├── .envrc ├── .gitattributes ├── .github ├── hrval.yaml ├── lint │ └── .yamllint.yaml └── workflows │ └── renovate.yaml ├── .gitignore ├── .pre-commit-config.yaml ├── .renovate ├── autoMerge.json5 ├── customManagers.json5 ├── groups.json5 ├── labels.json5 └── semanticCommits.json5 ├── .renovaterc.json5 ├── .sops.yaml ├── LICENSE ├── README.md ├── ansible.cfg ├── clusters ├── apps │ ├── base │ │ ├── app-template │ │ │ ├── hr.yaml │ │ │ └── kustomization.yaml │ │ ├── auth-system │ │ │ └── oauth2-proxy │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ ├── flux-system │ │ │ ├── kustomization.yaml │ │ │ └── podmonitor.yaml │ │ ├── games │ │ │ ├── minecraft-proxy │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── minecraft │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ ├── home │ │ │ └── homepage │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ ├── kube-system │ │ │ ├── kustomization.yaml │ │ │ └── node-feature-discovery │ │ │ │ ├── kustomization.yaml │ │ │ │ └── rules │ │ │ │ ├── coral.yaml │ │ │ │ ├── intel-gpu.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── ups.yaml │ │ │ │ └── zzh.yaml │ │ ├── network-system │ │ │ ├── librespeed │ │ │ │ ├── hr.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── vs.yaml │ │ │ └── traefik │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ ├── observability │ │ │ ├── otel-collector │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── otel-operator │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ └── volsync │ │ │ └── lib │ │ │ ├── rclone │ │ │ ├── backup.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── restore.yaml │ │ │ └── secret.rclone.yaml │ │ │ └── restic │ │ │ ├── backup.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── restore.yaml │ │ │ └── secret.restic.yaml │ └── env │ │ └── production │ │ ├── actions-runner-system │ │ ├── controller │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── ks.yaml │ │ │ └── runners │ │ │ │ ├── gitops │ │ │ │ ├── hr.yaml │ │ │ │ ├── 
kustomization.yaml │ │ │ │ ├── rbac.yaml │ │ │ │ └── secret.enc.yaml │ │ │ │ └── kustomization.yaml │ │ └── kustomization.yaml │ │ ├── auth-system │ │ ├── kustomization.yaml │ │ └── oauth2-proxy │ │ │ ├── app │ │ │ ├── google.enc.yaml │ │ │ ├── ingressroute.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── middleware.yaml │ │ │ └── patch.oauth2-proxy.yaml │ │ │ └── ks.yaml │ │ ├── database │ │ ├── cnpg │ │ │ ├── cluster │ │ │ │ ├── backup.yaml │ │ │ │ ├── cluster.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── minio.enc.yaml │ │ │ │ ├── service.yaml │ │ │ │ └── superuser.enc.yaml │ │ │ ├── ks.yaml │ │ │ └── operator │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ ├── kustomization.yaml │ │ └── minio │ │ │ ├── app │ │ │ ├── app.patch.yaml │ │ │ ├── ingressroute.yaml │ │ │ ├── kustomization.yaml │ │ │ └── minio.enc.yaml │ │ │ └── ks.yaml │ │ ├── flux-system │ │ ├── kustomization.yaml │ │ ├── notifications │ │ │ ├── ks.yaml │ │ │ └── randomgamers │ │ │ │ ├── alerts.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── provider.yaml │ │ │ │ └── secret.enc.yaml │ │ └── webhook-receiver │ │ │ ├── github │ │ │ ├── ingressroute.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── receiver.yaml │ │ │ └── secret.enc.yaml │ │ │ └── ks.yaml │ │ ├── games │ │ ├── ark │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── ks.yaml │ │ │ └── volsync │ │ │ │ ├── backup.yaml │ │ │ │ ├── cluster.yaml │ │ │ │ ├── fjordor-save.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── theisland-save.yaml │ │ └── kustomization.yaml │ │ ├── home │ │ ├── esphome │ │ │ ├── app │ │ │ │ ├── deploykey.enc.yaml │ │ │ │ ├── hr.yaml │ │ │ │ ├── ingressroute.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── secrets.yaml │ │ │ └── ks.yaml │ │ ├── frigate │ │ │ ├── app │ │ │ │ ├── config │ │ │ │ │ └── config.yml │ │ │ │ ├── ingressroute.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── patch.frigate.yaml │ │ │ └── ks.yaml │ │ ├── home-assistant │ │ │ ├── app │ │ │ │ ├── code.enc.yaml │ │ │ │ ├── 
hass.enc.yaml │ │ │ │ ├── ingressroute.home-assistant.yaml │ │ │ │ ├── ingressroute.music-assistant.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── patch.hassio.yaml │ │ │ └── ks.yaml │ │ ├── homepage │ │ │ ├── buck │ │ │ │ ├── app.patch.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── common │ │ │ │ ├── dns.yaml │ │ │ │ ├── ingressroute.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── kat │ │ │ │ ├── app.patch.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ ├── mosquitto │ │ │ ├── app │ │ │ │ ├── config │ │ │ │ │ └── mosquitto.conf │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── patch.mosquitto.yaml │ │ │ │ ├── patches │ │ │ │ │ └── kustomizeconfig.yaml │ │ │ │ └── secret.enc.yaml │ │ │ └── ks.yaml │ │ ├── nextcloud │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ ├── ingressroute.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── nextcloud.enc.yaml │ │ │ └── ks.yaml │ │ ├── paperless │ │ │ ├── app │ │ │ │ ├── ingressroute.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── patch.paperless.yaml │ │ │ │ └── secret.enc.yaml │ │ │ └── ks.yaml │ │ └── zwavejs │ │ │ ├── app │ │ │ ├── ingressroute.yaml │ │ │ ├── kustomization.yaml │ │ │ └── patch.zwavejs.yaml │ │ │ └── ks.yaml │ │ ├── kube-system │ │ └── kustomization.yaml │ │ ├── media │ │ ├── audiobookshelf │ │ │ ├── app │ │ │ │ ├── app.patch.yaml │ │ │ │ ├── ingressroute.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── deemix │ │ │ ├── app │ │ │ │ ├── app.patch.yaml │ │ │ │ ├── ingressroute.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ ├── lidarr │ │ │ ├── app │ │ │ │ ├── app.patch.yaml │ │ │ │ ├── ingressroute.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── lidarr.enc.yaml │ │ │ └── ks.yaml │ │ ├── linkwarden │ │ │ ├── app │ │ │ │ ├── app.patch.yaml │ │ │ │ ├── ingressroute.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── linkwarden.enc.yaml │ │ │ └── ks.yaml │ │ ├── music-assistant │ │ │ ├── app │ │ │ │ ├── app.patch.yaml │ │ │ │ ├── ingressroute.yaml │ 
│ │ │ ├── kustomization.yaml │ │ │ │ └── volsync.yaml │ │ │ └── ks.yaml │ │ ├── navidrome │ │ │ ├── app │ │ │ │ ├── app.patch.yaml │ │ │ │ ├── ingressroute.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── prowlarr │ │ │ ├── app │ │ │ │ ├── app.patch.yaml │ │ │ │ ├── ingressroute.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── readarr │ │ │ ├── app │ │ │ │ ├── app.patch.yaml │ │ │ │ ├── ingressroute.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── slskd │ │ │ ├── app │ │ │ │ ├── app.patch.yaml │ │ │ │ ├── config.yaml │ │ │ │ ├── ingressroute.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── slskd.enc.yaml │ │ │ └── ks.yaml │ │ └── syncthing │ │ │ ├── app │ │ │ ├── app.patch.yaml │ │ │ ├── ingressroute.yaml │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── n8n │ │ ├── kustomization.yaml │ │ └── n8n │ │ │ ├── app │ │ │ ├── hr.yaml │ │ │ ├── kustomization.yaml │ │ │ └── n8n.enc.yaml │ │ │ └── ks.yaml │ │ ├── network-system │ │ ├── external-dns │ │ │ ├── ks.yaml │ │ │ └── local │ │ │ │ ├── home-automation.yaml │ │ │ │ ├── k8s-nodes.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── monitoring.yaml │ │ │ │ ├── omada.yaml │ │ │ │ ├── pihole.yaml │ │ │ │ ├── workbench.yaml │ │ │ │ └── workstations.yaml │ │ ├── kustomization.yaml │ │ ├── librespeed │ │ │ ├── app │ │ │ │ ├── ingressroute.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── patch.librespeed.yaml │ │ │ └── ks.yaml │ │ └── traefik │ │ │ ├── external │ │ │ ├── app.patch.yaml │ │ │ └── kustomization.yaml │ │ │ ├── internal │ │ │ ├── app.patch.yaml │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── observability │ │ ├── jaeger │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ ├── ingressroute.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── loadbalancer.yaml │ │ │ └── ks.yaml │ │ ├── kustomization.yaml │ │ ├── nut-exporter │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ ├── otel │ │ │ ├── daemonset │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── 
otel.yaml │ │ │ │ ├── rbac.yaml │ │ │ │ └── rbac.yaml.old │ │ │ ├── ks.yaml │ │ │ ├── operator │ │ │ │ ├── hr.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── rbac.yaml │ │ │ ├── scraper │ │ │ │ ├── cert.yaml │ │ │ │ ├── env.enc.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── otel.yaml │ │ │ │ └── rbac.yaml │ │ │ └── syslogger │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── otel.yaml │ │ │ │ └── service.yaml │ │ ├── prometheus │ │ │ ├── app │ │ │ │ ├── deployment.yaml │ │ │ │ ├── dns.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── prometheus.yaml │ │ │ │ ├── service-account.yaml │ │ │ │ └── service.yaml │ │ │ └── ks.yaml │ │ ├── pyroscope │ │ │ ├── app │ │ │ │ └── hr.yaml │ │ │ └── ks.yaml │ │ └── speedtest-exporter │ │ │ ├── app │ │ │ ├── hr.yaml │ │ │ └── kustomization.yaml │ │ │ └── ks.yaml │ │ └── rook │ │ ├── ingressroute.yaml │ │ └── kustomization.yaml ├── core │ ├── base │ │ └── applications │ │ │ ├── flux-system │ │ │ ├── git-repositories │ │ │ │ ├── cert-manager-linode.yaml │ │ │ │ ├── cert-manager-webhook-linode.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── ocis.yaml │ │ │ ├── helm-repositories │ │ │ │ ├── angelnu-charts.yaml │ │ │ │ ├── ark-server-charts-custom.yaml │ │ │ │ ├── ark-server-charts.yaml │ │ │ │ ├── authentik-charts.yaml │ │ │ │ ├── backube-charts.yaml │ │ │ │ ├── banzaicloud-charts.yaml │ │ │ │ ├── bitnami-charts.yaml │ │ │ │ ├── bjw-s-charts.yaml │ │ │ │ ├── blakeshome-charts.yaml │ │ │ │ ├── botkube-charts.yaml │ │ │ │ ├── cnpg.yaml │ │ │ │ ├── coredns-charts.yaml │ │ │ │ ├── crossplane-charts.yaml │ │ │ │ ├── crutonjohn-charts.yaml │ │ │ │ ├── custom-bitwarden.yaml │ │ │ │ ├── democratic-csi-charts.yaml │ │ │ │ ├── dex-chart.yaml │ │ │ │ ├── emqx-charts.yaml │ │ │ │ ├── fairwinds-charts.yaml │ │ │ │ ├── flagger-charts.yaml │ │ │ │ ├── gatekeeper-charts.yaml │ │ │ │ ├── grafana-charts.yaml │ │ │ │ ├── inlets-charts.yaml │ │ │ │ ├── istio-charts.yaml │ │ │ │ ├── itzg-minecraft-charts.yaml │ │ │ │ ├── jaeger-charts.yaml │ │ │ │ ├── 
jameswynn-charts.yaml │ │ │ │ ├── jetstack-charts.yaml │ │ │ │ ├── k8s-at-home-charts.yaml │ │ │ │ ├── k8s-sigs-descheduler-charts.yaml │ │ │ │ ├── k8s-sigs-external-dns-charts.yaml │ │ │ │ ├── kubernetes-nginx-ingress.yaml │ │ │ │ ├── kubernetes-stable-charts.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── litmuschaos-charts.yaml │ │ │ │ ├── longhorn-charts.yaml │ │ │ │ ├── metallb-charts.yaml │ │ │ │ ├── nextcloud-charts.yaml │ │ │ │ ├── node-feature-discovery-chart.yaml │ │ │ │ ├── oauth2-proxy-chart.yaml │ │ │ │ ├── openfaas-charts.yaml │ │ │ │ ├── opentelemetry-charts.yaml │ │ │ │ ├── piraeus-charts.yaml │ │ │ │ ├── replicator-charts.yaml │ │ │ │ ├── rook-charts.yaml │ │ │ │ ├── signoz-charts.yaml │ │ │ │ ├── smallstep-charts.yaml │ │ │ │ ├── stakater-charts.yaml │ │ │ │ ├── tanzu-charts.yaml │ │ │ │ ├── traefik-charts.yaml │ │ │ │ ├── vernemq-charts.yaml │ │ │ │ ├── victoriametrics-charts.yaml │ │ │ │ └── weaveworks-kured-charts.yaml │ │ │ └── kustomization.yaml │ │ │ ├── kube-system │ │ │ ├── intel-gpu-plugin │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── node-feature-discovery │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── reloader │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── replicator │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── network-system │ │ │ ├── cert-manager │ │ │ ├── hr.yaml │ │ │ └── kustomization.yaml │ │ │ ├── external-dns │ │ │ ├── hr.yaml │ │ │ └── kustomization.yaml │ │ │ ├── linode-cert-manager │ │ │ ├── hr.yaml │ │ │ └── kustomization.yaml │ │ │ └── linode-webhook │ │ │ ├── hr.yaml │ │ │ └── kustomization.yaml │ ├── crds │ │ ├── external-dns │ │ │ ├── crds.yaml │ │ │ └── kustomization.yaml │ │ ├── kustomization.yaml │ │ ├── multus │ │ │ ├── crds.yaml │ │ │ └── kustomization.yaml │ │ ├── otel │ │ │ ├── crds.yaml │ │ │ └── kustomization.yaml │ │ └── traefik │ │ │ ├── crds.yaml │ │ │ └── kustomization.yaml │ ├── env │ │ └── production │ │ │ ├── backups │ │ │ ├── kustomization.yaml │ 
│ │ ├── snapshot-controller │ │ │ │ ├── app │ │ │ │ │ ├── hr.yaml │ │ │ │ │ └── kustomization.yaml │ │ │ │ └── ks.yaml │ │ │ └── volsync │ │ │ │ ├── app │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ │ │ └── ks.yaml │ │ │ ├── kube-system │ │ │ ├── cilium │ │ │ │ ├── bgp │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ ├── peering.yaml │ │ │ │ │ └── service-pool.yaml │ │ │ │ ├── hubble │ │ │ │ │ ├── dns.yaml │ │ │ │ │ ├── ingressroute.hubble.yaml │ │ │ │ │ └── kustomization.yaml │ │ │ │ └── ks.yaml │ │ │ ├── intel-gpu-plugin │ │ │ │ ├── app │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── patch.intel.yaml │ │ │ │ └── ks.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── node-feature-discovery │ │ │ │ ├── app │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── patch.nfd.yaml │ │ │ │ └── ks.yaml │ │ │ ├── reloader │ │ │ │ ├── app │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── patch.reloader.yaml │ │ │ │ └── ks.yaml │ │ │ └── replicator │ │ │ │ ├── app │ │ │ │ ├── kustomization.yaml │ │ │ │ └── patch.replicator.yaml │ │ │ │ └── ks.yaml │ │ │ ├── network-system │ │ │ ├── cert-manager │ │ │ │ ├── aws │ │ │ │ │ ├── app.patch.yaml │ │ │ │ │ └── kustomization.yaml │ │ │ │ ├── certificates │ │ │ │ │ ├── crj-wildcard-cert.yaml │ │ │ │ │ ├── heyjohn-wildcard-cert.yaml │ │ │ │ │ └── kustomization.yaml │ │ │ │ ├── issuers │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ ├── le-prod.yaml │ │ │ │ │ └── le-stg.yaml │ │ │ │ ├── ks.yaml │ │ │ │ └── linode │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── patch.app.yaml │ │ │ ├── external-dns │ │ │ │ ├── aws │ │ │ │ │ ├── app.patch.yaml │ │ │ │ │ ├── aws-creds.enc.yaml │ │ │ │ │ └── kustomization.yaml │ │ │ │ ├── ks.yaml │ │ │ │ ├── linode │ │ │ │ │ ├── app.patch.yaml │ │ │ │ │ └── kustomization.yaml │ │ │ │ ├── opnsense │ │ │ │ │ ├── config.alloy │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ ├── patch.externaldns.yaml │ │ │ │ │ └── secret.enc.yaml │ │ │ │ └── pihole │ │ │ │ │ ├── hr.yaml │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── secret.enc.yaml │ │ │ 
├── kustomization.yaml │ │ │ ├── linode-certmanager-webhook │ │ │ │ ├── app │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ ├── patch.app.yaml │ │ │ │ │ └── token.enc.yaml │ │ │ │ └── ks.yaml │ │ │ ├── multus │ │ │ │ ├── app │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ ├── multus.yaml │ │ │ │ │ ├── rbac.yaml │ │ │ │ │ └── upstream.yaml │ │ │ │ ├── config │ │ │ │ │ ├── dhcp.yaml │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ ├── network-attachment.iot-garbage.yaml │ │ │ │ │ └── network-attachment.server-vlan.yaml │ │ │ │ └── ks.yaml │ │ │ └── step │ │ │ │ ├── ks.yaml │ │ │ │ ├── registration-authority │ │ │ │ ├── cert-req.yaml │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ │ │ └── step-issuer │ │ │ │ ├── hr.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── step-issuer-provisioner-password.enc.yaml │ │ │ │ └── step-issuer.yaml │ │ │ └── rook │ │ │ ├── ceph │ │ │ ├── codex │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── ks.yaml │ │ │ ├── operator │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── terra │ │ │ │ ├── hr.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── kustomization.yaml │ ├── namespaces │ │ └── production │ │ │ ├── kustomization.yaml │ │ │ └── ns.yaml │ └── pvc │ │ ├── production │ │ ├── ark │ │ │ ├── cluster.yaml │ │ │ ├── theisland.yaml │ │ │ └── workbench-backups.yaml │ │ ├── audiobook-library.yaml │ │ ├── audiobookshelf.yaml │ │ ├── changedetection.yaml │ │ ├── frigate.yaml │ │ ├── kustomization.yaml │ │ ├── lidarr.yaml │ │ ├── music-library.yaml │ │ ├── navidrome.yaml │ │ ├── nextcloud.yaml │ │ ├── paperless.yaml │ │ ├── podcast-library.yaml │ │ ├── prometheus.yaml │ │ ├── prowlarr.yaml │ │ ├── readarr.yaml │ │ ├── syncthing.yaml │ │ └── thelounge.yaml │ │ └── rook │ │ ├── database │ │ └── minio.yaml │ │ ├── games │ │ ├── ark │ │ │ ├── fjordur.yaml │ │ │ └── theisland.yaml │ │ └── retrom │ │ │ └── data.yaml │ │ ├── home │ │ ├── esphome │ │ │ └── config.yaml │ │ ├── frigate │ │ │ ├── data.yaml │ │ │ └── recordings.yaml │ │ ├── grocy │ 
│ │ └── data.yaml │ │ ├── home-assistant │ │ │ └── config.yaml │ │ ├── mosquitto │ │ │ └── data.yaml │ │ ├── music-assistant │ │ │ └── config.yaml │ │ ├── nextcloud │ │ │ ├── config.yaml │ │ │ └── data.yaml │ │ ├── paperless │ │ │ ├── config.yaml │ │ │ └── data.yaml │ │ └── zwavejs │ │ │ └── config.yaml │ │ ├── media │ │ ├── audiobookshelf │ │ │ ├── audiobook-library.yaml │ │ │ ├── config.yaml │ │ │ ├── ebook-library.yaml │ │ │ ├── metadata.yaml │ │ │ └── podcast-library.yaml │ │ ├── downloads.yaml │ │ ├── lidarr │ │ │ └── config.yaml │ │ ├── linkwarden │ │ │ └── data.yaml │ │ ├── music-library.yaml │ │ ├── navidrome │ │ │ └── config.yaml │ │ ├── prowlarr │ │ │ └── config.yaml │ │ ├── readarr │ │ │ └── config.yaml │ │ ├── slskd │ │ │ └── data.yaml │ │ └── syncthing │ │ │ └── config.yaml │ │ ├── network-system │ │ └── registration-authority │ │ │ └── db.yaml │ │ ├── observability │ │ ├── changedetection │ │ │ └── config.yaml │ │ └── prometheus │ │ │ └── prometheus.yaml │ │ ├── ocis │ │ ├── data.yaml │ │ ├── idm.yaml │ │ ├── nats.yaml │ │ ├── search.yaml │ │ ├── storage.yaml │ │ ├── thumbnails.yaml │ │ └── web.yaml │ │ └── social │ │ └── thelounge │ │ └── config.yaml ├── env │ └── production │ │ ├── bootstrap.yaml │ │ ├── bootstrap │ │ ├── install.yaml │ │ └── kustomization.yaml │ │ ├── flux-system │ │ ├── gotk-components.yaml │ │ ├── gotk-sync.yaml │ │ └── kustomization.yaml │ │ └── kustomization.yaml └── secrets │ ├── generic │ ├── kustomization.yaml │ ├── secrets.yaml │ └── settings.yaml │ ├── production │ ├── kustomization.yaml │ ├── secrets.yaml │ └── settings.yaml │ └── truenas │ ├── kustomization.yaml │ ├── secrets.yaml │ └── settings.yaml ├── default.nix ├── hack ├── cert-service-account.yaml ├── delete-ns.sh ├── enphase.py ├── pvc-debugger.sh ├── pvcc.sh ├── runner ├── sa-kubeconfig.sh ├── wildcard-cert-heyjohn.yaml └── wildcard-cert.yaml ├── provision ├── cilium │ ├── home-automation.yaml │ └── production.yaml └── k0s │ ├── home-automation.yaml │ ├── 
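kube-vip.yaml │ └── production.yaml ├── sops-aws.enc.yaml └── zigbee └── default.nix
--------------------------------------------------------------------------------
/.envrc:
--------------------------------------------------------------------------------
# direnv environment for this checkout. The kubeconfig and Ceph paths point at
# local, untracked credential files; none of them belong in the repository.
# Kubeconfig
export KUBECONFIG=$(expand_path ./hack/main)

# Ceph client
# ceph.keyring is a Ceph credential — the ceph/ directory must stay git-ignored.
export CEPH_CONF=$(expand_path ./ceph/ceph.conf)
export CEPH_KEYRING=$(expand_path ./ceph/ceph.keyring)
export CEPH_ARGS="--id wayward"

# AWS
export AWS_PROFILE=personal
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/crutonjohn/gitops/7cc1ccd170d26e3e5a3d5c43a24f2920f16b148f/.gitattributes
--------------------------------------------------------------------------------
/.github/hrval.yaml:
--------------------------------------------------------------------------------
# NOTE(review): this workflow sits in .github/ rather than .github/workflows/,
# so GitHub Actions never runs it (the only active workflow in the tree is
# .github/workflows/renovate.yaml); it also validates against Helm v2 and
# Kubernetes 1.17.0. If it is revived: move it under workflows/, pin both
# actions to a commit digest (the helpers:pinGitHubActionDigests preset only
# rewrites files Renovate's github-actions manager matches, which this path
# likely is not), and add a least-privilege top-level `permissions:` block.
name: CI

on: [push, pull_request]

jobs:
  hrval:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - name: Validate Helm v2 Releases in root dir
        uses: stefanprodan/hrval-action@v2.9.0
        with:
          helmRelease: ./
          helmVersion: v2
          kubernetesVersion: 1.17.0
          ignoreValues: true
      - name: Validate Helm v3 in root dir
        uses: stefanprodan/hrval-action@v2.9.0
        with:
          helmRelease: ./
          helmVersion: v3
          kubernetesVersion: 1.17.0
          ignoreValues: true
--------------------------------------------------------------------------------
/.github/lint/.yamllint.yaml:
--------------------------------------------------------------------------------
# yamllint rules used by the pre-commit hook. SOPS-encrypted files and the
# Flux-generated gotk-components.yaml are skipped because their layout is not
# hand-maintained.
ignore: |
  *.sops.*
  *.enc.*
  *.encrypted.*
  gotk-components.yaml
extends: default
rules:
  truthy:
    allowed-values: ["true", "false", "on"]
  comments:
    min-spaces-from-content: 1
  line-length: disable
  braces:
    min-spaces-inside: 0
    max-spaces-inside: 1
  brackets:
    min-spaces-inside: 0
    max-spaces-inside: 0
  indentation: enable
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Binaries for programs and plugins
*.exe
*.dll
*.so
*.dylib

# Test binary, build with `go test -c`
*.test

# Output of the go coverage tool, specifically when used with LiteIDE
*.out

# Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
.glide/

.vscode
auth
master.key
*.snap
*.rkestate
kubeconfig
gitignore/

# Ansible
provision/ansible
provision/kubeconfig
provision/templates/kube-cilium-manifests.yaml.j2

# Vim
*.swp

# Terraform
.terraform
*.tfstate
vars.tf

# kubeconfigs
hack/main
cert-sync-kubeconfig

# ceph config
# Holds ceph.conf and ceph.keyring (see .envrc); the keyring is a credential.
# A leading "./" is not special in gitignore syntax, so the previous "./ceph/"
# pattern matched nothing. "/ceph/" keeps the intended meaning: the ceph
# directory at the repository root, and only that directory.
/ceph/

# cloud stuff
# Same fix as above: "./cloud/" was a no-op pattern.
/cloud/
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
---
fail_fast: false
repos:
  - repo: https://github.com/adrienverge/yamllint
    rev: v1.26.3
    hooks:
      - args:
          - --config-file
          - .github/lint/.yamllint.yaml
        id: yamllint
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.2.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: mixed-line-ending
  - repo: https://github.com/Lucas-C/pre-commit-hooks
    rev: v1.2.0
    hooks:
      - id: remove-crlf
      - id: remove-tabs
  - repo: https://github.com/sirosen/fix-smartquotes
    rev: 0.2.0
    hooks:
      - id: fix-smartquotes
  # Local guard against committing plaintext Kubernetes Secrets; complements
  # the encryption rules in .sops.yaml.
  - repo: https://github.com/k8s-at-home/sops-pre-commit
    rev: v2.1.0
    hooks:
      - id: forbid-secrets
  # - repo: https://github.com/crutonjohn/flux-kustomize-hook
  #   rev: v0.0.4
  #   hooks:
  #     - id: run-kustomize
  - repo: https://github.com/Truxnell/pre-commit
    rev: v0.0.9
    hooks:
      - id: kustomize_build
        # NOTE(review): the tree has no k8s/ directory (manifests live under
        # clusters/), so this filter matches nothing and the hook is effectively
        # disabled — confirm the intended path before relying on it.
        files: ^k8s/
        args: [--dry-run=server]
--------------------------------------------------------------------------------
/.renovate/autoMerge.json5:
--------------------------------------------------------------------------------
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  packageRules: [
    {
      description: "Auto-merge GitHub Releases",
      matchDatasources: ["github-releases"],
      automerge: true,
      automergeType: "branch",
      matchUpdateTypes: ["minor", "patch"],
      matchPackageNames: ["/external-dns/", "/cert-manager/", "/node-feature-discovery/", "/reloader/", "/replicator/" ],
      // NOTE(review): ignoreTests merges the branch without waiting for status
      // checks, so no CI gate stands between a new cert-manager / external-dns
      // minor release and the cluster — review whether that is acceptable.
      ignoreTests: true,
    },
  ],
}
--------------------------------------------------------------------------------
/.renovate/labels.json5:
--------------------------------------------------------------------------------
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  // One "type/*" label per update size and one "renovate/*" label per
  // datasource or manager, for filtering Renovate PRs.
  packageRules: [
    {
      matchUpdateTypes: ["major"],
      labels: ["type/major"],
    },
    {
      matchUpdateTypes: ["minor"],
      labels: ["type/minor"],
    },
    {
      matchUpdateTypes: ["patch"],
      labels: ["type/patch"],
    },
    {
      matchUpdateTypes: ["digest"],
      labels: ["type/digest"],
    },
    {
      matchDatasources: ["docker"],
      addLabels: ["renovate/container"],
    },
    {
      matchDatasources: ["helm"],
      addLabels: ["renovate/helm"],
    },
    {
      matchManagers: ["github-actions"],
      addLabels: ["renovate/github-action"],
    },
    {
      matchDatasources: ["github-releases"],
      addLabels: ["renovate/github-release"],
    },
  ],
}
--------------------------------------------------------------------------------
/.renovaterc.json5: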
--------------------------------------------------------------------------------
{
  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
  extends: [
    'config:recommended',
    'docker:enableMajor',
    'helpers:pinGitHubActionDigests',
    'github>crutonjohn/gitops//.renovate/autoMerge.json5',
    'github>crutonjohn/gitops//.renovate/customManagers.json5',
    'github>crutonjohn/gitops//.renovate/groups.json5',
    'github>crutonjohn/gitops//.renovate/labels.json5',
    'github>crutonjohn/gitops//.renovate/semanticCommits.json5',
    ':automergeBranch',
    ':disableRateLimiting',
    ':dependencyDashboard',
    ':semanticCommits',
    ':timezone(America/New_York)',
  ],
  dependencyDashboardTitle: 'Renovate Dashboard 🤖',
  suppressNotifications: [
    'prEditedNotification',
    'prIgnoreNotification',
  ],
  // SOPS-encrypted files and the local helper scripts are never edited.
  ignorePaths: [
    '**/*.enc.*',
    'hack/**',
  ],
  // All three managers are limited to clusters/, so provision/ and the
  // bootstrap manifests are left to manual updates.
  flux: {
    managerFilePatterns: [
      '/(^|/)clusters/.+\\.ya?ml$/',
    ],
  },
  'helm-values': {
    managerFilePatterns: [
      '/(^|/)clusters/.+\\.ya?ml$/',
    ],
  },
  kubernetes: {
    managerFilePatterns: [
      '/(^|/)clusters/.+\\.ya?ml$/',
    ],
  },
}
--------------------------------------------------------------------------------
/.sops.yaml:
--------------------------------------------------------------------------------
---
# SOPS creation rules. Manifests under clusters/ and the Cilium provisioning
# values are encrypted with a single AWS KMS key.
# NOTE(review): encrypted_regex protects only the listed keys — a credential
# placed anywhere else in a manifest (e.g. inside a HelmRelease `values:` block)
# would be committed in plaintext. All three rules use the same KMS key, so
# access to that one key decrypts every secret in the repository; there is no
# per-environment separation.
creation_rules:
  - path_regex: clusters/.*.yaml
    encrypted_regex: ^(data|stringData)$
    kms: 'arn:aws:kms:us-east-2:300851077188:key/b797e748-1c53-462c-9c4c-50eebebc3130'
  - path_regex: sops-aws.enc.yaml
    encrypted_regex: ^(data|stringData)$
    kms: 'arn:aws:kms:us-east-2:300851077188:key/b797e748-1c53-462c-9c4c-50eebebc3130'
  # Only the `key` field of the Cilium values files is encrypted.
  - path_regex: provision/cilium/(production|home-automation).yaml
    encrypted_regex: ^(key)$
    kms: 'arn:aws:kms:us-east-2:300851077188:key/b797e748-1c53-462c-9c4c-50eebebc3130'

--------------------------------------------------------------------------------
/clusters/apps/base/app-template/hr.yaml:
--------------------------------------------------------------------------------
---
# Base HelmRelease for the bjw-s app-template chart; the production overlays
# (app.patch.yaml files in the tree) appear to build on it. Ingress is disabled
# here so nothing is exposed unless an overlay enables it deliberately.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: app-template
spec:
  interval: 30m
  timeout: 15m
  chart:
    spec:
      chart: app-template
      version: 2.6.0
      interval: 30m
      sourceRef:
        kind: HelmRepository
        name: bjw-s-charts
        namespace: flux-system
  values:
    ingress:
      main:
        enabled: false
        hosts: []
--------------------------------------------------------------------------------
/clusters/apps/base/app-template/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/apps/base/auth-system/oauth2-proxy/hr.yaml:
--------------------------------------------------------------------------------
---
# oauth2-proxy release named "google-auth"; the auth-system overlay supplies the
# provider credentials (google.enc.yaml) and the Traefik middleware.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: google-auth
spec:
  interval: 5m
  chart:
    spec:
      chart: oauth2-proxy
      version: 7.12.13
      sourceRef:
        kind: HelmRepository
        name: oauth2-proxy-chart
        namespace: flux-system
      interval: 5m
  values:
    image:
      repository: "quay.io/oauth2-proxy/oauth2-proxy"
      # appVersion is used by default
      # NOTE(review): with an empty tag the proxy version follows the chart's
      # appVersion, so it moves only with chart bumps and there is no explicit
      # image tag for Renovate to track or for an auditor to read off.
      tag: ""
      pullPolicy: "IfNotPresent"
--------------------------------------------------------------------------------
/clusters/apps/base/auth-system/oauth2-proxy/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml

--------------------------------------------------------------------------------
/clusters/apps/base/flux-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Extra flux-system objects layered on top of the bootstrap install.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
resources:
  - podmonitor.yaml
--------------------------------------------------------------------------------
/clusters/apps/base/games/minecraft-proxy/hr.yaml:
--------------------------------------------------------------------------------
---
# Base HelmRelease for the itzg minecraft-proxy chart. No values are set here,
# so chart defaults apply unless an overlay patches them.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: minecraft-proxy
spec:
  interval: 5m
  chart:
    spec:
      chart: minecraft-proxy
      version: 3.9.0
      sourceRef:
        kind: HelmRepository
        name: itzg-minecraft-charts
        namespace: flux-system
--------------------------------------------------------------------------------
/clusters/apps/base/games/minecraft-proxy/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
# includeSelectors also writes the label into workload and Service selectors,
# so the value must not change after first deploy (selectors are immutable).
labels:
  - includeSelectors: true
    pairs:
      game: minecraft
--------------------------------------------------------------------------------
/clusters/apps/base/games/minecraft/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
# Same label/selector pairing as minecraft-proxy; keep the value stable.
labels:
  - includeSelectors: true
    pairs:
      game: minecraft
--------------------------------------------------------------------------------
/clusters/apps/base/home/homepage/hr.yaml:
--------------------------------------------------------------------------------
---
# Homepage dashboard. The image tag is pinned explicitly, so Renovate can
# track it independently of the chart version.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: homepage
spec:
  interval: 30m
  chart:
    spec:
      chart: homepage
      version: 2.1.0
      sourceRef:
        kind: HelmRepository
        name: jameswynn-charts
        namespace: flux-system
  maxHistory: 2
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  uninstall:
    keepHistory: false
  values:
    image:
      repository: ghcr.io/gethomepage/homepage
      tag: v1.2.0
--------------------------------------------------------------------------------
/clusters/apps/base/home/homepage/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/apps/base/kube-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - node-feature-discovery
--------------------------------------------------------------------------------
/clusters/apps/base/kube-system/node-feature-discovery/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - rules
--------------------------------------------------------------------------------
/clusters/apps/base/kube-system/node-feature-discovery/rules/coral.yaml:
--------------------------------------------------------------------------------
---
# Labels nodes that carry a Coral Edge TPU on PCIe.
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
  name: coral
spec:
  rules:
    - name: coral
      labels:
        feature.node.kubernetes.io/coral: "true"
      matchFeatures:
        - feature: pci.device
          matchExpressions:
            # NOTE(review): "1ac1" is a PCI vendor ID, but "089a" looks like the
            # Edge TPU's device ID. Listed under `vendor` it can never match the
            # intended card; it matches any device whose vendor happens to be
            # 089a instead. The likely intent is
            # `vendor: { op: In, value: ["1ac1"] }` together with
            # `device: { op: In, value: ["089a"] }`.
            vendor: { op: In, value: ["1ac1", "089a"] }
--------------------------------------------------------------------------------
/clusters/apps/base/kube-system/node-feature-discovery/rules/intel-gpu.yaml:
--------------------------------------------------------------------------------
---
# Labels nodes with an Intel GPU for the intel-gpu-plugin.
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
  name: intel-gpu
spec:
  rules:
    - name: intel-gpu
      labels:
        feature.node.kubernetes.io/intel-gpu: "true"
      matchFeatures:
        - feature: pci.device
          matchExpressions:
            # NOTE(review): "8086" is Intel's PCI vendor ID, but "1912" looks
            # like a device ID (as a vendor ID it belongs to Renesas). Because the
            # expression matches on vendor alone, every node with any Intel PCI
            # device (chipset, NIC, ...) gets the intel-gpu label, not just nodes
            # with a GPU. Expressing "Intel GPU" as
            # `vendor: { op: In, value: ["8086"] }` plus
            # `class: { op: In, value: ["0300"] }` (display controller), or an
            # explicit `device:` list, would be precise — confirm the intended
            # device IDs first.
            vendor: { op: In, value: ["8086", "1912"] }
--------------------------------------------------------------------------------
/clusters/apps/base/kube-system/node-feature-discovery/rules/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./zzh.yaml
  - ./coral.yaml
  - ./ups.yaml
  - ./intel-gpu.yaml
--------------------------------------------------------------------------------
/clusters/apps/base/kube-system/node-feature-discovery/rules/ups.yaml:
--------------------------------------------------------------------------------
---
# Labels the node a CyberPower UPS is plugged into (consumed by nut-exporter).
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
  name: ups
spec:
  rules:
    - name: cyberpower-ups
      labels:
        feature.node.kubernetes.io/cyberpower-ups: "true"
      matchFeatures:
        - feature: usb.device
          matchExpressions:
            # NOTE(review): same vendor/product mix-up as the other rules — "0764"
            # is CyberPower's USB vendor ID while "0601" looks like a product ID.
            # The intended form is probably `vendor: { op: In, value: ["0764"] }`
            # with `device: { op: In, value: ["0601"] }`.
            vendor: { op: In, value: ["0764", "0601"] }
--------------------------------------------------------------------------------
/clusters/apps/base/kube-system/node-feature-discovery/rules/zzh.yaml:
--------------------------------------------------------------------------------
---
# Labels the node holding the Zigbee coordinator stick (CH340 USB-serial).
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
  name: zzh
spec:
  rules:
    - name: zzh
      labels:
        feature.node.kubernetes.io/zzh: "true"
      matchFeatures:
        - feature: usb.device
          matchExpressions:
            # NOTE(review): "1a86" is the CH340's USB vendor ID and "7523" its
            # product ID. As written the rule matches on vendor only, so any
            # CH340-based serial adapter on a node earns the zzh label; split it
            # into `vendor: { op: In, value: ["1a86"] }` and
            # `device: { op: In, value: ["7523"] }`.
            vendor: { op: In, value: ["1a86", "7523"] }
--------------------------------------------------------------------------------
/clusters/apps/base/network-system/librespeed/hr.yaml:
--------------------------------------------------------------------------------
---
# Runs the OpenSpeedTest image through the k8s-at-home librespeed chart; note
# the release name differs from the chart name.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: openspeedtest
spec:
  interval: 5m
  chart:
    spec:
      chart: librespeed
      version: 5.4.2
      sourceRef:
        kind: HelmRepository
        name: k8s-at-home-charts
        namespace: flux-system
  values:
    image:
      repository: openspeedtest/latest
      # NOTE(review): `latest` is a mutable tag — pods may pull a different
      # image on every restart and Renovate has nothing to bump. Pin a release
      # tag (and, for reproducibility, a digest) instead.
      tag: latest
--------------------------------------------------------------------------------
/clusters/apps/base/network-system/librespeed/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/apps/base/network-system/librespeed/vs.yaml:
--------------------------------------------------------------------------------
---
# NOTE(review): this Istio VirtualService is not listed in kustomization.yaml
# (only hr.yaml is), so Flux never applies it; the production overlay carries
# an ingressroute.yaml for the same service. It looks like a leftover and can
# likely be deleted so unapplied config does not drift from what runs.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: librespeed
  namespace: istio-system
spec:
  hosts:
    # ${SECRET_DOMAIN} is presumably filled in by Flux post-build substitution.
    - 'speed.${SECRET_DOMAIN}'
  gateways:
    - istio-system/main
  http:
    - match:
        - port: 443
      route:
        - destination:
            port:
              number: 80
            host: librespeed.network-system.svc.cluster.local
--------------------------------------------------------------------------------
/clusters/apps/base/network-system/traefik/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/apps/base/observability/otel-collector/hr.yaml:
--------------------------------------------------------------------------------
---
# OpenTelemetry collector chart. No values here; the observability overlay
# supplies the collector configuration.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: otel-collector
spec:
  interval: 5m
  timeout: 10m
  install:
    timeout: 10m
  chart:
    spec:
      chart: opentelemetry-collector
      version: 0.125.0
      sourceRef:
        kind: HelmRepository
        name: opentelemetry-charts
        namespace: flux-system
--------------------------------------------------------------------------------
/clusters/apps/base/observability/otel-collector/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/apps/base/observability/otel-operator/hr.yaml:
--------------------------------------------------------------------------------
---
# OpenTelemetry operator chart. The install timeout (20m) deliberately exceeds
# the release-wide timeout (15m) that applies to upgrades.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: otel-operator
spec:
  interval: 60m
  timeout: 15m
  install:
    timeout: 20m
  chart:
    spec:
      chart: opentelemetry-operator
      version: 0.88.6
      sourceRef:
        kind: HelmRepository
        name: opentelemetry-charts
        namespace: flux-system
--------------------------------------------------------------------------------
/clusters/apps/base/observability/otel-operator/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml

--------------------------------------------------------------------------------
/clusters/apps/base/volsync/lib/rclone/kustomization.yaml:
--------------------------------------------------------------------------------
---
# rclone flavour of the shared VolSync library.  restore.yaml is a one-shot
# bootstrap and is deliberately left out of the default build; presumably it is
# enabled by hand when a PVC has to be re-seeded.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - backup.yaml
  # - restore.yaml
  - secret.rclone.yaml
--------------------------------------------------------------------------------
/clusters/apps/base/volsync/lib/rclone/restore.yaml:
--------------------------------------------------------------------------------
---
# Restores ${SRC_PVC} from the local MinIO rclone remote.  The manual trigger
# runs the mover once per trigger value rather than on a schedule.
apiVersion: volsync.backube/v1alpha1
kind: ReplicationDestination
metadata:
  name: "${SRC_PVC}-rclone-bootstrap-local"
spec:
  trigger:
    manual: "restore-once-bootstrap"
  rclone:
    # Section name inside the rclone.conf held by the Secret below.
    rcloneConfigSection: "local-volsync"
    destinationPVC: "${SRC_PVC}"
    rcloneDestPath: "${VOLSYNC_LOCAL_BUCKET}/${APP}/${SRC_PVC}"
    # The Secret is named after B2 but also carries the local MinIO section
    # used here.
    rcloneConfig: "volsync-b2-rclone-secret"
    # Direct writes straight into the live PVC (no intermediate snapshot).
    copyMethod: "Direct"
    storageClassName: "${STORAGE_CLASS}"
    capacity: "${SIZE:=20Gi}"
    accessModes: ["ReadWriteOnce"]
    # Mover runs unprivileged under the application's own uid/gid.
    moverSecurityContext:
      runAsNonRoot: true
      runAsUser: ${APP_UID}
      runAsGroup: ${APP_UID}
      fsGroup: ${APP_UID}
      seccompProfile: {type: "RuntimeDefault"}
    moverResources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: 1
        memory: 6Gi
--------------------------------------------------------------------------------
/clusters/apps/base/volsync/lib/rclone/secret.rclone.yaml:
--------------------------------------------------------------------------------
---
# rclone configuration shared by the rclone movers: an off-site B2 remote and a
# local MinIO (S3) remote.  All credentials are Flux substitution placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: "volsync-b2-rclone-secret"
  # Namespace is hard-wired here; consumers elsewhere re-target it with a
  # patch (the production database kustomization rewrites it to `database`).
  namespace: "backups"
type: Opaque
stringData:
  # NOTE(review): the local endpoint below is plain http, so backup payloads
  # cross the LAN unencrypted (SigV4 keeps the secret key itself off the wire,
  # the object data is not protected).  Consider TLS on the MinIO endpoint.
  rclone.conf: |
    [b2-volsync]
    type = b2
    account = ${VOLSYNC_B2_KEYID}
    key = ${VOLSYNC_B2_APPKEY}
    [local-volsync]
    type = s3
    provider = Minio
    env_auth = false
    access_key_id = ${VOLSYNC_LOCAL_KEYID}
    secret_access_key = ${VOLSYNC_LOCAL_APPKEY}
    region = us-east-1
    endpoint = http://192.168.130.4:9000
--------------------------------------------------------------------------------
/clusters/apps/base/volsync/lib/restic/kustomization.yaml:
--------------------------------------------------------------------------------
---
# restic flavour of the shared VolSync library; restore.yaml is opt-in, as in
# the rclone variant.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - backup.yaml
  # - restore.yaml
  - secret.restic.yaml
--------------------------------------------------------------------------------
/clusters/apps/base/volsync/lib/restic/restore.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://crds.jank.ing/volsync.backube/replicationdestination_v1alpha1.json
# Restores ${SRC_PVC} from the local restic repository via a volume snapshot.
apiVersion: volsync.backube/v1alpha1
kind: ReplicationDestination
metadata:
  name: "${SRC_PVC}-restic-bootstrap-local"
  labels:
    # Flux creates this object once and does not re-apply later changes, so a
    # bootstrap restore is not re-run on every reconcile.
    kustomize.toolkit.fluxcd.io/ssa: "IfNotPresent"
spec:
  trigger:
    manual: "restore-once-bootstrap"
  restic:
    copyMethod: "Snapshot"
    # Name of the Secret holding RESTIC_REPOSITORY/RESTIC_PASSWORD and the S3
    # keys (see secret.restic.yaml).
    repository: "${SRC_PVC}-local-restic"
    accessModes: ["${DST_ACCESS_MODE:=ReadWriteOnce}"]
    destinationPVC: ${SRC_PVC}
    volumeSnapshotClassName: "${SNAPSHOT_CLASS:=block}"
    storageClassName: "${STORAGE_CLASS}"
    # restic's local cache lives on its own small PVC.
    cacheStorageClassName: "${CACHE:=terra-blockpool}"
    cacheAccessModes: ["ReadWriteOnce"]
    cacheCapacity: "${CACHESIZE:=2Gi}"
    capacity: "${SIZE:=20Gi}"
    # Mover runs unprivileged under the application's own uid/gid.
    moverSecurityContext:
      runAsNonRoot: true
      runAsUser: ${APP_UID}
      runAsGroup: ${APP_UID}
      fsGroup: ${APP_UID}
      seccompProfile: {type: "RuntimeDefault"}
    moverResources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: 1
        memory: 6Gi
--------------------------------------------------------------------------------
/clusters/apps/base/volsync/lib/restic/secret.restic.yaml:
--------------------------------------------------------------------------------
---
# Two restic repositories per PVC: an off-site one on B2 and a local one on
# MinIO.  Values are Flux substitution placeholders, so nothing sensitive is
# committed here.  No namespace is set; presumably it is supplied by the
# consuming Flux Kustomization's targetNamespace — confirm.
apiVersion: v1
kind: Secret
metadata:
  name: "${SRC_PVC}-b2-restic"
type: Opaque
stringData:
  RESTIC_REPOSITORY: "${VOLSYNC_B2_S3}/restic/${SRC_PVC}"
  RESTIC_PASSWORD: "${VOLSYNC_B2_RESTIC_PASSWORD}"
  AWS_ACCESS_KEY_ID: "${VOLSYNC_B2_KEYID}"
  AWS_SECRET_ACCESS_KEY: "${VOLSYNC_B2_APPKEY}"
---
apiVersion: v1
kind: Secret
metadata:
  # Referenced by restore.yaml through `restic.repository`.
  name: "${SRC_PVC}-local-restic"
type: Opaque
stringData:
  RESTIC_REPOSITORY: "${VOLSYNC_LOCAL_S3}/restic/${SRC_PVC}"
  RESTIC_PASSWORD: "${VOLSYNC_LOCAL_RESTIC_PASSWORD}"
  AWS_ACCESS_KEY_ID: "${VOLSYNC_LOCAL_KEYID}"
  AWS_SECRET_ACCESS_KEY: "${VOLSYNC_LOCAL_APPKEY}"
--------------------------------------------------------------------------------
/clusters/apps/env/production/actions-runner-system/controller/app/hr.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
# Pulls the gha-runner-scale-set-controller chart from GHCR as an OCI artifact.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: gha-runner-scale-set-controller
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    # NOTE(review): a tag is mutable; adding `digest` next to it would pin the
    # chart to an immutable artifact.
    tag: 0.11.0
  url: oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: &name actions-runner-controller
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: gha-runner-scale-set-controller
  install:
    crds: CreateReplace
    remediation:
      # A negative value means unlimited retries: a broken first install keeps
      # being retried instead of surfacing as a failed release.
      retries: -1
  upgrade:
    cleanupOnFail: true
    crds: CreateReplace
    remediation:
      retries: 3
  values:
    fullnameOverride: *name
    replicaCount: 1
--------------------------------------------------------------------------------
/clusters/apps/env/production/actions-runner-system/controller/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./hr.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/actions-runner-system/controller/runners/gitops/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# The "gitops" runner scale set: its HelmRelease, the GitHub credentials
# (SOPS-encrypted, judging by the .enc suffix) and the RBAC below.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./secret.enc.yaml
  - ./hr.yaml
  - ./rbac.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/actions-runner-system/controller/runners/gitops/rbac.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitops-runner
---
# NOTE(review): this grants the self-hosted GitHub Actions runner cluster-admin,
# so every workflow job that executes on it has full control of the cluster;
# the runner's trust boundary is therefore whoever can get a job onto it.  A
# ClusterRole limited to the resources and verbs the gitops job actually needs
# would bound that blast radius — confirm what the job requires before
# narrowing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitops-runner
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: gitops-runner
    namespace: actions-runner-system
--------------------------------------------------------------------------------
/clusters/apps/env/production/actions-runner-system/controller/runners/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./gitops
--------------------------------------------------------------------------------
/clusters/apps/env/production/actions-runner-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./controller/ks.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/auth-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./oauth2-proxy/ks.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/auth-system/oauth2-proxy/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Production overlay on the base oauth2-proxy release: adds the Traefik
# IngressRoute and middlewares plus the Google client credentials
# (SOPS-encrypted, judging by the .enc suffix).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/auth-system/oauth2-proxy
  - ingressroute.yaml
  - middleware.yaml
  - google.enc.yaml
patches:
  - path: patch.oauth2-proxy.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/auth-system/oauth2-proxy/app/middleware.yaml:
--------------------------------------------------------------------------------
---
# Traefik ForwardAuth middleware: each request on a route that attaches it is
# first sent to oauth2-proxy at the address below.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: oauth-auth
spec:
  forwardAuth:
    address: https://sso.${FAMILY_DOMAIN}/oauth2
    # NOTE(review): with trustForwardHeader the client-supplied X-Forwarded-*
    # headers are passed to oauth2-proxy verbatim.  That is only safe when the
    # entrypoint is reachable solely through proxies that overwrite them
    # (Traefik's forwardedHeaders.trustedIPs) — confirm for the external
    # entrypoint.
    trustForwardHeader: true
    # Copied from oauth2-proxy's 200 response onto the request that reaches the
    # backend, so every service behind this middleware receives the user's
    # bearer token; keep the list to what the backends actually consume.
    authResponseHeaders:
      - X-Auth-Request-Access-Token
      - Authorization
---
# Turns 401–403 responses into oauth2-proxy's sign-in page, served by the
# google-auth-oauth2-proxy Service.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: oauth-errors
spec:
  errors:
    status:
      - "401-403"
    service:
      name: google-auth-oauth2-proxy
      port: 80
    query: "/oauth2/sign_in"
---
# Response hardening headers: HSTS for ten years (315360000 s) with preload
# and subdomains, plus nosniff, XSS filter and frame denial.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: oauth-headers
spec:
  headers:
    sslRedirect: true
    stsSeconds: 315360000
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsPreload: true
    frameDeny: true
--------------------------------------------------------------------------------
/clusters/apps/env/production/auth-system/oauth2-proxy/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app oauth2-proxy
  namespace: flux-system
spec:
  targetNamespace: auth-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/apps/env/production/auth-system/oauth2-proxy/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  # SOPS decryption with the AWS KMS credentials in the sops-aws Secret.
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  dependsOn:
    - name: external-dns-aws
    - name: external-dns-linode
    - name: external-dns-opnsense
    - name: traefik-external
  postBuild:
    substitute:
      APP: *app
      INGRESSROUTE_SUBDOMAIN: "sso"
    # ${...} placeholders in the app manifests are filled from these Secrets
    # and ConfigMaps at reconcile time.
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}
--------------------------------------------------------------------------------
/clusters/apps/env/production/database/cnpg/cluster/backup.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/postgresql.cnpg.io/scheduledbackup_v1.json
# Daily backup of the postgres16 cluster; `immediate` also triggers one as soon
# as the object is created, and the Backup objects are owned by (and garbage
# collected with) this ScheduledBackup.
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
  name: postgres
spec:
  schedule: "@daily"
  immediate: true
  backupOwnerReference: self
  cluster:
    name: postgres16
--------------------------------------------------------------------------------
/clusters/apps/env/production/database/cnpg/cluster/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - minio.enc.yaml
  - superuser.enc.yaml
  - service.yaml
  - cluster.yaml
  - backup.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/database/cnpg/cluster/service.yaml:
--------------------------------------------------------------------------------
---
# Exposes the CNPG primary outside the cluster: Cilium LB-IPAM assigns
# ${CLUSTER_LB_CNPG} and the address is BGP-announced from worker nodes.
# NOTE(review): nothing here limits who may reach port 5432 on that IP;
# `spec.loadBalancerSourceRanges` (or a CiliumNetworkPolicy on the postgres
# pods) would restrict it to the subnets that need database access.
apiVersion: v1
kind: Service
metadata:
  name: postgres-lb
  labels:
    io.cilium/bgp-announce: worker
  annotations:
    io.cilium/lb-ipam-ips: "${CLUSTER_LB_CNPG}"
spec:
  type: LoadBalancer
  ports:
    - name: postgres
      port: 5432
      protocol: TCP
      targetPort: 5432
  # Only the current primary receives traffic; CNPG flips the role label on
  # failover.
  selector:
    cnpg.io/cluster: postgres16
    role: primary
--------------------------------------------------------------------------------
/clusters/apps/env/production/database/cnpg/operator/hr.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server:
$schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: cnpg 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: cloudnative-pg 12 | version: 0.23.2 13 | sourceRef: 14 | kind: HelmRepository 15 | name: cloudnative-pg 16 | namespace: flux-system 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | strategy: rollback 24 | retries: 3 25 | dependsOn: 26 | - name: minio 27 | namespace: database 28 | - name: codex 29 | namespace: rook-codex 30 | values: 31 | crds: 32 | create: true 33 | monitoring: 34 | podMonitorEnabled: false 35 | grafanaDashboard: 36 | create: false 37 | podAnnotations: 38 | prometheus.io/scrape: "true" 39 | prometheus.io/port: "8080" 40 | -------------------------------------------------------------------------------- /clusters/apps/env/production/database/cnpg/operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - hr.yaml 6 | -------------------------------------------------------------------------------- /clusters/apps/env/production/database/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./cnpg/ks.yaml 6 | - ./minio/ks.yaml 7 | patches: 8 | - patch: |- 9 | - op: add 10 | path: /metadata/namespace 11 | value: database 12 | target: 13 | kind: Secret 14 | name: volsync-b2-rclone-secret 15 | -------------------------------------------------------------------------------- /clusters/apps/env/production/database/minio/app/ingressroute.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.io/v1alpha1 3 
| kind: IngressRoute 4 | metadata: 5 | name: ${APP} 6 | annotations: 7 | kubernetes.io/ingress.class: "traefik-internal" 8 | spec: 9 | entryPoints: 10 | - websecure 11 | routes: 12 | - kind: Rule 13 | match: "Host(`${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}`)" 14 | services: 15 | - name: ${APP} 16 | port: 9001 17 | - kind: Rule 18 | match: "Host(`${INGRESSROUTE_S3}.${FAMILY_DOMAIN}`)" 19 | services: 20 | - name: ${APP} 21 | port: 9000 22 | tls: 23 | secretName: heyjohn-wildcard-certificate 24 | domains: 25 | - main: ${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN} 26 | --- 27 | apiVersion: externaldns.k8s.io/v1alpha1 28 | kind: DNSEndpoint 29 | metadata: 30 | name: ${APP}-internal 31 | annotations: 32 | external-dns/private: "true" 33 | spec: 34 | endpoints: 35 | - dnsName: ${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN} 36 | recordTTL: 300 37 | recordType: A 38 | targets: 39 | - ${CLUSTER_LB_INGRESS_INTERNAL} 40 | - dnsName: ${INGRESSROUTE_S3}.${FAMILY_DOMAIN} 41 | recordTTL: 300 42 | recordType: A 43 | targets: 44 | - ${CLUSTER_LB_INGRESS_INTERNAL} 45 | -------------------------------------------------------------------------------- /clusters/apps/env/production/database/minio/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ../../../../../base/app-template 6 | - ingressroute.yaml 7 | - minio.enc.yaml 8 | patches: 9 | - path: app.patch.yaml 10 | - patch: |- 11 | - op: replace 12 | path: /metadata/name 13 | value: minio 14 | target: 15 | kind: HelmRelease 16 | name: .* 17 | -------------------------------------------------------------------------------- /clusters/apps/env/production/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./notifications/ks.yaml 6 | 
- ./webhook-receiver/ks.yaml 7 | -------------------------------------------------------------------------------- /clusters/apps/env/production/flux-system/notifications/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app flux-notifications-randomgamers 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: flux-system 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | path: ./clusters/apps/env/production/flux-system/notifications/randomgamers 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | wait: false 19 | interval: 30m 20 | retryInterval: 1m 21 | timeout: 5m 22 | decryption: 23 | provider: sops 24 | secretRef: 25 | name: sops-aws 26 | dependsOn: 27 | - name: external-dns-aws 28 | - name: external-dns-linode 29 | - name: traefik-external 30 | postBuild: 31 | substitute: 32 | APP: *app 33 | substituteFrom: 34 | - kind: Secret 35 | name: secrets-${CLUSTER_NAME} 36 | - kind: Secret 37 | name: secrets-generic 38 | - kind: ConfigMap 39 | name: settings-generic 40 | - kind: ConfigMap 41 | name: settings-${CLUSTER_NAME} 42 | -------------------------------------------------------------------------------- /clusters/apps/env/production/flux-system/notifications/randomgamers/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - alerts.yaml 6 | - provider.yaml 7 | - secret.enc.yaml 8 | -------------------------------------------------------------------------------- /clusters/apps/env/production/flux-system/notifications/randomgamers/provider.yaml: 
--------------------------------------------------------------------------------
---
# Discord notification provider; the webhook URL lives in the webhook-url
# Secret rather than in this file.
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
  name: discord
  namespace: flux-system
spec:
  type: discord
  channel: cluster-notifications
  username: Flux -- Cluster Reconciliation
  secretRef:
    name: webhook-url
--------------------------------------------------------------------------------
/clusters/apps/env/production/flux-system/webhook-receiver/github/ingressroute.yaml:
--------------------------------------------------------------------------------
---
# Public (traefik-external) route for the Flux webhook receiver.  The only
# guard on this path is the receiver's GitHub signature check against the
# webhook-token Secret, so that token needs to stay high-entropy.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: webhook-receiver
  annotations:
    kubernetes.io/ingress.class: "traefik-external"
    # NOTE(review): these two annotations and the DNSEndpoint below describe
    # the same CNAME; one of them is redundant — confirm which external-dns
    # instance consumes which.
    external-dns.alpha.kubernetes.io/hostname: receiver.${FAMILY_DOMAIN}
    external-dns.alpha.kubernetes.io/target: ${DYNAMIC_DOMAIN}
    external-dns/public: "true"
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: "Host(`receiver.${FAMILY_DOMAIN}`)"
      priority: 10
      services:
        - name: webhook-receiver
          port: 80
  tls:
    secretName: heyjohn-wildcard-certificate
    domains:
      - main: receiver.${FAMILY_DOMAIN}
---
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: webhook-receiver
  annotations:
    external-dns/public: "true"
spec:
  endpoints:
    - dnsName: receiver.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: CNAME
      targets:
        - ${DYNAMIC_DOMAIN}
--------------------------------------------------------------------------------
/clusters/apps/env/production/flux-system/webhook-receiver/github/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ingressroute.yaml
  - receiver.yaml
  - secret.enc.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/flux-system/webhook-receiver/github/receiver.yaml:
--------------------------------------------------------------------------------
---
# GitHub push webhook → immediate reconcile of the flux-system GitRepository.
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
  name: gitops
  namespace: flux-system
spec:
  type: github
  events:
    - 'ping'
    - 'push'
  # Shared secret used to validate GitHub's HMAC signature on each delivery.
  secretRef:
    name: webhook-token
  resources:
    # NOTE(review): the other Flux objects visible in this repo use v1/v1beta2;
    # `source.toolkit.fluxcd.io/v1beta1` is the oldest GitRepository version
    # and may no longer be served by the running Flux — verify with
    # `kubectl api-versions` and move this reference to
    # `source.toolkit.fluxcd.io/v1`.
    - apiVersion: source.toolkit.fluxcd.io/v1beta1
      kind: GitRepository
      name: flux-system
--------------------------------------------------------------------------------
/clusters/apps/env/production/flux-system/webhook-receiver/github/secret.enc.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
stringData:
  token: ENC[AES256_GCM,data:meIPBXG141nxn1mo+9UJEi3DgjLSXsIH1Z1mqI62zrl6tDpGuET6qA==,iv:0RY/wM1wzjnswI1IrE/mzptBByptP1ocTb4RFgbGMH0=,tag:lQBoSKRbnKhTFb/GeYwh6w==,type:str]
kind: Secret
metadata:
  name: webhook-token
  namespace: flux-system
type: Opaque
sops:
  kms:
    - arn: arn:aws:kms:us-east-2:300851077188:key/b797e748-1c53-462c-9c4c-50eebebc3130
      created_at: "2022-11-26T03:56:39Z"
      enc: AQICAHjVtcO/v540ZKcn1JNHjpqxHudubzP0wst32mS/Cuj1RwESdex1L4BYPDMdAdXmcgnFAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMJgoqOA3eKOZk4F2iAgEQgDt3sNn7ea3UT52+yse7A2bsCdrmct1rrnZ7mA9ete9Ov8AraET8udqWdJ5Q9VumamKrnNZQkZwHBQbqzA==
      aws_profile: ""
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age: []
  lastmodified: "2022-11-26T03:56:39Z"
  mac:
ENC[AES256_GCM,data:/PsgB7wXnVWrrUgV326HTglzejTaO2ohkq24JVlcu4op9dGGkrsy4/9Rv8EqzJP0jxO/0LwuLT9yXpeHLXEnEtucx+TUFbnxw1O3PuzE4Z13ssVfCXpAllpLOeH8OjtDPlAEe6bSoEuYNCc3ZeUQNyydbl4O+F7mTSeIDaNCcBU=,iv:IaAp26jtpTRjSlP9x0n7xQ6MdGMctG2XZxOXdsmcKJI=,tag:NXm0aI7osvd011WxV7zpbg==,type:str] 21 | pgp: [] 22 | encrypted_regex: ^(data|stringData)$ 23 | version: 3.7.3 24 | -------------------------------------------------------------------------------- /clusters/apps/env/production/flux-system/webhook-receiver/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app flux-webhook-github 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: flux-system 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | path: ./clusters/apps/env/production/flux-system/webhook-receiver/github 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | wait: false 19 | interval: 30m 20 | retryInterval: 1m 21 | timeout: 5m 22 | decryption: 23 | provider: sops 24 | secretRef: 25 | name: sops-aws 26 | dependsOn: 27 | - name: external-dns-linode 28 | - name: external-dns-aws 29 | - name: traefik-external 30 | postBuild: 31 | substitute: 32 | APP: *app 33 | substituteFrom: 34 | - kind: Secret 35 | name: secrets-${CLUSTER_NAME} 36 | - kind: Secret 37 | name: secrets-generic 38 | - kind: ConfigMap 39 | name: settings-generic 40 | - kind: ConfigMap 41 | name: settings-${CLUSTER_NAME} 42 | -------------------------------------------------------------------------------- /clusters/apps/env/production/games/ark/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | 
resources: 5 | - hr.yaml 6 | -------------------------------------------------------------------------------- /clusters/apps/env/production/games/ark/volsync/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - backup.yaml 6 | - cluster.yaml 7 | - fjordor-save.yaml 8 | - theisland-save.yaml 9 | -------------------------------------------------------------------------------- /clusters/apps/env/production/games/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./ark/ks.yaml 6 | -------------------------------------------------------------------------------- /clusters/apps/env/production/home/esphome/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ingressroute.yaml 6 | - deploykey.enc.yaml 7 | - secrets.yaml 8 | - hr.yaml 9 | -------------------------------------------------------------------------------- /clusters/apps/env/production/home/esphome/app/secrets.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | stringData: 3 | secrets.yaml: |- 4 | wifi_ssid: "${IOT_WIFI_SSID}" 5 | wifi_password: "${IOT_WIFI_PASSWORD}" 6 | wifi_fallback_ssid_password: "${ESPHOME_WIFI_FALLBACK_PASSWORD}" 7 | 8 | ota_pwd: "${ESPHOME_OTA_PASSWORD}" 9 | 10 | mqtt_host: ${SECRET_MQTT_ADDRESS} 11 | mqtt_user: "${SECRET_MQTT_USERNAME}" 12 | mqtt_pwd: "${SECRET_MQTT_PASSWORD}" 13 | 14 | domain_devices: .${FAMILY_DOMAIN} 15 | kind: Secret 16 | metadata: 17 | name: esphome-secrets -------------------------------------------------------------------------------- 
/clusters/apps/env/production/home/esphome/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app esphome 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: home 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | path: ./clusters/apps/env/production/home/esphome/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | wait: false 19 | interval: 30m 20 | retryInterval: 1m 21 | timeout: 5m 22 | decryption: 23 | provider: sops 24 | secretRef: 25 | name: sops-aws 26 | dependsOn: 27 | - name: traefik-internal 28 | - name: oauth2-proxy 29 | postBuild: 30 | substitute: 31 | APP: *app 32 | INGRESSROUTE_SUBDOMAIN: "esphome" 33 | substituteFrom: 34 | - kind: Secret 35 | name: secrets-${CLUSTER_NAME} 36 | - kind: Secret 37 | name: secrets-generic 38 | - kind: ConfigMap 39 | name: settings-generic 40 | - kind: ConfigMap 41 | name: settings-${CLUSTER_NAME} 42 | -------------------------------------------------------------------------------- /clusters/apps/env/production/home/frigate/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ../../../../../base/app-template 6 | - ingressroute.yaml 7 | configMapGenerator: 8 | - name: frigate-config 9 | files: 10 | - config.yml=./config/config.yml 11 | patches: 12 | - path: patch.frigate.yaml 13 | - patch: |- 14 | - op: replace 15 | path: /metadata/name 16 | value: frigate 17 | target: 18 | kind: HelmRelease 19 | name: .* 20 | generatorOptions: 21 | disableNameSuffixHash: true 22 | -------------------------------------------------------------------------------- 
/clusters/apps/env/production/home/frigate/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for frigate (namespace home): SOPS decryption via sops-aws,
# ${VAR} substitution from the cluster Secrets/ConfigMaps; reconciles only after
# the internal ingress and oauth2-proxy are ready.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app frigate
  namespace: flux-system
spec:
  targetNamespace: home
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/apps/env/production/home/frigate/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  dependsOn:
    - name: traefik-internal
    - name: oauth2-proxy
  postBuild:
    substitute:
      APP: *app
      INGRESSROUTE_SUBDOMAIN: "frigate"
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}
--------------------------------------------------------------------------------
/clusters/apps/env/production/home/home-assistant/app/ingressroute.music-assistant.yaml:
--------------------------------------------------------------------------------
---
# Internal-only route for Music Assistant, served from the home-assistant
# Service on port 8095.
# NOTE(review): media/music-assistant/app/ingressroute.yaml also matches
# Host(`mass.${FAMILY_DOMAIN}`) on traefik-internal, with priority 10 where this
# route sets none, so one of the two is shadowed; confirm which backend is meant.
# NOTE(review): no oauth middlewares are attached (compare media/slskd); this
# relies on the traefik-internal class being reachable only from the LAN — confirm.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: music-assistant-local
  annotations:
    kubernetes.io/ingress.class: "traefik-internal"
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: "Host(`mass.${FAMILY_DOMAIN}`)"
      services:
        - name: home-assistant
          port: 8095
          nativeLB: true
  tls:
    secretName: heyjohn-wildcard-certificate
    domains:
      - main: mass.${FAMILY_DOMAIN}
--------------------------------------------------------------------------------
/clusters/apps/env/production/home/home-assistant/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# home-assistant instance of the shared app-template: two SOPS-encrypted secrets
# plus separate IngressRoutes for Home Assistant and Music Assistant.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/app-template
  - code.enc.yaml
  - hass.enc.yaml
  - ingressroute.home-assistant.yaml
  - ingressroute.music-assistant.yaml
patches:
  - path: patch.hassio.yaml
  # Rename the template's HelmRelease to the app name.
  - patch: |-
      - op: replace
        path: /metadata/name
        value: home-assistant
    target:
      kind: HelmRelease
      name: .*
--------------------------------------------------------------------------------
/clusters/apps/env/production/home/homepage/buck/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Per-user homepage instance ("buck"): shared base plus the common ingress/DNS,
# every resource name suffixed with -buck so it can coexist with ../kat.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/home/homepage/
  - ../common/
nameSuffix: -buck
patches:
  - path: app.patch.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/home/homepage/common/dns.yaml:
--------------------------------------------------------------------------------
---
# Public CNAME for the homepage, pointing at the dynamic-DNS name.
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: homepage-external
  annotations:
    external-dns/public: "true"
spec:
  endpoints:
    - dnsName: ${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: CNAME
      targets:
        - ${DYNAMIC_DOMAIN}
---
# Private A record for the same name.
# NOTE(review): this "private" record targets the external ingress LB
# (${CLUSTER_LB_INGRESS_EXTERNAL}) whereas jaeger's -internal endpoint uses
# ${CLUSTER_LB_INGRESS_INTERNAL}. The homepage ingressroute is not in view, so
# confirm the external Traefik is really where homepage is published.
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: homepage-internal
  annotations:
    external-dns/private: "true"
spec:
  endpoints:
    - dnsName: ${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - ${CLUSTER_LB_INGRESS_EXTERNAL}
--------------------------------------------------------------------------------
/clusters/apps/env/production/home/homepage/common/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Ingress and DNS shared by both homepage instances (buck, kat).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./ingressroute.yaml
  - ./dns.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/home/homepage/kat/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Per-user homepage instance ("kat"); mirrors ../buck with the -kat suffix.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/home/homepage/
  - ../common/
nameSuffix: -kat
patches:
  - path: app.patch.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/home/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Entry point for the home namespace: one Flux Kustomization per app, plus a
# patch that places the shared VolSync rclone Secret in this namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./esphome/ks.yaml
  - ./frigate/ks.yaml
  - ./home-assistant/ks.yaml
  - ./homepage/ks.yaml
  - ./paperless/ks.yaml
  - ./zwavejs/ks.yaml
  - ./mosquitto/ks.yaml
  - ./nextcloud/ks.yaml
patches:
  - patch: |-
      - op: add
        path: /metadata/namespace
        value: home
    target:
      kind: Secret
      name: volsync-b2-rclone-secret
--------------------------------------------------------------------------------
/clusters/apps/env/production/home/mosquitto/app/config/mosquitto.conf:
--------------------------------------------------------------------------------
# Mosquitto broker configuration, shipped via the mosquitto-configmap ConfigMap
# generated in ../kustomization.yaml.
per_listener_settings false
# Plain MQTT listener; no TLS listener is defined, so the credentials checked
# against password_file cross the network unencrypted. Acceptable only while
# the broker is reachable solely from the cluster/LAN — confirm how it is exposed.
listener 1883
# Every client must authenticate against password_file.
allow_anonymous false
persistence true
persistence_location /data
# NOTE(review): autosave_interval is set twice (1800 here, 60 below); the later
# value presumably wins, making this line dead — drop whichever is unintended.
autosave_interval 1800
connection_messages false
autosave_interval 60
password_file /mosquitto/external_config/mosquitto_pwd
--------------------------------------------------------------------------------
/clusters/apps/env/production/home/mosquitto/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# mosquitto instance of the shared app-template. Unlike frigate/slskd the
# generated ConfigMap keeps its hash suffix; ./patches/kustomizeconfig.yaml
# makes kustomize rewrite the reference inside the HelmRelease values instead.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/app-template
  - secret.enc.yaml
configMapGenerator:
  - name: mosquitto-configmap
    files:
      - mosquitto.conf=./config/mosquitto.conf
configurations:
  - ./patches/kustomizeconfig.yaml
patches:
  - path: patch.mosquitto.yaml
  # Rename the template's HelmRelease to the app name.
  - patch: |-
      - op: replace
        path: /metadata/name
        value: mosquitto
    target:
      kind: HelmRelease
      name: .*
--------------------------------------------------------------------------------
/clusters/apps/env/production/home/mosquitto/app/patches/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
---
# Name-reference transformer config: when a generated ConfigMap is renamed
# (hash suffix), update the matching field in the HelmRelease values as well.
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/values/persistence/config-file/name
        kind: HelmRelease
--------------------------------------------------------------------------------
/clusters/apps/env/production/home/mosquitto/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for mosquitto (namespace home). It depends on cilium-bgp
# rather than on an ingress, presumably because the broker is exposed through a
# BGP-announced LoadBalancer and not via Traefik (patch.mosquitto.yaml not in view).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app mosquitto
  namespace: flux-system
spec:
  targetNamespace: home
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/apps/env/production/home/mosquitto/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  dependsOn:
    - name: cilium-bgp
  postBuild:
    substitute:
      APP: *app
      APP_UID: "994"  # substitute values must be strings, hence the quotes
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}
--------------------------------------------------------------------------------
/clusters/apps/env/production/home/nextcloud/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# nextcloud ships its own HelmRelease (hr.yaml) instead of the app-template,
# plus a SOPS-encrypted secret and an IngressRoute.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ingressroute.yaml
  - nextcloud.enc.yaml
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/home/paperless/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# paperless instance of the shared app-template with a SOPS-encrypted secret.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/app-template
  - ingressroute.yaml
  - secret.enc.yaml
patches:
  - path: patch.paperless.yaml
  # Rename the template's HelmRelease to the app name.
  - patch: |-
      - op: replace
        path: /metadata/name
        value: paperless
    target:
      kind: HelmRelease
      name: .*
--------------------------------------------------------------------------------
/clusters/apps/env/production/home/zwavejs/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# zwavejs instance of the shared app-template.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/app-template
  - ingressroute.yaml
patches:
  - path: patch.zwavejs.yaml
  # Rename the template's HelmRelease to the app name.
  - patch: |-
      - op: replace
        path: /metadata/name
        value: zwavejs
    target:
      kind: HelmRelease
      name: .*
--------------------------------------------------------------------------------
/clusters/apps/env/production/kube-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Production kube-system takes the shared base unchanged.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../base/kube-system/
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/audiobookshelf/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# audiobookshelf instance of the shared app-template: the template HelmRelease
# is renamed to the app and overridden by app.patch.yaml.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/app-template
  - ingressroute.yaml
patches:
  - path: app.patch.yaml
  - patch: |-
      - op: replace
        path: /metadata/name
        value: audiobookshelf
    target:
      kind: HelmRelease
      name: .*
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/deemix/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# deemix instance of the shared app-template (same pattern as audiobookshelf).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/app-template
  - ingressroute.yaml
patches:
  - path: app.patch.yaml
  - patch: |-
      - op: replace
        path: /metadata/name
        value: deemix
    target:
      kind: HelmRelease
      name: .*
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/deemix/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for deemix (namespace media). It waits on traefik-external,
# which suggests the app is published on the external ingress; its
# ingressroute.yaml is not in view, so confirm that route carries the oauth
# middlewares the way media/slskd's does.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app deemix
  namespace: flux-system
spec:
  targetNamespace: media
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/apps/env/production/media/deemix/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  dependsOn:
    - name: traefik-external
    - name: oauth2-proxy
    - name: lidarr
  postBuild:
    substitute:
      APP: *app
      INGRESSROUTE_SUBDOMAIN: deemix
      APP_UID: "1177"  # same UID as music-assistant; shared file ownership presumed
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Entry point for the media namespace. The VolSync-Secret namespace patch that
# ../home applies is kept here commented out.
# NOTE(review): media/music-assistant/ks.yaml exists in this tree but is not
# listed here; unless it is included elsewhere it is never reconciled, which
# would also explain the duplicate mass.${FAMILY_DOMAIN} route in
# home/home-assistant going unnoticed.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - audiobookshelf/ks.yaml
  - lidarr/ks.yaml
  - linkwarden/ks.yaml
  - prowlarr/ks.yaml
  - navidrome/ks.yaml
  - readarr/ks.yaml
  - slskd/ks.yaml
  - syncthing/ks.yaml
  - deemix/ks.yaml
# patches:
#   - patch: |-
#       - op: add
#         path: /metadata/namespace
#         value: media
#     target:
#       kind: Secret
#       name: volsync-b2-rclone-secret
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/lidarr/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# lidarr instance of the shared app-template with a SOPS-encrypted secret.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/app-template
  - ingressroute.yaml
  - lidarr.enc.yaml
patches:
  - path: app.patch.yaml
  - patch: |-
      - op: replace
        path: /metadata/name
        value: lidarr
    target:
      kind: HelmRelease
      name: .*
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/linkwarden/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# linkwarden instance of the shared app-template with a SOPS-encrypted secret.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/app-template
  - ingressroute.yaml
  - linkwarden.enc.yaml
patches:
  - path: app.patch.yaml
  - patch: |-
      - op: replace
        path: /metadata/name
        value: linkwarden
    target:
      kind: HelmRelease
      name: .*
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/music-assistant/app/ingressroute.yaml:
--------------------------------------------------------------------------------
---
# Internal-only route for music-assistant on port 8095 (INGRESSROUTE_SUBDOMAIN
# is "mass" per ../ks.yaml).
# NOTE(review): home/home-assistant/app/ingressroute.music-assistant.yaml
# matches the same host on the same ingress class; the explicit priority here
# presumably makes this route win — confirm that is the intent.
# No oauth middlewares: relies on traefik-internal not being reachable from
# outside the LAN — confirm.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ${APP}
  annotations:
    kubernetes.io/ingress.class: "traefik-internal"
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: "Host(`${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}`)"
      priority: 10
      services:
        - name: ${APP}
          port: 8095
          nativeLB: true
  tls:
    secretName: heyjohn-wildcard-certificate
    domains:
      - main: ${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/music-assistant/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# music-assistant instance of the shared app-template, plus VolSync manifests.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/app-template
  - ingressroute.yaml
  - volsync.yaml
patches:
  - path: app.patch.yaml
  - patch: |-
      - op: replace
        path: /metadata/name
        value: music-assistant
    target:
      kind: HelmRelease
      name: .*
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/music-assistant/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for music-assistant (namespace media), published as
# mass.${FAMILY_DOMAIN} on the internal ingress.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app music-assistant
  namespace: flux-system
spec:
  targetNamespace: media
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/apps/env/production/media/music-assistant/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  dependsOn:
    - name: traefik-internal
    - name: oauth2-proxy
  postBuild:
    substitute:
      APP: *app
      INGRESSROUTE_SUBDOMAIN: mass
      APP_UID: "1177"
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/navidrome/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# navidrome instance of the shared app-template.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/app-template
  - ingressroute.yaml
patches:
  - path: app.patch.yaml
  - patch: |-
      - op: replace
        path: /metadata/name
        value: navidrome
    target:
      kind: HelmRelease
      name: .*
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/prowlarr/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# prowlarr instance of the shared app-template.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/app-template
  - ingressroute.yaml
patches:
  - path: app.patch.yaml
  - patch: |-
      - op: replace
        path: /metadata/name
        value: prowlarr
    target:
      kind: HelmRelease
      name: .*
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/readarr/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# readarr instance of the shared app-template.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/app-template
  - ingressroute.yaml
patches:
  - path: app.patch.yaml
  - patch: |-
      - op: replace
        path: /metadata/name
        value: readarr
    target:
      kind: HelmRelease
      name: .*
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/slskd/app/ingressroute.yaml:
--------------------------------------------------------------------------------
---
# slskd behind oauth2-proxy on the internal ingress. external-dns publishes the
# name in the private zone only, pointing at the internal LB IP.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ${APP}
  annotations:
    kubernetes.io/ingress.class: "traefik-internal"
    external-dns.alpha.kubernetes.io/target: ${CLUSTER_LB_INGRESS_INTERNAL}
    external-dns/private: "true"
spec:
  entryPoints:
    - websecure
  routes:
    # Application traffic: every request passes the oauth-auth forward-auth
    # middleware; oauth-errors handles the unauthenticated case.
    - kind: Rule
      match: "Host(`${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}`)"
      middlewares:
        - name: oauth-auth
          namespace: auth-system
        - name: oauth-errors
          namespace: auth-system
      priority: 10
      services:
        - name: ${APP}
          port: 5030
    # /oauth2/ is routed straight to oauth2-proxy at a higher priority so the
    # sign-in and callback endpoints are reachable without already being
    # authenticated; nothing else is exposed on this path.
    - kind: Rule
      match: "Host(`${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}`) && PathPrefix(`/oauth2/`)"
      priority: 15
      middlewares:
        - name: oauth-headers
          namespace: auth-system
      services:
        - name: google-auth-oauth2-proxy
          namespace: auth-system
          port: 80
  tls:
    secretName: heyjohn-wildcard-certificate
    domains:
      - main: ${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/slskd/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# slskd instance of the shared app-template. Its config is a generated ConfigMap
# with a stable name (no hash suffix); the encrypted secret is slskd.enc.yaml.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/app-template
  - ingressroute.yaml
  - slskd.enc.yaml
configMapGenerator:
  - name: slskd-config
    files:
      - slskd.yml=./config.yaml
patches:
  - path: app.patch.yaml
  - patch: |-
      - op: replace
        path: /metadata/name
        value: slskd
    target:
      kind: HelmRelease
      name: .*
generatorOptions:
  disableNameSuffixHash: true
--------------------------------------------------------------------------------
/clusters/apps/env/production/media/syncthing/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# syncthing instance of the shared app-template.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/app-template
  - ingressroute.yaml
patches:
  - path: app.patch.yaml
  - patch: |-
      - op: replace
        path: /metadata/name
        value: syncthing
    target:
      kind: HelmRelease
      name: .*
--------------------------------------------------------------------------------
/clusters/apps/env/production/n8n/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Entry point for the n8n namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./n8n/ks.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/n8n/n8n/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# n8n ships its own HelmRelease plus a SOPS-encrypted secret.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
  - n8n.enc.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/external-dns/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization that applies the static private DNSEndpoint records under
# ./local; it waits on external-dns-opnsense, which presumably consumes them.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app local-dns-generator
  namespace: flux-system
spec:
  targetNamespace: network-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/apps/env/production/network-system/external-dns/local
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  dependsOn:
    - name: external-dns-opnsense
  postBuild:
    substitute:
      APP: *app
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/external-dns/local/home-automation.yaml:
--------------------------------------------------------------------------------
---
# Private A records for home-automation devices (static LAN addresses).
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: home-automation
  annotations:
    external-dns/private: "true"
spec:
  endpoints:
    - dnsName: tubeszb.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.130.120
    - dnsName: ratgdo.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.134.84
    - dnsName: dreame-upstairs.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.134.90
    - dnsName: dreame-downstairs.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.134.89
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/external-dns/local/kustomization.yaml:
--------------------------------------------------------------------------------
---
# One DNSEndpoint file per device group.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./k8s-nodes.yaml
  - ./omada.yaml
  - ./monitoring.yaml
  - ./home-automation.yaml
  - ./workbench.yaml
  - ./workstations.yaml
  - ./pihole.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/external-dns/local/monitoring.yaml:
--------------------------------------------------------------------------------
---
# Private A records for the monitoring stack; all four names share one target.
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: monitoring
  annotations:
    external-dns/private: "true"
spec:
  endpoints:
    - dnsName: prometheus.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 100.64.0.9
    - dnsName: prom-ord.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 100.64.0.9
    - dnsName: grafana.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 100.64.0.9
    - dnsName: loki.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 100.64.0.9
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/external-dns/local/omada.yaml:
--------------------------------------------------------------------------------
---
# Private A records for the Omada controller and the managed switches/APs.
# Several names are upper-case; DNS is case-insensitive, but check that the
# external-dns provider does not reject or normalise them differently.
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: omada
  annotations:
    external-dns/private: "true"
spec:
  endpoints:
    - dnsName: omada.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.133.20
    - dnsName: RACK1G.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.133.21
    - dnsName: SX3008F.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.133.22
    - dnsName: DOWNSTAIRS.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.133.23
    - dnsName: INWALL-MBR.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.133.24
    - dnsName: INWALL-LANDING.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.133.25
    - dnsName: GARAGE-10G.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.133.26
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/external-dns/local/pihole.yaml:
--------------------------------------------------------------------------------
---
# Private A records for the two Pi-hole resolvers.
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: pihole
  annotations:
    external-dns/private: "true"
spec:
  endpoints:
    - dnsName: peanut1.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.130.2
    - dnsName: peanut2.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.130.3
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/external-dns/local/workbench.yaml:
--------------------------------------------------------------------------------
---
# Private A records for the workbench host; netboot and boot are aliases of the
# same address.
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: workbench
  annotations:
    external-dns/private: "true"
spec:
  endpoints:
    - dnsName: workbench.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.130.4
    - dnsName: netboot.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.130.4
    - dnsName: boot.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.130.4
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/external-dns/local/workstations.yaml:
--------------------------------------------------------------------------------
---
# Private A records for user workstations.
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: workstations
  annotations:
    external-dns/private: "true"
spec:
  endpoints:
    - dnsName: buck-desktop.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.128.3
    - dnsName: jacob-desktop.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.128.4
    - dnsName: kat-desktop.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.128.6
    - dnsName: wayward.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - 192.168.128.8
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Entry point for the network-system namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./librespeed/ks.yaml
  - ./traefik/ks.yaml
  - ./external-dns/ks.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/librespeed/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# librespeed: shared base plus an IngressRoute and a HelmRelease patch.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/network-system/librespeed
  - ingressroute.yaml
patches:
  - path: patch.librespeed.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/librespeed/app/patch.librespeed.yaml:
--------------------------------------------------------------------------------
---
# Overrides for the librespeed HelmRelease: service port, chart ingress off
# (an IngressRoute is used instead) and resource limits.
# NOTE(review): the patch targets a HelmRelease named openspeedtest; the base
# hr.yaml is not in view — if its metadata.name differs, this patch matches nothing.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: openspeedtest
spec:
  values:
    service:
      main:
        ports:
          http:
            port: 3000
    ingress:
      main:
        enabled: false
    resources:
      requests:
        cpu: 10m
        memory: 27Mi
      limits:
        memory: 1024Mi
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/librespeed/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for librespeed (namespace network-system), published as
# speedof.${FAMILY_DOMAIN}; depends on the external Traefik, so the route is
# expected to be internet-facing (its ingressroute.yaml is not in view).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app librespeed
  namespace: flux-system
spec:
  targetNamespace: network-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/apps/env/production/network-system/librespeed/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  dependsOn:
    - name: traefik-external
  postBuild:
    substitute:
      APP: *app
      INGRESSROUTE_SUBDOMAIN: speedof
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/traefik/external/app.patch.yaml:
--------------------------------------------------------------------------------
---
# External-facing Traefik instance: selected by the traefik-external ingress
# class and given its own Cilium LB-IPAM address, separate from the internal one.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: traefik
spec:
  values:
    deployment:
      labels:
        app: "external-ingress"
    providers:
      kubernetesCRD:
        ingressClass: "traefik-external"
      kubernetesIngress:
        ingressClass: "traefik-external"
    service:
      annotations:
        io.cilium/lb-ipam-ips: ${CLUSTER_LB_INGRESS_EXTERNAL}
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/traefik/external/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Shared Traefik base, renamed with -external so both instances can coexist.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/network-system/traefik
nameSuffix: -external
patches:
  - path: app.patch.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/traefik/internal/app.patch.yaml:
--------------------------------------------------------------------------------
---
# Internal Traefik instance: traefik-internal ingress class and the internal
# LB-IPAM address. Routes without auth middlewares across this repo depend on
# this address not being reachable from outside the LAN.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: traefik
spec:
  values:
    deployment:
      labels:
        app: "internal-ingress"
    providers:
      kubernetesCRD:
        ingressClass: "traefik-internal"
      kubernetesIngress:
        ingressClass: "traefik-internal"
    service:
      annotations:
        io.cilium/lb-ipam-ips: ${CLUSTER_LB_INGRESS_INTERNAL}
--------------------------------------------------------------------------------
/clusters/apps/env/production/network-system/traefik/internal/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Shared Traefik base, renamed with -internal.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/network-system/traefik
nameSuffix: -internal
patches:
  - path: app.patch.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/observability/jaeger/app/hr.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
# Jaeger as a single all-in-one pod with in-memory storage (traces do not
# survive a restart); the separate agent/collector/query deployments are off.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: jaeger
spec:
  interval: 30m
  chart:
    spec:
      chart: jaeger
      version: 3.4.1
      sourceRef:
        kind: HelmRepository
        name: jaeger-charts
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  dependsOn:
    - name: codex
      namespace: rook-codex
  values:
    provisionDataStore:
      cassandra: false
    allInOne:
      enabled: true
      resources:
        limits:
          memory: 2048Mi
        requests:
          cpu: 256m
          memory: 128Mi
      storage:
        type: memory
    agent:
      enabled: false
    collector:
      enabled: false
    query:
      enabled: false
--------------------------------------------------------------------------------
/clusters/apps/env/production/observability/jaeger/app/ingressroute.yaml:
--------------------------------------------------------------------------------
---
# Internal route to the Jaeger UI. The backend Service is jaeger-query even
# though query.enabled is false in hr.yaml; that Service is presumably created
# for the all-in-one deployment by the chart — confirm against the chart.
# No oauth middlewares: the UI is reachable by anyone who can reach the
# internal ingress.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ${APP}
  annotations:
    kubernetes.io/ingress.class: "traefik-internal"
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: "Host(`${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}`)"
      priority: 10
      services:
        - name: jaeger-query
          port: 16686
  tls:
    secretName: heyjohn-wildcard-certificate
    domains:
      - main: ${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}
---
# Private A record for the UI name, pointing at the internal LB.
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: ${APP}-internal
  annotations:
    external-dns/private: "true"
spec:
  endpoints:
    - dnsName: ${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - ${CLUSTER_LB_INGRESS_INTERNAL}
--------------------------------------------------------------------------------
/clusters/apps/env/production/observability/jaeger/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# Jaeger bundle: HelmRelease, UI IngressRoute/DNS and a dedicated LoadBalancer
# Service for trace ingestion.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
  - ingressroute.yaml
  - loadbalancer.yaml
--------------------------------------------------------------------------------
/clusters/apps/env/production/observability/jaeger/app/loadbalancer.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Service
metadata:
  name: jaeger-external
  annotations:
    io.cilium/lb-ipam-ips: ${CLUSTER_LB_JAEGER}
  labels:
    io.cilium/bgp-announce: worker
spec:
  selector:
    app.kubernetes.io/component: all-in-one
    app.kubernetes.io/instance: jaeger
    app.kubernetes.io/name: jaeger
  type: LoadBalancer
  loadBalancerIP: ${CLUSTER_LB_JAEGER}
  ports:
    - appProtocol: http
      name: http-zipkin
      port: 9411
    - appProtocol:
grpc 22 | name: grpc-http 23 | port: 14250 24 | - name: c-tchan-trft 25 | port: 14267 26 | - appProtocol: http 27 | name: http-c-binary-trft 28 | port: 14268 29 | - appProtocol: grpc 30 | name: otlp-grpc 31 | port: 4317 32 | - appProtocol: http 33 | name: otlp-http 34 | port: 4318 35 | -------------------------------------------------------------------------------- /clusters/apps/env/production/observability/jaeger/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app jaeger 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: observability 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | path: ./clusters/apps/env/production/observability/jaeger/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | wait: false 19 | interval: 30m 20 | retryInterval: 1m 21 | timeout: 5m 22 | decryption: 23 | provider: sops 24 | secretRef: 25 | name: sops-aws 26 | postBuild: 27 | substitute: 28 | APP: *app 29 | INGRESSROUTE_SUBDOMAIN: jaeger 30 | substituteFrom: 31 | - kind: Secret 32 | name: secrets-${CLUSTER_NAME} 33 | - kind: Secret 34 | name: secrets-generic 35 | - kind: ConfigMap 36 | name: settings-generic 37 | - kind: ConfigMap 38 | name: settings-${CLUSTER_NAME} 39 | -------------------------------------------------------------------------------- /clusters/apps/env/production/observability/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./jaeger/ks.yaml 6 | - ./otel/ks.yaml 7 | - ./speedtest-exporter/ks.yaml 8 | - ./nut-exporter/ks.yaml 9 | - ./prometheus/ks.yaml 10 | - ./pyroscope/ks.yaml 11 | 
# /clusters/apps/env/production/observability/nut-exporter/app/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
# Leftover experiment: a JSON patch that would rename every HelmRelease in this
# overlay. Kept commented out; delete once it is certain it will not be needed.
# patches:
#   - patch: |-
#       - op: replace
#         path: /metadata/name
#         value: nut-exporter
#     target:
#       kind: HelmRelease
#       name: .*

# /clusters/apps/env/production/observability/nut-exporter/ks.yaml
# Flux Kustomization for the UPS (NUT) exporter. No substituteFrom here: only the
# two inline variables below are interpolated, so nothing from the cluster Secrets
# can leak into this path.
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app nut-exporter
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/apps/env/production/observability/nut-exporter/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  postBuild:
    substitute:
      APP: *app
      # Non-root UID the workload presumably runs as (consumed by hr.yaml, not in view).
      APP_UID: "9199"

# /clusters/apps/env/production/observability/otel/daemonset/kustomization.yaml
# Note: only `rbac.yaml` is included; the sibling `rbac.yaml.old` is not applied.
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - otel.yaml
  - rbac.yaml
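# /clusters/apps/env/production/observability/otel/daemonset/rbac.yaml.old
# STALE: the `.old` suffix means kustomize never applies this file (the daemonset
# kustomization lists `rbac.yaml`, not this). Dead RBAC manifests are easy to
# re-enable by accident; remove the file from the repo. Kept here unchanged only
# because this listing cannot delete files.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: collector
---
# Read-only discovery scope (pods, namespaces, replicasets) for k8s attribute enrichment.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: otel-collector
rules:
  - apiGroups: [""]
    resources: ["pods", "namespaces"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: otel-collector
subjects:
  - kind: ServiceAccount
    name: collector
    namespace: observability
roleRef:
  kind: ClusterRole
  name: otel-collector
  apiGroup: rbac.authorization.k8s.io

# /clusters/apps/env/production/observability/otel/operator/hr.yaml
# OpenTelemetry operator. The chart's securityContext is pinned to a fixed non-root
# UID/GID so the operator pod cannot run as root even if the image default changes.
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: otel-operator
spec:
  interval: 60m
  timeout: 15m
  install:
    timeout: 20m
  chart:
    spec:
      chart: opentelemetry-operator
      version: 0.88.6
      sourceRef:
        kind: HelmRepository
        name: opentelemetry-charts
        namespace: flux-system
  values:
    securityContext:
      runAsGroup: 2265
      runAsNonRoot: true
      runAsUser: 2265
      fsGroup: 2265

# /clusters/apps/env/production/observability/otel/operator/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
  - rbac.yaml

# /clusters/apps/env/production/observability/otel/operator/rbac.yaml
# ServiceAccount for the collectors the operator creates. No Role is bound here;
# the permissions it ends up with are defined elsewhere (not in view) — confirm.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: otel-collector

# /clusters/apps/env/production/observability/otel/scraper/cert.yaml
# Short-lived (24h, renewed 8h early) server certificate for the internal scraper,
# issued by the in-cluster step-ca via StepClusterIssuer. Short lifetimes keep the
# blast radius of a leaked key small; the private key lands in
# `otel-scraper-internal-tls`, so RBAC on that Secret is what protects it.
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: otel-scraper-internal
spec:
  # The secret name to store the signed certificate
  secretName: otel-scraper-internal-tls
  # Common Name
  commonName: otel-scraper.internal.${FAMILY_DOMAIN}
  # DNS SAN
  dnsNames:
    - otel-scraper.internal.${FAMILY_DOMAIN}
  # Duration of the certificate
  duration: 24h
  # Renew 8 hours before the certificate expiration
  renewBefore: 8h
  # The reference to the step issuer
  issuerRef:
    group: certmanager.step.sm
    kind: StepClusterIssuer
    name: step-issuer

# /clusters/apps/env/production/observability/otel/scraper/kustomization.yaml
# env.enc.yaml is SOPS-encrypted; it is decrypted by the parent Flux Kustomization.
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - otel.yaml
  - rbac.yaml
  - env.enc.yaml
  - cert.yaml

# /clusters/apps/env/production/observability/otel/syslogger/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - otel.yaml
  - service.yaml

# /clusters/apps/env/production/observability/prometheus/app/dns.yaml
# Private DNS record for the Prometheus LoadBalancer IP (not the ingress).
---
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: ${APP}-internal
  annotations:
    external-dns/private: "true"
spec:
  endpoints:
    - dnsName: ${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - ${CLUSTER_LB_PROMETHEUS}

# /clusters/apps/env/production/observability/prometheus/app/kustomization.yaml
# prometheus.yaml (the scrape config, not in view) is rendered into a ConfigMap with a
# stable name so the Deployment can mount it without a hash suffix.
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
  - service.yaml
  - service-account.yaml
  - dns.yaml
configMapGenerator:
  - name: prometheus-config
    files:
      - prometheus.yaml
generatorOptions:
  disableNameSuffixHash: true

# /clusters/apps/env/production/observability/prometheus/app/service-account.yaml
# Identity and RBAC for the hand-rolled Prometheus Deployment.
#
# FIX: the ClusterRoleBinding previously bound the `prometheus` ServiceAccount to
# `cluster-admin` while the dedicated read-only ClusterRole below was defined but
# never referenced. That made the token mounted into the Prometheus pod a full
# cluster administrator, so any compromise of Prometheus (it is exposed on an
# unauthenticated LoadBalancer, see service.yaml) would have been a cluster takeover.
# The binding now points at the scoped role.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
---
# Read-only discovery/scrape permissions — the usual set for kubernetes_sd_configs.
# prometheus.yaml is not in view; if it scrapes kubelet/cAdvisor through the API
# server proxy it would additionally need `nodes/proxy` — check the scrape config
# rather than widening this blindly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus
rules:
  - apiGroups: [""]
    resources:
      - nodes
      # Direct kubelet metrics endpoint (used by the `node` role with the API proxy).
      - nodes/metrics
      - services
      - endpoints
      - pods
    verbs: ["get", "list", "watch"]
  - apiGroups:
      # Ingress left `extensions` (removed in Kubernetes 1.22); keeping the old group
      # is harmless, adding `networking.k8s.io` makes the rule effective on this cluster.
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs: ["get", "list", "watch"]
  # API-server and aggregated /metrics endpoints.
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Bind the scoped role above, NOT cluster-admin.
  name: prometheus
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: observability

# /clusters/apps/env/production/observability/prometheus/app/service.yaml
# BGP-announced LoadBalancer exposing the Prometheus HTTP API/UI on :9090. Nothing in
# this manifest adds authentication or TLS; anyone who can reach
# ${CLUSTER_LB_PROMETHEUS} can query all scraped metrics and (if enabled upstream)
# hit the admin API. Restrict reachability or front it with the authenticated ingress.
---
apiVersion: v1
kind: Service
metadata:
  name: prometheus
  annotations:
    io.cilium/lb-ipam-ips: ${CLUSTER_LB_PROMETHEUS}
  labels:
    io.cilium/bgp-announce: worker
spec:
  selector:
    app: prometheus
  type: LoadBalancer
  # NOTE(review): deprecated field duplicating the Cilium annotation above.
  loadBalancerIP: ${CLUSTER_LB_PROMETHEUS}
  ports:
    - name: http
      port: 9090
      protocol: TCP
      targetPort: web

# /clusters/apps/env/production/observability/prometheus/ks.yaml
# Depends on `cilium-bgp` because the Service above is BGP-announced.
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app prometheus
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/apps/env/production/observability/prometheus/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  dependsOn:
    - name: cilium-bgp
  postBuild:
    substitute:
      APP: *app
      INGRESSROUTE_SUBDOMAIN: "prom-lyh"
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}

# /clusters/apps/env/production/observability/pyroscope/ks.yaml
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app pyroscope
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/apps/env/production/observability/pyroscope/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  postBuild:
    substitute:
      APP: *app
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}

# /clusters/apps/env/production/observability/speedtest-exporter/app/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml

# /clusters/apps/env/production/observability/speedtest-exporter/ks.yaml
# No substituteFrom: only APP is interpolated into this path.
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app speedtest-exporter
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/apps/env/production/observability/speedtest-exporter/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  postBuild:
    substitute:
      APP: *app

# /clusters/apps/env/production/rook/ingressroute.yaml
# Ceph mgr dashboard on the internal ingress. The dashboard has its own login, but no
# Traefik middleware is attached and the backend hop is to port 7000, which looks like
# the dashboard's non-TLS port — confirm, or terminate TLS end to end.
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ceph-dashboard
  namespace: rook-ceph
  annotations:
    kubernetes.io/ingress.class: "traefik-internal"
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: "Host(`ceph.${FAMILY_DOMAIN}`)"
      priority: 10
      services:
        - name: rook-ceph-mgr-dashboard
          port: 7000
  tls:
    secretName: heyjohn-wildcard-certificate
    domains:
      - main: ceph.${FAMILY_DOMAIN}
---
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: ceph-internal
  namespace: rook-ceph
  annotations:
    external-dns/private: "true"
spec:
  endpoints:
    - dnsName: ceph.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - ${CLUSTER_LB_INGRESS_INTERNAL}

# /clusters/apps/env/production/rook/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./ingressroute.yaml

# /clusters/core/base/applications/flux-system/git-repositories/cert-manager-linode.yaml
# Third-party chart pulled from git. Pinned to an immutable commit, so upstream
# changes cannot reach the cluster without a reviewed bump here — good.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: cert-manager-linode-source
  namespace: flux-system
spec:
  ignore: |
    # exclude all
    /*
    # path to chart
    !/chart
  interval: 30m
  ref:
    commit: 428e12f4a3dc47ef1d1925ae527003347afcc7f3
  timeout: 60s
  url: https://github.com/monostream/cert-manager-linode.git

# /clusters/core/base/applications/flux-system/git-repositories/cert-manager-webhook-linode.yaml
# Pinned to a commit (see above).
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: cert-manager-webhook-linode-source
  namespace: flux-system
spec:
  ignore: |
    # exclude all
    /*
    # path to chart
    !/deploy/cert-manager-webhook-linode
  interval: 1h
  ref:
    commit: cd89b19a82618395c6f0bd488ef7b220e2098022
  timeout: 60s
  url: https://github.com/slicen/cert-manager-webhook-linode.git

# /clusters/core/base/applications/flux-system/git-repositories/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
resources:
  - cert-manager-linode.yaml
  - cert-manager-webhook-linode.yaml
  - ocis.yaml

# /clusters/core/base/applications/flux-system/git-repositories/ocis.yaml
# Pinned to a commit (see above).
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: ocis-charts
  namespace: flux-system
spec:
  ignore: |
    # exclude all
    /*
    # path to chart
    !/charts/ocis
  interval: 5h
  ref:
    commit: 048be35054457a0eccf364baea8f7a9fd6e11a87
  timeout: 60s
  url: https://github.com/owncloud/ocis-charts.git

# /clusters/core/base/applications/flux-system/helm-repositories/angelnu-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: angelnu-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://angelnu.github.io/helm-charts
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/ark-server-charts-custom.yaml
# SUPPLY CHAIN: this source tracks a *branch* (`fix/kubernetes-custom`), unlike the
# commit-pinned GitRepositories above. Every new push to that branch is fetched and
# deployed on the next interval with no review step, so a compromised or force-pushed
# upstream flows straight into the cluster. Pin `ref.commit` to the reviewed SHA
# (not invented here) and let Renovate propose bumps.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: custom-ark-server-charts
  namespace: flux-system
spec:
  interval: 1h0m0s
  ignore: |
    # exclude all
    /*
    # include chart dir
    !/charts/
  url: https://github.com/crutonjohn/ark-server-charts
  ref:
    branch: fix/kubernetes-custom

# /clusters/core/base/applications/flux-system/helm-repositories/ark-server-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: ark-server-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://sickhub.github.io/ark-server-charts
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/authentik-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: authentik-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://charts.goauthentik.io
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/backube-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: backube-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://backube.github.io/helm-charts/
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/banzaicloud-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: banzaicloud-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://kubernetes-charts.banzaicloud.com
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/bitnami-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: bitnami-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://charts.bitnami.com/bitnami
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/bjw-s-charts.yaml
# (No explicit timeout here, unlike the sibling repositories; Flux's default applies.)
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: bjw-s-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://bjw-s-labs.github.io/helm-charts

# /clusters/core/base/applications/flux-system/helm-repositories/blakeshome-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: blakeshome-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://blakeblackshear.github.io/blakeshome-charts/
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/botkube-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: botkube-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://infracloudio.github.io/charts
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/cnpg.yaml
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: cloudnative-pg
  namespace: flux-system
spec:
  interval: 2h
  url: https://cloudnative-pg.github.io/charts

# /clusters/core/base/applications/flux-system/helm-repositories/coredns-charts.yaml
# https://github.com/coredns/helm
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: coredns-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://coredns.github.io/helm
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/crossplane-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: crossplane-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://charts.crossplane.io/stable
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/crutonjohn-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: crutonjohn-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://crutonjohn.github.io/helm-charts
  timeout: 3m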
# /clusters/core/base/applications/flux-system/helm-repositories/custom-bitwarden.yaml
# SUPPLY CHAIN: tracks the mutable `master` branch rather than a commit, unlike the
# commit-pinned GitRepositories in ../git-repositories. Any push to that branch is
# deployed on the next 2h interval without review — and this is the chart for the
# password manager. Pin `ref.commit` to the reviewed SHA (not invented here).
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: custom-bitwarden-chart
  namespace: flux-system
spec:
  interval: 2h
  url: https://github.com/crutonjohn/bitwarden-chart
  ref:
    branch: master

# /clusters/core/base/applications/flux-system/helm-repositories/democratic-csi-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: democratic-csi-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://democratic-csi.github.io/charts/
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/dex-chart.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: dex-chart
  namespace: flux-system
spec:
  interval: 2h
  url: https://charts.dexidp.io
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/emqx-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: emqx-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://repos.emqx.io/charts
  timeout: 3m
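# /clusters/core/base/applications/flux-system/helm-repositories/fairwinds-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: fairwinds-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://charts.fairwinds.com/stable
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/flagger-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: flagger-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://flagger.app
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/gatekeeper-charts.yaml
# Cleanup: dropped a stray `creationTimestamp: null` from metadata. It is a
# server-populated field (typically left behind by `kubectl ... --dry-run -o yaml`),
# ignored on apply, and only adds noise to diffs.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: gatekeeper-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://open-policy-agent.github.io/gatekeeper/charts
  timeout: 3m

# /clusters/core/base/applications/flux-system/helm-repositories/grafana-charts.yaml
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: grafana-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://grafana.github.io/helm-charts
  timeout: 3m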
-------------------------------------------------------------------------------- /clusters/core/base/applications/flux-system/helm-repositories/inlets-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: inlets-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://inlets.github.io/inlets-operator/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /clusters/core/base/applications/flux-system/helm-repositories/istio-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: istio-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://istio-release.storage.googleapis.com/charts 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /clusters/core/base/applications/flux-system/helm-repositories/itzg-minecraft-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: itzg-minecraft-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://itzg.github.io/minecraft-server-charts/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /clusters/core/base/applications/flux-system/helm-repositories/jaeger-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: jaeger-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://jaegertracing.github.io/helm-charts 10 | timeout: 3m 11 | 
-------------------------------------------------------------------------------- /clusters/core/base/applications/flux-system/helm-repositories/jameswynn-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: jameswynn-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: http://jameswynn.github.io/helm-charts/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /clusters/core/base/applications/flux-system/helm-repositories/jetstack-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: jetstack-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://charts.jetstack.io/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /clusters/core/base/applications/flux-system/helm-repositories/k8s-at-home-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: k8s-at-home-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://k8s-at-home.com/charts/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /clusters/core/base/applications/flux-system/helm-repositories/k8s-sigs-descheduler-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: k8s-sigs-descheduler-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 2h 9 | url: https://kubernetes-sigs.github.io/descheduler 10 | timeout: 3m 11 | 
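--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/k8s-sigs-external-dns-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: k8s-sigs-external-dns-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://kubernetes-sigs.github.io/external-dns/
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/kubernetes-nginx-ingress.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  # NOTE(review): the resource name does not match the file name
  # (kubernetes-nginx-ingress.yaml); every other file here uses the same
  # stem for both, which is what makes sourceRef names greppable.
  name: kubernetes-ingress-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://kubernetes.github.io/ingress-nginx
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/kubernetes-stable-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: kubernetes-stable-charts
  namespace: flux-system
spec:
  interval: 2h
  # NOTE(review): charts.helm.sh/stable is the archived, read-only Helm "stable"
  # repository; charts there receive no further updates. Anything still sourced
  # from it should move to the chart's maintained home.
  url: https://charts.helm.sh/stable
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/litmuschaos-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: litmuschaos-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://litmuschaos.github.io/litmus-helm/
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/longhorn-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: longhorn-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://charts.longhorn.io
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/metallb-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: metallb-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://metallb.github.io/metallb
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/nextcloud-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: nextcloud-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://nextcloud.github.io/helm/
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/node-feature-discovery-chart.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: node-feature-discovery-chart
  namespace: flux-system
spec:
  interval: 2h
  url: https://kubernetes-sigs.github.io/node-feature-discovery/charts
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/oauth2-proxy-chart.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: oauth2-proxy-chart
  namespace: flux-system
spec:
  interval: 2h
  url: https://oauth2-proxy.github.io/manifests
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/openfaas-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: openfaas-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://openfaas.github.io/faas-netes/
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/opentelemetry-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: opentelemetry-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://open-telemetry.github.io/opentelemetry-helm-charts
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/piraeus-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: piraeus-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://piraeus.io/helm-charts/
  # Added for consistency with the other HelmRepository objects in this
  # directory, which all set an explicit 3m fetch timeout.
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/replicator-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  # NOTE(review): the name does not match the file stem (replicator-charts);
  # the HelmRelease in kube-system/replicator/hr.yaml references this exact
  # name, so renaming must be done in both places together.
  name: kube-system-replicator
  namespace: flux-system
spec:
  interval: 2h
  url: https://helm.mittwald.de
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/rook-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: rook-charts
  namespace: flux-system
spec:
  interval: 2h
  url: "https://charts.rook.io/release"
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/signoz-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: signoz-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://charts.signoz.io
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/smallstep-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: smallstep-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://smallstep.github.io/helm-charts/
  timeout: 3m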
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/stakater-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: stakater-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://stakater.github.io/stakater-charts
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/tanzu-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: tanzu-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://vmware-tanzu.github.io/helm-charts
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/traefik-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: traefik-charts
  namespace: flux-system
spec:
  interval: 2h
  # NOTE(review): Traefik now publishes its chart index from
  # traefik.github.io/charts; confirm this older host still serves the index
  # (a dead index fails every HelmRelease that depends on it at once).
  url: https://helm.traefik.io/traefik
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/vernemq-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: vernemq-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://vernemq.github.io/docker-vernemq
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/victoriametrics-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: victoriametrics-charts
  namespace: flux-system
spec:
  interval: 2h
  url: https://victoriametrics.github.io/helm-charts/
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/helm-repositories/weaveworks-kured-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: weaveworks-kured-charts
  namespace: flux-system
spec:
  interval: 2h
  # NOTE(review): kured is maintained under the kubereboot org today and its
  # chart index has moved with it; verify this weaveworks index still updates,
  # otherwise the node-reboot daemon silently stops receiving releases.
  url: https://weaveworks.github.io/kured
  timeout: 3m
--------------------------------------------------------------------------------
/clusters/core/base/applications/flux-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Aggregates the Flux source objects: every HelmRepository above plus the
# git-repositories directory (not shown in this listing).
resources:
  - helm-repositories
  - git-repositories
--------------------------------------------------------------------------------
/clusters/core/base/applications/kube-system/intel-gpu-plugin/hr.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: intel-gpu-plugin
spec:
  interval: 5m
  chart:
    spec:
      chart: intel-gpu-plugin
      version: 4.4.2
      sourceRef:
        kind: HelmRepository
        # NOTE(review): this chart and the image below come from the archived
        # k8s-at-home project, so neither gets security fixes any more. The
        # device plugin runs privileged on every GPU node; an actively
        # maintained source (e.g. Intel's own device-plugins operator) is the
        # safer long-term home.
        name: k8s-at-home-charts
        namespace: flux-system
      interval: 5m
  values:
    image:
      repository: ghcr.io/k8s-at-home/intel-gpu-plugin
      tag: v0.22.0
--------------------------------------------------------------------------------
/clusters/core/base/applications/kube-system/intel-gpu-plugin/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/core/base/applications/kube-system/node-feature-discovery/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/core/base/applications/kube-system/reloader/hr.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: reloader
spec:
  interval: 5m
  chart:
    spec:
      chart: reloader
      version: 2.1.3
      sourceRef:
        kind: HelmRepository
        name: stakater-charts
        namespace: flux-system
      interval: 5m
  values:
    reloader:
      deployment:
        image:
          name: ghcr.io/stakater/reloader
          # NOTE(review): the image tag is pinned independently of the chart
          # version; when Renovate bumps one without the other the chart's
          # templates and the binary can drift apart. Confirm both are tracked.
          tag: v1.0.27
        pod:
          annotations:
            prometheus.io/scrape: "true"
            prometheus.io/port: "9091"
--------------------------------------------------------------------------------
/clusters/core/base/applications/kube-system/reloader/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
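/clusters/core/base/applications/kube-system/replicator/hr.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: replicator
spec:
  interval: 5m
  chart:
    spec:
      chart: kubernetes-replicator
      version: 2.11.1
      sourceRef:
        kind: HelmRepository
        name: kube-system-replicator
        namespace: flux-system
      interval: 5m
  values:
    image:
      repository: quay.io/mittwald/kubernetes-replicator
      tag: v2.11.1
    # cluster-admin is refused; the service account below gets only the
    # verbs/resources the replicator needs (namespaces, secrets, configmaps,
    # roles, rolebindings).
    grantClusterAdmin: false
    args:
      - -resync-period=5m
    serviceAccount:
      create: true
      name: replicator-kubernetes-replicator
      # NOTE(review): cluster-wide read/write on secrets is still a broad grant —
      # any workload that can set the replicator's annotations on a Secret can
      # have it copied into another namespace. Keep the annotation-driven
      # replication limited to the namespaces that actually need it.
      privileges:
        - apiGroups: [""]
          resources: ["namespaces"]
        - apiGroups: [""]
          resources: ["secrets", "configmaps"]
        - apiGroups: ["rbac.authorization.k8s.io"]
          resources: ["roles", "rolebindings"]
--------------------------------------------------------------------------------
/clusters/core/base/applications/kube-system/replicator/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/core/base/applications/network-system/cert-manager/hr.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: cert-manager
spec:
  interval: 5m
  chart:
    spec:
      chart: cert-manager
      version: v1.17.2
      sourceRef:
        kind: HelmRepository
        name: jetstack-charts
        namespace: flux-system
  # DNS-01 solving needs the external-dns releases to exist first.
  dependsOn:
    - name: external-dns-aws
      namespace: network-system
    - name: external-dns-linode
      namespace: network-system
  values:
    # nodeSelector:
    #   ${FAMILY_DOMAIN}/role: apps
    crds:
      # This option decides if the CRDs should be installed
      # as part of the Helm installation.
      enabled: true

      # This option makes it so that the "helm.sh/resource-policy": keep
      # annotation is added to the CRD. This will prevent Helm from uninstalling
      # the CRD when the Helm release is uninstalled.
      # WARNING: when the CRDs are removed, all cert-manager custom resources
      # (Certificates, Issuers, ...) will be removed too by the garbage collector.
      keep: true
    prometheus:
      enabled: true
--------------------------------------------------------------------------------
/clusters/core/base/applications/network-system/cert-manager/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/core/base/applications/network-system/external-dns/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/core/base/applications/network-system/linode-cert-manager/hr.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: linode-cert-manager
spec:
  interval: 5m
  chart:
    spec:
      chart: ./chart
      sourceRef:
        kind: GitRepository
        name: cert-manager-linode-source
        namespace: flux-system
  values:
    image:
      repository: monostream/cert-manager-linode
      # NOTE(review): an unpinned `latest` tag pulled with `Always` means a
      # third-party Docker Hub publisher can change what runs here on any pod
      # restart, and this component is handed the Linode API token to solve
      # DNS-01 challenges. Pin to an immutable tag or digest and let Renovate
      # propose updates. Same pattern in linode-webhook/hr.yaml below.
      tag: latest
      pullPolicy: Always
    # nodeSelector:
    #   ${FAMILY_DOMAIN}/role: apps
--------------------------------------------------------------------------------
/clusters/core/base/applications/network-system/linode-cert-manager/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/core/base/applications/network-system/linode-webhook/hr.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: linode-webhook
spec:
  interval: 1h
  chart:
    spec:
      chart: ./deploy/cert-manager-webhook-linode
      sourceRef:
        kind: GitRepository
        name: cert-manager-webhook-linode-source
        namespace: flux-system
  values:
    image:
      repository: slicen/cert-manager-webhook-linode
      # NOTE(review): unpinned tag — see the note in linode-cert-manager/hr.yaml.
      # Two Linode DNS-01 solvers appear to be deployed side by side; confirm
      # both are still needed, since each one holds API credentials.
      tag: latest
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
      requests:
        cpu: 100m
        memory: 128Mi
    # nodeSelector:
    #   ${FAMILY_DOMAIN}/role: apps
--------------------------------------------------------------------------------
/clusters/core/base/applications/network-system/linode-webhook/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/core/crds/external-dns/crds.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: external-dns-source
  namespace: flux-system
spec:
  interval: 30m
  # renovate: datasource=github-releases
  url: https://github.com/kubernetes-sigs/external-dns.git
  ref:
    tag: v0.17.0
  # Only the single CRD manifest is kept from the checkout.
  ignore: |
    # exclude all
    /*
    # include deploy crds dir
    !/docs/contributing/crd-source/crd-manifest.yaml
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: external-dns-crds
  namespace: flux-system
spec:
  interval: 15m
  # CRDs are never pruned: deleting them garbage-collects every DNSEndpoint.
  prune: false
  sourceRef:
    kind: GitRepository
    name: external-dns-source
  healthChecks:
    # apiextensions.k8s.io/v1beta1 was removed from the API server in
    # Kubernetes 1.22; the check must address CRDs via v1 or it can never
    # resolve the object and the Kustomization stays unhealthy.
    - apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      name: dnsendpoints.externaldns.k8s.io
--------------------------------------------------------------------------------
/clusters/core/crds/external-dns/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - crds.yaml
--------------------------------------------------------------------------------
/clusters/core/crds/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - external-dns
  - traefik
  - multus
  # - otel
--------------------------------------------------------------------------------
/clusters/core/crds/multus/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - crds.yaml
--------------------------------------------------------------------------------
/clusters/core/crds/otel/crds.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: otel-operator-source
  namespace: flux-system
spec:
  interval: 30m
  # renovate: datasource=github-releases
  url: https://github.com/open-telemetry/opentelemetry-operator.git
  ref:
    tag: v0.125.0
  ignore: |
    # exclude all
    /*
    # include deploy crds dir
    !/config
# NOTE(review): the consuming Kustomization below is commented out and this
# directory is also commented out of crds/kustomization.yaml, so the source
# above is dead configuration. If it is revived, note that a CRD healthCheck
# name must be the CRD's metadata.name (no "/v1alpha1" suffix).
# ---
# apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
# kind: Kustomization
# metadata:
#   name: otel-operator-crds
#   namespace: flux-system
# spec:
#   interval: 15m
#   path: config/default/
#   prune: false
#   sourceRef:
#     kind: GitRepository
#     name: otel-operator-source
#   healthChecks:
#     - apiVersion: apiextensions.k8s.io/v1
#       kind: CustomResourceDefinition
#       name: opentelemetrycollector.opentelemetry.io/v1alpha1
--------------------------------------------------------------------------------
/clusters/core/crds/otel/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - crds.yaml
--------------------------------------------------------------------------------
/clusters/core/crds/traefik/crds.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: traefik-chart-source
  namespace: flux-system
spec:
  interval: 30m
  # renovate: datasource=github-releases
  url: https://github.com/traefik/traefik-helm-chart.git
  ref:
    tag: v35.3.0
  ignore: |
    # exclude all
    /*
    # include deploy crds dir
    !/traefik/crds
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: traefik-crds
  namespace: flux-system
spec:
  interval: 15m
  prune: false
  sourceRef:
    kind: GitRepository
    name: traefik-chart-source
  healthChecks:
    # Same fix as external-dns-crds: CRDs are only addressable via
    # apiextensions.k8s.io/v1 on current clusters.
    - apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      name: ingressroutes.traefik.io
--------------------------------------------------------------------------------
/clusters/core/crds/traefik/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - crds.yaml
--------------------------------------------------------------------------------
/clusters/core/env/production/backups/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./snapshot-controller/ks.yaml
  - ./volsync/ks.yaml
--------------------------------------------------------------------------------
/clusters/core/env/production/backups/snapshot-controller/app/hr.yaml:
--------------------------------------------------------------------------------
---
# NOTE(review): the schema hint below is for the v2beta1 HelmRelease while the
# object is v2; editor validation will be against the wrong version.
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: snapshot-controller
spec:
  interval: 30m
  timeout: 15m
  chart:
    spec:
      chart: snapshot-controller
      version: 4.0.2
      sourceRef:
        kind: HelmRepository
        name: piraeus-charts
        namespace: flux-system
  maxHistory: 2
  install:
    crds: CreateReplace
    remediation:
      retries: 5
  upgrade:
    cleanupOnFail: true
    crds: CreateReplace
    remediation:
      strategy: rollback
      retries: 5
  uninstall:
    keepHistory: false
  values:
    controller:
      replicaCount: 2
--------------------------------------------------------------------------------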
/clusters/core/env/production/backups/snapshot-controller/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/core/env/production/backups/snapshot-controller/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app snapshot-controller
  namespace: flux-system
spec:
  targetNamespace: backups
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/core/env/production/backups/snapshot-controller/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  # SOPS-encrypted manifests under `path` are decrypted with the key material
  # held in the sops-aws Secret in flux-system.
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  postBuild:
    substitute:
      APP: *app
    # Cluster-specific values come from Secrets/ConfigMaps keyed by
    # ${CLUSTER_NAME}; the generic ones are shared across clusters.
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}
--------------------------------------------------------------------------------
/clusters/core/env/production/backups/volsync/app/hr.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: volsync
spec:
  interval: 30m
  timeout: 15m
  chart:
    spec:
      chart: volsync
      version: 0.12.1
      sourceRef:
        kind: HelmRepository
        name: backube-charts
        namespace: flux-system
  maxHistory: 5
  install:
    remediation:
      retries: 5
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 5
  uninstall:
    keepHistory: false
  dependsOn:
    - name: snapshot-controller
      namespace: backups
  values:
    manageCRDs: true
    metrics:
      # NOTE(review): this appears to turn off authentication on the operator's
      # metrics endpoint (scraped over https on 8443 per the annotations below).
      # Anything that can reach the pod in-cluster can then read the metrics.
      # Acceptable if a NetworkPolicy restricts scrapers; otherwise prefer
      # keeping auth on and giving the scraper a bearer token.
      disableAuth: true
    podAnnotations:
      prometheus.io/metric_path: /metrics
      prometheus.io/port: "8443"
      prometheus.io/scrape: "true"
      prometheus.io/scrape_scheme: "https"
--------------------------------------------------------------------------------
/clusters/core/env/production/backups/volsync/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - hr.yaml
--------------------------------------------------------------------------------
/clusters/core/env/production/backups/volsync/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app volsync
  namespace: flux-system
spec:
  targetNamespace: backups
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/core/env/production/backups/volsync/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  # No namespace on these entries, so they resolve to Flux Kustomizations in
  # flux-system (this object's own namespace).
  dependsOn:
    - name: snapshot-controller
    - name: rook-terra
    - name: rook-codex
  postBuild:
    substitute:
      APP: *app
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}
--------------------------------------------------------------------------------
/clusters/core/env/production/kube-system/cilium/bgp/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - peering.yaml
  - service-pool.yaml
--------------------------------------------------------------------------------
/clusters/core/env/production/kube-system/cilium/bgp/peering.yaml:
--------------------------------------------------------------------------------
---
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPPeeringPolicy
metadata:
  name: bgp-peering-policy-worker
spec:
  # Matches every Linux node, so each node peers with the router below.
  nodeSelector:
    matchLabels:
      kubernetes.io/os: linux
  virtualRouters:
    - localASN: 64513
      # Only services labelled io.cilium/bgp-announce=worker are advertised.
      serviceSelector:
        matchExpressions:
          - {key: "io.cilium/bgp-announce", operator: In, values: ['worker']}
      neighbors:
        - peerAddress: '192.168.130.1/32'
          peerASN: 64512
          # NOTE(review): a multihop TTL of 10 is only needed when the peer is
          # not directly connected; for an on-link router, TTL 1 (the default)
          # limits who can source a session from further away — confirm the
          # topology before tightening.
          eBGPMultihopTTL: 10
          connectRetryTimeSeconds: 120
          holdTimeSeconds: 90
          keepAliveTimeSeconds: 30
          gracefulRestart:
            enabled: true
            restartTimeSeconds: 120
--------------------------------------------------------------------------------
/clusters/core/env/production/kube-system/cilium/bgp/service-pool.yaml:
--------------------------------------------------------------------------------
---
apiVersion: cilium.io/v2alpha1
kind: CiliumLoadBalancerIPPool
metadata:
  name: service-pool
spec:
  cidrs:
    - cidr: 192.168.142.0/24
--------------------------------------------------------------------------------
/clusters/core/env/production/kube-system/cilium/hubble/dns.yaml:
--------------------------------------------------------------------------------
---
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: ${APP}-internal
  annotations:
    # Marks the record for the private-zone external-dns instance only; the
    # target below is the internal ingress LB, so it must not reach public DNS.
    external-dns/private: "true"
spec:
  endpoints:
    - dnsName: ${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}
      recordTTL: 300
      recordType: A
      targets:
        - ${CLUSTER_LB_INGRESS_INTERNAL}
--------------------------------------------------------------------------------
/clusters/core/env/production/kube-system/cilium/hubble/ingressroute.hubble.yaml:
--------------------------------------------------------------------------------
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: ${INGRESSROUTE_SUBDOMAIN}
  annotations:
    kubernetes.io/ingress.class: "traefik-internal"
spec:
  entryPoints:
    - websecure
  routes:
    # Everything on the host goes through the oauth2-proxy forward-auth
    # middleware before reaching hubble-ui.
    - kind: Rule
      match: "Host(`${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}`)"
      priority: 10
      middlewares:
        - name: oauth-auth
          namespace: auth-system
        - name: oauth-errors
          namespace: auth-system
      services:
        - name: hubble-ui
          port: 80
    # The /oauth2/ callback path is served by the proxy itself and therefore
    # deliberately carries no oauth-auth middleware; the higher priority (15)
    # makes it win over the catch-all rule above. Keep the PathPrefix narrow so
    # nothing else on the host escapes authentication.
    - kind: Rule
      match: Host(`${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}`) && PathPrefix(`/oauth2/`)
      middlewares:
        - name: oauth-headers
          namespace: auth-system
      priority: 15
      services:
        - name: google-auth-oauth2-proxy
          namespace: auth-system
          port: 80
  tls:
    secretName: heyjohn-wildcard-certificate
    domains:
      - main: ${INGRESSROUTE_SUBDOMAIN}.${FAMILY_DOMAIN}
--------------------------------------------------------------------------------
/clusters/core/env/production/kube-system/cilium/hubble/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ingressroute.hubble.yaml
  - dns.yaml
--------------------------------------------------------------------------------
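# ---- /clusters/core/env/production/kube-system/intel-gpu-plugin/app/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/applications/kube-system/intel-gpu-plugin
patches:
  - path: patch.intel.yaml
# ---- /clusters/core/env/production/kube-system/intel-gpu-plugin/app/patch.intel.yaml ----
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: intel-gpu-plugin
spec:
  values:
    # Expose each GPU to up to two containers at once.
    args:
      - -shared-dev-num
      - "2"
    # Only schedule on nodes that NFD labelled with the custom intel-gpu rule.
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: feature.node.kubernetes.io/custom-intel-gpu
                  operator: In
                  values:
                    - "true"
    resources:
      requests:
        cpu: 15m
        memory: 53M
      limits:
        cpu: 32m
        memory: 69M
# ---- /clusters/core/env/production/kube-system/intel-gpu-plugin/ks.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app intel-gpu-plugin
  namespace: flux-system
spec:
  targetNamespace: kube-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/core/env/production/kube-system/intel-gpu-plugin/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  postBuild:
    substitute:
      APP: *app
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}
# ---- /clusters/core/env/production/kube-system/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./cilium/ks.yaml
  - ./intel-gpu-plugin/ks.yaml
  - ./node-feature-discovery/ks.yaml
  - ./reloader/ks.yaml
  - ./replicator/ks.yaml
# ---- /clusters/core/env/production/kube-system/node-feature-discovery/app/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/applications/kube-system/node-feature-discovery
patches:
  - path: patch.nfd.yaml
# ---- /clusters/core/env/production/kube-system/node-feature-discovery/app/patch.nfd.yaml ----
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: node-feature-discovery
spec:
  values:
    master:
      replicaCount: 1
      nodeSelector:
        kubernetes.io/arch: "amd64"
      resources:
        requests:
          cpu: 15m
          memory: 53M
        limits:
          cpu: 50m
          memory: 120M
    worker:
      resources:
        requests:
          cpu: 15m
          memory: 53M
        limits:
          cpu: 50m
          memory: 120M
      nodeSelector:
        kubernetes.io/arch: "amd64"
# ---- /clusters/core/env/production/kube-system/node-feature-discovery/ks.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app node-feature-discovery
  namespace: flux-system
spec:
  targetNamespace: kube-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/core/env/production/kube-system/node-feature-discovery/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  postBuild:
    substitute:
      APP: *app
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}
# ---- /clusters/core/env/production/kube-system/reloader/app/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/applications/kube-system/reloader
patches:
  - path: patch.reloader.yaml
# ---- /clusters/core/env/production/kube-system/reloader/app/patch.reloader.yaml ----
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: reloader
spec:
  values:
    nameOverride: reloader
    fullnameOverride: reloader
    reloader:
      deployment:
        # Hardened pod/container security context: non-root, no capabilities,
        # no privilege escalation, read-only root filesystem.
        securityContext:
          runAsNonRoot: true
          runAsUser: 65530
        containerSecurityContext:
          capabilities:
            drop:
              - ALL
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        pod:
          annotations:
            prometheus.io/scrape: "true"
            prometheus.io/port: "9090"
        resources:
          requests:
            cpu: 15m
            memory: 53M
          limits:
            memory: 145M
# ---- /clusters/core/env/production/kube-system/reloader/ks.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  # This file defines the reloader Kustomization; replicator/ks.yaml defines
  # replicator. Both are listed from kube-system/kustomization.yaml.
  name: &app reloader
  namespace: flux-system
spec:
  targetNamespace: kube-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/core/env/production/kube-system/reloader/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  postBuild:
    substitute:
      APP: *app
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}
# ---- /clusters/core/env/production/kube-system/replicator/app/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/applications/kube-system/replicator
patches:
  - path: patch.replicator.yaml
# ---- /clusters/core/env/production/kube-system/replicator/app/patch.replicator.yaml ----
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: replicator
spec:
  values:
    nodeSelector:
      kubernetes.io/arch: amd64
    resources:
      requests:
        cpu: 15m
        memory: 53M
      limits:
        cpu: 32m
        memory: 145M
# ---- /clusters/core/env/production/kube-system/replicator/ks.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  # This file defines the replicator Kustomization; reloader/ks.yaml defines
  # reloader.
  name: &app replicator
  namespace: flux-system
spec:
  targetNamespace: kube-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/core/env/production/kube-system/replicator/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  postBuild:
    substitute:
      APP: *app
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}
# ---- /clusters/core/env/production/network-system/cert-manager/aws/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/applications/network-system/cert-manager
patches:
  - path: app.patch.yaml
# ---- /clusters/core/env/production/network-system/cert-manager/certificates/crj-wildcard-cert.yaml ----
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: crj-wildcard-certificate
  namespace: network-system
spec:
  secretName: crj-wildcard-certificate
  secretTemplate:
    annotations:
      # Every namespace listed here can pull a copy of the wildcard private
      # key via the replicator; keep this list to namespaces that terminate
      # TLS for this domain.
      replicator.v1.mittwald.de/replication-allowed: "true"
      replicator.v1.mittwald.de/replication-allowed-namespaces: "auth-system,flux-system,media,network-system,observability,home,kube-system,rook-ceph,database,ocis"
  # 90-day cert, renewed 15 days before expiry.
  duration: 2160h
  renewBefore: 360h
  subject:
    organizations:
      - CRJ Technologies LLC
  dnsNames:
    - crutonjohn.com
    - "*.crutonjohn.com"
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-production
# ---- /clusters/core/env/production/network-system/cert-manager/certificates/heyjohn-wildcard-cert.yaml ----
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: heyjohn-wildcard-certificate
  namespace: network-system
spec:
  secretName: heyjohn-wildcard-certificate
  secretTemplate:
    annotations:
      # Same replication scope as crj-wildcard-certificate; each listed
      # namespace receives the wildcard private key.
      replicator.v1.mittwald.de/replication-allowed: "true"
      replicator.v1.mittwald.de/replication-allowed-namespaces: "auth-system,flux-system,media,network-system,observability,home,kube-system,rook-ceph,database,ocis"
  duration: 2160h
  renewBefore: 360h
  subject:
    organizations:
      - CRJ Technologies LLC
  dnsNames:
    - ${FAMILY_DOMAIN}
    - "*.${FAMILY_DOMAIN}"
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-production
# ---- /clusters/core/env/production/network-system/cert-manager/certificates/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - crj-wildcard-cert.yaml
  - heyjohn-wildcard-cert.yaml
# ---- /clusters/core/env/production/network-system/cert-manager/issuers/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - le-prod.yaml
  - le-stg.yaml
# ---- /clusters/core/env/production/network-system/cert-manager/issuers/le-prod.yaml ----
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin+letsencrypt@curtisrayjohn.com
    privateKeySecretRef:
      name: letsencrypt-production
    # Solver is picked by dnsNames: SECRET_DOMAIN via Route53, FAMILY_DOMAIN via
    # the Linode webhook. The Route53 solver carries no inline credentials, so
    # it relies on whatever the cert-manager pod gets from its environment.
    solvers:
      - selector:
          dnsNames:
            - "*.${SECRET_DOMAIN}"
            - "${SECRET_DOMAIN}"
        dns01:
          route53:
            region: us-east-2
      - selector:
          dnsNames:
            - "*.${FAMILY_DOMAIN}"
            - "${FAMILY_DOMAIN}"
        dns01:
          webhook:
            # Must match the groupName the linode webhook is deployed with
            # (linode-certmanager-webhook/app/patch.app.yaml).
            groupName: linode-dns.${FAMILY_DOMAIN}
            solverName: linode
            config:
              # The token is read from a Secret rather than substituted inline,
              # which keeps it out of the ClusterIssuer object itself.
              #apiKey: ${CERT_MANAGER_LINODE_API_TOKEN}
              apiKeySecretRef:
                name: linode-credentials
                key: token
# ---- /clusters/core/env/production/network-system/cert-manager/issuers/le-stg.yaml ----
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin+letsencrypt@curtisrayjohn.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - selector:
          dnsNames:
            - "*.${SECRET_DOMAIN}"
            - "${SECRET_DOMAIN}"
        dns01:
          route53:
            region: us-east-2
      - selector:
          dnsNames:
            - "*.${FAMILY_DOMAIN}"
            - "${FAMILY_DOMAIN}"
        dns01:
          webhook:
            groupName: linode-dns.${FAMILY_DOMAIN}
            solverName: linode
            config:
              #apiKey: ${CERT_MANAGER_LINODE_API_TOKEN}
              apiKeySecretRef:
                name: linode-credentials
                key: token
# ---- /clusters/core/env/production/network-system/cert-manager/linode/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/applications/network-system/linode-cert-manager
patches:
  - path: patch.app.yaml
# ---- /clusters/core/env/production/network-system/cert-manager/linode/patch.app.yaml ----
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: linode-cert-manager
spec:
  values:
    fullnameOverride: "cert-manager-linode"
    # NOTE(review): this groupName does not match the linode-dns.${FAMILY_DOMAIN}
    # the ClusterIssuers use, so if this release is still reconciled it is not
    # the webhook they resolve to (that one is linode-certmanager-webhook).
    # Confirm whether this second deployment is still needed.
    groupName: linode-dns.cluster.local
    certManager:
      namespace: network-system
      serviceAccountName: cert-manager
# ---- /clusters/core/env/production/network-system/external-dns/aws/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/applications/network-system/external-dns
  # SOPS-encrypted AWS credentials for the Route53 provider.
  - aws-creds.enc.yaml
nameSuffix: -aws
patches:
  - path: app.patch.yaml
# ---- /clusters/core/env/production/network-system/external-dns/linode/app.patch.yaml ----
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: external-dns
spec:
  values:
    domainFilters: ["${FAMILY_DOMAIN}"]
    provider: linode
    extraArgs:
      # Only objects annotated external-dns/public=true are published to Linode.
      - --annotation-filter=external-dns/public in (true)
      - --ignore-ingress-tls-spec
      - --traefik-disable-legacy
    env:
      - name: LINODE_TOKEN
        # NOTE(review): the token is substituted by Flux postBuild into this
        # HelmRelease and the resulting Deployment as a plaintext env value, so
        # anyone who can read either object in network-system can read it. The
        # cert-manager issuers reference the Linode token through a Secret
        # (apiKeySecretRef) instead; the same pattern (valueFrom.secretKeyRef
        # on a Secret in network-system) would keep it out of the pod spec.
        value: "${EXTERNAL_DNS_LINODE_API_TOKEN}"
# ---- /clusters/core/env/production/network-system/external-dns/linode/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/applications/network-system/external-dns
nameSuffix: -linode
patches:
  - path: app.patch.yaml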
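# ---- /clusters/core/env/production/network-system/external-dns/opnsense/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/applications/network-system/external-dns
  - ./secret.enc.yaml
patches:
  - path: patch.externaldns.yaml
  # Rename the base HelmRelease so it does not collide with the -aws/-linode
  # instances built from the same base.
  - patch: |-
      - op: replace
        path: /metadata/name
        value: external-dns-opnsense
    target:
      kind: HelmRelease
      name: .*
# NOTE(review): an alloy-config ConfigMap generated from ./config.alloy looks
# unrelated to external-dns (likely a copy-paste leftover). If ./config.alloy
# is missing the kustomize build fails; if present, an unrelated ConfigMap is
# created in network-system. Confirm it is still wanted here.
configMapGenerator:
  - name: alloy-config
    files:
      - ./config.alloy
generatorOptions:
  disableNameSuffixHash: true
# ---- /clusters/core/env/production/network-system/external-dns/pihole/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./hr.yaml
  - ./secret.enc.yaml
# ---- /clusters/core/env/production/network-system/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./cert-manager/ks.yaml
  - ./external-dns/ks.yaml
  - ./linode-certmanager-webhook/ks.yaml
  - ./multus/ks.yaml
  - ./step/ks.yaml
# ---- /clusters/core/env/production/network-system/linode-certmanager-webhook/app/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../../../../base/applications/network-system/linode-webhook
  # SOPS-encrypted Secret `linode-credentials` consumed by the webhook and by
  # the ClusterIssuers' apiKeySecretRef.
  - token.enc.yaml
patches:
  - path: patch.app.yaml
# ---- /clusters/core/env/production/network-system/linode-certmanager-webhook/app/patch.app.yaml ----
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: linode-webhook
spec:
  values:
    deployment:
      secretName: linode-credentials
      secretKey: token
      logLevel: ''
    fullnameOverride: "cert-manager-webhook-linode"
    certManager:
      namespace: network-system
      serviceAccountName: cert-manager
    api:
      # Must match dns01.webhook.groupName in the ClusterIssuers.
      groupName: linode-dns.${FAMILY_DOMAIN}
# ---- /clusters/core/env/production/network-system/linode-certmanager-webhook/ks.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app linode-certmanager-webhook
  namespace: flux-system
spec:
  targetNamespace: network-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./clusters/core/env/production/network-system/linode-certmanager-webhook/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-aws
  dependsOn:
    - name: secrets-generic
    - name: secrets-${CLUSTER_NAME}
  postBuild:
    substitute:
      APP: *app
    substituteFrom:
      - kind: Secret
        name: secrets-${CLUSTER_NAME}
      - kind: Secret
        name: secrets-generic
      - kind: ConfigMap
        name: settings-generic
      - kind: ConfigMap
        name: settings-${CLUSTER_NAME}
# ---- /clusters/core/env/production/network-system/multus/app/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./multus.yaml
  - ./rbac.yaml
# ---- /clusters/core/env/production/network-system/multus/app/rbac.yaml ----
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: multus
rules:
  # Full control of the CNI CRD group (NetworkAttachmentDefinitions).
  - apiGroups: ["k8s.cni.cncf.io"]
    resources:
      - "*"
    verbs:
      - "*"
  # Cluster-wide read plus update on pods/status, which is how multus writes
  # the network-status annotation back onto every pod it attaches.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/status
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups:
      - ""
      - events.k8s.io
    resources:
      - events
    verbs:
      - create
      - patch
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: multus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: multus
subjects:
  - kind: ServiceAccount
    name: multus
    namespace: network-system
# ---- /clusters/core/env/production/network-system/multus/config/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # network-attachment.server-vlan.yaml is not listed, so it is not applied.
  - network-attachment.iot-garbage.yaml
# ---- /clusters/core/env/production/network-system/multus/config/network-attachment.server-vlan.yaml ----
---
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: server-vlan
spec:
  # CNI config is a JSON document; the missing "," between the "ipam" and
  # "dns" members is added here so the config parses if this file is ever
  # included in the kustomization above.
  config: |-
    {
      "name": "server-vlan",
      "cniVersion": "0.3.1",
      "type": "vlan",
      "master": "eno1",
      "mtu": 1500,
      "vlanId": 3000,
      "linkInContainer": false,
      "ipam": {
        "type": "dhcp",
        "daemonSocketPath": "/run/cni/dhcp.sock",
        "request": [
          {
            "skipDefault": false
          }
        ],
        "provide": [
          {
            "option": "host-name",
            "fromArg": "K8S_POD_NAME"
          }
        ]
      },
      "dns": {
        "nameservers": [ "10.1.1.1", "8.8.8.8" ]
      }
    }
# ---- /clusters/core/env/production/network-system/step/registration-authority/cert-req.yaml ----
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: registration-authority-tls
spec:
  # The secret name to store the signed certificate
  secretName: registration-authority-tls
  # Common Name
  commonName: ra.${FAMILY_DOMAIN}
  # DNS SAN
  dnsNames:
    - ra.${FAMILY_DOMAIN}
  # Duration of the certificate
  duration: 24h
  # Renew 8 hours before the certificate expiration
  renewBefore: 8h
  # The reference to the step issuer
  issuerRef:
    group: certmanager.step.sm
    kind: StepClusterIssuer
    name: step-issuer
# ---- /clusters/core/env/production/network-system/step/registration-authority/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./hr.yaml
  # seems like a bug? https://github.com/cert-manager/cert-manager/issues/3484
  - ./cert-req.yaml
# ---- /clusters/core/env/production/network-system/step/step-issuer/hr.yaml ----
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: step-issuer
spec:
  interval: 4h
  chart:
    spec:
      chart: step-issuer
      version: 1.9.8
      sourceRef:
        kind: HelmRepository
        name: smallstep-charts
        namespace: flux-system
  values:
    serviceAccount:
      # Specifies whether a service account should be created
      create: true

    # For the cert-manager approver
    certManager:
      serviceAccount:
        name: cert-manager
        namespace: network-system
# ---- /clusters/core/env/production/network-system/step/step-issuer/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./hr.yaml
  - ./step-issuer-provisioner-password.enc.yaml
  - ./step-issuer.yaml
# ---- /clusters/core/env/production/network-system/step/step-issuer/step-issuer.yaml ----
---
apiVersion: certmanager.step.sm/v1beta1
kind: StepClusterIssuer
metadata:
  name: step-issuer
spec:
  # The CA URL.
  url: ${SMALLSTEP_CA_URL}
  # Pinned CA bundle: the issuer trusts only this CA when talking to the step CA.
  caBundle: "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"
  provisioner:
    name: step-issuer
    kid: ${SMALLSTEP_STEP_ISSUER_KID}
    # Provisioner password comes from the SOPS-encrypted Secret listed in
    # kustomization.yaml, not from a substituted variable.
    passwordRef:
      name: step-issuer-provisioner-password
      namespace: network-system
      key: password
# ---- /clusters/core/env/production/rook/ceph/codex/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./hr.yaml
# ---- /clusters/core/env/production/rook/ceph/operator/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./hr.yaml
# ---- /clusters/core/env/production/rook/ceph/terra/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./hr.yaml
# ---- /clusters/core/env/production/rook/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./ceph/ks.yaml
# ---- /clusters/core/namespaces/production/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ns.yaml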
-------------------------------------------------------------------------------- /clusters/core/namespaces/production/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: auth-system 6 | --- 7 | apiVersion: v1 8 | kind: Namespace 9 | metadata: 10 | name: n8n 11 | --- 12 | apiVersion: v1 13 | kind: Namespace 14 | metadata: 15 | name: games 16 | --- 17 | apiVersion: v1 18 | kind: Namespace 19 | metadata: 20 | name: media 21 | --- 22 | apiVersion: v1 23 | kind: Namespace 24 | metadata: 25 | name: network-system 26 | --- 27 | apiVersion: v1 28 | kind: Namespace 29 | metadata: 30 | name: observability 31 | --- 32 | apiVersion: v1 33 | kind: Namespace 34 | metadata: 35 | name: home 36 | --- 37 | apiVersion: v1 38 | kind: Namespace 39 | metadata: 40 | name: social 41 | --- 42 | apiVersion: v1 43 | kind: Namespace 44 | metadata: 45 | name: rook-ceph 46 | --- 47 | apiVersion: v1 48 | kind: Namespace 49 | metadata: 50 | name: rook-codex 51 | --- 52 | apiVersion: v1 53 | kind: Namespace 54 | metadata: 55 | name: rook-terra 56 | --- 57 | apiVersion: v1 58 | kind: Namespace 59 | metadata: 60 | name: backups 61 | --- 62 | apiVersion: v1 63 | kind: Namespace 64 | metadata: 65 | name: database 66 | --- 67 | apiVersion: v1 68 | kind: Namespace 69 | metadata: 70 | name: actions-runner-system # NOTE(review): no ocis Namespace is declared here although the PVCs under clusters/core/pvc/rook/ocis/ target it — confirm it is created elsewhere 71 | -------------------------------------------------------------------------------- /clusters/core/pvc/production/ark/workbench-backups.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: ark-backup-workbench 6 | namespace: games 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | storageClassName: apollo 11 | volumeName: ark-backup-workbench # pre-binds this claim to the static PV declared below 12 | resources: 13 | requests: 14 | storage: 40Gi 15 | --- 16 | apiVersion: v1 17 | kind: PersistentVolume 18 | metadata: 19 | 
name: ark-backup-workbench 20 | namespace: games # PersistentVolumes are cluster-scoped; this namespace field has no effect 21 | spec: 22 | capacity: 23 | storage: 40Gi 24 | volumeMode: Filesystem 25 | accessModes: 26 | - ReadWriteMany 27 | persistentVolumeReclaimPolicy: Retain 28 | storageClassName: apollo 29 | nfs: 30 | server: 192.168.130.4 # NOTE(review): differs from the 192.168.130.50 server used by the other apollo NFS PVs — confirm intended 31 | path: "/mnt/apollo/games/ark/backups" 32 | -------------------------------------------------------------------------------- /clusters/core/pvc/production/audiobook-library.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolume 4 | metadata: 5 | name: audiobook-library 6 | spec: 7 | capacity: 8 | storage: 1024Gi 9 | accessModes: 10 | - ReadWriteMany 11 | claimRef: 12 | namespace: media 13 | name: audiobook-library # reserves this PV for that one PVC so no other claim can bind it 14 | storageClassName: apollo 15 | nfs: 16 | server: 192.168.130.50 17 | path: "/mnt/apollo/media/audiobooks/library/" # access control for NFS lives in the server's export ACL, which is not visible from this manifest 18 | --- 19 | apiVersion: v1 20 | kind: PersistentVolumeClaim 21 | metadata: 22 | name: audiobook-library 23 | namespace: media # NOTE(review): same name/namespace as the PVC in clusters/core/pvc/rook/media/audiobookshelf/audiobook-library.yaml; only one of the two can exist in the cluster 24 | spec: 25 | accessModes: 26 | - ReadWriteMany 27 | storageClassName: apollo 28 | resources: 29 | requests: 30 | storage: 1024Gi 31 | -------------------------------------------------------------------------------- /clusters/core/pvc/production/changedetection.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: changedetection-config 6 | namespace: observability # NOTE(review): same name/namespace as the PVC in clusters/core/pvc/rook/observability/changedetection/config.yaml; only one of the two can exist in the cluster 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 2Gi 13 | volumeName: changedetection-nvmeof 14 | storageClassName: nvmeof-manual 15 | --- 16 | apiVersion: v1 17 | kind: PersistentVolume 18 | metadata: 19 | name: changedetection-nvmeof 20 | spec: 21 | capacity: 22 | storage: 2Gi 23 | accessModes: 24 | - ReadWriteOnce 25 | persistentVolumeReclaimPolicy: Retain 26 | storageClassName: nvmeof-manual 27 | mountOptions: [] 28 | csi: 29 | driver: 
org.democratic-csi.node-manual 30 | readOnly: false 31 | fsType: xfs 32 | volumeHandle: changedetection-nvmeof 33 | volumeAttributes: 34 | transport: tcp://192.168.130.50:4420 # NVMe/TCP target; no TLS or in-band authentication parameters are set here, so reaching the namespace depends only on network reachability of the target — confirm the storage network is isolated 35 | # transports: ,,... 36 | nqn: changedetection 37 | nsid: "1" 38 | node_attach_driver: "nvmeof" 39 | provisioner_driver: node-manual 40 | -------------------------------------------------------------------------------- /clusters/core/pvc/production/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - changedetection.yaml 6 | - frigate.yaml 7 | - lidarr.yaml 8 | - music-library.yaml 9 | - navidrome.yaml 10 | # - nextcloud.yaml 11 | # - paperless.yaml 12 | - prometheus.yaml 13 | - prowlarr.yaml 14 | - syncthing.yaml 15 | - thelounge.yaml # NOTE(review): audiobook-library.yaml, podcast-library.yaml, readarr.yaml and ark/workbench-backups.yaml in this directory are not listed, so this Kustomization does not apply them — confirm whether that is intended 16 | -------------------------------------------------------------------------------- /clusters/core/pvc/production/music-library.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolume 4 | metadata: 5 | name: music-library 6 | spec: 7 | capacity: 8 | storage: 1024Gi 9 | accessModes: 10 | - ReadWriteMany 11 | claimRef: 12 | namespace: media 13 | name: music-library 14 | storageClassName: apollo 15 | nfs: 16 | server: 192.168.130.50 17 | path: "/mnt/apollo/media/music/library/" 18 | --- 19 | apiVersion: v1 20 | kind: PersistentVolumeClaim 21 | metadata: 22 | name: music-library 23 | namespace: media # NOTE(review): same name/namespace as the PVC in clusters/core/pvc/rook/media/music-library.yaml; only one of the two can exist in the cluster 24 | spec: 25 | accessModes: 26 | - ReadWriteMany 27 | storageClassName: apollo 28 | resources: 29 | requests: 30 | storage: 1024Gi 31 | -------------------------------------------------------------------------------- /clusters/core/pvc/production/navidrome.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: 
navidrome-config 6 | namespace: media # NOTE(review): same name/namespace as the PVC in clusters/core/pvc/rook/media/navidrome/config.yaml; only one of the two can exist in the cluster 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 30Gi 13 | volumeName: navidrome-nvmeof 14 | storageClassName: nvmeof-manual 15 | --- 16 | apiVersion: v1 17 | kind: PersistentVolume 18 | metadata: 19 | name: navidrome-nvmeof 20 | spec: 21 | capacity: 22 | storage: 30Gi 23 | accessModes: 24 | - ReadWriteOnce 25 | persistentVolumeReclaimPolicy: Retain 26 | storageClassName: nvmeof-manual 27 | mountOptions: [] 28 | csi: 29 | driver: org.democratic-csi.node-manual 30 | readOnly: false 31 | fsType: xfs 32 | volumeHandle: navidrome-nvmeof 33 | volumeAttributes: 34 | transport: tcp://192.168.130.50:4420 35 | # transports: ,,... 36 | nqn: navidrome 37 | nsid: "1" 38 | node_attach_driver: "nvmeof" 39 | provisioner_driver: node-manual 40 | -------------------------------------------------------------------------------- /clusters/core/pvc/production/podcast-library.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolume 4 | metadata: 5 | name: podcast-library 6 | spec: 7 | capacity: 8 | storage: 1024Gi 9 | accessModes: 10 | - ReadWriteMany 11 | claimRef: 12 | namespace: media 13 | name: podcast-library 14 | storageClassName: apollo 15 | nfs: 16 | server: 192.168.130.50 17 | path: "/mnt/apollo/media/podcasts/library/" 18 | --- 19 | apiVersion: v1 20 | kind: PersistentVolumeClaim 21 | metadata: 22 | name: podcast-library 23 | namespace: media # NOTE(review): same name/namespace as the PVC in clusters/core/pvc/rook/media/audiobookshelf/podcast-library.yaml; only one of the two can exist in the cluster 24 | spec: 25 | accessModes: 26 | - ReadWriteMany 27 | storageClassName: apollo 28 | resources: 29 | requests: 30 | storage: 1024Gi 31 | -------------------------------------------------------------------------------- /clusters/core/pvc/production/prometheus.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: prometheus 6 | namespace: observability # NOTE(review): same name/namespace as the PVC in clusters/core/pvc/rook/observability/prometheus/prometheus.yaml; only one of the two can exist in the cluster 7 | spec: 8 
| accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 50Gi 13 | volumeName: prometheus-nvmeof 14 | storageClassName: nvmeof-manual 15 | --- 16 | apiVersion: v1 17 | kind: PersistentVolume 18 | metadata: 19 | name: prometheus-nvmeof 20 | spec: 21 | capacity: 22 | storage: 50Gi 23 | accessModes: 24 | - ReadWriteOnce 25 | persistentVolumeReclaimPolicy: Retain # the PV and its data are kept when the claim is deleted; cleanup is manual 26 | storageClassName: nvmeof-manual 27 | mountOptions: [] 28 | csi: 29 | driver: org.democratic-csi.node-manual 30 | readOnly: false 31 | fsType: xfs 32 | volumeHandle: prometheus-nvmeof 33 | volumeAttributes: 34 | transport: tcp://192.168.130.50:4420 35 | # transports: ,,... 36 | nqn: prometheus 37 | nsid: "1" 38 | node_attach_driver: "nvmeof" 39 | provisioner_driver: node-manual 40 | -------------------------------------------------------------------------------- /clusters/core/pvc/production/prowlarr.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: prowlarr-config 6 | namespace: media # NOTE(review): same name/namespace as the PVC in clusters/core/pvc/rook/media/prowlarr/config.yaml; only one of the two can exist in the cluster 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | volumeName: prowlarr-nvmeof 14 | storageClassName: nvmeof-manual 15 | --- 16 | apiVersion: v1 17 | kind: PersistentVolume 18 | metadata: 19 | name: prowlarr-nvmeof 20 | spec: 21 | capacity: 22 | storage: 5Gi 23 | accessModes: 24 | - ReadWriteOnce 25 | persistentVolumeReclaimPolicy: Retain 26 | storageClassName: nvmeof-manual 27 | mountOptions: [] 28 | csi: 29 | driver: org.democratic-csi.node-manual 30 | readOnly: false 31 | fsType: xfs 32 | volumeHandle: prowlarr-nvmeof 33 | volumeAttributes: 34 | transport: tcp://192.168.130.50:4420 35 | # transports: ,,... 
36 | nqn: prowlarr 37 | nsid: "1" 38 | node_attach_driver: "nvmeof" 39 | provisioner_driver: node-manual 40 | -------------------------------------------------------------------------------- /clusters/core/pvc/production/readarr.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: readarr-config 6 | namespace: media # NOTE(review): same name/namespace as the PVC in clusters/core/pvc/rook/media/readarr/config.yaml; only one of the two can exist in the cluster 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 40Gi 13 | volumeName: readarr-config 14 | storageClassName: apollo 15 | --- 16 | apiVersion: v1 17 | kind: PersistentVolume 18 | metadata: 19 | name: readarr-config 20 | spec: 21 | capacity: 22 | storage: 40Gi 23 | accessModes: 24 | - ReadWriteOnce 25 | claimRef: 26 | namespace: media 27 | name: readarr-config 28 | storageClassName: apollo 29 | nfs: 30 | server: 192.168.130.50 31 | path: "/mnt/apollo/media/audiobooks/readarr/config" # no persistentVolumeReclaimPolicy is set; statically created PVs default to Retain 32 | -------------------------------------------------------------------------------- /clusters/core/pvc/production/syncthing.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolume 4 | metadata: 5 | name: music-sync 6 | spec: 7 | capacity: 8 | storage: 1024Gi 9 | accessModes: 10 | - ReadWriteMany 11 | claimRef: 12 | namespace: media 13 | name: music-sync 14 | storageClassName: apollo 15 | nfs: 16 | server: 192.168.130.50 17 | path: "/mnt/apollo/media/music/syncthing/" 18 | --- 19 | apiVersion: v1 20 | kind: PersistentVolumeClaim 21 | metadata: 22 | name: music-sync 23 | namespace: media 24 | spec: 25 | accessModes: 26 | - ReadWriteMany 27 | storageClassName: apollo 28 | resources: 29 | requests: 30 | storage: 1024Gi 31 | -------------------------------------------------------------------------------- /clusters/core/pvc/production/thelounge.yaml: -------------------------------------------------------------------------------- 1 | --- 2 
| apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: thelounge-config 6 | namespace: social # NOTE(review): same name/namespace as the PVC in clusters/core/pvc/rook/social/thelounge/config.yaml; only one of the two can exist in the cluster 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | volumeName: thelounge-nvmeof 14 | storageClassName: nvmeof-manual 15 | --- 16 | apiVersion: v1 17 | kind: PersistentVolume 18 | metadata: 19 | name: thelounge-nvmeof 20 | spec: 21 | capacity: 22 | storage: 5Gi 23 | accessModes: 24 | - ReadWriteOnce 25 | persistentVolumeReclaimPolicy: Retain 26 | storageClassName: nvmeof-manual 27 | mountOptions: [] 28 | csi: 29 | driver: org.democratic-csi.node-manual 30 | readOnly: false 31 | fsType: xfs 32 | volumeHandle: thelounge-nvmeof 33 | volumeAttributes: 34 | transport: tcp://192.168.130.50:4420 35 | # transports: ,,... 36 | nqn: thelounge 37 | nsid: "1" 38 | node_attach_driver: "nvmeof" 39 | provisioner_driver: node-manual 40 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/database/minio.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: minio-data 6 | namespace: database 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | storageClassName: terra-blockpool # presumably the RBD block pool of the rook "terra" cluster (clusters/core/env/production/rook/ceph/terra) — confirm 11 | resources: 12 | requests: 13 | storage: 150Gi 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/games/ark/fjordur.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | # existingClaim name is appended with server name 6 | # ark-save will become ark-save-theisland or ark-save-extinction 7 | # these volumes will have to be created manually every time a new server is spun up 8 | name: ark-save-fjordur 9 | namespace: games 10 | spec: 11 | accessModes: 12 | - ReadWriteOnce 13 | storageClassName: codex-block 14 | 
resources: 15 | requests: 16 | storage: 10Gi 17 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/games/ark/theisland.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | # existingClaim name is appended with server name 6 | # ark-save will become ark-save-theisland or ark-save-extinction 7 | # these volumes will have to be created manually every time a new server is spun up 8 | name: ark-save-theisland 9 | namespace: games 10 | spec: 11 | accessModes: 12 | - ReadWriteOnce 13 | storageClassName: codex-block 14 | resources: 15 | requests: 16 | storage: 10Gi 17 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/games/retrom/data.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: retrom-library 6 | namespace: games 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | storageClassName: ceph-blockpool # NOTE(review): not one of the codex-*/terra-* classes used by most other rook claims — confirm this StorageClass exists on the cluster 11 | resources: 12 | requests: 13 | storage: 500Gi 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/home/esphome/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: esphome-config 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 10Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/home/frigate/data.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: frigate-data 6 | namespace: home 
7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 10Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/home/frigate/recordings.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: frigate-recordings 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | storageClassName: terra-filesystem # ReadWriteMany needs the shared-filesystem class (presumably CephFS) rather than a block pool 11 | resources: 12 | requests: 13 | storage: 1024Gi 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/home/grocy/data.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: grocy-data 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 50Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/home/home-assistant/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: home-assistant-config 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 50Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/home/mosquitto/data.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: mosquitto-data 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | 
storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/home/music-assistant/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: music-assistant-config 6 | namespace: media # NOTE(review): file sits under pvc/rook/home/ but the claim is in the media namespace — confirm which namespace the workload runs in 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 2Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/home/nextcloud/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: nextcloud-config 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 15Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/home/nextcloud/data.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: nextcloud-data 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 2Ti 13 | storageClassName: terra-filesystem 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/home/paperless/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: PersistentVolumeClaim 3 | apiVersion: v1 4 | metadata: 5 | name: paperless-config 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 30Gi 13 | storageClassName: codex-block 14 | 
-------------------------------------------------------------------------------- /clusters/core/pvc/rook/home/paperless/data.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: PersistentVolumeClaim 3 | apiVersion: v1 4 | metadata: 5 | name: paperless-data 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 200Gi 13 | storageClassName: terra-filesystem 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/home/zwavejs/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: zwavejs-config 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 2Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/media/audiobookshelf/audiobook-library.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: audiobook-library 6 | namespace: media # NOTE(review): same name/namespace as the NFS-backed PVC in clusters/core/pvc/production/audiobook-library.yaml; only one of the two can exist in the cluster 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 1024Gi 13 | storageClassName: terra-filesystem 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/media/audiobookshelf/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: audiobookshelf-config 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 20Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- 
/clusters/core/pvc/rook/media/audiobookshelf/ebook-library.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: ebook-library 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | storageClassName: terra-filesystem 11 | resources: 12 | requests: 13 | storage: 50Gi 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/media/audiobookshelf/metadata.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: audiobookshelf-metadata 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: terra-blockpool 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/media/audiobookshelf/podcast-library.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: podcast-library 6 | namespace: media # NOTE(review): same name/namespace as the NFS-backed PVC in clusters/core/pvc/production/podcast-library.yaml; only one of the two can exist in the cluster 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | storageClassName: terra-filesystem 11 | resources: 12 | requests: 13 | storage: 40Gi 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/media/downloads.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: media-downloads 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 80Gi 13 | storageClassName: terra-filesystem 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/media/lidarr/config.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: lidarr-config 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 50Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/media/linkwarden/data.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: linkwarden-data 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 75Gi 13 | storageClassName: terra-blockpool 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/media/music-library.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: music-library 6 | namespace: media # NOTE(review): same name/namespace as the NFS-backed PVC in clusters/core/pvc/production/music-library.yaml; only one of the two can exist in the cluster 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 1024Gi 13 | storageClassName: terra-filesystem 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/media/navidrome/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: navidrome-config 6 | namespace: media # NOTE(review): same name/namespace as the NVMe-oF PVC in clusters/core/pvc/production/navidrome.yaml; only one of the two can exist in the cluster 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 10Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/media/prowlarr/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 
3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: prowlarr-config 6 | namespace: media # NOTE(review): same name/namespace as the NVMe-oF PVC in clusters/core/pvc/production/prowlarr.yaml; only one of the two can exist in the cluster 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 3Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/media/readarr/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: readarr-config 6 | namespace: media # NOTE(review): same name/namespace as the NFS-backed PVC in clusters/core/pvc/production/readarr.yaml; only one of the two can exist in the cluster 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 3Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/media/slskd/data.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: slskd-data 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 30Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/media/syncthing/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: syncthing-config 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 2Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/network-system/registration-authority/db.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: step-request-authority-db # NOTE(review): named "request-authority" while the directory is registration-authority — confirm the consuming workload references this exact claim name 6 | namespace: 
network-system 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 10Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/observability/changedetection/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: changedetection-config 6 | namespace: observability # NOTE(review): same name/namespace as the NVMe-oF PVC in clusters/core/pvc/production/changedetection.yaml; only one of the two can exist in the cluster 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 2Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/observability/prometheus/prometheus.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: prometheus 6 | namespace: observability # NOTE(review): same name/namespace as the NVMe-oF PVC in clusters/core/pvc/production/prometheus.yaml; only one of the two can exist in the cluster 7 | spec: 8 | storageClassName: codex-block 9 | accessModes: 10 | - ReadWriteOnce 11 | resources: 12 | requests: 13 | storage: 20Gi 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/ocis/data.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: storageusers-data 6 | namespace: ocis # NOTE(review): the ocis Namespace is not declared in clusters/core/namespaces/production/ns.yaml — confirm it is created elsewhere before these claims are applied 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 2Ti 13 | storageClassName: terra-filesystem 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/ocis/idm.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: idm-data 6 | namespace: ocis 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | 
storage: 10Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/ocis/nats.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: nats-data 6 | namespace: ocis 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 10Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/ocis/search.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: search-data 6 | namespace: ocis 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 10Gi 13 | storageClassName: codex-block 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/ocis/storage.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: storagesystem-data 6 | namespace: ocis 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 15Gi 13 | storageClassName: codex-file # RWX shared-filesystem class on the codex cluster; the other ocis RWX claim (data.yaml) uses terra-filesystem instead — confirm the split is intended 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/ocis/thumbnails.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: thumbnail-data 6 | namespace: ocis 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | storageClassName: codex-file 14 | -------------------------------------------------------------------------------- 
/clusters/core/pvc/rook/ocis/web.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: web-data 6 | namespace: ocis 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | storageClassName: codex-file 14 | -------------------------------------------------------------------------------- /clusters/core/pvc/rook/social/thelounge/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: thelounge-config 6 | namespace: social # NOTE(review): same name/namespace as the NVMe-oF PVC in clusters/core/pvc/production/thelounge.yaml; only one of the two can exist in the cluster 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | storageClassName: ceph-blockpool 14 | -------------------------------------------------------------------------------- /clusters/env/production/bootstrap.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: bootstrap 6 | spec: 7 | interval: 1h0m0s 8 | path: ./clusters/env/production/bootstrap 9 | prune: true # objects that disappear from this path in git are deleted from the cluster 10 | sourceRef: 11 | kind: GitRepository 12 | name: flux-system 13 | postBuild: 14 | substitute: 15 | CLUSTER_NAME: production # post-build variable substitution for manifests under path 16 | -------------------------------------------------------------------------------- /clusters/env/production/bootstrap/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: flux-system # kustomize sets this namespace on every namespaced resource in install.yaml 5 | resources: 6 | - install.yaml 7 | -------------------------------------------------------------------------------- /clusters/env/production/flux-system/gotk-sync.yaml: -------------------------------------------------------------------------------- 1 | # This manifest was generated by 
flux. DO NOT EDIT. 2 | --- 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: GitRepository 5 | metadata: 6 | name: flux-system 7 | namespace: flux-system 8 | spec: 9 | interval: 1m0s 10 | ref: 11 | branch: main 12 | secretRef: 13 | name: flux-system 14 | url: ssh://git@github.com/crutonjohn/gitops 15 | --- 16 | apiVersion: kustomize.toolkit.fluxcd.io/v1 17 | kind: Kustomization 18 | metadata: 19 | name: flux-system 20 | namespace: flux-system 21 | spec: 22 | interval: 10m0s 23 | path: ./clusters/env/production 24 | prune: true 25 | sourceRef: 26 | kind: GitRepository 27 | name: flux-system 28 | -------------------------------------------------------------------------------- /clusters/env/production/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - gotk-components.yaml 5 | - gotk-sync.yaml 6 | -------------------------------------------------------------------------------- /clusters/env/production/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: flux-system 5 | resources: 6 | - bootstrap.yaml 7 | -------------------------------------------------------------------------------- /clusters/secrets/generic/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: flux-system 5 | resources: 6 | - secrets.yaml 7 | - settings.yaml 8 | -------------------------------------------------------------------------------- /clusters/secrets/generic/settings.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: settings-generic 6 | data: 7 | # 
L2 Announcements have been removed 8 | # now using BGP but i am 9 | # KEEPING THESE COMMENTS FOR FUTURE USE 10 | # production 192.168.130.96/28 11 | # 192.168.130.97 - 192.168.130.110 12 | # CLUSTER_LB_PRODUCTION_RANGE: "192.168.130.96/28" 13 | CLUSTER_LB_INGRESS_EXTERNAL: "192.168.142.1" 14 | CLUSTER_LB_INGRESS_INTERNAL: "192.168.142.2" 15 | CLUSTER_LB_OTEL_SYSLOG_TCP: "192.168.142.3" 16 | CLUSTER_LB_PROMETHEUS: "192.168.142.4" 17 | CLUSTER_LB_MUSIC_SYNC: "192.168.142.5" 18 | CLUSTER_LB_ARK_SERVER: "192.168.142.6" 19 | CLUSTER_LB_MESH_API_MAIN: "192.168.142.7" 20 | CLUSTER_LB_MESH_API_CASA: "192.168.142.8" 21 | CLUSTER_LB_OTEL_SYSLOG_UDP: "192.168.142.9" 22 | CLUSTER_LB_HOME_ASSISTANT: "192.168.142.10" 23 | CLUSTER_LB_MQTT: "192.168.142.11" 24 | CLUSTER_LB_CNPG: "192.168.142.12" 25 | CLUSTER_LB_JAEGER: "192.168.142.13" 26 | CLUSTER_LB_SMALLSTEP: "192.168.142.14" 27 | -------------------------------------------------------------------------------- /clusters/secrets/production/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: flux-system 5 | resources: 6 | - secrets.yaml 7 | - settings.yaml 8 | -------------------------------------------------------------------------------- /clusters/secrets/production/settings.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: settings-${CLUSTER_NAME} 6 | data: 7 | CLUSTER_POD_CIDR: "10.42.0.0/16" 8 | CLUSTER_SVC_CIDR: "10.43.0.0/16" 9 | CLUSTER_LB_CIDR: "192.168.130.96/28" 10 | CLUSTER_NAME: "production" 11 | -------------------------------------------------------------------------------- /clusters/secrets/truenas/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: 
Kustomization 4 | namespace: flux-system 5 | resources: 6 | - secrets.yaml 7 | - settings.yaml 8 | -------------------------------------------------------------------------------- /clusters/secrets/truenas/secrets.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | stringData: 3 | SECRET_NAME: ENC[AES256_GCM,data:eG7VYmA=,iv:wLhn40NvoZEGJqASbbGAIe+NUMeGSY/jtaBPsVCxhsc=,tag:QOYL5CjYe5vMyZM/eA/riQ==,type:str] 4 | kind: Secret 5 | metadata: 6 | name: secrets-${CLUSTER_NAME} 7 | type: Opaque 8 | sops: 9 | kms: 10 | - arn: arn:aws:kms:us-east-2:300851077188:key/b797e748-1c53-462c-9c4c-50eebebc3130 11 | created_at: "2024-02-09T22:50:11Z" 12 | enc: AQICAHjVtcO/v540ZKcn1JNHjpqxHudubzP0wst32mS/Cuj1RwErSrXSJ0FIR513qFHO9TONAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMmz8mMGuKAAVbMk+CAgEQgDu0uahSngq7IQQ0aAlOQ96cgoUn2qmhRA409s1oTIapshtJbLTqYAV73F3katfpQxo3tbChc7uS9sNl4w== 13 | aws_profile: "" 14 | gcp_kms: [] 15 | azure_kv: [] 16 | hc_vault: [] 17 | age: [] 18 | lastmodified: "2024-02-09T23:33:25Z" 19 | mac: ENC[AES256_GCM,data:PedKv0fLAhP2mzdV+93h8baOAvqBnoN3wYlQE8/IyglO0xJbxU/TQ6II97gCmTYA1CGqoUllHUCvNjn/Z/V84n7KgZxjMcVWahTI/yaHmQEQSvlXayi7FqElrHVZMQR6LLqgay0XzacHMoErjcqMvn4bRMlHSNPVZuHTkjUT1PA=,iv:bBdkbWPCDfcrHyCGcb1W6Bzchsy9ND7LaTxBLCZWOQ4=,tag:5E+/PBYvefExLEQP8w94rg==,type:str] 20 | pgp: [] 21 | encrypted_regex: ^(data|stringData)$ 22 | version: 3.8.1 23 | -------------------------------------------------------------------------------- /clusters/secrets/truenas/settings.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: settings-${CLUSTER_NAME} 6 | data: 7 | CLUSTER_POD_CIDR: "172.16.0.0/16" 8 | CLUSTER_SVC_CIDR: "172.17.0.0/16" 9 | CLUSTER_LB_CIDR: "192.168.130.112/28" 10 | CLUSTER_NAME: "truenas" 11 | -------------------------------------------------------------------------------- 
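/default.nix:
--------------------------------------------------------------------------------
# shell.nix
# NOTE(review): the rendered page shows "import {}"; the <nixpkgs> search-path
# argument was most likely stripped by HTML extraction and is restored here.
{ pkgs ? import <nixpkgs> {} }:
pkgs.mkShell {
  # nativeBuildInputs is usually what you want -- tools you need to run
  nativeBuildInputs = with pkgs.buildPackages; [
    cilium-cli
    k0sctl
    android-tools
    envsubst
    ceph
    restic
    pre-commit
  ];
}
--------------------------------------------------------------------------------
/hack/cert-service-account.yaml:
--------------------------------------------------------------------------------
---
# ServiceAccount for a certificate-sync client. Its consumer is not visible in
# this repo excerpt; the Role below is what it is allowed to do.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-sync-service-account
  namespace: network-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-sync-service-account
  namespace: network-system
rules:
  # NOTE(review): with no resourceNames this is "get" on EVERY Secret in
  # network-system, not just the certificate being synced. If the target
  # Secret name is fixed, scope the rule:
  #   resourceNames: ["<cert-secret-name>"]   # placeholder, not on this page
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-sync-service-account
  namespace: network-system
subjects:
  - namespace: network-system
    kind: ServiceAccount
    name: cert-sync-service-account
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-sync-service-account
---
# Legacy long-lived token for the ServiceAccount (type service-account-token).
# The token does not expire on its own and lives in the cluster as a Secret,
# readable by anyone with "get secrets" in network-system. Rotate by deleting
# this Secret; prefer short-lived TokenRequest tokens where the consumer
# supports them.
apiVersion: v1
kind: Secret
metadata:
  name: cert-sync-service-account
  namespace: network-system
  annotations:
    kubernetes.io/service-account.name: cert-sync-service-account
type: kubernetes.io/service-account-token
--------------------------------------------------------------------------------
/hack/delete-ns.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Force-finalize a namespace stuck in "Terminating" by clearing spec.finalizers
# through the /finalize subresource.
#
# Usage: NAMESPACE=<namespace> ./delete-ns.sh
#
# Caution: this bypasses whatever the finalizers were guarding; resources the
# missing controllers still own may be orphaned. Confirm the controllers are
# really gone before running it.
#
# Fixes relative to the previous version:
#   - the background `kubectl proxy` was never stopped and kept serving an
#     unauthenticated local gateway to the API server after the script ended;
#   - an unset NAMESPACE produced the path /api/v1/namespaces//finalize;
#   - temp.json was written to the cwd and leaked on any failure;
#   - curl could fire before the proxy was listening;
#   - `-k` (insecure TLS) was a no-op on plain http to 127.0.0.1.
set -euo pipefail

: "${NAMESPACE:?set NAMESPACE to the namespace to force-finalize}"

PROXY_PORT=8001
tmp=$(mktemp)
proxy_pid=""

# Always remove the scratch file and stop the proxy, whatever the exit path.
cleanup() {
  rm -f "$tmp"
  if [[ -n "$proxy_pid" ]]; then
    kill "$proxy_pid" 2>/dev/null || true
  fi
}
trap cleanup EXIT

kubectl proxy --port="$PROXY_PORT" &
proxy_pid=$!

# Wait (up to ~5s) until the proxy actually accepts connections.
for _ in $(seq 1 50); do
  if curl -s -o /dev/null "http://127.0.0.1:${PROXY_PORT}/version"; then
    break
  fi
  sleep 0.1
done

kubectl get namespace "$NAMESPACE" -o json \
  | jq '.spec = {"finalizers":[]}' > "$tmp"

curl -sS --fail -H "Content-Type: application/json" -X PUT \
  --data-binary @"$tmp" \
  "http://127.0.0.1:${PROXY_PORT}/api/v1/namespaces/${NAMESPACE}/finalize"
--------------------------------------------------------------------------------
/hack/pvc-debugger.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Start a throwaway busybox pod with the given PVC mounted at /data so its
# contents can be inspected (e.g. `kubectl exec -it volume-debugger -- sh`).
# See https://justyn.io/til/migrate-kubernetes-pvc-to-another-pvc/ for details
#
# Usage: ./pvc-debugger.sh <pvc-name>
#
# The pod is created in the current kubectl context/namespace and is NOT
# removed by this script; `kubectl delete pod volume-debugger` when finished.
#
# Fixes relative to the previous version: the PVC name is now required and
# quoted everywhere (it was mixed between $1 and $pvc, unquoted), and the
# trailing `kubectl get pods | grep migrate` was dropped -- this script creates
# no "migrate" pod, so under `set -e` that line made it exit non-zero.

set -exu

if [[ $# -ne 1 ]]; then
  echo "usage: $0 <pvc-name>" >&2
  exit 1
fi

pvc=$1
manifest="debug-pvc-${pvc}.yaml"

echo "Debugging $pvc"

echo "please cancel this script if this doesn't look right"

echo "sleeping to allow interrupt"

sleep 7

echo "proceeding with copy job"

echo "Creating job yaml"
cat > "$manifest" << EOF
kind: Pod
apiVersion: v1
metadata:
  name: volume-debugger
spec:
  volumes:
    - name: volume-to-debug
      persistentVolumeClaim:
        claimName: ${pvc}
  containers:
    - name: debugger
      # NOTE(review): unpinned image tag; pin a version or digest if this pod
      # needs to be reproducible.
      image: busybox
      command: ['sleep', '3600']
      volumeMounts:
        - mountPath: "/data"
          name: volume-to-debug
  securityContext:
    fsGroup: 7843
    runAsGroup: 7843
    runAsUser: 7843
EOF

kubectl create -f "$manifest"
kubectl get po -o wide | grep volume-debugger
kubectl get po -o name | grep volume-debugger
--------------------------------------------------------------------------------
/zigbee/default.nix:
--------------------------------------------------------------------------------
# shell.nix
# NOTE(review): the rendered page shows "import {}"; the <nixpkgs> search-path
# argument was most likely stripped by HTML extraction and is restored here.
{ pkgs ? import <nixpkgs> {} }:
let
  # Python packages for this shell: pyserial and intelhex (presumably for
  # talking to a zigbee device over serial and handling .hex images -- the
  # consumer is not in this excerpt). The block below is kept commented out
  # as in the original.
  my-python-packages = p: with p; [
    pyserial
    intelhex
    #(
    #  buildPythonPackage rec {
    #    pname = "python-gilt";
    #    version = "1.2.3";
    #    src = fetchPypi {
    #      inherit pname version;
    #      sha256 = "sha256-0aozmQ4Eb5zL4rtNHSFjEynfObUkYlid1PgMDVmRkwY=";
    #    };
    #    doCheck = false;
    #    propagatedBuildInputs = [
    #      # Specify dependencies
    #    ];
    #  }
    #)
  ];
  my-python = pkgs.python3.withPackages my-python-packages;
in my-python.env
--------------------------------------------------------------------------------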