 10 | dependsOn: 11 | - name: rook-ceph-cluster 12 | namespace: rook-ceph 13 | interval: 1h 14 | path: ./kubernetes/apps/media/radarr/app 15 | postBuild: 16 | substitute: 17 | APP: radarr 18 | prune: true 19 | sourceRef: 20 | kind: GitRepository 21 | name: flux-system 22 | namespace: flux-system 23 | targetNamespace: media 24 | -------------------------------------------------------------------------------- /kubernetes/apps/media/sonarr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: sonarr 6 | spec: 7 | components: 8 | - ../../../../components/keda 9 | - ../../../../components/volsync 10 | dependsOn: 11 | - name: rook-ceph-cluster 12 | namespace: rook-ceph 13 | interval: 1h 14 | path: ./kubernetes/apps/media/sonarr/app 15 | postBuild: 16 | substitute: 17 | APP: sonarr 18 | prune: true 19 | sourceRef: 20 | kind: GitRepository 21 | name: flux-system 22 | namespace: flux-system 23 | targetNamespace: media 24 | -------------------------------------------------------------------------------- /kubernetes/apps/default/zigbee2mqtt/app/scaledobject.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: keda.sh/v1alpha1 3 | kind: ScaledObject 4 | metadata: 5 | name: zigbee2mqtt-scaler 6 | spec: 7 | cooldownPeriod: 0 8 | 
minReplicaCount: 0 9 | maxReplicaCount: 1 10 | scaleTargetRef: 11 | apiVersion: apps/v1 12 | kind: Deployment 13 | name: zigbee2mqtt 14 | triggers: 15 | - type: prometheus 16 | metadata: 17 | serverAddress: http://prometheus-operated.observability.svc.cluster.local:9090 18 | query: probe_success{instance=~"zigbee-controller.+"} 19 | threshold: "1" 20 | ignoreNullValues: "0" 21 | -------------------------------------------------------------------------------- /kubernetes/apps/system-upgrade/tuppr/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: tuppr 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: 0.0.45 13 | url: oci://ghcr.io/home-operations/charts/tuppr 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: tuppr 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: tuppr 23 | interval: 1h 24 | values: 25 | replicaCount: 2 26 | -------------------------------------------------------------------------------- /kubernetes/apps/media/autobrr/app/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | name: autobrr 6 | spec: 7 | groups: 8 | - name: autobrr.rules 9 | rules: 10 | - alert: AutobrrNetworkUnmonitored 11 | expr: |- 12 | autobrr_irc_channel_enabled_total != autobrr_irc_channel_monitored_total 13 | for: 5m 14 | annotations: 15 | summary: >- 16 | One or more IRC channels on the {{ $labels.network }} network are enabled but not being monitored 17 | labels: 18 | severity: critical 19 | -------------------------------------------------------------------------------- 
/kubernetes/apps/networking/smtp-relay/app/resources/maddy.conf:
--------------------------------------------------------------------------------
# maddy configured as an outbound-only relay: anything submitted on the local SMTP
# listener is queued and forwarded to the upstream server using the relay account
# from smtp-relay-secret (see the app's externalsecret.yaml).
state_dir /cache/state
runtime_dir /cache/run

# Prometheus metrics, unauthenticated, bound on all interfaces.
openmetrics tcp://0.0.0.0:{env:SMTP_RELAY_METRICS_PORT} { }

# No TLS on the inbound listener: submissions travel in clear text inside the
# cluster. Acceptable only while this port is reachable solely from trusted
# workloads — enforce that with a NetworkPolicy rather than assuming it.
tls off
hostname {env:HOSTNAME}

# NOTE(review): there is no auth block on this listener, so any client that can
# reach the port can send mail through the upstream account below. Keep the
# reachable set small and watch the queue/metrics for unexpected senders.
smtp tcp://0.0.0.0:{env:SMTP_RELAY_SMTP_PORT} {
    default_source {
        deliver_to &remote_queue
    }
}

target.queue remote_queue {
    target &remote_smtp
}

target.smtp remote_smtp {
    # Credentials go out with AUTH PLAIN, so the upstream connection must be
    # upgraded first. NOTE(review): confirm maddy fails closed (no clear-text
    # fallback) when the upstream does not offer STARTTLS.
    starttls yes
    auth plain {env:SMTP_RELAY_USERNAME} {env:SMTP_RELAY_PASSWORD}
    targets tcp://{env:SMTP_RELAY_SERVER}:{env:SMTP_RELAY_SERVER_PORT}
}
--------------------------------------------------------------------------------
/kubernetes/apps/observability/keda/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: keda
spec:
  interval: 15m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    # Chart pulled from the home-operations mirror and pinned to an exact version,
    # so a bump shows up as a reviewable diff.
    tag: 2.18.2
  url: oci://ghcr.io/home-operations/charts-mirror/keda
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: keda
spec:
  chartRef:
    kind: OCIRepository
    name: keda
  interval: 1h
  values:
    enableServiceLinks: false
--------------------------------------------------------------------------------
/Taskfile.yaml:
--------------------------------------------------------------------------------
---
version: '3'

set: [pipefail]
shopt: [globstar]

vars:
  BOOTSTRAP_DIR: '{{.ROOT_DIR}}/bootstrap'
  KUBERNETES_DIR: '{{.ROOT_DIR}}/kubernetes'
  TALOS_DIR: '{{.ROOT_DIR}}/talos'

env:
  # Cluster credentials are expected at an in-repo path.
  # NOTE(review): confirm this file is gitignored.
  KUBECONFIG: '{{.KUBERNETES_DIR}}/kubeconfig'
  MINIJINJA_CONFIG_FILE:
'{{.ROOT_DIR}}/.minijinja.toml'
  # Node-level credentials. NOTE(review): confirm this file is gitignored.
  TALOSCONFIG: '{{.TALOS_DIR}}/talosconfig'

includes:
  bootstrap: .taskfiles/bootstrap
  kubernetes: .taskfiles/kubernetes
  talos: .taskfiles/talos
  volsync: .taskfiles/volsync

tasks:

  default:
    cmd: task --list
    silent: true
--------------------------------------------------------------------------------
/kubernetes/apps/system-upgrade/tuppr/upgrades/talos.yaml:
--------------------------------------------------------------------------------
---
# tuppr-driven Talos upgrade. The target version is bumped by Renovate (the
# factory.talos.dev -> ghcr.io/siderolabs/installer mapping lives in
# .renovate/overrides.json5); the health checks below presumably gate each node.
apiVersion: tuppr.home-operations.com/v1alpha1
kind: TalosUpgrade
metadata:
  name: talos
spec:
  talos:
    # NOTE(review): this is a release-candidate build for the node OS — confirm
    # following pre-releases here is intentional. (Keep the renovate marker
    # directly above "version" so the regex manager still matches it.)
    # renovate: datasource=docker depName=ghcr.io/siderolabs/installer
    version: v1.12.0-rc.0
  policy:
    rebootMode: powercycle
  healthChecks:
    # Do not proceed unless Ceph is healthy and no VolSync source is mid-sync;
    # both are cluster-wide state that a node reboot would interrupt.
    - apiVersion: ceph.rook.io/v1
      kind: CephCluster
      expr: status.ceph.health in ['HEALTH_OK']
    - apiVersion: volsync.backube/v1alpha1
      kind: ReplicationSource
      expr: status.conditions.filter(c, c.type == "Synchronizing").all(c, c.status == "False")
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/flux-instance/app/receiver/httproute.yaml:
--------------------------------------------------------------------------------
---
# Publishes the Flux webhook receiver through the external Envoy gateway so the
# source forge can trigger reconciliation.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: flux-webhook
  annotations:
    # Gatus probes the route; a 404 is the expected "up" signal here.
    gatus.home-operations.com/endpoint: |-
      conditions: ["[STATUS] == 404"]
spec:
  hostnames:
    - flux-webhook.k13.dev
  parentRefs:
    # NOTE(review): "envoy-external" suggests an internet-facing listener. The
    # route applies no authentication of its own, so the Receiver's token
    # validation is presumably the only gate on this path — keep that secret
    # rotated and alert on unexpected request volume.
    - name: envoy-external
      namespace: networking
  rules:
    - backendRefs:
        - name: webhook-receiver
          namespace: flux-system
          port: 80
      matches:
        - path:
            type: PathPrefix
            value: /hook/
--------------------------------------------------------------------------------
/kubernetes/apps/media/nzbget/ks.yaml:
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: nzbget 6 | spec: 7 | components: 8 | - ../../../../components/keda 9 | - ../../../../components/volsync 10 | dependsOn: 11 | - name: openebs 12 | namespace: openebs-system 13 | - name: rook-ceph-cluster 14 | namespace: rook-ceph 15 | interval: 1h 16 | path: ./kubernetes/apps/media/nzbget/app 17 | postBuild: 18 | substitute: 19 | APP: nzbget 20 | prune: true 21 | sourceRef: 22 | kind: GitRepository 23 | name: flux-system 24 | namespace: flux-system 25 | targetNamespace: media 26 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/external-dns/unifi/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | name: external-dns-unifi 6 | spec: 7 | groups: 8 | - name: external-dns-unifi.rules 9 | rules: 10 | - alert: ExternalDNSUnifiStale 11 | expr: |- 12 | time() - external_dns_controller_last_sync_timestamp_seconds{job="external-dns-unifi"} > 60 13 | for: 5m 14 | annotations: 15 | summary: >- 16 | ExternalDNS ({{ $labels.job }}) has not synced successfully in the last five minutes 17 | labels: 18 | severity: critical 19 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/multus/networks/iot.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: k8s.cni.cncf.io/v1 3 | kind: NetworkAttachmentDefinition 4 | metadata: 5 | name: iot 6 | spec: 7 | config: |- 8 | { 9 | "cniVersion": "1.1.0", 10 | "name": "iot", 11 | "plugins": [ 12 | { 13 | "type": "macvlan", 14 | "master": "bond0.30", 15 | "mode": "bridge", 16 | "ipam": { 17 | "type": "static", 18 | "routes": [ 19 | {"dst": "0.0.0.0/0", 
"gw": "192.168.30.1"} 20 | ] 21 | } 22 | }, 23 | { 24 | "type": "sbr" 25 | } 26 | ] 27 | } 28 | -------------------------------------------------------------------------------- /kubernetes/apps/default/home-assistant/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: home-assistant 6 | spec: 7 | components: 8 | - ../../../../components/volsync 9 | dependsOn: 10 | - name: multus-networks 11 | namespace: networking 12 | - name: rook-ceph-cluster 13 | namespace: rook-ceph 14 | interval: 1h 15 | path: ./kubernetes/apps/default/home-assistant/app 16 | postBuild: 17 | substitute: 18 | APP: home-assistant 19 | prune: true 20 | sourceRef: 21 | kind: GitRepository 22 | name: flux-system 23 | namespace: flux-system 24 | targetNamespace: default 25 | -------------------------------------------------------------------------------- /kubernetes/apps/actions-runner-system/actions-runner-controller/runners/k8s-gitops/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: k8s-gitops-runner 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword 10 | target: 11 | name: k8s-gitops-runner-secret 12 | template: 13 | data: 14 | github_app_id: "{{ .ACTION_RUNNER_GITHUB_APP_ID }}" 15 | github_app_installation_id: "{{ .ACTION_RUNNER_GITHUB_INSTALLATION_ID }}" 16 | github_app_private_key: "{{ .ACTION_RUNNER_GITHUB_PRIVATE_KEY }}" 17 | dataFrom: 18 | - extract: 19 | key: actions-runner 20 | -------------------------------------------------------------------------------- /kubernetes/apps/actions-runner-system/actions-runner-controller/runners/k8s-gitops/rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: 
ServiceAccount 4 | metadata: 5 | name: k8s-gitops-runner 6 | --- 7 | apiVersion: rbac.authorization.k8s.io/v1 8 | kind: ClusterRoleBinding 9 | metadata: 10 | name: k8s-gitops-runner 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: cluster-admin 15 | subjects: 16 | - kind: ServiceAccount 17 | name: k8s-gitops-runner 18 | namespace: actions-runner-system 19 | --- 20 | apiVersion: talos.dev/v1alpha1 21 | kind: ServiceAccount 22 | metadata: 23 | name: k8s-gitops-runner 24 | spec: 25 | roles: ["os:admin"] 26 | -------------------------------------------------------------------------------- /kubernetes/apps/media/qbittorrent/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: qbittorrent 6 | spec: 7 | components: 8 | - ../../../../components/keda 9 | - ../../../../components/volsync 10 | dependsOn: 11 | - name: openebs 12 | namespace: openebs-system 13 | - name: rook-ceph-cluster 14 | namespace: rook-ceph 15 | interval: 1h 16 | path: ./kubernetes/apps/media/qbittorrent/app 17 | postBuild: 18 | substitute: 19 | APP: qbittorrent 20 | prune: true 21 | sourceRef: 22 | kind: GitRepository 23 | name: flux-system 24 | namespace: flux-system 25 | targetNamespace: media 26 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/external-dns/cloudflare/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | name: external-dns-cloudflare 6 | spec: 7 | groups: 8 | - name: external-dns-cloudflare.rules 9 | rules: 10 | - alert: ExternalDNSCloudflareStale 11 | expr: |- 12 | time() - external_dns_controller_last_sync_timestamp_seconds{job="external-dns-cloudflare"} > 60 13 | for: 5m 14 | annotations: 15 | summary: >- 16 
| ExternalDNS ({{ $labels.job }}) has not synced successfully in the last five minutes 17 | labels: 18 | severity: critical 19 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/gatus/app/rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: gatus 6 | --- 7 | apiVersion: rbac.authorization.k8s.io/v1 8 | kind: ClusterRole 9 | metadata: 10 | name: gatus 11 | rules: 12 | - apiGroups: ["gateway.networking.k8s.io"] 13 | resources: ["gateways", "httproutes"] 14 | verbs: ["get", "watch", "list"] 15 | --- 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | kind: ClusterRoleBinding 18 | metadata: 19 | name: gatus 20 | roleRef: 21 | kind: ClusterRole 22 | name: gatus 23 | apiGroup: rbac.authorization.k8s.io 24 | subjects: 25 | - kind: ServiceAccount 26 | name: gatus 27 | namespace: observability 28 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: flux-operator 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: 0.36.0 13 | url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: flux-operator 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: flux-operator 23 | interval: 1h 24 | values: 25 | serviceMonitor: 26 | create: true 27 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/gatus/app/externalsecret.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: gatus 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword 10 | target: 11 | name: gatus-secret 12 | template: 13 | data: 14 | BUDDY_DDNS_HOSTNAME: "{{ .BUDDY_DDNS_HOSTNAME }}" 15 | BUDDY_HEARTBEAT_TOKEN: "{{ .BUDDY_HEARTBEAT_TOKEN }}" 16 | BUDDY_PUSHOVER_TOKEN: "{{ .BUDDY_PUSHOVER_TOKEN }}" 17 | BUDDY_PUSHOVER_USER_KEY: "{{ .BUDDY_PUSHOVER_USER_KEY }}" 18 | BUDDY_STATUS_HOSTNAME: "{{ .BUDDY_STATUS_HOSTNAME }}" 19 | dataFrom: 20 | - extract: 21 | key: gatus 22 | -------------------------------------------------------------------------------- /kubernetes/components/volsync/volsync/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: "${APP}-restic" 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword 10 | target: 11 | name: "${APP}-restic-secret" 12 | template: 13 | data: 14 | RESTIC_REPOSITORY: "{{ .REPOSITORY_TEMPLATE }}/${APP}" 15 | RESTIC_PASSWORD: "{{ .RESTIC_PASSWORD }}" 16 | AWS_ACCESS_KEY_ID: "{{ .AWS_ACCESS_KEY_ID }}" 17 | AWS_SECRET_ACCESS_KEY: "{{ .AWS_SECRET_ACCESS_KEY }}" 18 | dataFrom: 19 | - extract: 20 | key: cloudflare 21 | - extract: 22 | key: volsync-restic-template 23 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: volsync 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: 0.14.0 13 | url: 
oci://ghcr.io/home-operations/charts-mirror/volsync
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: volsync
spec:
  chartRef:
    kind: OCIRepository
    name: volsync
  interval: 1h
  values:
    manageCRDs: true
    replicaCount: 2
    metrics:
      # Serves the operator's metrics without authentication. Fine for an
      # in-cluster scraper, but any pod that can reach the port can then read
      # backup/restore activity — confirm that exposure is intended.
      disableAuth: true
--------------------------------------------------------------------------------
/kubernetes/apps/media/cross-seed/app/resources/config.js:
--------------------------------------------------------------------------------
// Torrent content layout: Original
// Default Torrent Management Mode: Automatic
// Default Save Path: /media/downloads/torrents/complete
// Incomplete Save Path: /incomplete

// cross-seed settings. The API key comes from the environment, so nothing
// sensitive lives in this file (see the app's externalsecret.yaml).
module.exports = {
  action: "inject",
  // Key protecting cross-seed's own HTTP endpoint; injected at runtime.
  apiKey: process.env.CROSS_SEED_API_KEY,
  linkCategory: "cross-seed",
  linkDirs: ["/media/downloads/torrents/complete/cross-seed"],
  linkType: "hardlink",
  matchMode: "partial",
  outputDir: null,
  port: Number(process.env.CROSS_SEED_PORT),
  skipRecheck: true,
  // NOTE(review): plain HTTP and no credentials in the client URL, so this
  // relies on qBittorrent accepting unauthenticated access from in-cluster
  // sources — confirm that bypass is scoped as narrowly as possible.
  torrentClients: ["qbittorrent:http://qbittorrent.media.svc.cluster.local"],
  torznab: [],
  useClientTorrents: true,
};
--------------------------------------------------------------------------------
/kubernetes/apps/media/plex/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: plex
spec:
  components:
    - ../../../../components/keda
    - ../../../../components/volsync
  dependsOn:
    - name: intel-gpu-resource-driver
      namespace: kube-system
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 1h
  path: ./kubernetes/apps/media/plex/app
  postBuild:
    substitute:
      APP: plex
      # Presumably overrides the volsync component's default PVC sizes for this app.
      VOLSYNC_CACHE_CAPACITY: 25Gi
      VOLSYNC_CAPACITY: 50Gi
  prune: true
  sourceRef:
kind: GitRepository 25 | name: flux-system 26 | namespace: flux-system 27 | targetNamespace: media 28 | -------------------------------------------------------------------------------- /kubernetes/components/namespace/alerts/alertmanager/alert.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: notification.toolkit.fluxcd.io/v1beta3 3 | kind: Alert 4 | metadata: 5 | name: alertmanager 6 | spec: 7 | providerRef: 8 | name: alertmanager 9 | eventSeverity: error 10 | eventSources: 11 | - kind: FluxInstance 12 | name: "*" 13 | - kind: GitRepository 14 | name: "*" 15 | - kind: HelmRelease 16 | name: "*" 17 | - kind: HelmRepository 18 | name: "*" 19 | - kind: Kustomization 20 | name: "*" 21 | - kind: OCIRepository 22 | name: "*" 23 | exclusionList: 24 | - "error.*lookup github\\.com" 25 | - "error.*lookup raw\\.githubusercontent\\.com" 26 | - "dial.*tcp.*timeout" 27 | - "waiting.*socket" 28 | -------------------------------------------------------------------------------- /.taskfiles/volsync/resources/replicationdestination.yaml.j2: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationDestination 4 | metadata: 5 | name: {{ ENV.APP }}-manual 6 | namespace: {{ ENV.NS }} 7 | spec: 8 | trigger: 9 | manual: restore-once 10 | restic: 11 | repository: {{ ENV.APP }}-restic-secret 12 | destinationPVC: {{ ENV.CLAIM }} 13 | copyMethod: Direct 14 | storageClassName: {{ ENV.STORAGE_CLASS_NAME }} 15 | accessModes: {{ ENV.ACCESS_MODES }} 16 | previous: {{ ENV.PREVIOUS }} 17 | moverSecurityContext: 18 | runAsUser: {{ ENV.PUID }} 19 | runAsGroup: {{ ENV.PGID }} 20 | fsGroup: {{ ENV.PGID }} 21 | enableFileDeletion: true 22 | cleanupCachePVC: true 23 | cleanupTempPVC: true 24 | -------------------------------------------------------------------------------- /.github/labeler.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | area/bootstrap: 3 | - changed-files: 4 | - any-glob-to-any-file: "bootstrap/**/*" 5 | area/docs: 6 | - changed-files: 7 | - any-glob-to-any-file: 8 | - "README.md" 9 | area/github: 10 | - changed-files: 11 | - any-glob-to-any-file: ".github/**/*" 12 | area/kubernetes: 13 | - changed-files: 14 | - any-glob-to-any-file: "kubernetes/**/*" 15 | area/renovate: 16 | - changed-files: 17 | - any-glob-to-any-file: 18 | - ".renovate/**/*" 19 | - ".renovaterc.json5" 20 | area/talos: 21 | - changed-files: 22 | - any-glob-to-any-file: "talos/**/*" 23 | area/taskfile: 24 | - changed-files: 25 | - any-glob-to-any-file: 26 | - ".taskfiles/**/*" 27 | - "Taskfile.yaml" 28 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/snapshot-controller/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: snapshot-controller 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: 4.2.0 13 | url: oci://ghcr.io/piraeusdatastore/helm-charts/snapshot-controller 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: snapshot-controller 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: snapshot-controller 23 | interval: 1h 24 | values: 25 | controller: 26 | replicaCount: 2 27 | serviceMonitor: 28 | create: true 29 | -------------------------------------------------------------------------------- /kubernetes/apps/external-secrets/external-secrets/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: 
external-secrets 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: 1.1.1 13 | url: oci://ghcr.io/external-secrets/charts/external-secrets 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: external-secrets 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: external-secrets 23 | interval: 1h 24 | values: 25 | leaderElect: true 26 | serviceMonitor: 27 | enabled: true 28 | webhook: 29 | replicaCount: 2 30 | -------------------------------------------------------------------------------- /kubernetes/apps/actions-runner-system/actions-runner-controller/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: gha-runner-scale-set-controller 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: 0.13.0 13 | url: oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: &name actions-runner-controller 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: gha-runner-scale-set-controller 23 | interval: 1h 24 | values: 25 | fullnameOverride: *name 26 | -------------------------------------------------------------------------------- /kubernetes/apps/default/zigbee2mqtt/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: zigbee2mqtt 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword 10 | target: 11 | name: zigbee2mqtt-secret 12 | template: 13 | data: 14 | 
ZIGBEE2MQTT_CONFIG_ADVANCED_CHANNEL: "{{ .ZIGBEE2MQTT_CONFIG_ADVANCED_CHANNEL }}" 15 | ZIGBEE2MQTT_CONFIG_ADVANCED_EXT_PAN_ID: "{{ .ZIGBEE2MQTT_CONFIG_ADVANCED_EXT_PAN_ID }}" 16 | ZIGBEE2MQTT_CONFIG_ADVANCED_NETWORK_KEY: "{{ .ZIGBEE2MQTT_CONFIG_ADVANCED_NETWORK_KEY }}" 17 | ZIGBEE2MQTT_CONFIG_ADVANCED_PAN_ID: "{{ .ZIGBEE2MQTT_CONFIG_ADVANCED_PAN_ID }}" 18 | dataFrom: 19 | - extract: 20 | key: zigbee2mqtt 21 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/external-dns/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: external-dns-cloudflare 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/networking/external-dns/cloudflare 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: networking 15 | --- 16 | apiVersion: kustomize.toolkit.fluxcd.io/v1 17 | kind: Kustomization 18 | metadata: 19 | name: external-dns-unifi 20 | spec: 21 | interval: 1h 22 | path: ./kubernetes/apps/networking/external-dns/unifi 23 | prune: true 24 | sourceRef: 25 | kind: GitRepository 26 | name: flux-system 27 | namespace: flux-system 28 | targetNamespace: networking 29 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/reloader/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: reloader 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: 2.2.7 13 | url: oci://ghcr.io/stakater/charts/reloader 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: &app 
reloader 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: reloader 23 | interval: 1h 24 | values: 25 | fullnameOverride: *app 26 | reloader: 27 | readOnlyRootFileSystem: true 28 | podMonitor: 29 | enabled: true 30 | namespace: "{{ .Release.Namespace }}" 31 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/spegel/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: spegel 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: 0.5.1 13 | url: oci://ghcr.io/spegel-org/helm-charts/spegel 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: spegel 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: spegel 23 | interval: 1h 24 | values: 25 | serviceMonitor: 26 | enabled: true 27 | spegel: 28 | containerdRegistryConfigPath: /etc/cri/conf.d/hosts 29 | service: 30 | registry: 31 | hostPort: 29999 32 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/multus/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: multus 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/networking/multus/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: networking 15 | wait: true 16 | --- 17 | apiVersion: kustomize.toolkit.fluxcd.io/v1 18 | kind: Kustomization 19 | metadata: 20 | name: multus-networks 21 | spec: 22 | dependsOn: 23 | - name: multus 24 | interval: 1h 25 | path: ./kubernetes/apps/networking/multus/networks 26 | prune: true 
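sourceRef:
  kind: GitRepository
  name: flux-system
  namespace: flux-system
targetNamespace: networking
--------------------------------------------------------------------------------
/kubernetes/apps/observability/silence-operator/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: silence-operator
spec:
  interval: 15m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 0.20.0
  url: oci://gsoci.azurecr.io/charts/giantswarm/silence-operator
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: silence-operator
spec:
  chartRef:
    kind: OCIRepository
    name: silence-operator
  interval: 1h
  values:
    # Plain HTTP to the in-cluster Alertmanager service; this address is only
    # reachable from inside the cluster network.
    alertmanagerAddress: http://alertmanager-operated.observability.svc.cluster.local:9093
    networkPolicy:
      # The chart-managed NetworkPolicy is turned off, so this release applies
      # no ingress/egress restriction to the operator pod. That is only fine
      # if policy is enforced elsewhere (the cluster runs Cilium; whether a
      # CiliumNetworkPolicy covers this namespace is not visible here - confirm).
      enabled: false
--------------------------------------------------------------------------------
/.github/workflows/label-sync.yaml:
--------------------------------------------------------------------------------
---
name: Label Sync

on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - .github/labels.yaml
  schedule:
    - cron: 0 0 * * * # Every day at midnight

jobs:
  sync:
    name: Label Sync
    runs-on: ubuntu-latest
    # Least-privilege token: label management only needs issues:write; every
    # other GITHUB_TOKEN scope is left at none.
    permissions:
      issues: write
    steps:
      - name: Checkout
        # Third-party actions are pinned to a full commit SHA rather than a
        # mutable tag, so a retagged release cannot change what runs here.
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          sparse-checkout: .github/labels.yaml

      - name: Sync Labels
        uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
        with:
          config-file: .github/labels.yaml
          # Destructive: every run (daily schedule and each push touching
          # labels.yaml) removes any label that is not declared in
          # labels.yaml, so labels created by hand in the UI will not survive.
          delete-other-labels: true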
-------------------------------------------------------------------------------- /kubernetes/apps/kube-system/cilium/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: cilium 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/kube-system/cilium/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: kube-system 15 | wait: true 16 | --- 17 | apiVersion: kustomize.toolkit.fluxcd.io/v1 18 | kind: Kustomization 19 | metadata: 20 | name: cilium-config 21 | spec: 22 | dependsOn: 23 | - name: cilium 24 | interval: 1h 25 | path: ./kubernetes/apps/kube-system/cilium/config 26 | prune: true 27 | sourceRef: 28 | kind: GitRepository 29 | name: flux-system 30 | namespace: flux-system 31 | targetNamespace: kube-system 32 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/multus/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: multus 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: 1.1.0 13 | url: oci://ghcr.io/bjw-s-labs/helm/multus 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: multus 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: multus 23 | interval: 1h 24 | values: 25 | cni: 26 | binPath: /opt/cni/bin 27 | netPath: /etc/cni/net.d 28 | multus: 29 | resources: 30 | requests: 31 | cpu: 10m 32 | limits: 33 | memory: 32Mi 34 | -------------------------------------------------------------------------------- /.renovate/customManagers.json5: 
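--------------------------------------------------------------------------------
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  customManagers: [
    {
      customType: "regex",
      description: "Process annotated dependencies",
      managerFilePatterns: ["/\\.yaml(?:\\.j2)?$/"],
      matchStrings: [
        // Named capture groups are mandatory: Renovate reads `datasource`,
        // `depName` and `currentValue` from them, and the datasourceTemplate
        // below refers to `datasource`. The `<name>` parts had been stripped
        // from this listing; they are restored here.
        "datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)\\n.+ (?<currentValue>[v|\\d]\\S+)"
      ],
      datasourceTemplate: "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}",
    },
    {
      customType: "regex",
      description: "Process OCI dependencies",
      managerFilePatterns: ["/\\.yaml(?:\\.j2)?$/"],
      // Matches `oci://<repository>:<tag>` references and resolves them through
      // the docker datasource (named groups restored as above).
      matchStrings: ["oci://(?<depName>[^:]+):(?<currentValue>\\S+)"],
      datasourceTemplate: "docker",
    },
  ],
}
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/intel-gpu-resource-driver/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: intel-gpu-resource-driver
spec:
  interval: 15m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 0.9.0
  url: oci://ghcr.io/intel/intel-resource-drivers-for-kubernetes/intel-gpu-resource-driver-chart
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: intel-gpu-resource-driver
spec:
  chartRef:
    kind: OCIRepository
    name: intel-gpu-resource-driver
  interval: 1h
  values:
    # Host paths where the driver writes CDI device specs; the driver needs
    # write access to these directories on every GPU node.
    cdi:
      staticPath: /var/cdi/static
      dynamicPath: /var/cdi/dynamic
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kube-prometheus-stack/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
apiVersion: external-secrets.io/v1
kind: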
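ExternalSecret
metadata:
  name: alertmanager
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: alertmanager-secret
    template:
      data:
        # Only the keys listed here are written to the Secret; the rest of the
        # 1Password items pulled in by dataFrom stay out of the cluster object.
        BUDDY_HEARTBEAT_TOKEN: "{{ .BUDDY_HEARTBEAT_TOKEN }}"
        # Heartbeat URL is assembled from the `gatus` item's hostname field.
        BUDDY_HEARTBEAT_URL: "https://{{ .BUDDY_STATUS_HOSTNAME }}/api/v1/endpoints/buddy_heartbeat/external?success=true"
        ALERTMANAGER_PUSHOVER_APP_TOKEN: "{{ .ALERTMANAGER_PUSHOVER_APP_TOKEN }}"
        ALERTMANAGER_PUSHOVER_USER_KEY: "{{ .ALERTMANAGER_PUSHOVER_USER_KEY }}"
  # Two items are merged into one template context; if both define a field
  # with the same name, which one wins is decided by the provider order here.
  dataFrom:
    - extract:
        key: alertmanager
    - extract:
        key: gatus
--------------------------------------------------------------------------------
/kubernetes/apps/system-upgrade/tuppr/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: tuppr
spec:
  interval: 1h
  path: ./kubernetes/apps/system-upgrade/tuppr/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: system-upgrade
  wait: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: tuppr-upgrades
spec:
  # Upgrade CRs are only applied once the operator itself is ready.
  dependsOn:
    - name: tuppr
  interval: 1h
  path: ./kubernetes/apps/system-upgrade/tuppr/upgrades
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: system-upgrade
--------------------------------------------------------------------------------
/.github/workflows/labeler.yaml:
--------------------------------------------------------------------------------
---
name: Labeler

on:
  workflow_dispatch:
  # pull_request_target runs in the base-repository context with access to
  # repository secrets, including for PRs opened from forks. The job-level
  # `if` guard that follows limits the job to PRs whose head repo is this
  # repository, and the job never checks out PR code - keep both properties
  # intact when editing this workflow.
  pull_request_target:
    branches:
      - main

jobs:
  labeler:
    name: Labeler
    runs-on: ubuntu-latest
    if: ${{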
github.event.pull_request.head.repo.full_name == github.repository }} 15 | steps: 16 | - name: Generate Token 17 | uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 18 | id: app-token 19 | with: 20 | app-id: ${{ secrets.BOT_APP_ID }} 21 | private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }} 22 | 23 | - name: Labeler 24 | uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1 25 | with: 26 | repo-token: ${{ steps.app-token.outputs.token }} 27 | configuration-path: .github/labeler.yaml 28 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/silence-operator/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: silence-operator 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/observability/silence-operator/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: observability 15 | wait: true 16 | --- 17 | apiVersion: kustomize.toolkit.fluxcd.io/v1 18 | kind: Kustomization 19 | metadata: 20 | name: silence-operator-silences 21 | spec: 22 | dependsOn: 23 | - name: silence-operator 24 | interval: 1h 25 | path: ./kubernetes/apps/observability/silence-operator/silences 26 | prune: true 27 | sourceRef: 28 | kind: GitRepository 29 | name: flux-system 30 | namespace: flux-system 31 | targetNamespace: observability 32 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/tailscale-operator/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: tailscale-operator 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: 
application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: 1.90.9 13 | url: oci://ghcr.io/home-operations/charts-mirror/tailscale-operator 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: tailscale-operator 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: tailscale-operator 23 | interval: 1h 24 | values: 25 | oauthSecretVolume: 26 | secret: 27 | secretName: &secret tailscale-operator-secret 28 | operatorConfig: 29 | podAnnotations: 30 | secret.reloader.stakater.com/reload: *secret 31 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/tailscale-operator/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: tailscale-operator 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/networking/tailscale-operator/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: networking 15 | wait: true 16 | --- 17 | apiVersion: kustomize.toolkit.fluxcd.io/v1 18 | kind: Kustomization 19 | metadata: 20 | name: tailscale-operator-connectors 21 | spec: 22 | dependsOn: 23 | - name: tailscale-operator 24 | interval: 1h 25 | path: ./kubernetes/apps/networking/tailscale-operator/connectors 26 | prune: true 27 | sourceRef: 28 | kind: GitRepository 29 | name: flux-system 30 | namespace: flux-system 31 | targetNamespace: networking 32 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/blackbox-exporter/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: blackbox-exporter 6 | spec: 7 | interval: 1h 8 | path: 
./kubernetes/apps/observability/blackbox-exporter/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: observability 15 | wait: true 16 | --- 17 | apiVersion: kustomize.toolkit.fluxcd.io/v1 18 | kind: Kustomization 19 | metadata: 20 | name: blackbox-exporter-probes 21 | spec: 22 | dependsOn: 23 | - name: blackbox-exporter 24 | interval: 1h 25 | path: ./kubernetes/apps/observability/blackbox-exporter/probes 26 | prune: true 27 | sourceRef: 28 | kind: GitRepository 29 | name: flux-system 30 | namespace: flux-system 31 | targetNamespace: observability 32 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/external-dns/cloudflare/rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: external-dns-cloudflare 6 | --- 7 | apiVersion: rbac.authorization.k8s.io/v1 8 | kind: ClusterRole 9 | metadata: 10 | name: external-dns-cloudflare 11 | rules: 12 | - apiGroups: [""] 13 | resources: ["namespaces"] 14 | verbs: ["get", "watch", "list"] 15 | - apiGroups: ["gateway.networking.k8s.io"] 16 | resources: ["httproutes", "gateways"] 17 | verbs: ["get", "watch", "list"] 18 | --- 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | kind: ClusterRoleBinding 21 | metadata: 22 | name: external-dns-cloudflare 23 | roleRef: 24 | apiGroup: rbac.authorization.k8s.io 25 | kind: ClusterRole 26 | name: external-dns-cloudflare 27 | subjects: 28 | - kind: ServiceAccount 29 | name: external-dns-cloudflare 30 | namespace: networking 31 | -------------------------------------------------------------------------------- /bootstrap/helmfile.d/00-crds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # This helmfile is for installing Custom Resource Definitions (CRDs) from Helm charts. 
3 | # It is not intended to be used with helmfile apply or sync. 4 | 5 | helmDefaults: 6 | args: ['--include-crds', '--no-hooks'] # Prevent helmfile apply or sync 7 | postRenderer: bash 8 | postRendererArgs: [-c, "yq ea --exit-status 'select(.kind == \"CustomResourceDefinition\")'"] 9 | 10 | releases: 11 | - name: envoy-gateway 12 | namespace: networking 13 | chart: oci://mirror.gcr.io/envoyproxy/gateway-helm 14 | version: v1.6.1 15 | 16 | - name: keda 17 | namespace: observability 18 | chart: oci://ghcr.io/home-operations/charts-mirror/keda 19 | version: 2.18.2 20 | 21 | - name: kube-prometheus-stack 22 | namespace: observability 23 | chart: oci://ghcr.io/prometheus-community/charts/kube-prometheus-stack 24 | version: 80.4.1 25 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/smartctl-exporter/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: smartctl-exporter 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: 0.16.0 13 | url: oci://ghcr.io/prometheus-community/charts/prometheus-smartctl-exporter 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: &app smartctl-exporter 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: smartctl-exporter 23 | interval: 1h 24 | values: 25 | fullnameOverride: *app 26 | prometheusRules: 27 | enabled: false 28 | serviceMonitor: 29 | enabled: true 30 | relabelings: 31 | - action: labeldrop 32 | regex: (pod) 33 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: cert-manager 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: v1.19.2 13 | url: oci://quay.io/jetstack/charts/cert-manager 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: cert-manager 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: cert-manager 23 | interval: 1h 24 | values: 25 | crds: 26 | enabled: true 27 | dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query 28 | dns01RecursiveNameserversOnly: true 29 | prometheus: 30 | enabled: true 31 | servicemonitor: 32 | enabled: true 33 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/envoy-gateway/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: envoy-gateway 6 | spec: 7 | interval: 1h 8 | path: ./kubernetes/apps/networking/envoy-gateway/app 9 | prune: true 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | namespace: flux-system 14 | targetNamespace: networking 15 | wait: true 16 | --- 17 | apiVersion: kustomize.toolkit.fluxcd.io/v1 18 | kind: Kustomization 19 | metadata: 20 | name: envoy-gateway-proxy 21 | spec: 22 | dependsOn: 23 | - name: cert-manager-issuers 24 | namespace: cert-manager 25 | - name: envoy-gateway 26 | interval: 1h 27 | path: ./kubernetes/apps/networking/envoy-gateway/proxy 28 | prune: true 29 | sourceRef: 30 | kind: GitRepository 31 | name: flux-system 32 | namespace: flux-system 33 | targetNamespace: networking 34 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/gatus/app/prometheusrule.yaml: 
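--------------------------------------------------------------------------------
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: gatus
spec:
  groups:
    - name: gatus.rules
      rules:
        # A check in the `external` group has been failing for 5 minutes.
        - alert: GatusEndpointDown
          expr: |-
            gatus_results_endpoint_success{group="external"} == 0
          for: 5m
          annotations:
            summary: >-
              The {{ $labels.name }} endpoint is down
          labels:
            severity: critical

        # Inverted semantics: a *failing* check in the `internal` group is
        # treated as an exposure. This only holds if the internal checks are
        # written as negative checks (pass when the name does NOT resolve
        # publicly) in the Gatus config, which is not visible here - confirm.
        - alert: GatusEndpointExposed
          expr: |-
            gatus_results_endpoint_success{group="internal"} == 0
          for: 5m
          annotations:
            summary: >-
              The {{ $labels.name }} endpoint has a public DNS record and is exposed
          labels:
            severity: critical
--------------------------------------------------------------------------------
/.github/SECURITY.md:
--------------------------------------------------------------------------------
# Security Policy

🛡️ Found a security issue in a [k8s-gitops](https://github.com/buroa/k8s-gitops) project? Read on.

## Reporting a Vulnerability

Maintainers will attempt to respond to/confirm reports within 2-3 days, but if you believe your report to be "critical" to user safety and security, please note as such in the subject. We have tens of thousands of users using our software, and take security vulnerabilities seriously.

When reporting an issue, where possible, please provide at least:

* The project and commit version the issue was identified at
* A proof of concept (plaintext; no binaries)
* Steps to reproduce
* Your recommended remediation(s), if any

### Report using GitHub issues

To report a vulnerability via GitHub issues, click on the `Issues` tab at the top of any repository and then click on the `New issue` button. Note that GitHub issues are public: anything you post there is visible to everyone immediately. If the repository has GitHub's private vulnerability reporting enabled (`Security` tab, `Report a vulnerability`), prefer that route; otherwise keep the public issue to a minimal description and share the proof of concept once a maintainer has responded.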
19 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/unpoller/app/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | name: unpoller 6 | spec: 7 | groups: 8 | - name: unpoller.rules 9 | rules: 10 | - alert: UDMDownloadBandwithLow 11 | expr: |- 12 | unpoller_device_speedtest_download < 100 13 | for: 5m 14 | annotations: 15 | summary: >- 16 | {{ $labels.name }} download bandwidth is below {{ $value }} Mbps 17 | labels: 18 | severity: critical 19 | 20 | - alert: UDMUploadBandwidthLow 21 | expr: |- 22 | unpoller_device_speedtest_upload < 100 23 | for: 5m 24 | annotations: 25 | summary: >- 26 | {{ $labels.name }} upload bandwidth is below {{ $value }} Mbps 27 | labels: 28 | severity: critical 29 | -------------------------------------------------------------------------------- /.github/labels.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Areas 3 | - name: area/bootstrap 4 | color: "0e8a16" 5 | - name: area/github 6 | color: "0e8a16" 7 | - name: area/kubernetes 8 | color: "0e8a16" 9 | - name: area/renovate 10 | color: "0e8a16" 11 | - name: area/talos 12 | color: "0e8a16" 13 | - name: area/taskfile 14 | color: "0e8a16" 15 | # Renovate Types 16 | - name: renovate/container 17 | color: "027fa0" 18 | - name: renovate/github-action 19 | color: "027fa0" 20 | - name: renovate/grafana-dashboard 21 | color: "027fa0" 22 | - name: renovate/github-release 23 | color: "027fa0" 24 | - name: renovate/helm 25 | color: "027fa0" 26 | # Semantic Types 27 | - name: type/digest 28 | color: "ffeC19" 29 | - name: type/patch 30 | color: "ffeC19" 31 | - name: type/minor 32 | color: "ff9800" 33 | - name: type/major 34 | color: "f6412d" 35 | # Uncategorized 36 | - name: community 37 | color: "370fb2" 38 | - name: hold 39 | color: "ee0701" 40 
| -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/app/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | name: volsync 6 | spec: 7 | groups: 8 | - name: volsync.rules 9 | rules: 10 | - alert: VolSyncComponentAbsent 11 | expr: |- 12 | absent(up{job="volsync-metrics"}) 13 | annotations: 14 | summary: >- 15 | VolSync component has disappeared from Prometheus target discovery 16 | for: 5m 17 | labels: 18 | severity: critical 19 | 20 | - alert: VolSyncVolumeOutOfSync 21 | expr: |- 22 | volsync_volume_out_of_sync{role="source"} == 1 23 | annotations: 24 | summary: >- 25 | {{ $labels.obj_namespace }}/{{ $labels.obj_name }} volume is out of sync 26 | for: 5m 27 | labels: 28 | severity: critical 29 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-instance/app/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | name: flux-instance 6 | spec: 7 | groups: 8 | - name: flux-instance.rules 9 | rules: 10 | - alert: FluxInstanceAbsent 11 | expr: |- 12 | absent(flux_instance_info{exported_namespace="flux-system", name="flux"}) 13 | for: 5m 14 | annotations: 15 | summary: >- 16 | Flux instance metric is missing 17 | labels: 18 | severity: critical 19 | 20 | - alert: FluxInstanceNotReady 21 | expr: |- 22 | flux_instance_info{exported_namespace="flux-system", name="flux", ready!="True"} 23 | for: 5m 24 | annotations: 25 | summary: >- 26 | Flux instance {{ $labels.name }} is not ready 27 | labels: 28 | severity: critical 29 | -------------------------------------------------------------------------------- /.renovate/labels.json5: 
-------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | packageRules: [ 4 | { 5 | matchUpdateTypes: ["major"], 6 | labels: ["type/major"], 7 | }, 8 | { 9 | matchUpdateTypes: ["minor"], 10 | labels: ["type/minor"], 11 | }, 12 | { 13 | matchUpdateTypes: ["patch"], 14 | labels: ["type/patch"], 15 | }, 16 | { 17 | matchUpdateTypes: ["digest"], 18 | labels: ["type/digest"], 19 | }, 20 | { 21 | matchDatasources: ["docker"], 22 | addLabels: ["renovate/container"], 23 | }, 24 | { 25 | matchDatasources: ["helm"], 26 | addLabels: ["renovate/helm"], 27 | }, 28 | { 29 | matchManagers: ["github-actions"], 30 | addLabels: ["renovate/github-action"], 31 | }, 32 | { 33 | matchDatasources: ["github-releases"], 34 | addLabels: ["renovate/github-release"], 35 | }, 36 | ], 37 | } 38 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/snmp-exporter/app/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | name: snmp-exporter 6 | spec: 7 | groups: 8 | - name: snmp-exporter.rules 9 | rules: 10 | - alert: UPSOnBattery 11 | expr: |- 12 | (upsAdvBatteryRunTimeRemaining/60/100 <= 20 and upsBasicBatteryTimeOnBattery > 0) 13 | annotations: 14 | summary: >- 15 | ZPM {{ $labels.instance }} is running on battery power and has less than {{ $value }} minutes of runtime remaining 16 | for: 5m 17 | labels: 18 | severity: critical 19 | 20 | - alert: UPSReplaceBattery 21 | expr: upsAdvTestDiagnosticsResults != 1 22 | annotations: 23 | summary: >- 24 | ZPM {{ $labels.instance }} battery needs to be replaced 25 | for: 5m 26 | labels: 27 | severity: critical 28 | -------------------------------------------------------------------------------- 
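/kubernetes/apps/observability/silence-operator/silences/silences.yaml:
--------------------------------------------------------------------------------
---
apiVersion: observability.giantswarm.io/v1alpha2
kind: Silence
metadata:
  name: ceph-node-nfsmount-diskspace-warning
spec:
  # Exact-match silence limited to one bogus mountpoint.
  matchers:
    - name: alertname
      value: CephNodeDiskspaceWarning
    - name: mountpoint
      value: /etc/nfsmount.conf
---
apiVersion: observability.giantswarm.io/v1alpha2
kind: Silence
metadata:
  name: ceph-node-local-diskspace-warning
spec:
  matchers:
    - name: alertname
      value: CephNodeDiskspaceWarning
    # Regex match over *every* NVMe device: this also hides genuine local-disk
    # capacity warnings on those devices. If only a specific device is noisy,
    # narrow the pattern rather than silencing the whole class.
    - name: device
      value: /dev/nvme.*
      matchType: "=~"
---
apiVersion: observability.giantswarm.io/v1alpha2
kind: Silence
metadata:
  name: keda-hpa-maxed-out
spec:
  matchers:
    - name: alertname
      value: KubeHpaMaxedOut
    - name: horizontalpodautoscaler
      value: keda-hpa-.*
      matchType: "=~"
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: metrics-server
spec:
  interval: 15m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 3.13.0
  # Chart is pulled from a community mirror, not the upstream publisher, and
  # no `spec.verify` (cosign/notation) block is set, so Flux does not check
  # chart provenance. Worth adding if the mirror signs its artifacts.
  url: oci://ghcr.io/home-operations/charts-mirror/metrics-server
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: metrics-server
spec:
  chartRef:
    kind: OCIRepository
    name: metrics-server
  interval: 1h
  values:
    args:
      # Disables verification of the kubelet serving certificate: metrics-server
      # will talk to anything presenting TLS on the kubelet port, so a host
      # able to spoof a node address can feed it forged resource metrics (the
      # numbers HPA scaling decisions are based on). Prefer kubelet serving
      # certificates signed by the cluster CA (serving-cert rotation / CSR
      # approval) and drop this flag once those are in place.
      - --kubelet-insecure-tls
      - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
      - --kubelet-use-node-status-port
      - --metric-resolution=10s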
- --kubelet-request-timeout=2s 31 | metrics: 32 | enabled: true 33 | serviceMonitor: 34 | enabled: true 35 | -------------------------------------------------------------------------------- /kubernetes/apps/rook-ceph/rook-ceph/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: rook-ceph 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: v1.18.8 13 | url: oci://ghcr.io/rook/rook-ceph 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: rook-ceph 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: rook-ceph 23 | interval: 1h 24 | values: 25 | csi: 26 | cephFSKernelMountOptions: ms_mode=prefer-crc 27 | enableLiveness: true 28 | serviceMonitor: 29 | enabled: true 30 | image: 31 | repository: ghcr.io/rook/ceph 32 | monitoring: 33 | enabled: true 34 | resources: 35 | requests: 36 | cpu: 100m # unchangable 37 | memory: 128Mi # unchangable 38 | limits: {} 39 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/envoy-gateway/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: envoy-gateway 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: v1.6.1 13 | url: oci://mirror.gcr.io/envoyproxy/gateway-helm 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: envoy-gateway 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: envoy-gateway 23 | interval: 1h 24 | values: 25 | config: 26 | envoyGateway: 27 | 
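provider:
  type: Kubernetes
  kubernetes:
    deploy:
      type: GatewayNamespace
global: # sibling of `config:` under `values:` (this file continues from the previous line)
  images:
    envoyGateway:
      # Non-upstream controller build from the repository owner's own ghcr.io
      # namespace in place of the release image. It is pinned by digest, so
      # the pull is immutable, but the trust boundary is that build pipeline
      # rather than the Envoy Gateway project's release process; revisit
      # once an upstream release covers whatever this build was needed for.
      image: ghcr.io/buroa/gateway-dev:1d9e8bd53@sha256:d130317a7c2cec82524b8b13df26ffc18c5ba24bb6fcfe659e2a905ac88e3ce6
--------------------------------------------------------------------------------
/kubernetes/components/volsync/volsync/replicationdestination.yaml:
--------------------------------------------------------------------------------
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationDestination
metadata:
  name: "${APP}"
spec:
  # Restores only run when the `restore-once` manual trigger is set; nothing
  # happens on a schedule.
  trigger:
    manual: restore-once
  restic:
    repository: "${APP}-restic-secret"
    copyMethod: Snapshot
    volumeSnapshotClassName: "${VOLSYNC_SNAPSHOTCLASS:=csi-ceph-block}"
    # Variable renamed to VOLSYNC_CACHE_STORAGECLASS to match the
    # ReplicationSource in this component; previously the destination read a
    # differently named variable (VOLSYNC_CACHE_SNAPSHOTCLASS), so an override
    # applied to the source silently did not apply here. Default is unchanged.
    cacheStorageClassName: "${VOLSYNC_CACHE_STORAGECLASS:=openebs-hostpath}"
    cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:=ReadWriteOnce}"]
    cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:=1Gi}"
    storageClassName: "${VOLSYNC_STORAGECLASS:=ceph-block}"
    accessModes: ["${VOLSYNC_ACCESSMODES:=ReadWriteOnce}"]
    capacity: "${VOLSYNC_CAPACITY:=2Gi}"
    # Mover runs unprivileged as the app's UID/GID (defaults 1000:1000).
    moverSecurityContext:
      runAsUser: ${VOLSYNC_PUID:=1000}
      runAsGroup: ${VOLSYNC_PGID:=1000}
      fsGroup: ${VOLSYNC_PGID:=1000}
    # Destructive restore: files present on the destination volume but absent
    # from the backup are deleted, so triggering `restore-once` against a live
    # volume replaces its contents with the snapshot.
    enableFileDeletion: true
    cleanupCachePVC: true
    cleanupTempPVC: true
--------------------------------------------------------------------------------
/kubernetes/components/volsync/volsync/replicationsource.yaml:
--------------------------------------------------------------------------------
---
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
  name: "${APP}"
spec:
  sourcePVC: "${APP}"
  trigger:
    schedule: "15 */8 * * *"
  restic:
    copyMethod: "${VOLSYNC_COPYMETHOD:=Snapshot}"
    pruneIntervalDays: 14
    repository: "${APP}-restic-secret"
    volumeSnapshotClassName: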
      "${VOLSYNC_SNAPSHOTCLASS:=csi-ceph-block}"
    cacheCapacity: "${VOLSYNC_CACHE_CAPACITY:=1Gi}"
    # NOTE(review): VOLSYNC_CACHE_STORAGECLASS here, VOLSYNC_CACHE_SNAPSHOTCLASS in
    # the ReplicationDestination -- the two files do not share an override name.
    cacheStorageClassName: "${VOLSYNC_CACHE_STORAGECLASS:=openebs-hostpath}"
    cacheAccessModes: ["${VOLSYNC_CACHE_ACCESSMODES:=ReadWriteOnce}"]
    storageClassName: "${VOLSYNC_STORAGECLASS:=ceph-block}"
    # NOTE(review): VOLSYNC_SNAP_ACCESSMODES here vs VOLSYNC_ACCESSMODES in the
    # ReplicationDestination.
    accessModes: ["${VOLSYNC_SNAP_ACCESSMODES:=ReadWriteOnce}"]
    moverSecurityContext:
      runAsUser: ${VOLSYNC_PUID:=1000}
      runAsGroup: ${VOLSYNC_PGID:=1000}
      fsGroup: ${VOLSYNC_PGID:=1000}
    # Keep 24 hourly and 7 daily snapshots; restic prune runs every 14 days.
    retain:
      hourly: 24
      daily: 7
# --------------------------------------------------------------------------------
# /kubernetes/apps/actions-runner-system/actions-runner-controller/ks.yaml
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: actions-runner-controller
spec:
  interval: 1h
  path: ./kubernetes/apps/actions-runner-system/actions-runner-controller/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: actions-runner-system
  wait: true
---
# Runner scale sets are applied only after the controller and openebs (hostpath
# storage) are ready. The runner manifests themselves are under ./runners and
# are not part of this listing; what they may execute and with what privileges
# is decided there, not here.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: actions-runner-controller-runners
spec:
  dependsOn:
    - name: actions-runner-controller
    - name: openebs
      namespace: openebs-system
  interval: 1h
  path: ./kubernetes/apps/actions-runner-system/actions-runner-controller/runners
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: actions-runner-system
# --------------------------------------------------------------------------------
# /kubernetes/apps/networking/external-dns/unifi/rbac.yaml
# --------------------------------------------------------------------------------
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns-unifi
---
# Cluster-wide but read-only: only get/list/watch, no write verbs and no access
# to secrets. external-dns needs to observe Services, Gateways and HTTPRoutes
# in every namespace to derive DNS records.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns-unifi
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources: ["namespaces", "pods", "services"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["httproutes", "gateways"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-unifi
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns-unifi
subjects:
  - kind: ServiceAccount
    name: external-dns-unifi
    namespace: networking
# --------------------------------------------------------------------------------
# /kubernetes/apps/observability/snmp-exporter/app/helmrelease.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: snmp-exporter
spec:
  interval: 15m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 9.9.1
  url: oci://ghcr.io/prometheus-community/charts/prometheus-snmp-exporter
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: &app snmp-exporter
spec:
  chartRef:
    kind: OCIRepository
    name: snmp-exporter
  interval: 1h
  values:
    fullnameOverride: *app
    serviceMonitor:
      enabled: true
      params:
        # NOTE(review): "public_v2" appears to be the exporter's built-in SNMP
        # v2c auth with the default "public" community. v2c is cleartext and
        # the community string is the only credential, so any host on the path
        # to these devices can read the same MIBs (and a default community is
        # the first thing a scanner tries). Prefer an SNMPv3 authPriv auth
        # entry in the exporter config, or at least a non-default read-only
        # community, where the NAS and UPS support it.
        - name: nas
          auth: [public_v2]
          module: [synology]
          target: nas.internal
        - name: ups
          auth: [public_v2]
          module: [apcups]
          target: ups.internal
      relabelings:
        - sourceLabels: [__param_target]
          targetLabel: instance
# --------------------------------------------------------------------------------
# /kubernetes/apps/cert-manager/cert-manager/ks.yaml
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cert-manager
spec:
  interval: 1h
  path: ./kubernetes/apps/cert-manager/cert-manager/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: cert-manager
  wait: true
---
# Issuers are gated on cert-manager and on the ClusterIssuer Ready condition
# (CEL health checks), so dependants do not start issuing against an issuer
# that has not finished ACME registration.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cert-manager-issuers
spec:
  dependsOn:
    - name: cert-manager
  healthCheckExprs:
    - apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False')
      current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')
  interval: 1h
  path: ./kubernetes/apps/cert-manager/cert-manager/issuers
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: cert-manager
# --------------------------------------------------------------------------------
# /kubernetes/apps/observability/gatus/app/resources/config.yaml
# --------------------------------------------------------------------------------
---
# Outbound-connectivity probes against three public resolvers (ICMP only).
connectivity:
  checker:
    target: 1.1.1.1:53
    interval: 1m

endpoints:
  - name: Cloudflare
    group: connectivity
    url: icmp://1.1.1.1
    interval: 1m
    conditions:
      - "[CONNECTED] == true"

  - name: Google
    group: connectivity
    url: icmp://8.8.8.8
    interval: 1m
    conditions:
      - "[CONNECTED] == true"

  - name: Lumen
    group: connectivity
    url: icmp://4.2.2.1
    interval: 1m
    conditions:
      - "[CONNECTED] == true"

metrics: true

storage:
  type: sqlite
  caching: true
  path: ${GATUS_CONFIG_PATH}/gatus.db

ui:
  title: Status | Gatus
  header: Status
  # Logo is loaded by the browser from GitHub, not served by Gatus; the status
  # page therefore leaks viewer IPs to GitHub and depends on it being up.
  logo: https://avatars.githubusercontent.com/u/36205263
  link: https://github.com/buroa
  buttons:
    - name: Github
      link: https://github.com/buroa
    - name: Homelab
      link: https://github.com/buroa/k8s-gitops

web:
  port: ${GATUS_WEB_PORT}
# --------------------------------------------------------------------------------
# /kubernetes/apps/external-secrets/onepassword/ks.yaml
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: onepassword
spec:
  interval: 1h
  path: ./kubernetes/apps/external-secrets/onepassword/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: external-secrets
  wait: true
---
# The ClusterSecretStore is only considered healthy once its Ready condition
# is True, so every ExternalSecret in the cluster waits on a working 1Password
# connection rather than failing fast with empty Secrets.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: onepassword-store
spec:
  dependsOn:
    - name: onepassword
  healthCheckExprs:
    - apiVersion: external-secrets.io/v1
      kind: ClusterSecretStore
      failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False')
      current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')
  interval: 1h
  path: ./kubernetes/apps/external-secrets/onepassword/store
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: external-secrets
# --------------------------------------------------------------------------------
# /kubernetes/apps/kube-system/cilium/config/l3.yaml
# --------------------------------------------------------------------------------
---
apiVersion: cilium.io/v2
kind: CiliumBGPAdvertisement
metadata:
  name: l3-bgp-advertisement
  labels:
    advertise: bgp
spec:
  advertisements:
    - advertisementType: Service
      service: { addresses: ["LoadBalancerIP"] }
      # "NotIn a value nobody uses" is the select-everything idiom: every
      # LoadBalancer IP in the cluster is announced to the peer.
      selector:
        matchExpressions:
          - { key: somekey, operator: NotIn, values: ["never-used-value"] }
---
apiVersion: cilium.io/v2
kind: CiliumBGPPeerConfig
metadata:
  name: l3-bgp-peer-config
spec:
  # NOTE(review): no authSecretRef, so the BGP session is unauthenticated (no
  # TCP-MD5). Fine on a private L2 segment the router owns, but a shared
  # password (Cilium supports authSecretRef on this resource) is cheap
  # insurance against a host on that segment impersonating the router and
  # withdrawing or redirecting the announced prefixes.
  families:
    - afi: ipv4
      safi: unicast
  advertisements:
    matchLabels:
      advertise: bgp
---
apiVersion: cilium.io/v2
kind: CiliumBGPClusterConfig
metadata:
  name: l3-bgp-cluster-config
spec:
  nodeSelector:
    matchLabels:
      kubernetes.io/os: linux
  bgpInstances:
    - name: cilium
      localASN: 64514 # private ASN range
      peers:
        - name: unifi
          peerASN: 64513
          peerAddress: 192.168.0.1
          peerConfigRef:
            name: l3-bgp-peer-config
# --------------------------------------------------------------------------------
# /.renovaterc.json5
# --------------------------------------------------------------------------------
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    "config:recommended",
    "docker:enableMajor",
    // Every GitHub Action reference is pinned to a commit digest, which is what
    // makes the branch-automerge rules in .renovate/autoMerge.json5 tolerable.
    "helpers:pinGitHubActionDigests",
    "github>buroa/k8s-gitops//.renovate/autoMerge.json5",
    "github>buroa/k8s-gitops//.renovate/customManagers.json5",
    "github>buroa/k8s-gitops//.renovate/grafanaDashboards.json5",
    "github>buroa/k8s-gitops//.renovate/groups.json5",
    "github>buroa/k8s-gitops//.renovate/labels.json5",
    "github>buroa/k8s-gitops//.renovate/overrides.json5",
    "github>buroa/k8s-gitops//.renovate/semanticCommits.json5",
    ":automergeBranch",
    ":dependencyDashboard",
    ":disableRateLimiting",
    ":gitSignOff",
    ":semanticCommits",
    ":timezone(America/Chicago)",
  ],
  dependencyDashboardTitle: "Renovate Dashboard 🤖",
  suppressNotifications: ["prEditedNotification", "prIgnoreNotification"],
  // Anything under a resources/ directory (app config files such as
  // cross-seed's config.js or recyclarr.yml) is never touched by Renovate.
  ignorePaths: ["**/resources/**"],
  flux: {
    managerFilePatterns: ["/\\.yaml(?:\\.j2)?$/"],
  },
  kubernetes: {
    managerFilePatterns: ["/\\.yaml(?:\\.j2)?$/"],
  },
}
# --------------------------------------------------------------------------------
# /kubernetes/apps/rook-ceph/rook-ceph/ks.yaml
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: rook-ceph
spec:
  interval: 1h
  path: ./kubernetes/apps/rook-ceph/rook-ceph/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: rook-ceph
  wait: true
---
# The CephCluster counts as healthy while in HEALTH_WARN, so dependants are
# not blocked by routine warnings; only HEALTH_ERR marks the Kustomization
# failed.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: rook-ceph-cluster
spec:
  dependsOn:
    - name: rook-ceph
    - name: volsync
      namespace: volsync-system
  healthChecks:
    - apiVersion: ceph.rook.io/v1
      kind: CephCluster
      name: rook-ceph
      namespace: rook-ceph
  healthCheckExprs:
    - apiVersion: ceph.rook.io/v1
      kind: CephCluster
      failed: status.ceph.health == 'HEALTH_ERR'
      current: status.ceph.health in ['HEALTH_OK', 'HEALTH_WARN']
  interval: 1h
  path: ./kubernetes/apps/rook-ceph/rook-ceph/cluster
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: rook-ceph
# --------------------------------------------------------------------------------
# /kubernetes/apps/observability/gatus/app/resources/buddy.yaml
# --------------------------------------------------------------------------------
---
# Monitors a friend's ("buddy") endpoints. Pushover credentials, the DDNS and
# status hostnames and the heartbeat token are all ${...} substitutions, so
# nothing sensitive lives in this file -- keep it that way; the hostnames are
# additionally hidden from the public UI below.
alerting:
  pushover:
    application-token: ${BUDDY_PUSHOVER_TOKEN}
    default-alert:
      description: health-check failed
      failure-threshold: 3
      minimum-reminder-interval: 1h
      send-on-resolved: true
      success-threshold: 2
    priority: 1
    resolved-priority: 0
    title: Gatus
    user-key: ${BUDDY_PUSHOVER_USER_KEY}

endpoints:
  - name: Ping
    group: buddy
    url: icmp://${BUDDY_DDNS_HOSTNAME}
    interval: 1m
    ui:
      hide-url: true
      hide-hostname: true
    conditions:
      - "[CONNECTED] == true"
    alerts:
      - type: pushover

  - name: Status Page
    group: buddy
    url: https://${BUDDY_STATUS_HOSTNAME}
    interval: 1m
    ui:
      hide-url: true
      hide-hostname: true
    conditions:
      - "[STATUS] == 200"
    alerts:
      - type: pushover

# Push-style check: the remote side must call in with this token every 5m.
# The token is the only authentication on that endpoint.
external-endpoints:
  - name: Heartbeat
    group: buddy
    token: ${BUDDY_HEARTBEAT_TOKEN}
    heartbeat:
      interval: 5m
    alerts:
      - type: pushover
# --------------------------------------------------------------------------------
# /kubernetes/apps/observability/kube-prometheus-stack/app/prometheusrule.yaml
# --------------------------------------------------------------------------------
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: kube-prometheus-stack-additional
spec:
  groups:
    - name: kube-prometheus-stack-additional.rules
      rules:
        # Counts containers seen in the last 30s whose image comes from
        # docker.io; more than 100 risks the anonymous pull rate limit.
        - alert: DockerhubRateLimitRisk
          expr: |-
            count(time() - container_last_seen{image=~"(docker.io).*",container!=""} < 30) > 100
          annotations:
            summary: >-
              There are {{ $value }} containers pulling from Dockerhub. This may lead to rate limiting.
16 | labels: 17 | severity: critical 18 | 19 | - alert: OomKilled 20 | expr: |- 21 | (kube_pod_container_status_restarts_total - kube_pod_container_status_restarts_total offset 10m >= 1) and ignoring (reason) min_over_time(kube_pod_container_status_last_terminated_reason{reason="OOMKilled"}[10m]) == 1 22 | annotations: 23 | summary: >- 24 | Container {{ $labels.container }} in pod {{ $labels.namespace }}/{{ $labels.pod }} has been OOMKilled {{ $value }} times in the last 10 minutes. 25 | labels: 26 | severity: critical 27 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/envoy-gateway/proxy/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | name: envoy 6 | spec: 7 | groups: 8 | - name: envoy.rules 9 | rules: 10 | - alert: EnvoyHighErrorRate 11 | expr: |- 12 | ( 13 | sum by (envoy_cluster_name) (rate(envoy_cluster_upstream_rq{envoy_response_code=~"5.."}[5m])) 14 | / 15 | sum by (envoy_cluster_name) (rate(envoy_cluster_upstream_rq[5m])) 16 | ) > 0.05 17 | for: 5m 18 | annotations: 19 | summary: >- 20 | The error rate for cluster {{ $labels.envoy_cluster_name }} is {{ printf "%.2f" $value }}% 21 | labels: 22 | severity: critical 23 | 24 | - alert: EnvoyHighRequestLatency 25 | expr: |- 26 | histogram_quantile(0.99, sum by (le, envoy_cluster_name) (rate(envoy_cluster_upstream_rq_time_bucket[5m]))) > 3000 27 | for: 5m 28 | annotations: 29 | summary: >- 30 | The 99th percentile request latency for cluster {{ $labels.envoy_cluster_name }} is {{ $value }}ms 31 | labels: 32 | severity: critical 33 | -------------------------------------------------------------------------------- /.github/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | ## Contribution guidelines 2 | 3 | Welcome to 
[k8s-gitops](https://github.com/buroa/k8s-gitops)! We're thrilled that you'd like to contribute. Your help is essential for making it better.

### Getting Started

Before you start contributing, please make sure you have read and understood our [Code of Conduct](CODE_OF_CONDUCT.md).

1. Fork the repository

   First, fork the [repository](https://github.com/buroa/k8s-gitops) to your own GitHub account. This creates a copy of the project under your account.

2. Clone your fork (not the upstream repository, otherwise you will not be able to push your branch):

   ```sh
   git clone https://github.com/<your-username>/k8s-gitops
   ```

3. Navigate to the project directory 📁

   ```sh
   cd k8s-gitops
   ```

4. Create a new branch for your feature or bug fix:

   ```sh
   git checkout -b feature-branch
   ```

5. Make your changes and commit them:

   ```sh
   git add .
   git commit -m "Description of your changes"
   ```

6. Push your changes to your fork:

   ```sh
   git push origin feature-branch
   ```

7. Finally, open a pull request from your fork against this repository.
# --------------------------------------------------------------------------------
# /kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: blackbox-exporter
spec:
  interval: 15m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 11.6.1
  url: oci://ghcr.io/prometheus-community/charts/prometheus-blackbox-exporter
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: &app blackbox-exporter
spec:
  chartRef:
    kind: OCIRepository
    name: blackbox-exporter
  interval: 1h
  values:
    fullnameOverride: *app
    config:
      modules:
        # http_2xx follows redirects; TLS settings are chart defaults, so
        # certificate verification is whatever the exporter's default is
        # (not overridden here).
        http_2xx:
          prober: http
          timeout: 5s
          http:
            valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
            follow_redirects: true
            preferred_ip_protocol: ip4
        icmp:
          prober: icmp
          timeout: 5s
          icmp:
            preferred_ip_protocol: ip4
        tcp_connect:
          prober: tcp
          timeout: 5s
          tcp:
            preferred_ip_protocol: ip4
    serviceMonitor:
      enabled: true
# --------------------------------------------------------------------------------
# /.renovate/autoMerge.json5
# --------------------------------------------------------------------------------
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  packageRules: [
    {
      // Digest-only bumps for home-operations images, merged through a PR so
      // required status checks still gate the merge (ignoreTests: false).
      description: "Auto-merge trusted container digests",
      matchDatasources: ["docker"],
      automerge: true,
      automergeType: "pr",
      matchUpdateTypes: ["digest"],
      matchPackageNames: ["/home-operations/"],
      ignoreTests: false,
    },
    {
      description: "Auto-merge OCI Charts",
      matchDatasources: ["docker"],
      automerge: true,
      automergeType: "pr",
      matchUpdateTypes: ["minor", "patch"],
      matchPackageNames: ["/kube-prometheus-stack/", "/grafana/"],
      ignoreTests: false,
    },
    {
      // NOTE(review): branch automerge with ignoreTests: true pushes any
      // minor/patch/digest action update straight to the default branch with
      // no CI gate; the 3-day minimumReleaseAge is the only brake. Because
      // .renovaterc.json5 extends helpers:pinGitHubActionDigests, each update
      // is at least an explicit commit digest rather than a floating tag, but
      // a malicious release that survives 3 days upstream still lands here
      // unreviewed. Consider automergeType: "pr" with ignoreTests: false so
      // the workflow lint in .github/workflows runs first.
      description: "Auto-merge GitHub Actions",
      matchManagers: ["github-actions"],
      automerge: true,
      automergeType: "branch",
      matchUpdateTypes: ["minor", "patch", "digest"],
      minimumReleaseAge: "3 days",
      ignoreTests: true,
    },
    {
      // Same policy with effectively no release-age delay for actions/* and
      // renovatebot/* -- these publishers are trusted to ship clean releases.
      description: "Auto-merge trusted GitHub Actions",
      matchManagers: ["github-actions"],
      matchPackageNames: ["/^actions//", "/^renovatebot//"],
      automerge: true,
      automergeType: "branch",
      matchUpdateTypes: ["minor", "patch", "digest"],
      minimumReleaseAge: "1 minute",
      ignoreTests: true,
    },
  ],
}
# --------------------------------------------------------------------------------
# /.renovate/grafanaDashboards.json5
# --------------------------------------------------------------------------------
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  customDatasources: {
    "grafana-dashboards": {
      defaultRegistryUrlTemplate: "https://grafana.com/api/dashboards/{{packageName}}",
      format: "json",
      transformTemplates: ['{"releases":[{"version": $string(revision)}], "sourceDirectory": name}'],
    },
  },
  customManagers: [
    {
      customType: "regex",
      description: "Process Grafana dashboards",
      managerFilePatterns: ["/(^|/)kubernetes/.+\\.ya?ml$/"],
      // NOTE(review): the named capture groups look stripped in this copy
      // ("(?\\d+)"); the templates below reference {{depName}} and
      // {{newValue}}, so the intended groups are (?<depName>\\d+) and
      // (?<currentValue>\\d+). Verify against the file in git before relying
      // on this manager.
      matchStrings: [
        "dashboards\\/(?\\d+)\\/revisions\\/(?\\d+)\\/download",
      ],
      autoReplaceStringTemplate: "dashboards/{{depName}}/revisions/{{newValue}}/download",
      datasourceTemplate: "custom.grafana-dashboards",
      versioningTemplate: "regex:^(?\\d+)$",
    },
  ],
  packageRules: [
    {
      // Dashboard JSON fetched from grafana.com is auto-merged to the branch
      // without tests; it is rendered by Grafana, not executed by the cluster.
      addLabels: ["renovate/grafana-dashboard"],
      automerge: true,
      automergeType: "branch",
      commitMessageExtra: "({{currentVersion}} → {{newVersion}})",
      commitMessageTopic: "dashboard {{sourceDirectory}}",
      ignoreTests: true,
      matchDatasources: ["custom.grafana-dashboards"],
      matchUpdateTypes: ["major"],
      semanticCommitScope: "grafana-dashboards",
      semanticCommitType: "chore",
    },
  ],
}
# --------------------------------------------------------------------------------
# /kubernetes/apps/observability/victoria-logs/app/helmrelease.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: victoria-logs
spec:
  interval: 15m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 0.11.18
  url: oci://ghcr.io/victoriametrics/helm-charts/victoria-logs-single
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: victoria-logs
spec:
  chartRef:
    kind: OCIRepository
    name: victoria-logs
  interval: 1h
  values:
    fullnameOverride: victoria-logs
    server:
      persistentVolume:
        enabled: true
        storageClassName: ceph-block
        size: 20Gi
      serviceMonitor:
        enabled: true
      retentionPeriod: 14d
      route:
        enabled: true
        hostnames:
          - logs.k13.dev
        # Published via the internal Envoy gateway only. Nothing in this
        # release adds authentication in front of the VictoriaLogs UI/API, so
        # reachability of envoy-internal is the access control -- confirm that
        # gateway is not exposed beyond the home network (cluster logs can
        # contain tokens and PII).
        parentRefs:
          - name: envoy-internal
            namespace: networking
        # Bare "/" is redirected to the vmui query page.
        extraRules:
          - filters:
              - type: RequestRedirect
                requestRedirect:
                  path:
                    type: ReplaceFullPath
                    replaceFullPath: /select/vmui/
                  statusCode: 302
            matches:
              - path:
                  type: Exact
                  value: /
# --------------------------------------------------------------------------------
# /.renovate/semanticCommits.json5
# --------------------------------------------------------------------------------
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  packageRules: [
    {
      // Major bumps get the "!" breaking-change marker in the commit prefix.
      matchUpdateTypes: ["major"],
      semanticCommitType: "feat",
      commitMessagePrefix: "{{semanticCommitType}}({{semanticCommitScope}})!:",
      commitMessageExtra: "({{currentVersion}} → {{newVersion}})",
    },
    {
      matchUpdateTypes: ["minor"],
      semanticCommitType: "feat",
      commitMessageExtra: "({{currentVersion}} → {{newVersion}})",
    },
    {
      matchUpdateTypes: ["patch"],
      semanticCommitType: "fix",
      commitMessageExtra: "({{currentVersion}} → {{newVersion}})",
    },
    {
      matchUpdateTypes: ["digest"],
      semanticCommitType: "chore",
      commitMessageExtra: "({{currentDigestShort}} → {{newDigestShort}})",
    },
    {
      matchDatasources: ["docker"],
      semanticCommitScope: "container",
      commitMessageTopic: "image {{depName}}",
    },
    {
      matchDatasources: ["helm"],
      semanticCommitScope: "helm",
      commitMessageTopic: "chart {{depName}}",
    },
    {
      matchManagers: ["github-actions"],
      semanticCommitType: "ci",
      semanticCommitScope: "github-action",
      commitMessageTopic: "action {{depName}}",
    },
    {
      matchDatasources: ["github-releases"],
      semanticCommitScope: "github-release",
      commitMessageTopic: "release {{depName}}",
    },
  ],
}
# --------------------------------------------------------------------------------
# /kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: openebs
spec:
  interval: 15m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 4.4.0
  url: oci://ghcr.io/openebs/charts/openebs
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: openebs
spec:
  chartRef:
    kind: OCIRepository
    name: openebs
  interval: 1h
  values:
    preUpgradeHook:
      enabled: false
    # Only the hostpath LocalPV provisioner is enabled; every other engine,
    # telemetry and bundled observability component is switched off.
    localpv-provisioner:
      analytics:
        enabled: false
      localpv:
        image:
          registry: quay.io/
        basePath: &basePath /var/mnt/local-hostpath
      hostpathClass:
        enabled: true
        name: openebs-hostpath
        isDefaultClass: false
        basePath: *basePath
      helperPod:
        image:
          registry: quay.io/
    openebs-crds:
      csi:
        volumeSnapshots:
          enabled: false
          keep: false
    zfs-localpv:
      enabled: false
    lvm-localpv:
      enabled: false
    mayastor:
      enabled: false
    engines:
      local:
        lvm:
          enabled: false
        zfs:
          enabled: false
      replicated:
        mayastor:
          enabled: false
    loki:
      enabled: false
    alloy:
      enabled: false
    minio:
      enabled: false
# --------------------------------------------------------------------------------
# /talos/schematic.yaml
# --------------------------------------------------------------------------------
---
customization:
  extraKernelArgs:
    # Hardening trade-offs, all deliberate and labelled: no LSM (SELinux,
    # AppArmor, security=none), no heap zeroing (init_on_alloc/free=0), no CPU
    # side-channel mitigations (mitigations=off), no Talos auditd. That is
    # defensible only for a single-tenant cluster on hardware you own; note
    # that apps which ingest internet content (e.g. qbittorrent, nzbget in the
    # media namespace) run on these same nodes, so the container runtime and
    # the per-pod securityContexts are the only boundaries left.
    - -init_on_alloc # Less security, faster puter
    - -selinux # Less security, faster puter
    - apparmor=0 # Less security, faster puter
    - init_on_alloc=0 # Less security, faster puter
    - init_on_free=0 # Less security, faster puter
    - amd_iommu=on # PCI Passthrough
    - amd_pstate=active # AMD P-State Driver
    - iommu=pt # PCI Passthrough
    - pcie_aspm=off # Disable PCIe ASPM
    - mitigations=off # Less security, faster puter
    - module_blacklist=igc # Disable onboard NIC
    - security=none # Less security, faster puter
    - sysctl.kernel.kexec_load_disabled=1 # Disable kexec load (hardening: no runtime kernel replacement)
    - talos.auditd.disabled=1 # Less security, faster puter
    # Early networking config. The value is base64 of a zstd frame (the "KLUv"
    # prefix is the zstd magic), i.e. an opaque machine-config fragment applied
    # before the network is up. It cannot be reviewed as-is; since schematics
    # are typically submitted to the public Talos Image Factory, confirm it
    # carries only network settings and no credentials
    # (base64 -d | zstd -d).
    - # Early networking config
      talos.config.early=KLUv/ST8LQUAIssjHlBr6gNsN1Gz/4VYIQWYJyEFPlAJiIZxEis1ZmJianh45Sbtyd83Qnjfrg7CsUgoDgpyHd7C5zjl9mOFdlghAgBJ+sEq93FcsQXDseL5ekBVNct9IWIkQEAJchuxBDTtjbbXpG6gfWfJxHWNd4WKnjHk9uLHBk/PEuiZQS56b6BhRlNsHLnP3CW94I2xlBIGADNLKmYaTNWA1BABquAxw80oLNh7BA==
  systemExtensions:
    officialExtensions:
      - siderolabs/amd-ucode # AMD CPU Microcode
      - siderolabs/gasket-driver # Google Coral
      - siderolabs/i915 # Intel GPU
      - siderolabs/mei # Intel GPU
      - siderolabs/nfsrahead # NFS Performance
# --------------------------------------------------------------------------------
# /kubernetes/apps/default/thelounge/app/helmrelease.yaml
# --------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: thelounge
spec:
  chartRef:
    kind: OCIRepository
    name: app-template
    namespace: flux-system
  interval: 1h
  values:
    controllers:
      thelounge:
        containers:
          app:
            image:
              repository: ghcr.io/thelounge/thelounge
              tag: 4.4.3@sha256:c2aa0916203b298ffaf3a36c4eb60ef73c1006448d430e218d37840472e84e50
            env:
              THELOUNGE_HOME: /config/thelounge
            probes:
              liveness:
                enabled: true
              readiness:
                enabled: true
            resources:
              requests:
                cpu: 10m
              limits:
                memory: 512Mi
            # Restricted-profile container: no privilege escalation, read-only
            # root, all capabilities dropped; writable state lives on the PVC.
            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              capabilities: { drop: ["ALL"] }
    defaultPodOptions:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
    persistence:
      config:
        existingClaim: "{{ .Release.Name }}"
    # Internal gateway only; TheLounge's own login is the authentication.
    route:
      app:
        hostnames:
          - "{{ .Release.Name }}.k13.dev"
        parentRefs:
          - name: envoy-internal
            namespace: networking
    service:
      app:
        ports:
          http:
            port: 9000
# --------------------------------------------------------------------------------
# /.vscode/settings.json
# --------------------------------------------------------------------------------
{
  "editor.bracketPairColorization.enabled": true,
  "editor.fontFamily": "FiraCode
Nerd Font", 4 | "editor.fontLigatures": true, 5 | "editor.guides.bracketPairs": true, 6 | "editor.guides.bracketPairsHorizontal": true, 7 | "editor.guides.highlightActiveBracketPair": true, 8 | "editor.hover.delay": 1500, 9 | "editor.rulers": [100], 10 | "editor.stickyScroll.enabled": false, 11 | "explorer.autoReveal": false, 12 | "files.associations": { 13 | "**/*.json5": "json5", 14 | "**/*.yaml.j2": "yaml" 15 | }, 16 | "files.trimTrailingWhitespace": true, 17 | "material-icon-theme.files.associations": { 18 | "*.gotmpl": "smarty", 19 | "kubeconfig": "kubernetes", 20 | "talosconfig": "kubernetes" 21 | }, 22 | "material-icon-theme.folders.associations": { 23 | // top level 24 | ".github/workflows": "ci", 25 | ".renovate": "robot", 26 | "bootstrap": "seeders", 27 | "bootstrap/helmfile.d": "helm", 28 | "flux": "pipe", 29 | "talos": "linux", 30 | // namespaces 31 | "actions-runner-system": "github", 32 | "cert-manager": "guard", 33 | "default": "home", 34 | "external-secrets": "secure", 35 | "flux-system": "pipe", 36 | "kube-system": "kubernetes", 37 | "media": "video", 38 | "observability": "event", 39 | "networking": "connection", 40 | "openebs-system": "base", 41 | "rook-ceph": "dump", 42 | "system-upgrade": "update", 43 | "volsync-system": "aws" 44 | }, 45 | "vs-kubernetes": { 46 | "vs-kubernetes.kubeconfig": "./kubernetes/kubeconfig", 47 | "vs-kubernetes.knownKubeconfigs": ["./kubernetes/kubeconfig"] 48 | }, 49 | "yaml.schemaStore.enable": true, 50 | "yaml.schemas": { 51 | "kubernetes": "./kubernetes/**/*.yaml" 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /kubernetes/apps/default/mosquitto/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: mosquitto 6 | spec: 7 | chartRef: 8 | kind: OCIRepository 9 | name: app-template 10 | namespace: flux-system 11 | interval: 
1h 12 | values: 13 | controllers: 14 | mosquitto: 15 | annotations: 16 | reloader.stakater.com/auto: "true" 17 | containers: 18 | app: 19 | image: 20 | repository: public.ecr.aws/docker/library/eclipse-mosquitto 21 | tag: 2.0.22@sha256:077fe4ff4c49df1e860c98335c77dda08360629e0e2a718147027e4db3eace9d 22 | env: 23 | TZ: America/Chicago 24 | probes: 25 | liveness: 26 | enabled: true 27 | readiness: 28 | enabled: true 29 | resources: 30 | requests: 31 | cpu: 10m 32 | limits: 33 | memory: 100Mi 34 | securityContext: 35 | allowPrivilegeEscalation: false 36 | readOnlyRootFilesystem: true 37 | capabilities: { drop: ["ALL"] } 38 | defaultPodOptions: 39 | securityContext: 40 | runAsNonRoot: true 41 | runAsUser: 1000 42 | runAsGroup: 1000 43 | fsGroup: 1000 44 | fsGroupChangePolicy: OnRootMismatch 45 | persistence: 46 | config: 47 | existingClaim: "{{ .Release.Name }}" 48 | config-file: 49 | type: configMap 50 | name: "{{ .Release.Name }}-configmap" 51 | globalMounts: 52 | - path: /mosquitto/config/mosquitto.conf 53 | subPath: mosquitto.conf 54 | service: 55 | app: 56 | ports: 57 | http: 58 | port: 1883 59 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | name: cert-manager 6 | spec: 7 | groups: 8 | - name: cert-manager.rules 9 | rules: 10 | - alert: CertManagerAbsent 11 | expr: |- 12 | absent(up{job="cert-manager"}) 13 | for: 5m 14 | annotations: 15 | summary: >- 16 | Cert Manager has dissapeared from Prometheus service discovery 17 | labels: 18 | severity: critical 19 | 20 | - name: cert-manager-tls.rules 21 | rules: 22 | - alert: CertManagerCertExpirySoon 23 | expr: |- 24 | avg by (exported_namespace, namespace, name) (certmanager_certificate_expiration_timestamp_seconds - time()) < (21 * 24 * 3600) 25 | 
for: 5m 26 | annotations: 27 | summary: >- 28 | The cert {{ $labels.name }} is {{ $value | humanizeDuration }} from expiry 29 | labels: 30 | severity: critical 31 | 32 | - alert: CertManagerCertNotReady 33 | expr: |- 34 | max by (name, exported_namespace, namespace, condition) (certmanager_certificate_ready_status{condition!="True"} == 1) 35 | for: 5m 36 | annotations: 37 | summary: >- 38 | The cert {{ $labels.name }} is not ready to serve traffic 39 | labels: 40 | severity: critical 41 | 42 | - alert: CertManagerHittingRateLimits 43 | expr: |- 44 | sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m])) > 0 45 | for: 5m 46 | annotations: 47 | summary: >- 48 | Cert manager hitting LetsEncrypt rate limits 49 | labels: 50 | severity: critical 51 | -------------------------------------------------------------------------------- /.taskfiles/kubernetes/Taskfile.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | version: '3' 3 | 4 | tasks: 5 | 6 | browse-pvc: 7 | desc: Mount a PVC to an temp container [NS={{.NS}}] [CLAIM=required] 8 | interactive: true 9 | cmd: kubectl browse-pvc --namespace {{.NS}} --image docker.io/library/alpine:latest {{.CLAIM}} 10 | vars: 11 | NS: '{{.NS | default "default"}}' 12 | requires: 13 | vars: [CLAIM] 14 | preconditions: 15 | - kubectl --namespace {{.NS}} get persistentvolumeclaims {{.CLAIM}} 16 | - kubectl browse-pvc --version 17 | - which kubectl 18 | 19 | node-shell: 20 | desc: Open a shell to a node [NS={{.NS}}] [NODE=required] 21 | interactive: true 22 | cmd: kubectl node-shell -n {{.NS}} -x {{.NODE}} 23 | vars: 24 | NS: '{{.NS | default "kube-system"}}' 25 | requires: 26 | vars: [NODE] 27 | preconditions: 28 | - kubectl get nodes {{.NODE}} 29 | - kubectl node-shell --version 30 | - which kubectl 31 | 32 | sync-secrets: 33 | desc: Sync all ExternalSecrets 34 | cmds: 35 | - for: { var: SECRETS, split: "\n" } 36 | cmd: kubectl --namespace {{splitList "," .ITEM | 
first}} annotate externalsecret {{splitList "," .ITEM | last}} force-sync="{{now | unixEpoch}}" --overwrite 37 | vars: 38 | SECRETS: 39 | sh: kubectl get externalsecret --all-namespaces --no-headers --output=jsonpath='{range .items[*]}{.metadata.namespace},{.metadata.name}{"\n"}{end}' 40 | preconditions: 41 | - which kubectl 42 | 43 | cleanse-pods: 44 | desc: Cleanse pods with a Failed/Pending/Succeeded phase 45 | cmds: 46 | - for: 47 | matrix: 48 | PHASE: [Failed, Pending, Succeeded] 49 | cmd: kubectl delete pods --all-namespaces --field-selector status.phase={{.ITEM.PHASE}} --ignore-not-found=true 50 | preconditions: 51 | - which kubectl 52 | -------------------------------------------------------------------------------- /.taskfiles/bootstrap/Taskfile.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | version: '3' 3 | 4 | tasks: 5 | 6 | talos: 7 | desc: Bootstrap Talos 8 | prompt: Bootstrap Talos ...? 9 | cmds: 10 | - until talosctl --nodes {{.RANDOM_CONTROLLER}} bootstrap; do sleep 5; done 11 | - talosctl kubeconfig --nodes {{.RANDOM_CONTROLLER}} --force {{.KUBERNETES_DIR}} 12 | vars: 13 | RANDOM_CONTROLLER: 14 | sh: talosctl config info --output json | jq --raw-output '.endpoints[]' | shuf -n 1 15 | preconditions: 16 | - talosctl config info 17 | - talosctl --nodes {{.RANDOM_CONTROLLER}} get machineconfig 18 | - which jq talosctl 19 | 20 | apps: 21 | desc: Bootstrap Kubernetes Apps 22 | prompt: Bootstrap Kubernetes Apps ...? 
23 | cmds: 24 | - kubectl config set-cluster {{.CONTEXT}} --server https://{{.RANDOM_CONTROLLER}}:6443 25 | - defer: talosctl kubeconfig --nodes {{.RANDOM_CONTROLLER}} --force {{.KUBERNETES_DIR}} 26 | - until kubectl wait nodes --for=condition=Ready=False --all --timeout=10m; do sleep 5; done 27 | - op inject --in-file {{.BOOTSTRAP_DIR}}/resources.yaml | kubectl apply --server-side --filename - 28 | - helmfile --file {{.BOOTSTRAP_DIR}}/helmfile.d/00-crds.yaml template --quiet | kubectl apply --server-side --filename - 29 | - helmfile --file {{.BOOTSTRAP_DIR}}/helmfile.d/01-apps.yaml sync --hide-notes 30 | vars: 31 | CONTEXT: 32 | sh: talosctl config info --output json | jq --raw-output '.context' 33 | RANDOM_CONTROLLER: 34 | sh: talosctl config info --output json | jq --raw-output '.endpoints[]' | shuf -n 1 35 | preconditions: 36 | - op user get --me 37 | - talosctl config info 38 | - talosctl --nodes {{.RANDOM_CONTROLLER}} get machineconfig 39 | - test -f {{.BOOTSTRAP_DIR}}/helmfile.d/00-crds.yaml 40 | - test -f {{.BOOTSTRAP_DIR}}/helmfile.d/01-apps.yaml 41 | - test -f {{.BOOTSTRAP_DIR}}/resources.yaml 42 | - which helmfile jq kubectl op talosctl 43 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/karma/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: karma 6 | spec: 7 | chartRef: 8 | kind: OCIRepository 9 | name: app-template 10 | namespace: flux-system 11 | interval: 1h 12 | values: 13 | controllers: 14 | karma: 15 | containers: 16 | app: 17 | image: 18 | repository: ghcr.io/prymitive/karma 19 | tag: v0.122@sha256:87312daa8b8ca740e2acd427fc996724f8c69e36b9f0ad15c1961c1e4ccb1987 20 | env: 21 | ALERTMANAGER_URI: http://alertmanager-operated.observability.svc.cluster.local:9093 22 | LISTEN_PORT: &port 80 23 | probes: 24 | liveness: &probes 25 | enabled: 
true 26 | custom: true 27 | spec: 28 | httpGet: 29 | path: /health 30 | port: *port 31 | initialDelaySeconds: 0 32 | periodSeconds: 10 33 | timeoutSeconds: 1 34 | failureThreshold: 3 35 | readiness: *probes 36 | resources: 37 | requests: 38 | cpu: 10m 39 | limits: 40 | memory: 64Mi 41 | securityContext: 42 | allowPrivilegeEscalation: false 43 | readOnlyRootFilesystem: true 44 | capabilities: { drop: ["ALL"] } 45 | defaultPodOptions: 46 | securityContext: 47 | runAsNonRoot: true 48 | runAsUser: 1000 49 | runAsGroup: 1000 50 | route: 51 | app: 52 | hostnames: 53 | - "{{ .Release.Name }}.k13.dev" 54 | parentRefs: 55 | - name: envoy-internal 56 | namespace: networking 57 | service: 58 | app: 59 | ports: 60 | http: 61 | port: *port 62 | serviceMonitor: 63 | app: 64 | endpoints: 65 | - port: http 66 | -------------------------------------------------------------------------------- /kubernetes/apps/media/tqm/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: tqm 6 | spec: 7 | chartRef: 8 | kind: OCIRepository 9 | name: app-template 10 | namespace: flux-system 11 | interval: 1h 12 | values: 13 | controllers: 14 | tqm: 15 | type: cronjob 16 | cronjob: 17 | schedule: "@hourly" 18 | timeZone: America/Chicago 19 | concurrencyPolicy: Forbid 20 | successfulJobsHistory: 1 21 | failedJobsHistory: 1 22 | initContainers: 23 | retag: &container 24 | image: 25 | repository: ghcr.io/home-operations/tqm 26 | tag: 1.18.0@sha256:454864e1f56a86550c54776c3ba5f3439133b4fc4e66ef69ff90a6ee65db6cc5 27 | args: 28 | - retag 29 | - qb 30 | resources: 31 | requests: 32 | cpu: 10m 33 | limits: 34 | memory: 64Mi 35 | securityContext: 36 | allowPrivilegeEscalation: false 37 | readOnlyRootFilesystem: true 38 | capabilities: { drop: ["ALL"] } 39 | containers: 40 | clean: 41 | <<: *container 42 | args: 43 | - clean 44 | - qb 45 | defaultPodOptions: 46 | 
securityContext: 47 | runAsNonRoot: true 48 | runAsUser: 1000 49 | runAsGroup: 1000 50 | supplementalGroups: [65537] 51 | persistence: 52 | config: 53 | type: emptyDir 54 | globalMounts: 55 | - path: /.config/tqm 56 | config-file: 57 | type: configMap 58 | name: "{{ .Release.Name }}-configmap" 59 | globalMounts: 60 | - path: /.config/tqm/config.yaml 61 | subPath: config.yaml 62 | readOnly: true 63 | media: 64 | type: nfs 65 | server: nas.internal 66 | path: /volume1/media 67 | globalMounts: 68 | - readOnly: true 69 | -------------------------------------------------------------------------------- /.github/workflows/renovate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Renovate 3 | 4 | on: 5 | push: 6 | branches: 7 | - main 8 | paths: 9 | - .renovaterc.json5 10 | - .renovate/**.json5 11 | schedule: 12 | - cron: 0 * * * * # Every hour 13 | workflow_dispatch: 14 | inputs: 15 | dryRun: 16 | description: Dry Run 17 | type: boolean 18 | default: false 19 | required: true 20 | logLevel: 21 | description: Log Level 22 | type: choice 23 | default: debug 24 | options: 25 | - debug 26 | - info 27 | required: true 28 | version: 29 | description: Renovate Version 30 | default: latest 31 | required: true 32 | 33 | concurrency: 34 | group: ${{ github.workflow }}-${{ github.event.number || github.ref }} 35 | cancel-in-progress: true 36 | 37 | jobs: 38 | renovate: 39 | name: Renovate 40 | runs-on: ubuntu-latest 41 | steps: 42 | - name: Generate Token 43 | uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 44 | id: app-token 45 | with: 46 | app-id: ${{ secrets.BOT_APP_ID }} 47 | private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }} 48 | 49 | - name: Checkout 50 | uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 51 | with: 52 | token: ${{ steps.app-token.outputs.token }} 53 | 54 | - name: Renovate 55 | uses: 
renovatebot/github-action@502904f1cefdd70cba026cb1cbd8c53a1443e91b # v44.1.0 56 | env: 57 | LOG_LEVEL: ${{ inputs.logLevel || 'debug' }} 58 | RENOVATE_AUTODISCOVER: true 59 | RENOVATE_AUTODISCOVER_FILTER: ${{ github.repository }} 60 | RENOVATE_DRY_RUN: ${{ inputs.dryRun }} 61 | RENOVATE_INTERNAL_CHECKS_FILTER: strict 62 | RENOVATE_PLATFORM: github 63 | RENOVATE_PLATFORM_COMMIT: true 64 | with: 65 | token: ${{ steps.app-token.outputs.token }} 66 | renovate-version: ${{ inputs.version || 'latest' }} 67 | -------------------------------------------------------------------------------- /kubernetes/apps/actions-runner-system/actions-runner-controller/runners/k8s-gitops/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: OCIRepository 4 | metadata: 5 | name: gha-runner-scale-set 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: 0.13.0 13 | url: oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: &app k8s-gitops-runner 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: gha-runner-scale-set 23 | interval: 1h 24 | values: 25 | githubConfigUrl: https://github.com/buroa/k8s-gitops 26 | githubConfigSecret: k8s-gitops-runner-secret 27 | minRunners: 1 28 | maxRunners: 3 29 | containerMode: 30 | type: kubernetes 31 | kubernetesModeWorkVolumeClaim: 32 | accessModes: ["ReadWriteOnce"] 33 | resources: 34 | requests: 35 | storage: 25Gi 36 | storageClassName: openebs-hostpath 37 | controllerServiceAccount: 38 | name: actions-runner-controller 39 | namespace: actions-runner-system 40 | template: 41 | spec: 42 | containers: 43 | - name: runner 44 | image: 
ghcr.io/home-operations/actions-runner:2.330.0@sha256:92a45e47f4b349f4da2307ebaaea5443cc86d1ce625d37acf2c61b3b09192e47 45 | command: 46 | - /home/runner/run.sh 47 | env: 48 | - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER 49 | value: "false" 50 | - name: NODE 51 | valueFrom: 52 | fieldRef: 53 | fieldPath: spec.nodeName 54 | volumeMounts: 55 | - mountPath: /var/run/secrets/talos.dev 56 | name: talos 57 | readOnly: true 58 | serviceAccountName: *app 59 | volumes: 60 | - name: talos 61 | secret: 62 | secretName: *app 63 | -------------------------------------------------------------------------------- /kubernetes/apps/media/recyclarr/app/resources/recyclarr.yml: -------------------------------------------------------------------------------- 1 | --- 2 | sonarr: 3 | sonarr: 4 | base_url: http://sonarr.media.svc.cluster.local 5 | api_key: !env_var SONARR_API_KEY 6 | 7 | delete_old_custom_formats: true 8 | replace_existing_custom_formats: true 9 | 10 | quality_profiles: 11 | - name: WEB-1080p 12 | 13 | include: 14 | - template: sonarr-quality-definition-series 15 | - template: sonarr-v4-quality-profile-web-1080p 16 | - template: sonarr-v4-custom-formats-web-1080p 17 | 18 | custom_formats: 19 | - trash_ids: 20 | - 32b367365729d530ca1c124a0b180c64 # Bad Dual Groups 21 | - 82d40da2bc6923f41e14394075dd4b03 # No-RlsGroup 22 | - e1a997ddb54e3ecbfe06341ad323c458 # Obfuscated 23 | - 06d66ab109d4d2eddb2794d21526d140 # Retags 24 | - 1b3994c551cbb92a2c781af061f4ab44 # Scene 25 | assign_scores_to: 26 | - name: WEB-1080p 27 | 28 | radarr: 29 | radarr: 30 | base_url: http://radarr.media.svc.cluster.local 31 | api_key: !env_var RADARR_API_KEY 32 | 33 | delete_old_custom_formats: true 34 | replace_existing_custom_formats: true 35 | 36 | quality_profiles: 37 | - name: SQP-1 (2160p) 38 | 39 | include: 40 | - template: radarr-quality-definition-sqp-streaming 41 | - template: radarr-quality-profile-sqp-1-2160p-default 42 | - template: radarr-custom-formats-sqp-1-2160p 43 | 44 | 
custom_formats: 45 | - trash_ids: 46 | - 839bea857ed2c0a8e084f3cbdbd65ecb # x265 (no HDR/DV) 47 | assign_scores_to: 48 | - name: SQP-1 (2160p) 49 | score: 0 50 | 51 | - trash_ids: 52 | - b6832f586342ef70d9c128d40c07b872 # Bad Dual Groups 53 | - cc444569854e9de0b084ab2b8b1532b2 # Black and White Editions 54 | - ae9b7c9ebde1f3bd336a8cbd1ec4c5e5 # No-RlsGroup 55 | - 7357cf5161efbf8c4d5d0c30b4815ee2 # Obfuscated 56 | - 5c44f52a8714fdd79bb4d98e2673be1f # Retags 57 | - f537cf427b64c38c8e36298f657e4828 # Scene 58 | assign_scores_to: 59 | - name: SQP-1 (2160p) 60 | -------------------------------------------------------------------------------- /kubernetes/flux/cluster/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: flux-repositories 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | path: ./kubernetes/flux/repositories 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-system 14 | namespace: flux-system 15 | wait: true 16 | --- 17 | apiVersion: kustomize.toolkit.fluxcd.io/v1 18 | kind: Kustomization 19 | metadata: 20 | name: cluster-apps 21 | namespace: flux-system 22 | spec: 23 | dependsOn: 24 | - name: flux-repositories 25 | namespace: flux-system 26 | interval: 1h 27 | path: ./kubernetes/apps 28 | prune: true 29 | sourceRef: 30 | kind: GitRepository 31 | name: flux-system 32 | namespace: flux-system 33 | patches: 34 | - # Add Kustomization defaults for all child Kustomizations 35 | patch: |- 36 | apiVersion: kustomize.toolkit.fluxcd.io/v1 37 | kind: Kustomization 38 | metadata: 39 | name: _ 40 | spec: 41 | deletionPolicy: WaitForTermination 42 | patches: 43 | - patch: |- 44 | apiVersion: helm.toolkit.fluxcd.io/v2 45 | kind: HelmRelease 46 | metadata: 47 | name: _ 48 | spec: 49 | install: 50 | crds: CreateReplace 51 | strategy: 52 | name: RetryOnFailure 53 | rollback: 54 | cleanupOnFail: true 55 | 
recreate: true 56 | upgrade: 57 | cleanupOnFail: true 58 | crds: CreateReplace 59 | strategy: 60 | name: RemediateOnFailure 61 | remediation: 62 | remediateLastFailure: true 63 | retries: 2 64 | target: 65 | group: helm.toolkit.fluxcd.io 66 | kind: HelmRelease 67 | target: 68 | group: kustomize.toolkit.fluxcd.io 69 | kind: Kustomization 70 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/smtp-relay/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: smtp-relay 6 | spec: 7 | chartRef: 8 | kind: OCIRepository 9 | name: app-template 10 | namespace: flux-system 11 | interval: 1h 12 | values: 13 | controllers: 14 | smtp-relay: 15 | replicas: 2 16 | strategy: RollingUpdate 17 | annotations: 18 | reloader.stakater.com/auto: "true" 19 | containers: 20 | app: 21 | image: 22 | repository: ghcr.io/foxcpp/maddy 23 | tag: 0.8.1@sha256:55636d8a29588eea62d81d51acdafe38e0f694fb91801ab12dc1ed8c47b6439d 24 | env: 25 | SMTP_RELAY_METRICS_PORT: &metricsPort 8080 26 | SMTP_RELAY_SMTP_PORT: &smtpPort 25 27 | SMTP_RELAY_SERVER_PORT: 587 28 | envFrom: 29 | - secretRef: 30 | name: "{{ .Release.Name }}-secret" 31 | probes: 32 | liveness: 33 | enabled: true 34 | readiness: 35 | enabled: true 36 | resources: 37 | requests: 38 | cpu: 10m 39 | limits: 40 | memory: 64Mi 41 | securityContext: 42 | allowPrivilegeEscalation: false 43 | readOnlyRootFilesystem: true 44 | capabilities: { drop: ["ALL"] } 45 | defaultPodOptions: 46 | securityContext: 47 | runAsNonRoot: true 48 | runAsUser: 1000 49 | runAsGroup: 1000 50 | persistence: 51 | cache: 52 | type: emptyDir 53 | medium: Memory 54 | config: 55 | type: configMap 56 | name: "{{ .Release.Name }}-configmap" 57 | globalMounts: 58 | - path: /data/maddy.conf 59 | subPath: maddy.conf 60 | readOnly: true 61 | service: 62 | app: 63 | ports: 64 | http: 
65 | port: *metricsPort 66 | smtp: 67 | port: *smtpPort 68 | serviceMonitor: 69 | app: 70 | endpoints: 71 | - port: http 72 | -------------------------------------------------------------------------------- /kubernetes/apps/media/recyclarr/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: recyclarr 6 | spec: 7 | chartRef: 8 | kind: OCIRepository 9 | name: app-template 10 | namespace: flux-system 11 | interval: 1h 12 | values: 13 | controllers: 14 | recyclarr: 15 | type: cronjob 16 | cronjob: 17 | schedule: "@daily" 18 | timeZone: &timeZone America/Chicago 19 | concurrencyPolicy: Forbid 20 | successfulJobsHistory: 1 21 | failedJobsHistory: 1 22 | containers: 23 | app: 24 | image: 25 | repository: ghcr.io/recyclarr/recyclarr 26 | tag: 7.5.2@sha256:2550848d43a453f2c6adf3582f2198ac719f76670691d76de0819053103ef2fb 27 | args: 28 | - sync 29 | env: 30 | TZ: *timeZone 31 | envFrom: 32 | - secretRef: 33 | name: "{{ .Release.Name }}-secret" 34 | resources: 35 | requests: 36 | cpu: 10m 37 | limits: 38 | memory: 128Mi 39 | securityContext: 40 | allowPrivilegeEscalation: false 41 | readOnlyRootFilesystem: true 42 | capabilities: { drop: ["ALL"] } 43 | defaultPodOptions: 44 | securityContext: 45 | runAsNonRoot: true 46 | runAsUser: 1000 47 | runAsGroup: 1000 48 | fsGroup: 1000 49 | fsGroupChangePolicy: OnRootMismatch 50 | persistence: 51 | config: 52 | existingClaim: "{{ .Release.Name }}" 53 | config-file: 54 | type: configMap 55 | name: "{{ .Release.Name }}-configmap" 56 | globalMounts: 57 | - path: /config/recyclarr.yml 58 | subPath: recyclarr.yml 59 | readOnly: true 60 | tmpfs: 61 | type: emptyDir 62 | advancedMounts: 63 | recyclarr: 64 | app: 65 | - path: /config/logs 66 | subPath: logs 67 | - path: /config/repositories 68 | subPath: repositories 69 | - path: /tmp 70 | subPath: tmp 71 | 
-------------------------------------------------------------------------------- /kubernetes/apps/media/qui/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: qui 6 | spec: 7 | chartRef: 8 | kind: OCIRepository 9 | name: app-template 10 | namespace: flux-system 11 | interval: 1h 12 | values: 13 | controllers: 14 | qui: 15 | annotations: 16 | reloader.stakater.com/auto: "true" 17 | containers: 18 | app: 19 | image: 20 | repository: ghcr.io/autobrr/qui 21 | tag: v1.10.0@sha256:8f0917e66df1aa9935d79d525df95009a3d0a07c520de117ef519c49e1f120f4 22 | env: 23 | QUI__HOST: 0.0.0.0 24 | QUI__PORT: &port 80 25 | QUI__LOG_LEVEL: INFO 26 | TZ: America/Chicago 27 | envFrom: 28 | - secretRef: 29 | name: "{{ .Release.Name }}-secret" 30 | probes: 31 | liveness: &probes 32 | enabled: true 33 | custom: true 34 | spec: 35 | httpGet: 36 | path: /health 37 | port: *port 38 | initialDelaySeconds: 0 39 | periodSeconds: 10 40 | timeoutSeconds: 1 41 | failureThreshold: 3 42 | readiness: *probes 43 | resources: 44 | requests: 45 | cpu: 10m 46 | limits: 47 | memory: 512Mi 48 | securityContext: 49 | allowPrivilegeEscalation: false 50 | readOnlyRootFilesystem: true 51 | capabilities: { drop: ["ALL"] } 52 | defaultPodOptions: 53 | securityContext: 54 | runAsNonRoot: true 55 | runAsUser: 1000 56 | runAsGroup: 1000 57 | fsGroup: 1000 58 | fsGroupChangePolicy: OnRootMismatch 59 | persistence: 60 | config: 61 | existingClaim: "{{ .Release.Name }}" 62 | route: 63 | app: 64 | hostnames: 65 | - "{{ .Release.Name }}.k13.dev" 66 | parentRefs: 67 | - name: envoy-internal 68 | namespace: networking 69 | service: 70 | app: 71 | ports: 72 | http: 73 | port: *port 74 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/unpoller/app/helmrelease.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: unpoller 6 | spec: 7 | chartRef: 8 | kind: OCIRepository 9 | name: app-template 10 | namespace: flux-system 11 | interval: 1h 12 | values: 13 | controllers: 14 | unpoller: 15 | annotations: 16 | reloader.stakater.com/auto: "true" 17 | containers: 18 | app: 19 | image: 20 | repository: ghcr.io/unpoller/unpoller 21 | tag: v2.19.0@sha256:6b481094a15d6da4d4b701ba5cb2f8358f307a0c438c8e84b4b132b36879ff77 22 | env: 23 | TZ: America/Chicago 24 | UP_INFLUXDB_DISABLE: true 25 | UP_PROMETHEUS_HTTP_LISTEN: 0.0.0.0:8080 26 | UP_UNIFI_DEFAULT_ROLE: k8s-gitops 27 | UP_UNIFI_DEFAULT_URL: https://unifi.internal 28 | UP_UNIFI_DEFAULT_VERIFY_SSL: false 29 | envFrom: 30 | - secretRef: 31 | name: "{{ .Release.Name }}-secret" 32 | probes: 33 | liveness: &probes 34 | enabled: true 35 | custom: true 36 | spec: 37 | httpGet: 38 | path: /health 39 | port: &port 8080 40 | initialDelaySeconds: 0 41 | periodSeconds: 10 42 | timeoutSeconds: 1 43 | failureThreshold: 3 44 | readiness: *probes 45 | resources: 46 | requests: 47 | cpu: 10m 48 | limits: 49 | memory: 64Mi 50 | securityContext: 51 | allowPrivilegeEscalation: false 52 | readOnlyRootFilesystem: true 53 | capabilities: { drop: ["ALL"] } 54 | defaultPodOptions: 55 | securityContext: 56 | runAsNonRoot: true 57 | runAsUser: 1000 58 | runAsGroup: 1000 59 | service: 60 | app: 61 | ports: 62 | http: 63 | port: *port 64 | serviceMonitor: 65 | app: 66 | endpoints: 67 | - port: http 68 | interval: 2m # Unifi API only polls at 2m intervals 69 | scrapeTimeout: 10s 70 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/echo-server/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 
| name: echo-server 6 | spec: 7 | chartRef: 8 | kind: OCIRepository 9 | name: app-template 10 | namespace: flux-system 11 | interval: 1h 12 | values: 13 | controllers: 14 | echo-server: 15 | replicas: 2 16 | strategy: RollingUpdate 17 | containers: 18 | app: 19 | image: 20 | repository: ghcr.io/mendhak/http-https-echo 21 | tag: 38@sha256:c73e039e883944a38e37eaba829eb9a67641cd03eff868827683951feceef96e 22 | env: 23 | HTTP_PORT: &port 80 24 | LOG_WITHOUT_NEWLINE: true 25 | LOG_IGNORE_PATH: &path /healthz 26 | PROMETHEUS_ENABLED: true 27 | probes: 28 | liveness: &probes 29 | enabled: true 30 | custom: true 31 | spec: 32 | httpGet: 33 | path: *path 34 | port: *port 35 | initialDelaySeconds: 0 36 | periodSeconds: 10 37 | timeoutSeconds: 1 38 | failureThreshold: 3 39 | readiness: *probes 40 | resources: 41 | requests: 42 | cpu: 10m 43 | limits: 44 | memory: 64Mi 45 | securityContext: 46 | allowPrivilegeEscalation: false 47 | readOnlyRootFilesystem: true 48 | capabilities: { drop: ["ALL"] } 49 | defaultPodOptions: 50 | securityContext: 51 | runAsNonRoot: true 52 | runAsUser: 1000 53 | runAsGroup: 1000 54 | route: 55 | app: 56 | annotations: 57 | gatus.home-operations.com/endpoint: |- 58 | url: https://{{ .Release.Name }}.k13.dev/healthz 59 | hostnames: 60 | - "{{ .Release.Name }}.k13.dev" 61 | - echo.k13.dev 62 | parentRefs: 63 | - name: envoy-external 64 | namespace: networking 65 | service: 66 | app: 67 | ports: 68 | http: 69 | port: *port 70 | serviceMonitor: 71 | app: 72 | endpoints: 73 | - port: http 74 | -------------------------------------------------------------------------------- /.renovate/groups.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | packageRules: [ 4 | { 5 | description: "1Password Connect Group", 6 | groupName: "1password-connect", 7 | matchDatasources: ["docker"], 8 | matchPackageNames: ["/1password/"], 9 | group: { 10 | 
commitMessageTopic: "{{{groupName}}} group", 11 | }, 12 | minimumGroupSize: 2, 13 | }, 14 | { 15 | description: "Actions Runner Controller Group", 16 | groupName: "actions-runner-controller", 17 | matchDatasources: ["docker"], 18 | matchPackageNames: [ 19 | "/gha-runner-scale-set-controller/", 20 | "/gha-runner-scale-set/", 21 | ], 22 | group: { 23 | commitMessageTopic: "{{{groupName}}} group", 24 | }, 25 | minimumGroupSize: 2, 26 | }, 27 | { 28 | description: "Flux Operator Group", 29 | groupName: "flux-operator", 30 | matchDatasources: ["docker"], 31 | matchPackageNames: [ 32 | "/flux-instance/", 33 | "/flux-operator/", 34 | "/flux-operator-manifests/", 35 | ], 36 | group: { 37 | commitMessageTopic: "{{{groupName}}} group", 38 | }, 39 | minimumGroupSize: 3, 40 | }, 41 | { 42 | description: "Kubernetes Group", 43 | groupName: "kubernetes", 44 | matchDatasources: ["docker"], 45 | matchPackageNames: [ 46 | "/kube-apiserver/", 47 | "/kube-controller-manager/", 48 | "/kube-proxy/", 49 | "/kube-scheduler/", 50 | "/kubelet/", 51 | ], 52 | group: { 53 | commitMessageTopic: "{{{groupName}}} group", 54 | }, 55 | minimumGroupSize: 5, 56 | }, 57 | { 58 | description: "Rook-Ceph Group", 59 | groupName: "rook-ceph", 60 | matchDatasources: ["docker"], 61 | matchPackageNames: ["/rook-ceph/", "/rook-ceph-cluster/"], 62 | group: { 63 | commitMessageTopic: "{{{groupName}}} group", 64 | }, 65 | minimumGroupSize: 2, 66 | }, 67 | { 68 | description: "Talos Group", 69 | groupName: "talos", 70 | matchDatasources: ["docker"], 71 | matchPackageNames: ["/installer/", "/talosctl/"], 72 | group: { 73 | commitMessageTopic: "{{{groupName}}} group", 74 | }, 75 | minimumGroupSize: 2, 76 | }, 77 | ], 78 | } 79 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/coredns/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: 
OCIRepository 4 | metadata: 5 | name: coredns 6 | spec: 7 | interval: 15m 8 | layerSelector: 9 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 10 | operation: copy 11 | ref: 12 | tag: 1.45.0 13 | url: oci://ghcr.io/coredns/charts/coredns 14 | --- 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | metadata: 18 | name: coredns 19 | spec: 20 | chartRef: 21 | kind: OCIRepository 22 | name: coredns 23 | interval: 1h 24 | values: 25 | fullnameOverride: coredns 26 | image: 27 | repository: mirror.gcr.io/coredns/coredns 28 | replicaCount: 2 29 | k8sAppLabelOverride: kube-dns 30 | serviceAccount: 31 | create: true 32 | service: 33 | name: kube-dns 34 | clusterIP: 10.245.0.10 35 | servers: 36 | - zones: 37 | - zone: . 38 | scheme: dns:// 39 | use_tcp: true 40 | port: 53 41 | plugins: 42 | - name: errors 43 | - name: health 44 | configBlock: |- 45 | lameduck 5s 46 | - name: ready 47 | - name: kubernetes 48 | parameters: cluster.local in-addr.arpa ip6.arpa 49 | configBlock: |- 50 | pods verified 51 | fallthrough in-addr.arpa ip6.arpa 52 | - name: autopath 53 | parameters: "@kubernetes" 54 | - name: forward 55 | parameters: . 
/etc/resolv.conf 56 | - name: cache 57 | configBlock: |- 58 | prefetch 20 59 | serve_stale 60 | - name: loop 61 | - name: reload 62 | - name: loadbalance 63 | - name: prometheus 64 | parameters: 0.0.0.0:9153 65 | - name: log 66 | configBlock: |- 67 | class error 68 | affinity: 69 | nodeAffinity: 70 | requiredDuringSchedulingIgnoredDuringExecution: 71 | nodeSelectorTerms: 72 | - matchExpressions: 73 | - key: node-role.kubernetes.io/control-plane 74 | operator: Exists 75 | tolerations: 76 | - key: CriticalAddonsOnly 77 | operator: Exists 78 | - key: node-role.kubernetes.io/control-plane 79 | operator: Exists 80 | effect: NoSchedule 81 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/cloudflared/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: cloudflared 6 | spec: 7 | chartRef: 8 | kind: OCIRepository 9 | name: app-template 10 | namespace: flux-system 11 | interval: 1h 12 | values: 13 | controllers: 14 | cloudflared: 15 | replicas: 2 16 | strategy: RollingUpdate 17 | annotations: 18 | reloader.stakater.com/auto: "true" 19 | containers: 20 | app: 21 | image: 22 | repository: mirror.gcr.io/cloudflare/cloudflared 23 | tag: 2025.11.1@sha256:89ee50efb1e9cb2ae30281a8a404fed95eb8f02f0a972617526f8c5b417acae2 24 | args: 25 | - tunnel 26 | - run 27 | env: 28 | NO_AUTOUPDATE: true 29 | TUNNEL_METRICS: 0.0.0.0:8080 30 | TUNNEL_POST_QUANTUM: true 31 | TUNNEL_TRANSPORT_PROTOCOL: quic 32 | envFrom: 33 | - secretRef: 34 | name: "{{ .Release.Name }}-secret" 35 | probes: 36 | liveness: &probes 37 | enabled: true 38 | custom: true 39 | spec: 40 | httpGet: 41 | path: /ready 42 | port: &port 8080 43 | initialDelaySeconds: 0 44 | periodSeconds: 10 45 | timeoutSeconds: 1 46 | failureThreshold: 3 47 | readiness: *probes 48 | resources: 49 | requests: 50 | cpu: 10m 51 | limits: 52 | 
memory: 128Mi 53 | securityContext: 54 | allowPrivilegeEscalation: false 55 | readOnlyRootFilesystem: true 56 | capabilities: { drop: ["ALL"] } 57 | defaultPodOptions: 58 | securityContext: 59 | runAsNonRoot: true 60 | runAsUser: 1000 61 | runAsGroup: 1000 62 | persistence: 63 | config: 64 | type: configMap 65 | name: "{{ .Release.Name }}-configmap" 66 | globalMounts: 67 | - path: /etc/cloudflared/config.yaml 68 | subPath: config.yaml 69 | readOnly: true 70 | service: 71 | app: 72 | ports: 73 | http: 74 | port: *port 75 | serviceMonitor: 76 | app: 77 | endpoints: 78 | - port: http 79 | --------------------------------------------------------------------------------