├── .archive ├── actual-finance │ ├── app │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── pvc.yaml │ └── ks.yaml ├── ai │ ├── kustomization.yaml │ ├── ollama │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ │ └── ks.yaml │ └── openwebui │ │ ├── app │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── pvc.yaml │ │ └── ks.yaml ├── atuin │ ├── app │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── pvc.yaml │ └── ks.yaml ├── dependency-track │ ├── app │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ └── ks.yaml ├── dragonfly │ └── cluster │ │ ├── cluster.yaml │ │ ├── kustomization.yaml │ │ └── pod-monitor.yaml ├── gateway-api │ ├── gateway-api-crds │ │ └── kustomization.yaml │ ├── gateways │ │ └── internal │ │ │ ├── http-redirect.yaml │ │ │ ├── internal-gateway.yaml │ │ │ └── kustomization.yaml │ └── ks.yaml ├── intel-device-plugin-operator │ ├── app │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── gpu │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ └── ks.yaml └── wekan │ ├── app │ ├── externalsecret.yaml │ ├── helmrelease.yaml │ ├── kustomization.yaml │ └── pvc.yaml │ └── ks.yaml ├── .editorconfig ├── .gitattributes ├── .github ├── labeler.yaml ├── labels.yaml ├── release.yaml ├── renovate.json5 └── workflows │ ├── flux-diff.yaml │ ├── label-sync.yaml │ ├── labeler.yaml │ └── release.yaml ├── .gitignore ├── .minijinja.toml ├── .mise.toml ├── .python-version ├── .sops.yaml ├── .taskfiles ├── Kubernetes │ └── Taskfile.yaml ├── Sops │ └── Taskfile.yaml ├── Talos │ └── Taskfile.yaml ├── bootstrap │ └── Taskfile.yaml └── flux │ └── Taskfile.yaml ├── .vscode ├── extensions.json └── settings.json ├── .yamllint.yaml ├── LICENSE ├── README.md ├── Taskfile.yaml ├── docs ├── assets │ ├── kubernetes.png │ └── talos.svg ├── bootstrap.md └── observability.md └── kubernetes ├── apps ├── actions-runner-system │ ├── actions-runner-controller │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── 
helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── ks.yaml │ │ └── runners │ │ │ ├── homelab │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── rbac.yaml │ │ │ └── kustomization.yaml │ └── kustomization.yaml ├── cert-manager │ ├── cert-manager │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── kustomizeconfig.yaml │ │ │ ├── prometheusrule.yaml │ │ │ └── values.yaml │ │ ├── issuers │ │ │ ├── externalsecret.yaml │ │ │ ├── issuers.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ └── kustomization.yaml ├── databases │ ├── cnpg-operator │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── dragonfly │ │ ├── ks.yaml │ │ └── operator │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── rbac.yaml │ ├── emqx │ │ ├── cluster │ │ │ ├── cluster.yaml │ │ │ ├── kustomization.yaml │ │ │ └── route.yaml │ │ ├── ks.yaml │ │ └── operator │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ └── kustomization.yaml ├── downloads │ ├── bazarr │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── pvc.yaml │ │ │ └── resources │ │ │ │ └── subcleaner.sh │ │ └── ks.yaml │ ├── cross-seed │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── kustomization.yaml │ ├── prowlarr │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ │ └── ks.yaml │ ├── qbittorrent │ │ ├── app │ │ │ ├── config │ │ │ │ └── dnsdist.conf │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ │ └── ks.yaml │ ├── radarr │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ │ └── ks.yaml │ ├── recyclarr │ │ ├── app │ │ │ ├── config │ │ │ │ └── recyclarr.yml │ │ │ ├── externalsecret.yaml │ │ │ ├── 
helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ │ └── ks.yaml │ ├── sabnzbd │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── pvc.yaml │ │ │ └── resources │ │ │ │ └── post-process.sh │ │ └── ks.yaml │ └── sonarr │ │ ├── app │ │ ├── externalsecret.yaml │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── pvc.yaml │ │ └── ks.yaml ├── flux-system │ ├── flux-operator │ │ ├── app │ │ │ ├── helm-values.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── kustomizeconfig.yaml │ │ ├── instance │ │ │ ├── github │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── notifications │ │ │ │ │ ├── externalsecret.yaml │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ └── notification.yaml │ │ │ │ └── webhooks │ │ │ │ │ ├── externalsecret.yaml │ │ │ │ │ ├── kustomization.yaml │ │ │ │ │ ├── receiver.yaml │ │ │ │ │ └── route.yaml │ │ │ ├── helm-values.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── kustomizeconfig.yaml │ │ │ └── prometheusrule.yaml │ │ └── ks.yaml │ └── kustomization.yaml ├── home-automation │ ├── esphome │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ │ └── ks.yaml │ ├── home-assistant │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ │ └── ks.yaml │ ├── kustomization.yaml │ └── zigbee2mqtt │ │ ├── app │ │ ├── externalsecret.yaml │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── pvc.yaml │ │ └── ks.yaml ├── kube-system │ ├── cilium │ │ ├── app │ │ │ ├── helm-values.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── kustomizeconfig.yaml │ │ │ └── route.yaml │ │ ├── config │ │ │ ├── cilium-l2.yaml │ │ │ └── kustomization.yaml │ │ ├── gateway │ │ │ ├── certificate.yaml │ │ │ ├── external.yaml │ │ │ ├── gatewayclass.yaml │ │ │ ├── internal.yaml │ │ │ ├── kustomization.yaml │ │ │ └── pushsecret.yaml 
│ │ └── ks.yaml │ ├── coredns │ │ ├── app │ │ │ ├── helm-values.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── kustomizeconfig.yaml │ │ └── ks.yaml │ ├── csi-driver-nfs │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── kustomization.yaml │ ├── metrics-server │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ └── reloader │ │ ├── app │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ │ └── ks.yaml ├── media │ ├── jellyseerr │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── pvc-cache.yaml │ │ │ └── pvc-config.yaml │ │ └── ks.yaml │ ├── kustomization.yaml │ ├── plex │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── pvc-cache.yaml │ │ │ └── pvc-config.yaml │ │ └── ks.yaml │ └── tautulli │ │ ├── app │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── pvc.yaml │ │ └── ks.yaml ├── network │ ├── cloudflared │ │ ├── app │ │ │ ├── dnsEndpoint.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── resources │ │ │ │ └── config.yaml │ │ └── ks.yaml │ ├── echo-server │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── external-dns │ │ ├── cloudflare │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── ks.yaml │ │ └── pihole │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ ├── kustomization.yaml │ └── multus │ │ ├── app │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── rbac.yaml │ │ ├── ks.yaml │ │ └── networks │ │ ├── iot.yaml │ │ └── kustomization.yaml ├── observability │ ├── blackbox-exporter │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── prometheusrule.yaml │ │ └── ks.yaml │ ├── grafana │ │ ├── app │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── kromgo 
│ │ ├── app │ │ │ ├── config │ │ │ │ └── config.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── kube-prometheus-stack │ │ ├── app │ │ │ ├── alertmanagerconfig.yaml │ │ │ ├── alerts │ │ │ │ ├── kustomization.yaml │ │ │ │ └── prometheusrule.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ ├── kustomization.yaml │ ├── node-exporter │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ └── prometheus-operator-crds │ │ ├── crd │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ │ └── ks.yaml ├── openebs-system │ ├── kustomization.yaml │ └── openebs │ │ ├── app │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ │ └── ks.yaml ├── security │ ├── external-secrets │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── ks.yaml │ │ └── stores │ │ │ ├── clustersecretstore.yaml │ │ │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── onepassword-connect │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── ks.yaml │ └── trivy-operator │ │ ├── app │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ │ └── ks.yaml ├── selfhosted │ ├── forgejo │ │ ├── app │ │ │ ├── cluster.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── pvc.yaml │ │ │ └── route.yaml │ │ ├── ks.yaml │ │ └── runner │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ ├── harbor │ │ ├── app │ │ │ ├── cluster.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── pvc.yaml │ │ │ └── route.yaml │ │ └── ks.yaml │ ├── kustomization.yaml │ ├── n8n │ │ ├── app │ │ │ ├── cluster.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ │ └── ks.yaml │ ├── nocodb │ │ ├── app │ │ │ ├── cluster.yaml │ │ │ ├── dragonfly │ │ │ │ ├── cluster.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── 
podmonitor.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ │ └── ks.yaml │ └── prlx │ │ ├── backend │ │ ├── cluster.yaml │ │ ├── deployment.yaml │ │ ├── externalsecret.yaml │ │ ├── kustomization.yaml │ │ └── service.yaml │ │ ├── ks.yaml │ │ └── operator │ │ ├── deployment.yaml │ │ └── kustomization.yaml ├── storage │ ├── kustomization.yaml │ └── minio │ │ ├── app │ │ ├── externalsecret.yaml │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ │ └── ks.yaml ├── system-upgrade │ ├── .env │ ├── kustomization.yaml │ └── system-upgrade-controller │ │ ├── app │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── rbac.yaml │ │ ├── ks.yaml │ │ └── plans │ │ ├── kubernetes.yaml │ │ ├── kustomization.yaml │ │ └── talos.yaml └── volsync-system │ ├── kustomization.yaml │ ├── snapshot-controller │ ├── app │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ └── ks.yaml │ └── volsync │ ├── app │ ├── helmrelease.yaml │ ├── kustomization.yaml │ └── prometheusrule.yaml │ └── ks.yaml ├── bootstrap ├── .sourceignore └── apps │ ├── .secrets.env │ ├── helmfile.yaml │ └── templates │ └── resources.yaml.j2 ├── components └── common │ ├── alerts │ ├── alertmanager │ │ ├── alert.yaml │ │ ├── kustomization.yaml │ │ └── provider.yaml │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── namespace.yaml │ ├── repos │ ├── app-template │ │ ├── kustomization.yaml │ │ └── ocirepository.yaml │ └── kustomization.yaml │ └── sops │ ├── kustomization.yaml │ └── secret.sops.yaml ├── flux ├── cluster │ └── ks.yaml └── metadata │ ├── kustomization.yaml │ └── repositories │ ├── git │ └── kustomization.yaml │ ├── helm │ ├── actions-runner-controller.yaml │ ├── aqua.yaml │ ├── backube.yaml │ ├── bjw-s.yaml │ ├── cilium.yaml │ ├── cnpg.yaml │ ├── controlplaneio.yaml │ ├── coredns.yaml │ ├── csi-nfs-driver.yaml │ ├── dependency-track.yaml │ ├── emqx.yaml │ ├── external-dns.yaml │ ├── external-secrets.yaml │ ├── grafana.yaml │ ├── 
harbor.yaml │ ├── ingress-nginx.yaml │ ├── intel.yaml │ ├── jetstack.yaml │ ├── k8s-gateway.yaml │ ├── kustomization.yaml │ ├── metrics-server.yaml │ ├── ollama.yaml │ ├── openebs.yaml │ ├── pireaus.yaml │ ├── prometheus-community.yaml │ ├── rook-ceph.yaml │ ├── spegel.yaml │ └── stakater.yaml │ ├── kustomization.yaml │ └── oci │ └── kustomization.yaml └── talos ├── clusterconfig └── .gitignore ├── patches ├── README.md ├── controller │ ├── cluster.yaml │ └── disable-admission-controller.yaml └── global │ ├── machine-features.yaml │ ├── machine-files.yaml │ ├── machine-kubelet.yaml │ ├── machine-network.yaml │ ├── machine-openebs-local.yaml │ ├── machine-sysctl.yaml │ └── machine-time.yaml ├── talconfig.yaml └── talsecret.sops.yaml /.archive/actual-finance/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | bases: 5 | - ./helmrelease.yaml 6 | - ./pvc.yaml 7 | -------------------------------------------------------------------------------- /.archive/actual-finance/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: actual 6 | spec: 7 | accessModes: ["ReadWriteMany"] 8 | resources: 9 | requests: 10 | storage: 10Gi 11 | storageClassName: nfs-csi-sc 12 | -------------------------------------------------------------------------------- /.archive/actual-finance/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app actual-finance 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: selfhosted 10 | commonMetadata: 11 | labels: 12 | 
app.kubernetes.io/name: *app 13 | path: ./kubernetes/apps/selfhosted/actual-finance/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | wait: false 20 | interval: 30m 21 | retryInterval: 1m 22 | timeout: 5m 23 | postBuild: 24 | substitute: 25 | APP: *app 26 | -------------------------------------------------------------------------------- /.archive/ai/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: ai 5 | resources: 6 | - ./openwebui/ks.yaml 7 | - ./ollama/ks.yaml 8 | components: 9 | - ../../components/common 10 | -------------------------------------------------------------------------------- /.archive/ai/ollama/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: &app ollama 6 | spec: 7 | interval: 30m 8 | chart: 9 | spec: 10 | chart: ollama 11 | version: 1.15.0 12 | sourceRef: 13 | kind: HelmRepository 14 | name: *app 15 | namespace: flux-system 16 | maxHistory: 2 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | retries: 3 24 | uninstall: 25 | keepHistory: false 26 | values: 27 | replicaCount: 1 28 | updateStrategy: 29 | type: RollingUpdate 30 | image: 31 | repository: ollama/ollama 32 | tag: 0.6.8 33 | pullPolicy: IfNotPresent 34 | ollama: 35 | gpu: 36 | enabled: false 37 | models: 38 | pull: 39 | - deepseek-r1 40 | extraEnv: 41 | - name: OLLAMA_DEBUG 42 | value: "1" 43 | service: 44 | type: ClusterIP 45 | port: 11434 46 | persistentVolume: 47 | enabled: true 48 | existingClaim: ollama 49 | resources: 50 | requests: 51 | cpu: 200m 52 | memory: 2Gi 53 | limits: 54 | memory: 12Gi 55 | 
-------------------------------------------------------------------------------- /.archive/ai/ollama/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./pvc.yaml 8 | -------------------------------------------------------------------------------- /.archive/ai/ollama/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: ollama 6 | spec: 7 | accessModes: ["ReadWriteMany"] 8 | resources: 9 | requests: 10 | storage: 100Gi 11 | storageClassName: nfs-csi-sc 12 | -------------------------------------------------------------------------------- /.archive/ai/ollama/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app ollama 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: ai 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | path: ./kubernetes/apps/ai/ollama/app 13 | prune: true 14 | sourceRef: 15 | kind: GitRepository 16 | name: flux-system 17 | namespace: flux-system 18 | wait: true 19 | interval: 30m 20 | retryInterval: 1m 21 | timeout: 5m 22 | -------------------------------------------------------------------------------- /.archive/ai/openwebui/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./pvc.yaml 8 | 
-------------------------------------------------------------------------------- /.archive/ai/openwebui/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: openwebui 6 | spec: 7 | accessModes: ["ReadWriteMany"] 8 | resources: 9 | requests: 10 | storage: 51Gi 11 | storageClassName: nfs-csi-sc 12 | -------------------------------------------------------------------------------- /.archive/ai/openwebui/ks.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 2 | --- 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app openwebui 7 | namespace: &namespace ai 8 | spec: 9 | targetNamespace: *namespace 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | path: ./kubernetes/apps/ai/openwebui/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | wait: false 20 | interval: 30m 21 | retryInterval: 1m 22 | timeout: 5m 23 | postBuild: 24 | substitute: 25 | APP: *app 26 | -------------------------------------------------------------------------------- /.archive/atuin/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./pvc.yaml 8 | -------------------------------------------------------------------------------- /.archive/atuin/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: atuin 6 | spec: 7 | 
accessModes: ["ReadWriteMany"] 8 | resources: 9 | requests: 10 | storage: 1Gi 11 | storageClassName: nfs-csi-sc 12 | -------------------------------------------------------------------------------- /.archive/atuin/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app atuin 7 | namespace: &namespace selfhosted 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | dependsOn: 13 | - name: volsync 14 | namespace: volsync-system 15 | interval: 30m 16 | path: ./kubernetes/apps/selfhosted/atuin/app 17 | postBuild: 18 | substitute: 19 | APP: *app 20 | prune: true 21 | sourceRef: 22 | kind: GitRepository 23 | name: flux-system 24 | namespace: flux-system 25 | targetNamespace: *namespace 26 | timeout: 5m 27 | wait: false 28 | -------------------------------------------------------------------------------- /.archive/dependency-track/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: dependency-track 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: dependency-track 12 | version: 0.26.0 13 | sourceRef: 14 | kind: HelmRepository 15 | name: dependency-track 16 | namespace: flux-system 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | strategy: rollback 24 | retries: 3 25 | values: 26 | apiServer: 27 | resources: 28 | requests: 29 | cpu: "500m" 30 | memory: 4.5Gi 31 | limits: 32 | cpu: "2" 33 | memory: 5Gi 34 | 35 | frontend: 36 | resources: 37 | requests: 38 | 
cpu: "50m" 39 | memory: "32Mi" 40 | limits: 41 | cpu: "200m" 42 | memory: "64Mi" 43 | 44 | ingress: 45 | enabled: true 46 | hostname: depcheck.altena.io 47 | ingressClassName: internal 48 | -------------------------------------------------------------------------------- /.archive/dependency-track/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /.archive/dependency-track/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app dependency-track 7 | namespace: &namespace security 8 | spec: 9 | targetNamespace: *namespace 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | path: ./kubernetes/apps/security/dependency-track/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | wait: false 20 | interval: 30m 21 | retryInterval: 1m 22 | timeout: 5m 23 | -------------------------------------------------------------------------------- /.archive/dragonfly/cluster/cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/dragonflydb.io/dragonfly_v1alpha1.json 3 | apiVersion: dragonflydb.io/v1alpha1 4 | kind: Dragonfly 5 | metadata: 6 | name: dragonfly 7 | spec: 8 | image: ghcr.io/dragonflydb/dragonfly:v1.29.0 9 | replicas: 3 10 | env: 11 | - name: MAX_MEMORY 12 | valueFrom: 13 | 
resourceFieldRef: 14 | resource: limits.memory 15 | divisor: 1Mi 16 | args: 17 | - --maxmemory=$(MAX_MEMORY)Mi 18 | - --proactor_threads=2 19 | - --cluster_mode=emulated 20 | resources: 21 | requests: 22 | cpu: 100m 23 | limits: 24 | memory: 512Mi 25 | -------------------------------------------------------------------------------- /.archive/dragonfly/cluster/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./cluster.yaml 7 | - ./pod-monitor.yaml 8 | -------------------------------------------------------------------------------- /.archive/dragonfly/cluster/pod-monitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kube-schemas.pages.dev/monitoring.coreos.com/podmonitor_v1.json 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: PodMonitor 5 | metadata: 6 | name: dragonfly 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: dragonfly 11 | podTargetLabels: ["app"] 12 | podMetricsEndpoints: 13 | - port: admin 14 | fallbackScrapeProtocol: PrometheusText0.0.4 15 | -------------------------------------------------------------------------------- /.archive/gateway-api/gateway-api-crds/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | resources: 3 | - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/experimental-install.yaml 4 | -------------------------------------------------------------------------------- /.archive/gateway-api/gateways/internal/http-redirect.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: gateway.networking.k8s.io/v1 3 | kind: HTTPRoute 4 | metadata: 5 | name: http-https-redirect 6 | 
namespace: network 7 | spec: 8 | parentRefs: 9 | - name: internal-gateway 10 | sectionName: http-redirect 11 | rules: 12 | - filters: 13 | - type: RequestRedirect 14 | requestRedirect: 15 | scheme: https 16 | statusCode: 301 17 | -------------------------------------------------------------------------------- /.archive/gateway-api/gateways/internal/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | resources: 3 | - ./http-redirect.yaml 4 | - ./internal-gateway.yaml 5 | -------------------------------------------------------------------------------- /.archive/gateway-api/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app gateway-api-crd 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: kube-system 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | dependsOn: 13 | - name: cilium 14 | namespace: kube-system 15 | path: ./kubernetes/apps/network/gateway-api/gateway-api-crds 16 | prune: false # never should be deleted 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | wait: false 22 | interval: 30m 23 | retryInterval: 1m 24 | timeout: 5m 25 | --- 26 | apiVersion: kustomize.toolkit.fluxcd.io/v1 27 | kind: Kustomization 28 | metadata: 29 | name: &app gateway-api-internal-gateway 30 | namespace: flux-system 31 | spec: 32 | targetNamespace: network 33 | commonMetadata: 34 | labels: 35 | app.kubernetes.io/name: *app 36 | dependsOn: 37 | - name: cilium 38 | namespace: kube-system 39 | - name: gateway-api-crd 40 | path: ./kubernetes/apps/network/gateway-api/gateways/internal 41 | prune: false # never should be deleted 42 | sourceRef: 43 | kind: GitRepository 44 | name: flux-system 45 | namespace: flux-system 46 | wait: false 47 | interval: 30m 48 | retryInterval: 1m 49 | timeout: 5m 50 | 
-------------------------------------------------------------------------------- /.archive/intel-device-plugin-operator/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: intel-device-plugin-operator 7 | spec: 8 | interval: 1h 9 | chart: 10 | spec: 11 | chart: intel-device-plugins-operator 12 | version: 0.32.1 13 | sourceRef: 14 | kind: HelmRepository 15 | name: intel 16 | namespace: flux-system 17 | install: 18 | crds: CreateReplace 19 | remediation: 20 | retries: 3 21 | upgrade: 22 | cleanupOnFail: true 23 | crds: CreateReplace 24 | remediation: 25 | strategy: rollback 26 | retries: 3 27 | values: 28 | manager: 29 | devices: 30 | gpu: true 31 | -------------------------------------------------------------------------------- /.archive/intel-device-plugin-operator/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /.archive/intel-device-plugin-operator/gpu/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: intel-device-plugin-gpu 7 | spec: 8 | interval: 1h 9 | chart: 10 | spec: 11 | chart: intel-device-plugins-gpu 12 | version: 0.32.1 13 | sourceRef: 14 | kind: HelmRepository 15 | name: intel 16 | namespace: flux-system 
17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | strategy: rollback 24 | retries: 3 25 | values: 26 | name: i915 27 | nodeFeatureRule: false 28 | sharedDevNum: 99 29 | -------------------------------------------------------------------------------- /.archive/intel-device-plugin-operator/gpu/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /.archive/wekan/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: wekan-env 6 | namespace: apps 7 | spec: 8 | refreshInterval: 1h 9 | secretStoreRef: 10 | name: onepassword-connect 11 | kind: ClusterSecretStore 12 | target: 13 | name: wekan-env 14 | creationPolicy: Owner 15 | data: 16 | - secretKey: MONGO_URL 17 | remoteRef: 18 | key: wekan 19 | property: MONGO_URL 20 | - secretKey: MONGO_INITDB_ROOT_PASSWORD 21 | remoteRef: 22 | key: wekan 23 | property: MONGO_INITDB_ROOT_PASSWORD 24 | - secretKey: MONGO_INITDB_ROOT_USERNAME 25 | remoteRef: 26 | key: wekan 27 | property: MONGO_INITDB_ROOT_USERNAME 28 | - secretKey: MONGO_INITDB_DATABASE 29 | remoteRef: 30 | key: wekan 31 | property: MONGO_INITDB_DATABASE 32 | -------------------------------------------------------------------------------- /.archive/wekan/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | bases: 5 | - ./externalsecret.yaml 6 | - ./helmrelease.yaml 7 | - ./pvc.yaml 8 | 
-------------------------------------------------------------------------------- /.archive/wekan/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Separate PVC manifest 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: wekan 7 | spec: 8 | accessModes: ["ReadWriteMany"] 9 | resources: 10 | requests: 11 | storage: 20Gi 12 | storageClassName: nfs-csi-sc 13 | -------------------------------------------------------------------------------- /.archive/wekan/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &appname wekan 7 | namespace: &namespace selfhosted 8 | spec: 9 | targetNamespace: *namespace 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *appname 13 | interval: 30m 14 | timeout: 5m 15 | path: "./kubernetes/apps/selfhosted/wekan/app" 16 | prune: true 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | wait: false 22 | dependsOn: 23 | - name: external-secrets-stores 24 | namespace: security 25 | postBuild: 26 | substitute: 27 | APP: *appname 28 | APP_UID: "1000" 29 | APP_GID: "1000" 30 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | # editorconfig.org 2 | root = true 3 | 4 | [*] 5 | indent_style = space 6 | indent_size = 2 7 | end_of_line = lf 8 | charset = utf-8 9 | trim_trailing_whitespace = true 10 | insert_final_newline = true 11 | 12 | [*.{bash,py,sh}] 13 | indent_style = space 14 | indent_size = 4 15 | -------------------------------------------------------------------------------- /.gitattributes: 
-------------------------------------------------------------------------------- 1 | * text=auto eol=lf 2 | *.yaml.j2 linguist-language=YAML 3 | *.sops.* diff=sopsdiffer 4 | -------------------------------------------------------------------------------- /.github/labeler.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | area/bootstrap: 3 | - changed-files: 4 | - any-glob-to-any-file: bootstrap/**/* 5 | area/github: 6 | - changed-files: 7 | - any-glob-to-any-file: .github/**/* 8 | area/kubernetes: 9 | - changed-files: 10 | - any-glob-to-any-file: kubernetes/**/* 11 | area/taskfile: 12 | - changed-files: 13 | - any-glob-to-any-file: .taskfiles/**/* 14 | - any-glob-to-any-file: Taskfile* 15 | -------------------------------------------------------------------------------- /.github/labels.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Area 3 | - { name: "area/bootstrap", color: "0e8a16" } 4 | - { name: "area/github", color: "0e8a16" } 5 | - { name: "area/kubernetes", color: "0e8a16" } 6 | - { name: "area/taskfile", color: "0e8a16" } 7 | # Distro 8 | - { name: "distro/talos", color: "ffc300" } 9 | # Renovate 10 | - { name: "renovate/container", color: "027fa0" } 11 | - { name: "renovate/github-action", color: "027fa0" } 12 | - { name: "renovate/github-release", color: "027fa0" } 13 | - { name: "renovate/helm", color: "027fa0" } 14 | # Semantic Type 15 | - { name: "type/patch", color: "ffec19" } 16 | - { name: "type/minor", color: "ff9800" } 17 | - { name: "type/major", color: "f6412d" } 18 | - { name: "type/break", color: "f6412d" } 19 | # Uncategorized 20 | - { name: "hold/upstream", color: "ee0701" } 21 | -------------------------------------------------------------------------------- /.github/release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | changelog: 3 | exclude: 4 | authors: 5 | - renovate 6 | 
--------------------------------------------------------------------------------
/.github/workflows/label-sync.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: "Label Sync"

on:
  workflow_dispatch:
  push:
    branches: ["main"]
    paths: [".github/labels.yaml"]

jobs:
  label-sync:
    name: Label Sync
    runs-on: ubuntu-latest
    # NOTE(review): no `permissions:` block, so this job runs with the
    # repository's default GITHUB_TOKEN scope. Label management presumably
    # needs only `issues: write`; declaring that explicitly keeps the token
    # minimal (labeler.yaml below already does this).
    steps:
      - name: Checkout
        # Mutable major-version tags (@v4 here, @v2 below, @v5 in labeler.yaml)
        # can be moved upstream; pinning to a full commit SHA makes the action
        # immutable and is the usual supply-chain hardening for workflows.
        uses: actions/checkout@v4

      - name: Sync Labels
        uses: EndBug/label-sync@v2
        with:
          config-file: .github/labels.yaml
          # Destructive: every label not listed in labels.yaml is deleted from
          # the repository on each run, not only the ones managed here.
          delete-other-labels: true
--------------------------------------------------------------------------------
/.github/workflows/labeler.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: "Labeler"

on:
  workflow_dispatch:
  # pull_request_target runs in the context of the base branch with a token
  # that can write to the repository, also for pull requests from forks.
  # That is safe here only because no step checks out or executes the PR's
  # code; keep it that way if steps are added.
  pull_request_target:
    branches: ["main"]

jobs:
  labeler:
    name: Labeler
    runs-on: ubuntu-latest
    # Least-privilege token: read the repo, write PR labels only.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Labeler
        uses: actions/labeler@v5
        with:
          configuration-path: .github/labeler.yaml
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Trash
.DS_Store
.venv
Thumbs.db
# k8s
# Cluster credentials and decrypted working copies must never be committed;
# `*.key` also covers the age identity (age.key) that .sops.yaml points at.
kubeconfig
kubeconfig.yaml
talosconfig
.decrypted~*.yaml
*.agekey
*.pub
*.key
# Private
.private
.bin
# Taskfile
.task
# Brew
Brewfile.lock.json
--------------------------------------------------------------------------------
/.minijinja.toml:
--------------------------------------------------------------------------------
autoescape = "none"
newline = true
trim-blocks = true
lstrip-blocks = true
env = true
--------------------------------------------------------------------------------
/.mise.toml:
--------------------------------------------------------------------------------
[env]
KUBERNETES_DIR = '{{config_root}}/kubernetes'
KUBECONFIG = '{{config_root}}/kubernetes/kubeconfig'
MINIJINJA_CONFIG_FILE = '{{config_root}}/.minijinja.toml'
TALOSCONFIG = '{{config_root}}/kubernetes/talos/clusterconfig/talosconfig'
--------------------------------------------------------------------------------
/.python-version:
--------------------------------------------------------------------------------
3.13.4
--------------------------------------------------------------------------------
/.sops.yaml:
--------------------------------------------------------------------------------
---
age:
  # NOTE(review): machine-specific absolute path; it will not resolve for any
  # other contributor or in CI. sops itself locates the identity through the
  # SOPS_AGE_KEY_FILE environment variable, so confirm which tool reads this.
  key_file: /Users/fleurplanje/git/homelab/age.key
creation_rules:
  - # IMPORTANT: This rule MUST be above the others
    # sops applies the first creation_rule whose path_regex matches; the
    # broader kubernetes/ rule below would otherwise win for Talos files.
    # No encrypted_regex here, so the whole Talos document is encrypted
    # (the talsecret bundle presumably carries key material outside
    # data/stringData).
    path_regex: kubernetes/talos/.*\.sops\.ya?ml
    key_groups:
      - age:
          # Single recipient: losing this identity means losing access to
          # every secret in the repo. A second (offline backup) recipient is
          # the usual safeguard.
          - "age1yrzd67uvapjjawwjgfc7drkyu8pk2m800w4knjzrg69jxkm0afcqnr9qfz"
  - path_regex: kubernetes/.*\.sops\.ya?ml
    # Only Secret payload fields are encrypted; apiVersion/kind/metadata stay
    # readable so Flux and kustomize can still identify the resource.
    encrypted_regex: "^(data|stringData)$"
    key_groups:
      - age:
          - "age1yrzd67uvapjjawwjgfc7drkyu8pk2m800w4knjzrg69jxkm0afcqnr9qfz"
--------------------------------------------------------------------------------
/.taskfiles/Kubernetes/Taskfile.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
version: '3'

tasks:

  cleanup-pods:
    desc: Clean up pods with a Failed/Pending/Succeeded phase
    preconditions:
      - which kubectl
    cmds:
      - for:
          matrix:
            PHASE:
              - Failed
              - Pending
              - Succeeded
        # Runs once per PHASE across all namespaces (-A). Pending pods are
        # deleted too, so a pod merely waiting for scheduling is removed.
        cmd: kubectl delete pods --field-selector status.phase={{.ITEM.PHASE}} -A --ignore-not-found=true

  sync-externalsecrets:
    desc: Force sync all ExternalSecret resources
    preconditions:
      - which kubectl
    vars:
      SECRETS:
        # One "namespace,name" pair per line for every ExternalSecret in the cluster.
        sh: kubectl get externalsecret --all-namespaces --no-headers --output=jsonpath='{range .items[*]}{.metadata.namespace},{.metadata.name}{"\n"}{end}'
    cmds:
      - for:
          var: SECRETS
          split: "\n"
        # The force-sync annotation only has to change to trigger a refresh;
        # the current epoch guarantees a new value on every run.
        cmd: kubectl --namespace {{splitList "," .ITEM | first}} annotate externalsecret {{splitList "," .ITEM | last}} force-sync="{{now | unixEpoch}}" --overwrite
--------------------------------------------------------------------------------
/.taskfiles/Sops/Taskfile.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
version: "3"

tasks:

  encrypt:
    desc: Encrypt all Kubernetes SOPS secrets
    cmds:
      - for: { var: file }
        task: .encrypt-file
        vars:
          file: "{{.ITEM}}"
    vars:
      file:
        # `grep -L` lists the *.sops.* files that do NOT yet contain sops
        # ciphertext, i.e. plaintext secrets still waiting to be encrypted.
        sh: find "{{.KUBERNETES_DIR}}" -type f -name "*.sops.*" -exec grep -L "ENC\[AES256_GCM" {} \;

  .encrypt-file:
    internal: true
    # {{.file}} is unquoted: a path containing whitespace would be split.
    cmd: sops --encrypt --in-place {{.file}}
    requires:
      vars: ["file"]
    preconditions:
      # NOTE(review): SOPS_CONFIG_FILE and AGE_FILE are not defined in the
      # root Taskfile.yaml vars/env; if they render empty both checks fail.
      # Confirm where they are set.
      - msg: Missing Sops config file
        sh: test -f {{.SOPS_CONFIG_FILE}}
      - msg: Missing Sops Age key file
        sh: test -f {{.AGE_FILE}}

  .reset:
    internal: true
    # Removes a single file, so `rm -f` would suffice; `-r` on a templated
    # path is unnecessary blast radius if the variable ever names a directory.
    cmd: rm -rf {{.SOPS_CONFIG_FILE}}
--------------------------------------------------------------------------------
/.vscode/extensions.json:
--------------------------------------------------------------------------------
{
  "recommendations": [
    "albert.TabOut",
    "britesnow.vscode-toggle-quotes",
    "fcrespo82.markdown-table-formatter",
    "mikestead.dotenv",
    "mitchdenny.ecdc",
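"signageos.signageos-vscode-sops",
    "will-stone.in-any-case",
    "EditorConfig.editorconfig",
    "PKief.material-icon-theme",
    "Gruntfuggly.todo-tree"
  ]
}
--------------------------------------------------------------------------------
/.vscode/settings.json:
--------------------------------------------------------------------------------
{
  "files.associations": {
    "*.json5": "jsonc",
    "./kubernetes/**/*.sops.toml": "plaintext"
  },
  "sops.defaults.ageKeyFile": "age.key",
  "yaml.schemas": {
    "Kubernetes": "./kubernetes/*.yaml"
  },
}
--------------------------------------------------------------------------------
/.yamllint.yaml:
--------------------------------------------------------------------------------
---
ignore: |
  .vscode/
  *.sops.*
  .github/labels.yaml
  kubernetes/talos/clusterconfig/*

extends: default

rules:
  truthy:
    allowed-values: ["true", "false", "on"]

  comments:
    min-spaces-from-content: 1

  line-length: disable

  braces:
    min-spaces-inside: 0
    max-spaces-inside: 1

  brackets:
    min-spaces-inside: 0
    max-spaces-inside: 0

  indentation: enable
--------------------------------------------------------------------------------
/Taskfile.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
version: "3"

set:
  - pipefail
shopt:
  - globstar

# Include paths must match the on-disk directory names exactly: the taskfile
# directories are .taskfiles/Kubernetes, .taskfiles/Sops and .taskfiles/Talos
# (capitalised). The previous lowercase paths only resolved on a
# case-insensitive filesystem (macOS default) and fail on Linux or in CI.
includes:
  flux: .taskfiles/flux/Taskfile.yaml
  kubernetes: .taskfiles/Kubernetes/Taskfile.yaml
  bootstrap: .taskfiles/bootstrap/Taskfile.yaml
  sops: .taskfiles/Sops/Taskfile.yaml
  talos: .taskfiles/Talos/Taskfile.yaml

vars:
  BOOTSTRAP_DIR: "{{.ROOT_DIR}}/kubernetes/bootstrap"
  KUBERNETES_DIR: "{{.ROOT_DIR}}/kubernetes"
  TALOSCONFIG: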
"{{.KUBERNETES_DIR}}/talos/clusterconfig/talosconfig" 21 | TALHELPER_CLUSTER_DIR: '{{.KUBERNETES_DIR}}/talos/clusterconfig' 22 | TALHELPER_SECRET_FILE: '{{.KUBERNETES_DIR}}/talos/talsecret.sops.yaml' 23 | TALHELPER_CONFIG_FILE: '{{.KUBERNETES_DIR}}/talos/talconfig.yaml' 24 | 25 | env: 26 | KUBECONFIG: "{{.KUBECONFIG}}" 27 | TALOSCONFIG: "{{.TALOSCONFIG}}" 28 | MINIJINJA_CONFIG_FILE: "{{.ROOT_DIR}}/.minijinja.toml" 29 | 30 | tasks: 31 | default: 32 | silent: true 33 | cmd: task --list 34 | 35 | noop: 36 | internal: true 37 | silent: true 38 | cmd: noop() { :; } 39 | -------------------------------------------------------------------------------- /docs/assets/kubernetes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/davealtena/homelab/b38448987788805e9bbf15e52bf027e17ba5cc16/docs/assets/kubernetes.png -------------------------------------------------------------------------------- /docs/bootstrap.md: -------------------------------------------------------------------------------- 1 | # Bootstrapping a new cluster 2 | 3 | A new cluster is currently bootstrapped with Taskfile tasks; the steps are defined in [.taskfiles/bootstrap](https://github.com/davealtena/homelab/tree/main/.taskfiles/bootstrap). 4 | 5 | -------------------------------------------------------------------------------- /docs/observability.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | 3 | I have installed most components of the Prometheus/Grafana stack for observability. 4 | 5 | ## Grafana 6 | Open Source Monitoring 7 | 8 | ## kube-prometheus-stack 9 | 10 | ## node-exporter 11 | Prometheus exporter for hardware and OS metrics exposed by *NIX kernels, written in Go with pluggable metric collectors.
12 | -------------------------------------------------------------------------------- /kubernetes/apps/actions-runner-system/actions-runner-controller/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: actions-runner-controller 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: actions-runner-controller-secret 13 | template: 14 | data: 15 | ACTION_RUNNER_CONTROLLER_GITHUB_APP_ID: |- 16 | {{ .ACTION_RUNNER_CONTROLLER_GITHUB_APP_ID }} 17 | ACTION_RUNNER_CONTROLLER_GITHUB_INSTALLATION_ID: |- 18 | {{ .ACTION_RUNNER_CONTROLLER_GITHUB_INSTALLATION_ID }} 19 | ACTION_RUNNER_CONTROLLER_GITHUB_PRIVATE_KEY: |- 20 | {{ .ACTION_RUNNER_CONTROLLER_GITHUB_PRIVATE_KEY }} 21 | dataFrom: 22 | - extract: 23 | key: actions-runner-controller 24 | -------------------------------------------------------------------------------- /kubernetes/apps/actions-runner-system/actions-runner-controller/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: gha-runner-scale-set-controller 7 | spec: 8 | interval: 5m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 0.11.0 14 | url: oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller 15 | --- 16 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 17 | apiVersion: helm.toolkit.fluxcd.io/v2 
kind: HelmRelease
metadata:
  name: &name actions-runner-controller
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: gha-runner-scale-set-controller
  install:
    # CRDs are installed/upgraded together with the chart.
    crds: CreateReplace
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    crds: CreateReplace
    remediation:
      strategy: rollback
      retries: 3
  values:
    fullnameOverride: *name
    replicaCount: 1
--------------------------------------------------------------------------------
/kubernetes/apps/actions-runner-system/actions-runner-controller/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/actions-runner-system/actions-runner-controller/runners/homelab/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./rbac.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/actions-runner-system/actions-runner-controller/runners/homelab/rbac.yaml:
--------------------------------------------------------------------------------
---
# Identity used by the self-hosted GitHub Actions runner pods.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: homelab-runner
---
# NOTE(review): this binds the runner's ServiceAccount to the built-in
# cluster-admin ClusterRole, i.e. unrestricted access to every API group and
# namespace. A self-hosted runner executes whatever job steps it is handed, so
# every workflow (and every action it pulls in) that lands on this runner
# inherits that power. Prefer a purpose-built ClusterRole/Role limited to the
# verbs the CI jobs actually need, and make sure only trusted workflows from
# this repository can be scheduled onto the runner. Audit-log queries for this
# subject are a cheap way to find out what it really uses.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: homelab-runner
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: homelab-runner
    # Must match the namespace the ServiceAccount above is actually created in
    # (presumably actions-runner-system via the Flux Kustomization's
    # targetNamespace); a mismatch silently binds a non-existent SA.
    namespace: actions-runner-system
---
# Talos API access for the same runner. os:admin is the highest Talos role
# (machine reset, reboot, config changes); combined with the cluster-admin
# binding above the runner effectively owns the nodes as well. If the CI only
# needs to read machine state, os:reader is the narrower choice.
apiVersion: talos.dev/v1alpha1
kind: ServiceAccount
metadata:
  name: homelab-runner
spec:
  roles: ["os:admin"]
--------------------------------------------------------------------------------
/kubernetes/apps/actions-runner-system/actions-runner-controller/runners/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./homelab
--------------------------------------------------------------------------------
/kubernetes/apps/actions-runner-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: actions-runner-system
resources:
  - ./actions-runner-controller/ks.yaml
components:
  - ../../components/common
--------------------------------------------------------------------------------
/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: cert-manager
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    # A tag pins the chart version but tags are mutable in a registry; add
    # ref.digest alongside if an immutable pin is wanted.
    tag: v1.17.2
  url: oci://quay.io/jetstack/charts/cert-manager
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: cert-manager
spec:
  interval: 1h
  chartRef:
    kind:
OCIRepository 24 | name: cert-manager 25 | install: 26 | remediation: 27 | retries: 3 28 | upgrade: 29 | cleanupOnFail: true 30 | remediation: 31 | retries: 3 32 | valuesFrom: 33 | - kind: ConfigMap 34 | name: cert-manager-helm-values 35 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./prometheusrule.yaml 7 | configMapGenerator: 8 | - name: cert-manager-helm-values 9 | files: 10 | - values.yaml=./values.yaml 11 | configurations: 12 | - kustomizeconfig.yaml 13 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/app/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | installCRDs: true 3 | dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query 4 | dns01RecursiveNameserversOnly: true 5 | prometheus: 6 | enabled: true 7 | servicemonitor: 8 | enabled: true 9 | config: 10 | apiVersion: controller.config.cert-manager.io/v1alpha1 11 | kind: ControllerConfiguration 12 | enableGatewayAPI: true 13 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/issuers/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # 
yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: &name cloudflare-secret 7 | spec: 8 | refreshInterval: 1m 9 | secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: onepassword-connect 12 | target: 13 | name: *name 14 | template: 15 | engineVersion: v2 16 | data: 17 | CLOUDFLARE_API_TOKEN: "{{ .CLOUDFLARE_API_TOKEN }}" 18 | dataFrom: 19 | - extract: 20 | key: cloudflare 21 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/issuers/issuers.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cert-manager.io/clusterissuer_v1.json 3 | apiVersion: cert-manager.io/v1 4 | kind: ClusterIssuer 5 | metadata: 6 | name: letsencrypt-production 7 | spec: 8 | acme: 9 | server: https://acme-v02.api.letsencrypt.org/directory 10 | email: dave@altena.io 11 | privateKeySecretRef: 12 | name: letsencrypt-production 13 | solvers: 14 | - dns01: 15 | cloudflare: 16 | email: dave@altena.io 17 | apiTokenSecretRef: 18 | name: cloudflare-secret 19 | key: CLOUDFLARE_API_TOKEN 20 | selector: 21 | dnsZones: ["altena.io"] 22 | --- 23 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cert-manager.io/clusterissuer_v1.json 24 | apiVersion: cert-manager.io/v1 25 | kind: ClusterIssuer 26 | metadata: 27 | name: letsencrypt-staging 28 | spec: 29 | acme: 30 | server: https://acme-staging-v02.api.letsencrypt.org/directory 31 | email: dave@altena.io 32 | privateKeySecretRef: 33 | name: letsencrypt-staging 34 | solvers: 35 | - dns01: 36 | cloudflare: 37 | email: dave@altena.io 38 | apiTokenSecretRef: 39 | name: cloudflare-secret 40 | key: CLOUDFLARE_API_TOKEN 41 | selector: 42 | dnsZones: ["altena.io"] 43 | 
-------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./issuers.yaml 7 | - ./externalsecret.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/cert-manager/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app cert-manager 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: cert-manager 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | path: ./kubernetes/apps/cert-manager/cert-manager/app 13 | prune: true 14 | sourceRef: 15 | kind: GitRepository 16 | name: flux-system 17 | namespace: flux-system 18 | wait: true 19 | interval: 30m 20 | retryInterval: 1m 21 | timeout: 5m 22 | --- 23 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 24 | apiVersion: kustomize.toolkit.fluxcd.io/v1 25 | kind: Kustomization 26 | metadata: 27 | name: &app cert-manager-issuers 28 | namespace: flux-system 29 | spec: 30 | targetNamespace: cert-manager 31 | commonMetadata: 32 | labels: 33 | app.kubernetes.io/name: *app 34 | dependsOn: 35 | - name: cert-manager 36 | - name: external-secrets-stores 37 | namespace: security 38 | path: ./kubernetes/apps/cert-manager/cert-manager/issuers 39 | prune: true 40 | sourceRef: 41 | kind: GitRepository 42 | name: flux-system 43 | namespace: flux-system 44 | wait: true 45 | interval: 30m 46 | retryInterval: 1m 47 | timeout: 5m 48 | 
-------------------------------------------------------------------------------- /kubernetes/apps/cert-manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: cert-manager 5 | resources: 6 | - ./cert-manager/ks.yaml 7 | components: 8 | - ../../components/common 9 | -------------------------------------------------------------------------------- /kubernetes/apps/databases/cnpg-operator/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: cnpg 6 | spec: 7 | interval: 1h 8 | driftDetection: 9 | mode: enabled 10 | chart: 11 | # No OCI repo available, yet. 12 | spec: 13 | chart: cloudnative-pg 14 | version: 0.23.0 15 | sourceRef: 16 | kind: HelmRepository 17 | namespace: flux-system 18 | name: cnpg 19 | interval: 1h 20 | install: 21 | crds: Create 22 | upgrade: 23 | crds: CreateReplace 24 | values: 25 | -------------------------------------------------------------------------------- /kubernetes/apps/databases/cnpg-operator/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | resources: 3 | - helmrelease.yaml 4 | -------------------------------------------------------------------------------- /kubernetes/apps/databases/cnpg-operator/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: cnpg-operator 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: databases 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: cloudnative-pg 12 | path: ./kubernetes/apps/databases/cnpg-operator/app 13 | prune: true 14 | sourceRef: 15 | kind: GitRepository 16 | name: flux-system 17 | 
namespace: flux-system 18 | wait: false 19 | interval: 30m 20 | retryInterval: 1m 21 | timeout: 5m 22 | -------------------------------------------------------------------------------- /kubernetes/apps/databases/dragonfly/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &appname dragonfly-operator 7 | namespace: &namespace databases 8 | spec: 9 | targetNamespace: *namespace 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *appname 13 | interval: 30m 14 | timeout: 5m 15 | path: ./kubernetes/apps/databases/dragonfly/operator 16 | prune: true 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | wait: true 22 | dependsOn: 23 | - name: cert-manager 24 | namespace: cert-manager 25 | -------------------------------------------------------------------------------- /kubernetes/apps/databases/dragonfly/operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | # renovate: datasource=github-releases depName=dragonflydb/dragonfly-operator 7 | - https://raw.githubusercontent.com/dragonflydb/dragonfly-operator/v1.1.11/manifests/crd.yaml 8 | - ./helmrelease.yaml 9 | - ./rbac.yaml 10 | -------------------------------------------------------------------------------- /kubernetes/apps/databases/dragonfly/operator/rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: dragonfly-operator 6 | 
rules: 7 | - apiGroups: ["coordination.k8s.io"] 8 | resources: ["leases"] 9 | verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] 10 | - apiGroups: [""] 11 | resources: ["events"] 12 | verbs: ["create", "patch"] 13 | - apiGroups: [""] 14 | resources: ["pods", "services"] 15 | verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] 16 | - apiGroups: ["apps"] 17 | resources: ["statefulsets"] 18 | verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] 19 | - apiGroups: ["dragonflydb.io"] 20 | resources: ["dragonflies"] 21 | verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] 22 | - apiGroups: ["dragonflydb.io"] 23 | resources: ["dragonflies/finalizers"] 24 | verbs: ["update"] 25 | - apiGroups: ["dragonflydb.io"] 26 | resources: ["dragonflies/status"] 27 | verbs: ["get", "patch", "update"] 28 | --- 29 | apiVersion: rbac.authorization.k8s.io/v1 30 | kind: ClusterRoleBinding 31 | metadata: 32 | name: dragonfly-operator 33 | roleRef: 34 | apiGroup: rbac.authorization.k8s.io 35 | kind: ClusterRole 36 | name: dragonfly-operator 37 | subjects: 38 | - kind: ServiceAccount 39 | name: dragonfly-operator 40 | namespace: databases 41 | -------------------------------------------------------------------------------- /kubernetes/apps/databases/emqx/cluster/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./cluster.yaml 7 | - ./route.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/databases/emqx/cluster/route.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: gateway.networking.k8s.io/v1beta1 3 | kind: HTTPRoute 4 | metadata: 5 | name: emqx-dashboard 6 | spec: 7 | 
parentRefs: 8 | - name: internal 9 | kind: Gateway 10 | group: gateway.networking.k8s.io 11 | hostnames: 12 | - "emqx.altena.io" 13 | rules: 14 | - matches: 15 | - path: 16 | type: PathPrefix 17 | value: / 18 | backendRefs: 19 | - name: emqx-dashboard 20 | kind: Service 21 | port: 18083 22 | -------------------------------------------------------------------------------- /kubernetes/apps/databases/emqx/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &appname emqx-operator 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: databases 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *appname 13 | interval: 30m 14 | timeout: 5m 15 | path: ./kubernetes/apps/databases/emqx/operator 16 | prune: true 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | wait: true 22 | dependsOn: 23 | - name: cert-manager 24 | namespace: cert-manager 25 | --- 26 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 27 | apiVersion: kustomize.toolkit.fluxcd.io/v1 28 | kind: Kustomization 29 | metadata: 30 | name: &appname emqx-cluster 31 | namespace: flux-system 32 | spec: 33 | targetNamespace: databases 34 | commonMetadata: 35 | labels: 36 | app.kubernetes.io/name: *appname 37 | interval: 30m 38 | timeout: 5m 39 | path: ./kubernetes/apps/databases/emqx/cluster 40 | prune: true 41 | sourceRef: 42 | kind: GitRepository 43 | name: flux-system 44 | namespace: flux-system 45 | wait: true 46 | dependsOn: 47 | - name: emqx-operator 48 | -------------------------------------------------------------------------------- /kubernetes/apps/databases/emqx/operator/helmrelease.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: emqx-operator 7 | spec: 8 | interval: 5m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 2.2.29 14 | url: oci://ghcr.io/home-operations/charts-mirror/emqx-operator 15 | --- 16 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json 17 | apiVersion: helm.toolkit.fluxcd.io/v2 18 | kind: HelmRelease 19 | metadata: 20 | name: emqx-operator 21 | spec: 22 | interval: 30m 23 | chartRef: 24 | kind: OCIRepository 25 | name: emqx-operator 26 | install: 27 | crds: CreateReplace 28 | upgrade: 29 | crds: CreateReplace 30 | values: 31 | fullnameOverride: emqx-operator 32 | image: 33 | repository: ghcr.io/emqx/emqx-operator 34 | -------------------------------------------------------------------------------- /kubernetes/apps/databases/emqx/operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./externalsecret.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/databases/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: databases 6 | resources: 7 | - ./cnpg-operator/ks.yaml 8 | - ./dragonfly/ks.yaml 
9 | - ./emqx/ks.yaml 10 | components: 11 | - ../../components/common 12 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/bazarr/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: bazarr 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: bazarr-secret 13 | template: 14 | engineVersion: v2 15 | data: 16 | PLEX_TOKEN: "{{ .PLEX_TOKEN }}" 17 | dataFrom: 18 | - extract: 19 | key: plex 20 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/bazarr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./pvc.yaml 8 | configMapGenerator: 9 | - name: bazarr-scripts 10 | files: 11 | - subcleaner.sh=./resources/subcleaner.sh 12 | generatorOptions: 13 | disableNameSuffixHash: true 14 | annotations: 15 | kustomize.toolkit.fluxcd.io/substitute: disabled 16 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/bazarr/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: bazarr 6 | spec: 7 | accessModes: ["ReadWriteMany"] 8 | resources: 9 | requests: 10 | storage: 10Gi 11 | storageClassName: nfs-csi-sc 12 | -------------------------------------------------------------------------------- 
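/kubernetes/apps/downloads/bazarr/app/resources/subcleaner.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Bazarr post-processing hook.
#
#   $1          path of the subtitle file Bazarr just downloaded
#   PLEX_TOKEN  Plex API token, injected from the bazarr-secret Secret
#
# Runs subcleaner on the file and, when the path belongs to a known library
# (movies -> Plex section 1, shows -> section 2), asks Plex to rescan the
# containing folder so the cleaned subtitle is picked up. Exits non-zero if
# subcleaner or the Plex call fails so the problem shows up in Bazarr's log
# instead of being swallowed.
set -uo pipefail

subtitle="${1:?usage: subcleaner.sh <subtitle-path>}"
rc=0

printf "Cleaning subtitles for '%s' ...\n" "${subtitle}"
python3 /add-ons/subcleaner/subcleaner.py "${subtitle}" -s || rc=$?

# Map the library path to a Plex section id; stays empty for other paths,
# in which case no refresh is attempted.
section=""
case "${subtitle}" in
  *movies*) section="1";;
  *shows*)  section="2";;
esac

if [[ -n "${section}" ]]; then
  if [[ -z "${PLEX_TOKEN:-}" ]]; then
    printf "PLEX_TOKEN is not set; skipping Plex refresh\n" >&2
    exit 1
  fi
  folder="$(dirname "${subtitle}")"
  printf "Refreshing Plex section '%s' for '%s' ...\n" "${section}" "${folder}"
  # The token is sent as the X-Plex-Token header rather than as a query
  # parameter so it does not end up in Plex / proxy access logs. --fail turns
  # a 401/404 from Plex into a non-zero exit instead of a quiet header dump.
  /usr/bin/curl --get --fail --silent --show-error \
    --header "X-Plex-Token: ${PLEX_TOKEN}" \
    --data-urlencode "path=${folder}" \
    --output /dev/null \
    "http://plex.default.svc.cluster.local:32400/library/sections/${section}/refresh" || rc=$?
fi

exit "${rc}"
--------------------------------------------------------------------------------
/kubernetes/apps/downloads/bazarr/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app bazarr
  namespace: flux-system
spec:
  targetNamespace: downloads
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: external-secrets-stores
      namespace: security
  path: ./kubernetes/apps/downloads/bazarr/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  postBuild:
    substitute:
      APP: *app
      VOLSYNC_CAPACITY: 5Gi
--------------------------------------------------------------------------------
/kubernetes/apps/downloads/cross-seed/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: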
$schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./externalsecret.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/cross-seed/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &appname cross-seed 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: downloads 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *appname 13 | interval: 30m 14 | timeout: 5m 15 | path: "./kubernetes/apps/downloads/cross-seed/app" 16 | prune: true 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | wait: false 22 | dependsOn: 23 | - name: external-secrets-stores 24 | namespace: security 25 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: downloads 6 | resources: 7 | - ./bazarr/ks.yaml 8 | - ./cross-seed/ks.yaml 9 | - ./prowlarr/ks.yaml 10 | - ./qbittorrent/ks.yaml 11 | - ./radarr/ks.yaml 12 | - ./recyclarr/ks.yaml 13 | - ./sabnzbd/ks.yaml 14 | - ./sonarr/ks.yaml 15 | components: 16 | - ../../components/common 17 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/prowlarr/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | 
--- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: prowlarr 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: prowlarr-secret 13 | template: 14 | engineVersion: v2 15 | data: 16 | api_key: "{{ .PROWLARR_API_KEY }}" 17 | dataFrom: 18 | - extract: 19 | key: prowlarr-secret 20 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/prowlarr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml 8 | - ./pvc.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/prowlarr/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: prowlarr 6 | spec: 7 | accessModes: ["ReadWriteMany"] 8 | resources: 9 | requests: 10 | storage: 15Gi 11 | storageClassName: nfs-csi-sc 12 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/prowlarr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &appname prowlarr 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: downloads 10 | commonMetadata: 11 | labels: 12 | 
app.kubernetes.io/name: *appname
  interval: 10m
  path: ./kubernetes/apps/downloads/prowlarr/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  dependsOn:
    - name: volsync
      namespace: volsync-system
    - name: external-secrets-stores
      namespace: security
  postBuild:
    substitute:
      APP: *appname
      APP_UID: "2000"
      APP_GID: "2000"
      VOLSYNC_CLAIM: prowlarr-config
--------------------------------------------------------------------------------
/kubernetes/apps/downloads/qbittorrent/app/config/dnsdist.conf:
--------------------------------------------------------------------------------
-- dnsdist resolver for the qBittorrent pod.
--
-- Listens on loopback only, so just the processes sharing this network
-- namespace (presumably the qBittorrent / gluetun containers of the pod)
-- can query it. cluster.local names are answered by cluster DNS; everything
-- else goes to Cloudflare over TLS so public lookups are not sent in
-- cleartext on the egress path.

-- udp/tcp dns listening (loopback only, so no ACL tuning is needed here)
setLocal("127.0.0.2:53", {})

-- K8S DNS: plain DNS to the cluster DNS service (no port given -> 53).
-- 10.96.0.10 is presumably the kube-dns/CoreDNS ClusterIP -- verify against
-- the cluster's service CIDR if in-pod resolution of cluster names breaks.
newServer({
  address = "10.96.0.10",
  pool = "k8s",
  healthCheckMode = "lazy",
  lazyHealthCheckMode = 'TimeoutOnly',
})

-- CloudFlare DNS over TLS. Certificate validation is on and the expected
-- subject is pinned to cloudflare-dns.com, so a resolver substituted on the
-- egress path is rejected rather than silently used.
newServer({
  address = "1.1.1.1:853",
  tls = "openssl",
  subjectName = "cloudflare-dns.com",
  validateCertificates = true,
  healthCheckMode = "lazy",
  lazyHealthCheckMode = 'TimeoutOnly',
})
newServer({
  address = "1.0.0.1:853",
  tls = "openssl",
  subjectName = "cloudflare-dns.com",
  validateCertificates = true,
  healthCheckMode = "lazy",
  lazyHealthCheckMode = 'TimeoutOnly',
})

-- Routing rules
-- Only names under the cluster.local suffix go to the k8s pool. Everything
-- else -- including reverse (in-addr.arpa) lookups and any other private
-- zone -- falls through to the default pool, i.e. Cloudflare. Add further
-- addAction(...) lines here if other internal zones must not leave the pod.
addAction('cluster.local', PoolAction('k8s'))
--------------------------------------------------------------------------------
/kubernetes/apps/downloads/qbittorrent/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name gluetun-secrets
spec:
  refreshInterval: 5m
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name:
*name 13 | creationPolicy: Owner 14 | data: 15 | - secretKey: WIREGUARD_ENDPOINT_IP 16 | remoteRef: 17 | key: *name 18 | property: WIREGUARD_ENDPOINT_IP 19 | - secretKey: WIREGUARD_PUBLIC_KEY 20 | remoteRef: 21 | key: *name 22 | property: WIREGUARD_PUBLIC_KEY 23 | - secretKey: WIREGUARD_PRIVATE_KEY 24 | remoteRef: 25 | key: *name 26 | property: WIREGUARD_PRIVATE_KEY 27 | - secretKey: WIREGUARD_ADDRESSES 28 | remoteRef: 29 | key: *name 30 | property: WIREGUARD_ADDRESSES 31 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/qbittorrent/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml 8 | - ./pvc.yaml 9 | configMapGenerator: 10 | - name: qbittorrent-dnsdist 11 | files: 12 | - ./config/dnsdist.conf 13 | generatorOptions: 14 | disableNameSuffixHash: true 15 | annotations: 16 | kustomize.toolkit.fluxcd.io/substitute: disabled 17 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/qbittorrent/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: qbittorrent 6 | spec: 7 | accessModes: ["ReadWriteMany"] 8 | resources: 9 | requests: 10 | storage: 75Gi 11 | storageClassName: nfs-csi-sc 12 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/qbittorrent/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: 
kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app qbittorrent 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: downloads 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | dependsOn: 14 | - name: external-secrets-stores 15 | namespace: security 16 | path: ./kubernetes/apps/downloads/qbittorrent/app 17 | prune: true 18 | sourceRef: 19 | kind: GitRepository 20 | name: flux-system 21 | namespace: flux-system 22 | wait: false 23 | interval: 30m 24 | retryInterval: 1m 25 | timeout: 5m 26 | postBuild: 27 | substitute: 28 | APP: *app 29 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/radarr/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: radarr 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: &name radarr-secret 13 | template: 14 | data: 15 | api_key: "{{ .RADARR_API_KEY }}" 16 | dataFrom: 17 | - extract: 18 | key: *name 19 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/radarr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml 8 | - ./pvc.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/radarr/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: radarr 6 | spec: 7 | accessModes: ["ReadWriteMany"] 8 | resources: 9 | requests: 10 | storage: 15Gi 11 | storageClassName: nfs-csi-sc 12 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/radarr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &appname radarr 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: downloads 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *appname 13 | interval: 10m 14 | path: ./kubernetes/apps/downloads/radarr/app 15 | prune: true 16 | sourceRef: 17 | kind: GitRepository 18 | name: flux-system 19 | namespace: flux-system 20 | wait: false 21 | dependsOn: 22 | - name: volsync 23 | namespace: volsync-system 24 | - name: external-secrets-stores 25 | namespace: security 26 | postBuild: 27 | substitute: 28 | APP: *appname 29 | VOLSYNC_CLAIM: radarr-config 30 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/recyclarr/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: recyclarr 7 | spec: 8 | refreshInterval: 5m 9 | secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: onepassword-connect 12 | target: 13 | name: recyclarr-secret 14 | creationPolicy: Owner 15 | data: 16 | - secretKey: RADARR_API_KEY 17 | remoteRef: 18 | key: radarr-secret 19 | property: RADARR_API_KEY 20 | - 
secretKey: SONARR_API_KEY
      remoteRef:
        key: sonarr-secret
        # NOTE(review): sonarr's own ExternalSecret templates
        # `{{ .SONARR_AUTH_APIKEY }}` out of this same 1Password item, while
        # recyclarr reads the `SONARR_API_KEY` property. Unless the item
        # deliberately carries both fields, one of the two consumers will not
        # get the key it expects -- confirm the property name and align it
        # with sonarr's.
        property: SONARR_API_KEY
--------------------------------------------------------------------------------
/kubernetes/apps/downloads/recyclarr/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./pvc.yaml
configMapGenerator:
  - name: recyclarr-configmap
    files:
      - config/recyclarr.yml
generatorOptions:
  disableNameSuffixHash: true
  annotations:
    # Flux post-build variable substitution is switched off for the generated
    # ConfigMap so any `${...}` sequences inside recyclarr.yml reach the app verbatim.
    kustomize.toolkit.fluxcd.io/substitute: disabled
--------------------------------------------------------------------------------
/kubernetes/apps/downloads/recyclarr/app/pvc.yaml:
--------------------------------------------------------------------------------
---
# Separate PVC manifest
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: recyclarr-config
  # Namespace is set explicitly here; the sibling PVCs rely on the Flux
  # Kustomization's targetNamespace instead. Both resolve to `downloads`.
  namespace: downloads
spec:
  accessModes: ["ReadWriteMany"]
  resources:
    requests:
      storage: 5Gi
  storageClassName: nfs-csi-sc
--------------------------------------------------------------------------------
/kubernetes/apps/downloads/recyclarr/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &appname recyclarr
  namespace: flux-system
spec:
  targetNamespace: downloads
  commonMetadata:
    labels:
      app.kubernetes.io/name: *appname
  interval: 30m
  timeout: 5m
  path: ./kubernetes/apps/downloads/recyclarr/app
prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  dependsOn:
    - name: volsync
      namespace: volsync-system
    - name: external-secrets-stores
      namespace: security
--------------------------------------------------------------------------------
/kubernetes/apps/downloads/sabnzbd/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: sabnzbd
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: sabnzbd-secret
    template:
      engineVersion: v2
      # With the default template mergePolicy (Replace) only the keys listed
      # below should land in the Secret; the three 1Password items under
      # dataFrom are merged into the template scope in order (on a
      # property-name clash the later item wins -- verify if two of them
      # ever share a field name).
      data:
        CROSS_SEED_API_KEY: "{{ .CROSS_SEED_API_KEY }}"
        PUSHOVER_TOKEN: "{{ .SABNZBD_PUSHOVER_TOKEN }}"
        PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}"
        SABNZBD__API_KEY: &apiKey "{{ .SABNZBD_API_KEY }}"
        # SECURITY(review): the NZB key is aliased to the full API key.
        # SABnzbd's NZB key exists as a reduced-privilege credential (good
        # only for queueing NZBs); reusing the API key here means every
        # integration handed the "nzb key" actually holds full API access,
        # and rotating one silently rotates the other. Prefer a separate
        # SABNZBD_NZB_KEY property in the 1Password item and template that.
        SABNZBD__NZB_KEY: *apiKey
  dataFrom:
    - extract:
        key: cross-seed-secret
    - extract:
        key: pushover
    - extract:
        key: sabnzbd-secret
--------------------------------------------------------------------------------
/kubernetes/apps/downloads/sabnzbd/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./pvc.yaml
configMapGenerator:
  - name: sabnzbd-scripts
    files:
      - post-process.sh=./resources/post-process.sh
generatorOptions:
  disableNameSuffixHash: true
  annotations:
    kustomize.toolkit.fluxcd.io/substitute: disabled
-------------------------------------------------------------------------------- /kubernetes/apps/downloads/sabnzbd/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: sabnzbd 6 | spec: 7 | accessModes: ["ReadWriteMany"] 8 | resources: 9 | requests: 10 | storage: 75Gi 11 | storageClassName: nfs-csi-sc 12 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/sabnzbd/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app sabnzbd 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: downloads 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | dependsOn: 14 | - name: external-secrets-stores 15 | namespace: security 16 | path: ./kubernetes/apps/downloads/sabnzbd/app 17 | prune: true 18 | sourceRef: 19 | kind: GitRepository 20 | name: flux-system 21 | namespace: flux-system 22 | wait: false 23 | interval: 30m 24 | retryInterval: 1m 25 | timeout: 5m 26 | postBuild: 27 | substitute: 28 | APP: *app 29 | GATUS_SUBDOMAIN: sab 30 | VOLSYNC_CAPACITY: 1Gi 31 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/sonarr/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: sonarr 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: 
sonarr-secret 13 | template: 14 | data: 15 | api_key: "{{ .SONARR_AUTH_APIKEY }}" 16 | dataFrom: 17 | - extract: 18 | key: sonarr-secret 19 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/sonarr/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml 8 | - ./pvc.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/sonarr/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: sonarr 6 | spec: 7 | accessModes: ["ReadWriteMany"] 8 | resources: 9 | requests: 10 | storage: 15Gi 11 | storageClassName: nfs-csi-sc 12 | -------------------------------------------------------------------------------- /kubernetes/apps/downloads/sonarr/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &name sonarr 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: downloads 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *name 13 | interval: 10m 14 | path: ./kubernetes/apps/downloads/sonarr/app 15 | prune: true 16 | sourceRef: 17 | kind: GitRepository 18 | name: flux-system 19 | namespace: flux-system 20 | wait: false 21 | dependsOn: 22 | - name: volsync 23 | namespace: volsync-system 24 | - name: external-secrets-stores 25 | namespace: security 26 | postBuild: 27 | substitute: 28 
APP: *name
      VOLSYNC_CLAIM: sonarr-config
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/flux-operator/app/helm-values.yaml:
--------------------------------------------------------------------------------
---
serviceMonitor:
  create: true
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/flux-operator/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: flux-operator
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 0.22.0
  # SECURITY(review): this chart installs the GitOps control plane itself,
  # yet it is pulled by mutable tag with no signature check. The upstream
  # project publishes keyless cosign signatures for its charts (confirm the
  # exact identity for this version against its docs); enabling
  #   verify:
  #     provider: cosign
  #     matchOIDCIdentity:
  #       - issuer: ^https://token\.actions\.githubusercontent\.com$
  #         subject: ^https://github\.com/controlplaneio-fluxcd/.*$
  # makes source-controller reject a tampered or re-pushed 0.22.0.
  url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: flux-operator
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: flux-operator
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    # A failed upgrade is rolled back rather than left half-applied.
    remediation:
      strategy: rollback
      retries: 3
  valuesFrom:
    - kind: ConfigMap
      name: flux-operator-helm-values
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/flux-operator/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
7 | configMapGenerator: 8 | - name: flux-operator-helm-values 9 | files: 10 | - values.yaml=./helm-values.yaml 11 | configurations: 12 | - kustomizeconfig.yaml 13 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/app/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/instance/github/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./notifications 7 | - ./webhooks 8 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/instance/github/notifications/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: github-token 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: github-token-secret 13 | template: 14 | engineVersion: v2 15 | data: 16 | token: "{{ .FLUX_GITHUB_TOKEN }}" 17 | dataFrom: 18 | - extract: 19 | key: flux 20 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/instance/github/notifications/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./notification.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/instance/github/notifications/notification.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json 3 | apiVersion: notification.toolkit.fluxcd.io/v1beta3 4 | kind: Provider 5 | metadata: 6 | name: github 7 | spec: 8 | type: github 9 | address: https://github.com/onedr0p/home-ops 10 | secretRef: 11 | name: github-token-secret 12 | --- 13 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json 14 | apiVersion: notification.toolkit.fluxcd.io/v1beta3 15 | kind: Alert 16 | metadata: 17 | name: github 18 | spec: 19 | providerRef: 20 | name: github 21 | eventSeverity: info 22 | eventSources: 23 | - kind: Kustomization 24 | name: "*" 25 | -------------------------------------------------------------------------------- /kubernetes/apps/flux-system/flux-operator/instance/github/webhooks/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: github-webhook-token 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: github-webhook-token-secret 13 | template: 14 | engineVersion: v2 15 | data: 16 | token: 
"{{ .FLUX_GITHUB_WEBHOOK_TOKEN }}"
  dataFrom:
    - extract:
        key: flux
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/flux-operator/instance/github/webhooks/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Bundles the GitHub webhook pieces: the token Secret, the Flux Receiver and
# the HTTPRoute that exposes it.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./receiver.yaml
  - ./route.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/flux-operator/instance/github/webhooks/receiver.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/receiver_v1.json
# Inbound GitHub webhook that makes Flux reconcile the flux-system
# GitRepository/Kustomization immediately instead of waiting for the poll interval.
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
  name: home-ops
spec:
  type: github
  # Only ping and push deliveries are acted on; every other GitHub event is ignored.
  events:
    - ping
    - push
  # Shared secret Flux uses to validate the signature on each GitHub delivery
  # (per the Flux docs). Presumably rendered by externalsecret.yaml in this
  # directory, which templates FLUX_GITHUB_WEBHOOK_TOKEN from the "flux" item —
  # confirm that ExternalSecret's target name is github-webhook-token-secret.
  # NOTE(review): rotate this token together with the GitHub webhook settings.
  secretRef:
    name: github-webhook-token-secret
  # Objects whose reconciliation is triggered by a valid delivery.
  resources:
    - apiVersion: source.toolkit.fluxcd.io/v1
      kind: GitRepository
      name: flux-system
      namespace: flux-system
    - apiVersion: kustomize.toolkit.fluxcd.io/v1
      kind: Kustomization
      name: flux-system
      namespace: flux-system
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/flux-operator/instance/github/webhooks/route.yaml:
--------------------------------------------------------------------------------
---
# Exposes the Flux webhook receiver through the "external" gateway
# (presumably the internet-facing one).
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: webhook-receiver
spec:
  parentRefs:
    # NOTE(review): no namespace is given, so this resolves to the route's own
    # namespace; the Gateway named "external" in this repo is defined under
    # kube-system/cilium/gateway. Confirm the route actually attaches, or add
    # `namespace: kube-system` here (that gateway allows routes from all namespaces).
    - name: external
      kind: Gateway
  hostnames:
    - "flux-webhook.altena.io"
  rules:
    - matches:
        # Flux serves receivers under /hook/<generated path>; matching the
        # prefix keeps the generated path out of git.
        - path:
            type: PathPrefix
            value: /hook/
      # NOTE(review): the external gateway also has a plain-HTTP listener on :80
      # and no redirect is visible in this listing; register the GitHub webhook
      # with an https:// URL so deliveries are not accepted in clear text.
      backendRefs:
        - name: webhook-receiver
          kind: Service
          port: 80
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/flux-operator/instance/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
# Helm chart source for the Flux instance, pulled as an OCI artifact.
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: flux-instance
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  # NOTE(review): pinned by tag only. Tags are mutable, so a digest pin and/or
  # a `verify` block (cosign/notation) would make this supply-chain link
  # tamper-evident; the same applies to the other OCIRepository objects here.
  ref:
    tag: 0.22.0
  url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-instance
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: flux-instance
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: flux-instance
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    # A failed upgrade is rolled back rather than left half-applied.
    remediation:
      strategy: rollback
      retries: 3
  # Values come from the ConfigMap generated in kustomization.yaml;
  # kustomizeconfig.yaml rewrites the hashed ConfigMap name into this reference.
  valuesFrom:
    - kind: ConfigMap
      name: flux-instance-helm-values
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/flux-operator/instance/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./github
  - ./helmrelease.yaml
  - ./prometheusrule.yaml
# helm-values.yaml becomes a hash-suffixed ConfigMap so a values change rolls
# the HelmRelease.
configMapGenerator:
  - name: flux-instance-helm-values
    files:
      - values.yaml=./helm-values.yaml
configurations:
  - kustomizeconfig.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/flux-operator/instance/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
---
# Teaches kustomize that HelmRelease.spec.valuesFrom[].name refers to a ConfigMap,
# so the generated hash suffix is propagated into the HelmRelease.
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/flux-operator/instance/prometheusrule.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/prometheusrule_v1.json
# Alerts on the health of the Flux instance itself (the thing that applies
# everything else in this repo).
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: flux-instance-rules
  namespace: flux-system
spec:
  groups:
    - name: flux-instance.rules
      rules:
        # Metric gone for 15m: operator down, metric renamed, or scrape broken.
        - alert: FluxInstanceAbsent
          expr: absent(flux_instance_info{exported_namespace="flux-system", name="flux"})
          for: 15m
          annotations:
            summary: Flux instance metric is missing
            description: |
              The flux_instance_info metric for the Flux instance in namespace {{ $labels.exported_namespace }} is not available.
          labels:
            severity: critical
        # Instance reports any Ready state other than "True" for 15m.
        - alert: FluxInstanceNotReady
          expr: flux_instance_info{exported_namespace="flux-system", name="flux", ready!="True"}
          for: 15m
          annotations:
            summary: Flux instance {{ $labels.name }} is not ready
            description: |
              The Flux instance in namespace {{ $labels.exported_namespace }} is not ready.
              Reason: {{ $labels.reason }}
          labels:
            severity: critical
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/flux-operator/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux manages itself through these two Kustomizations: operator first, then
# the instance that depends on it.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app flux-operator
  namespace: flux-system
spec:
  targetNamespace: flux-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/flux-system/flux-operator/app
  # Pruning stays off so a bad commit cannot garbage-collect the operator.
  prune: false # never should be deleted
  # No sourceRef.namespace here (defaults to this object's namespace,
  # flux-system); the other ks.yaml files in the repo spell it out.
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  timeout: 5m
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app flux-instance
  namespace: flux-system
spec:
  targetNamespace: flux-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: flux-operator
  path: ./kubernetes/apps/flux-system/flux-operator/instance
  prune: false # never should be deleted
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: false
  interval: 30m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/flux-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
resources:
  - ./flux-operator/ks.yaml
components:
  - ../../components/common
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/esphome/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
# NOTE(review): the schema comment points at the v1beta1 schema while
# apiVersion is external-secrets.io/v1; editor-only, but worth aligning.
# Renders ESPHome's secrets.yaml (Wi-Fi and MQTT credentials) from two
# 1Password items so the plaintext never lives in git.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: esphome-secrets
spec:
  refreshInterval: 5m
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: esphome-secrets
    # Owner: the generated Secret is deleted together with this ExternalSecret.
    creationPolicy: Owner
    template:
      data:
        # The block scalar below is the literal file handed to ESPHome; comments
        # must not be placed inside it, they would become part of the file.
        secrets.yaml: |-
          wifi_ssid: "{{ .esphome_wifi_ssid }}"
          wifi_pwd: "{{ .esphome_wifi_password }}"

          mqtt_host: mqtt.altena.io
          mqtt_user: "{{ .emqx_user_mqtt_username }}"
          mqtt_pwd: "{{ .emqx_user_mqtt_password }}"

          domain_devices: local.altena.io
  dataFrom:
    # Each item's keys get a prefix (esphome_ / emqx_) so the two extracts
    # cannot collide in the template context.
    - extract:
        key: esphome
      rewrite:
        - regexp:
            source: "(.*)"
            target: "esphome_$1"
    - extract:
        key: emqx
      rewrite:
        - regexp:
            source: "(.*)"
            target: "emqx_$1"
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/esphome/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./externalsecret.yaml
  - ./pvc.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/esphome/app/pvc.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: esphome-config
spec:
  # RWX over NFS; nfs-csi-sc is the csi-driver-nfs StorageClass defined in
  # kube-system/csi-driver-nfs/app/helmrelease.yaml.
  accessModes: ["ReadWriteMany"]
  resources:
    requests:
      storage: 10Gi
  storageClassName: nfs-csi-sc
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/esphome/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
# NOTE(review): style — this file uses a different schema URL and anchor name
# (&appname) than the sibling ks.yaml files (&app); harmless but inconsistent.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &appname esphome
  namespace: flux-system
spec:
  targetNamespace: home-automation
  commonMetadata:
    labels:
      app.kubernetes.io/name: *appname
  interval: 30m
  # Waits for the secret stores so the ExternalSecret above can resolve.
  dependsOn:
    - name: external-secrets-stores
      namespace: security
  timeout: 5m
  path: "./kubernetes/apps/home-automation/esphome/app"
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  postBuild:
    substitute:
      APP: *appname
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/home-assistant/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
# NOTE(review): schema comment is v1beta1 while apiVersion is v1 (see esphome).
# NOTE(review): this file is commented out of app/kustomization.yaml, so it is
# currently not applied and the home-assistant-secret Secret is not created here.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: home-assistant
spec:
  # No refreshInterval: the operator's default applies — confirm it is acceptable
  # for API-key rotation.
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: home-assistant-secret
    template:
      engineVersion: v2
      data:
        HASS_DARKSKY_API_KEY: "{{ .HASS_DARKSKY_API_KEY }}"
        HASS_ECOBEE_API_KEY: "{{ .HASS_ECOBEE_API_KEY }}"
        HASS_ELEVATION: "{{ .HASS_ELEVATION }}"
        HASS_GOOGLE_PROJECT_ID: "{{ .HASS_GOOGLE_PROJECT_ID }}"
        HASS_GOOGLE_SECURE_DEVICES_PIN: "{{ .HASS_GOOGLE_SECURE_DEVICES_PIN }}"
        HASS_LATITUDE: "{{ .HASS_LATITUDE }}"
        HASS_LONGITUDE: "{{ .HASS_LONGITUDE }}"
        HASS_PIRATE_WEATHER_API_KEY: "{{ .HASS_PIRATE_WEATHER_API_KEY }}"
  dataFrom:
    - extract:
        key: home-assistant
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/home-assistant/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # NOTE(review): externalsecret.yaml is disabled, so the home-assistant-secret
  # Secret it would create does not exist unless provided elsewhere; either
  # drop the file or re-enable it when the HelmRelease needs those keys.
  # - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./pvc.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/home-assistant/app/pvc.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: home-assistant
spec:
  accessModes: ["ReadWriteMany"]
  resources:
    requests:
      storage: 15Gi
  storageClassName: nfs-csi-sc
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/home-assistant/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app home-assistant
  namespace: flux-system
spec:
  targetNamespace: home-automation
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/home-automation/home-assistant/app
  dependsOn:
    - name: external-secrets-stores
      namespace: security
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
  postBuild:
    substitute:
      APP: *app
      # NOTE(review): 5Gi is smaller than the 15Gi requested in app/pvc.yaml;
      # if this sizes a VolSync replication destination, a restore would land
      # on a smaller volume — confirm the intended size.
      VOLSYNC_CAPACITY: 5Gi
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: home-automation
resources:
  - ./esphome/ks.yaml
  - ./home-assistant/ks.yaml
  - ./zigbee2mqtt/ks.yaml
components:
  - ../../components/common
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/zigbee2mqtt/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
# NOTE(review): schema comment is v1beta1 while apiVersion is v1 (see esphome).
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: zigbee2mqtt
spec:
  refreshInterval: 5m
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: zigbee2mqtt-secret
    creationPolicy: Owner
  data:
    # NOTE(review): the 1Password item is referenced as "EMQX" here but as
    # "emqx" in esphome/app/externalsecret.yaml; confirm both resolve to the
    # same item (the provider's title lookup may be case-sensitive).
    - secretKey: mqtt_user
      remoteRef:
        key: EMQX
        property: user_mqtt_username
    - secretKey: mqtt_password
      remoteRef:
        key: EMQX
        property: user_mqtt_password
    # Zigbee PAN ids and the network key. The network key is the Zigbee
    # link-layer encryption key, so it belongs in the secret store, never in git.
    - secretKey: zigbee_pan_id
      remoteRef:
        key: zigbee2mqtt
        property: config_pan_id
    - secretKey: zigbee_ext_pan_id
      remoteRef:
        key: zigbee2mqtt
        property: config_ext_pan_id
    - secretKey: zigbee_network_key
      remoteRef:
        key: zigbee2mqtt
        property: config_network_key
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/zigbee2mqtt/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./externalsecret.yaml
  - ./pvc.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/zigbee2mqtt/app/pvc.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: zigbee2mqtt
spec:
  accessModes: ["ReadWriteMany"]
  resources:
    requests:
      storage: 5Gi
  storageClassName: nfs-csi-sc
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/zigbee2mqtt/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app zigbee2mqtt
  namespace: flux-system
spec:
  targetNamespace: home-automation
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: external-secrets-stores
      namespace: security
  path: ./kubernetes/apps/home-automation/zigbee2mqtt/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
# Chart source for the CNI. Everything else in the cluster rides on this.
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: cilium
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  # NOTE(review): the chart comes from a community mirror pinned by tag only —
  # no digest or signature verification — so the mirror is fully trusted for
  # the CNI and thus for every pod's network path.
  ref:
    tag: 1.17.4
  url: oci://ghcr.io/home-operations/charts-mirror/cilium
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: cilium
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: cilium
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    # No explicit `strategy` here unlike flux-instance/coredns; rollback is the
    # Flux default, so this is a style difference only.
    remediation:
      retries: 3
  valuesFrom:
    - kind: ConfigMap
      name: cilium-helm-values
  # Inline values layered on top of the ConfigMap: metrics and Grafana dashboards.
  values:
    operator:
      prometheus:
        enabled: true
        serviceMonitor:
          enabled: true
      dashboards:
        enabled: true
        annotations:
          grafana_folder: Cilium
    prometheus:
      enabled: true
      serviceMonitor:
        enabled: true
        # Skip the chart's CRD lookup; assumes prometheus-operator CRDs are present.
        trustCRDsExist: true
    dashboards:
      enabled: true
      annotations:
        grafana_folder: Cilium
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/cilium/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./route.yaml
  # NOTE(review): Gateway API CRDs are fetched from a GitHub release URL on each
  # kustomize build; the tag pins a version but not content, and a fetch failure
  # breaks the build. Vendoring the manifest (or a digest-checked copy) removes
  # that remote trust. The "experimental" channel also installs alpha resources.
  - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/experimental-install.yaml
configMapGenerator:
  - name: cilium-helm-values
    files:
      - values.yaml=./helm-values.yaml
configurations:
  - kustomizeconfig.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
---
# Propagates the generated ConfigMap hash suffix into HelmRelease.spec.valuesFrom.
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/cilium/app/route.yaml:
--------------------------------------------------------------------------------
---
# NOTE(review): uses gateway.networking.k8s.io/v1beta1 while every other Gateway
# API object in this repo uses v1; the v1.2.1 CRDs installed in
# app/kustomization.yaml serve HTTPRoute v1, so move this to v1 for consistency.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: hubble-ui
  namespace: kube-system
spec:
  parentRefs:
    - name: internal
      kind: Gateway
      group: gateway.networking.k8s.io
  hostnames:
    - "hubble.altena.io"
  # NOTE(review): Hubble UI shows cluster-wide flow data and this route puts no
  # authentication in front of it; it is only as private as the "internal"
  # gateway's reachability.
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: hubble-ui
          kind: Service
          group: ""
          port: 80
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/cilium/config/cilium-l2.yaml:
--------------------------------------------------------------------------------
---
# https://docs.cilium.io/en/latest/network/l2-announcements
# L2 (ARP) announcement of service IPs on the LAN.
# NOTE(review): no nodeSelector or interfaces are set, so presumably every node
# may announce on any interface; scoping the policy narrows where these IPs
# can be claimed.
apiVersion: cilium.io/v2alpha1
kind: CiliumL2AnnouncementPolicy
metadata:
  name: l2-policy
spec:
  externalIPs: true
  loadBalancerIPs: true

---
# LoadBalancer IP pool; .130 and .131 from this block are used as the
# internal/external gateway addresses below.
apiVersion: cilium.io/v2alpha1
kind: CiliumLoadBalancerIPPool
metadata:
  name: l2-pool
spec:
  allowFirstLastIPs: "Yes"
  blocks:
    - cidr: "192.168.2.128/27"
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/cilium/config/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./cilium-l2.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/cilium/gateway/certificate.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cert-manager.io/certificate_v1.json
# Wildcard certificate for the whole domain, shared by both gateways through
# the altena-io Secret.
# NOTE(review): one wildcard key covers every host name, so its blast radius is
# the entire domain; it is additionally exported to 1Password by
# pushsecret.yaml — keep that store's access tightly scoped.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: altena-io
spec:
  secretName: altena-io
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: altena.io
  dnsNames:
    - altena.io
    - "*.altena.io"
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/cilium/gateway/external.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/gateway_v1.json
# Externally published gateway (external-dns target external.altena.io).
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: external
  annotations:
    external-dns.alpha.kubernetes.io/target: &hostname external.altena.io
  labels:
    gateway: external
spec:
  gatewayClassName: cilium
  addresses:
    - type: IPAddress
      value: 192.168.2.131
  infrastructure:
    annotations:
      external-dns.alpha.kubernetes.io/hostname: *hostname
  listeners:
    # NOTE(review): no HTTP->HTTPS redirect route is visible in this listing,
    # so clear-text requests to :80 are served as-is.
    - name: http
      protocol: HTTP
      port: 80
      hostname: "*.altena.io"
      # NOTE(review): `from: All` lets a route in any namespace bind to this
      # listener. If that is not intended for the external gateway, restrict it
      # with `from: Selector` plus a namespace label, or `from: Same`.
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.altena.io"
      allowedRoutes:
        namespaces:
          from: All
      tls:
        certificateRefs:
          - kind: Secret
            name: altena-io
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/cilium/gateway/gatewayclass.yaml:
--------------------------------------------------------------------------------
---
# gateway/gateway-class.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: cilium
spec:
  controllerName: io.cilium/gateway-controller
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/cilium/gateway/internal.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/gateway_v1.json
# LAN-facing gateway; same listener layout as external.yaml (including the
# all-namespaces route binding and the plain :80 listener noted there).
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: internal
  annotations:
    external-dns.alpha.kubernetes.io/target: &hostname internal.altena.io
  labels:
    gateway: internal
spec:
  gatewayClassName: cilium
  addresses:
    - type: IPAddress
      value: 192.168.2.130
  infrastructure:
    annotations:
      external-dns.alpha.kubernetes.io/hostname: *hostname
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      hostname: "*.altena.io"
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.altena.io"
      allowedRoutes:
        namespaces:
          from: All
      tls:
        certificateRefs:
          - kind: Secret
            name: altena-io
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/cilium/gateway/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./certificate.yaml
  - ./external.yaml
  - ./gatewayclass.yaml
  - ./internal.yaml
  - ./pushsecret.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/cilium/gateway/pushsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/pushsecret_v1alpha1.json
# Copies the gateway TLS cert and private key into 1Password so they can be
# reused outside the cluster.
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: altena-io-tls
spec:
  # NOTE(review): 1m re-pushes the private key every minute; cert-manager only
  # rotates it on renewal, so a longer interval cuts store writes and audit noise.
  refreshInterval: 1m
  secretStoreRefs:
    - name: onepassword-connect
      kind: ClusterSecretStore
  selector:
    secret:
      # NOTE(review): gateway/certificate.yaml writes the cert to a Secret named
      # "altena-io", not "altena-io-key"; unless a Secret by this name is created
      # elsewhere, nothing matches and nothing is pushed.
      name: altena-io-key
  template:
    engineVersion: v2
    data:
      tls.crt: '{{ index . "tls.crt" | b64enc }}'
      tls.key: '{{ index . "tls.key" | b64enc }}'
  data:
    # `&key` is redefined for the second item; YAML allows this (the later
    # anchor wins within its scope), but unique anchor names read more clearly.
    - match:
        secretKey: &key tls.crt
        remoteRef:
          remoteKey: altena-io-tls
          property: *key
    - match:
        secretKey: &key tls.key
        remoteRef:
          remoteKey: altena-io-tls
          property: *key
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/coredns/app/helm-values.yaml:
--------------------------------------------------------------------------------
---
# Chart values for CoreDNS, taking over the kube-dns name/label/ClusterIP.
fullnameOverride: coredns
k8sAppLabelOverride: kube-dns
serviceAccount:
  create: true
service:
  name: kube-dns
  # Must match the cluster DNS address handed to the kubelets.
  clusterIP: "10.96.0.10"
servers:
  - zones:
      - zone: .
        scheme: dns://
        use_tcp: true
    port: 53
    plugins:
      - name: errors
      - name: health
        configBlock: |-
          lameduck 5s
      - name: ready
      # Only error-class queries are logged; full query logging would record
      # every lookup in the cluster.
      - name: log
        configBlock: |-
          class error
      - name: prometheus
        parameters: 0.0.0.0:9153
      # `pods insecure` answers pod-IP records without checking that the pod
      # exists (the upstream default); `pods verified` is the stricter mode.
      - name: kubernetes
        parameters: cluster.local in-addr.arpa ip6.arpa
        configBlock: |-
          pods insecure
          fallthrough in-addr.arpa ip6.arpa
      # Everything else goes as plain DNS to the node's resolvers; no DoT/DoH
      # is configured here.
      - name: forward
        parameters: . /etc/resolv.conf
      - name: cache
        parameters: 30
      - name: loop
      - name: reload
      - name: loadbalance
# Pinned to control-plane nodes and tolerates their taints.
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: node-role.kubernetes.io/control-plane
              operator: Exists
tolerations:
  - key: CriticalAddonsOnly
    operator: Exists
  - key: node-role.kubernetes.io/control-plane
    operator: Exists
    effect: NoSchedule
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: coredns
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  # Upstream CoreDNS chart, tag-pinned (see the digest/verify note on the
  # flux-instance OCIRepository).
  ref:
    tag: 1.42.2
  url: oci://ghcr.io/coredns/charts/coredns
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: coredns
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: coredns
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  valuesFrom:
    - kind: ConfigMap
      name: coredns-helm-values
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/coredns/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: coredns-helm-values
    files:
      - values.yaml=./helm-values.yaml
configurations:
  - kustomizeconfig.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
---
# Propagates the generated ConfigMap hash suffix into HelmRelease.spec.valuesFrom.
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/coredns/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app coredns
  namespace: flux-system
spec:
  targetNamespace: kube-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/kube-system/coredns/app
  # Cluster DNS is never garbage-collected by a bad commit.
  prune: false # never should be deleted
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/csi-driver-nfs/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: csi-driver-nfs
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  # Community mirror, tag-pinned (see the digest/verify note on the
  # flux-instance OCIRepository).
  ref:
    tag: 4.11.0
  url: oci://ghcr.io/home-operations/charts-mirror/csi-driver-nfs
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: csi-driver-nfs
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: csi-driver-nfs
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values:
    storageClass:
      create: true
      # StorageClass used by the RWX PVCs throughout this repo.
      name: nfs-csi-sc
      annotations:
        storageclass.kubernetes.io/is-default-class: "false"
      parameters:
        server: 192.168.2.100
        share: /mnt/zfs/pvc
        # One directory per namespace/PVC on the export.
        subDir: "${pvc.metadata.namespace}/${pvc.metadata.name}"
      # Retain: deleting a PVC leaves its directory on the NFS server; data has
      # to be cleaned up by hand and is never wiped automatically.
      reclaimPolicy: Retain
      volumeBindingMode: Immediate
      # NOTE(review): NFSv3 uses AUTH_SYS (client-asserted UID/GID, no transport
      # encryption), so access control is only the export's host allowlist on
      # 192.168.2.100. `nolock` disables NLM, so file locks are local to each
      # client; anything relying on POSIX locks (e.g. SQLite) on an RWX volume
      # can be corrupted if two pods write concurrently.
      mountOptions:
        - nfsvers=3
        - nolock
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/csi-driver-nfs/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/csi-driver-nfs/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app csi-driver-nfs
  namespace: flux-system
spec:
  targetNamespace: kube-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/kube-system/csi-driver-nfs/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
resources:
  - ./cilium/ks.yaml
  - ./coredns/ks.yaml
  - ./csi-driver-nfs/ks.yaml
  - ./metrics-server/ks.yaml
  - ./reloader/ks.yaml
components:
  - ../../components/common
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: metrics-server
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  # Community mirror, tag-pinned (see the digest/verify note on the
  # flux-instance OCIRepository).
  ref:
    tag: 3.12.2
  url: oci://ghcr.io/home-operations/charts-mirror/metrics-server
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: metrics-server
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: metrics-server
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values:
    args:
      # NOTE(review): disables verification of the kubelet serving certificate,
      # so scrapes accept any TLS endpoint answering on the node network.
      # Issuing kubelet serving certs from the cluster CA (kubelet
      # --rotate-server-certificates plus CSR approval) lets this flag go.
      - --kubelet-insecure-tls
      - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
      - --kubelet-use-node-status-port
      - --metric-resolution=10s
      - --kubelet-request-timeout=2s
    metrics:
      enabled: true
    serviceMonitor:
      enabled: true
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/metrics-server/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1 3 | kind: Kustomization 4 | metadata: 5 | name: &app metrics-server 6 | namespace: flux-system 7 | spec: 8 | targetNamespace: kube-system 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | path: ./kubernetes/apps/kube-system/metrics-server/app 13 | prune: true 14 | sourceRef: 15 | kind: GitRepository 16 | name: flux-system 17 | namespace: flux-system 18 | wait: false 19 | interval: 30m 20 | retryInterval: 1m 21 | timeout: 5m 22 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/reloader/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: reloader 7 | spec: 8 | interval: 5m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 2.1.3 14 | url: oci://ghcr.io/stakater/charts/reloader 15 | --- 16 | apiVersion: helm.toolkit.fluxcd.io/v2 17 | kind: HelmRelease 18 | metadata: 19 | name: reloader 20 | spec: 21 | interval: 1h 22 | chartRef: 23 | kind: OCIRepository 24 | name: reloader 25 | install: 26 | remediation: 27 | retries: 3 28 | upgrade: 29 | cleanupOnFail: true 30 | remediation: 31 | retries: 3 32 | values: 33 | fullnameOverride: reloader 34 | reloader: 35 | readOnlyRootFileSystem: true 36 | podMonitor: 37 | enabled: true 38 | namespace: "{{ .Release.Namespace }}" 39 | -------------------------------------------------------------------------------- /kubernetes/apps/kube-system/reloader/app/kustomization.yaml: 
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kube-system/reloader/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app reloader
  namespace: flux-system
spec:
  targetNamespace: kube-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/kube-system/reloader/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/media/jellyseerr/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./pvc-cache.yaml
  - ./pvc-config.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/media/jellyseerr/app/pvc-cache.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jellyseerr-cache
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 15Gi
  # Node-local hostpath volume: the pod is pinned to whichever node first
  # bound the claim, and the data is not replicated or backed up by the
  # storage layer — acceptable for a cache, not for state.
  storageClassName: openebs-hostpath
--------------------------------------------------------------------------------
/kubernetes/apps/media/jellyseerr/app/pvc-config.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jellyseerr
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 15Gi
  # NOTE(review): the app's config/state (presumably its database and any
  # stored API keys — confirm) lives on NFS. NFS exports are trusted by host
  # address, so confidentiality of this volume is only as good as the export
  # ACL and the network between nodes and the NAS.
  storageClassName: nfs-csi-sc
--------------------------------------------------------------------------------
/kubernetes/apps/media/jellyseerr/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app jellyseerr
  namespace: flux-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # NOTE(review): plex/ks.yaml waits on `external-secrets-stores` while this
  # one waits on `onepassword-connect` only; if the app's ExternalSecrets need
  # the ClusterSecretStore, the store is the thing to depend on.
  dependsOn:
    - name: onepassword-connect
      namespace: security
  interval: 30m
  path: ./kubernetes/apps/media/jellyseerr/app
  postBuild:
    substitute:
      APP: *app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: media
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/media/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# NOTE(review): this namespace transformer also rewrites metadata.namespace on
# the Flux Kustomization objects below (they declare flux-system). tautulli's
# ks.yaml already assumes `media`; the others probably end up there too —
# confirm with `flux get ks -A`.
namespace: media
resources:
  - ./jellyseerr/ks.yaml
  - ./plex/ks.yaml
  - ./tautulli/ks.yaml
components:
  - ../../components/common
--------------------------------------------------------------------------------
/kubernetes/apps/media/plex/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# NOTE(review): missing `apiVersion`/`kind` (kustomize tolerates it, but every
# sibling kustomization.yaml declares them — keep it consistent so schema
# validation and yamllint treat this file like the rest).
resources:
  - ./helmrelease.yaml
  - ./pvc-cache.yaml
  - ./pvc-config.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/media/plex/app/pvc-cache.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: plex-cache
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 50Gi
  # Node-local, unreplicated; fine for transcode/cache data only.
  storageClassName: openebs-hostpath
--------------------------------------------------------------------------------
/kubernetes/apps/media/plex/app/pvc-config.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: plex-config
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 15Gi
  storageClassName: nfs-csi-sc
--------------------------------------------------------------------------------
/kubernetes/apps/media/plex/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &appname plex
  namespace: flux-system
spec:
  targetNamespace: media
  commonMetadata:
    labels:
      app.kubernetes.io/name: *appname
  interval: 30m
  timeout: 5m
  path: ./kubernetes/apps/media/plex/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: volsync
      namespace: volsync-system
    - name: external-secrets-stores
      namespace: security
--------------------------------------------------------------------------------
/kubernetes/apps/media/tautulli/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./pvc.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/media/tautulli/app/pvc.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: tautulli
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 10Gi
  storageClassName: nfs-csi-sc
--------------------------------------------------------------------------------
/kubernetes/apps/media/tautulli/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &appname tautulli
  # This Flux Kustomization lives in the app namespace (the parent
  # media/kustomization.yaml would force that anyway). Its sourceRef points
  # at a GitRepository in flux-system, i.e. a cross-namespace reference:
  # under Flux multi-tenancy lockdown (`--no-cross-namespace-refs=true`) this
  # is rejected, and a Kustomization outside flux-system would also need a
  # `serviceAccountName` instead of applying as the controller itself.
  namespace: &namespace media
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *appname
  interval: 30m
  timeout: 5m
  path: "./kubernetes/apps/media/tautulli/app"
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  dependsOn:
    - name: onepassword-connect
      namespace: security
  postBuild:
    substitute:
      APP: *appname
--------------------------------------------------------------------------------
/kubernetes/apps/network/cloudflared/app/dnsEndpoint.yaml:
--------------------------------------------------------------------------------
---
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
  name: cloudflared-tunnel
spec:
  endpoints:
    # The tunnel UUID is public by construction (it is what this CNAME
    # resolves to), so keeping it in git is fine; the TunnelSecret below is
    # the only sensitive part.
    - dnsName: external.altena.io
      recordType: CNAME
      targets: ["eba50d97-d1c7-4981-87ef-93c4fe1d49f4.cfargotunnel.com"]
--------------------------------------------------------------------------------
/kubernetes/apps/network/cloudflared/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: cloudflared-tunnel
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    # SECURITY(review): whoever can read this Secret in `network` can run a
    # rogue connector for the tunnel and receive all *.altena.io traffic.
    # Keep RBAC on Secrets in this namespace tight and rotate the tunnel
    # secret if the namespace is ever shared with less-trusted workloads.
    name: cloudflared-tunnel-secret
    template:
      engineVersion: v2
      data:
        credentials.json: |
          {
            "AccountTag": "{{ .CLOUDFLARE_ACCOUNT_TAG }}",
            "TunnelSecret": "{{ .CLOUDFLARE_TUNNEL_SECRET }}",
            "TunnelID": "eba50d97-d1c7-4981-87ef-93c4fe1d49f4"
          }
  # Pulls every field of the 1Password item `cloudflare`; only the two
  # referenced above are rendered into the target Secret.
  dataFrom:
    - extract:
        key: cloudflare
--------------------------------------------------------------------------------
/kubernetes/apps/network/cloudflared/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./dnsEndpoint.yaml
  - ./helmrelease.yaml
configMapGenerator:
  - name: cloudflared-configmap
    files:
      - config.yaml=./resources/config.yaml
generatorOptions:
  # Stable name means a config change does not roll the pods by itself;
  # reloader is installed in kube-system, so annotate the cloudflared
  # workload if a restart on config change is wanted (not verified here).
  disableNameSuffixHash: true
--------------------------------------------------------------------------------
/kubernetes/apps/network/cloudflared/app/resources/config.yaml:
--------------------------------------------------------------------------------
---
originRequest:
  # SNI / expected certificate name for the in-cluster origin. TLS to the
  # origin is verified as long as `noTLSVerify` stays unset (cloudflared's
  # default) — keep it that way; the gateway's cert must cover this name.
  originServerName: external.altena.io

ingress:
  - hostname: altena.io
    service: &svc https://cilium-gateway-external.kube-system.svc.cluster.local
  # SECURITY(review): the wildcard forwards every *.altena.io hostname to the
  # external Gateway, so any HTTPRoute that attaches to that Gateway becomes
  # internet-reachable with no per-host allow-list here. Exposure is governed
  # entirely by the Gateway's `allowedRoutes` and the routes' authentication;
  # verify both whenever a new route is added.
  - hostname: "*.altena.io"
    service: *svc
  - service: http_status:404
--------------------------------------------------------------------------------
/kubernetes/apps/network/cloudflared/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app cloudflared
  namespace: flux-system
spec:
  targetNamespace: network
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    # No namespace → resolved in this object's own namespace, which only works
    # if the external-dns Kustomization ends up in the same one (it should,
    # via network/kustomization.yaml's namespace transformer).
    - name: external-dns-external
    - name: external-secrets-stores
      namespace: security
  path: ./kubernetes/apps/network/cloudflared/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  interval: 30m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/network/echo-server/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/network/echo-server/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app echo-server
  namespace: flux-system
spec:
  targetNamespace: network
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/network/echo-server/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  interval: 30m
  timeout: 5m
  postBuild:
    substitute:
      APP: *app
--------------------------------------------------------------------------------
/kubernetes/apps/network/external-dns/cloudflare/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: external-dns-cloudflare
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: external-dns-cloudflare-secret
    template:
      engineVersion: v2
      data:
        # SECURITY(review): external-dns only needs Zone:DNS:Edit (plus
        # Zone:Zone:Read) on the altena.io zone. Make sure the token stored
        # in 1Password is scoped that narrowly rather than account-wide —
        # this controller's credentials are exposed to a whole namespace.
        CF_API_TOKEN: "{{ .CLOUDFLARE_API_TOKEN }}"
  dataFrom:
    - extract:
        key: cloudflare
--------------------------------------------------------------------------------
/kubernetes/apps/network/external-dns/cloudflare/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/network/external-dns/pihole/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: external-dns-pihole-password
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: &name pihole-password
    template:
      engineVersion: v2
      data:
        # This is the Pi-hole admin password, i.e. full admin on the
        # resolver, not a DNS-only credential; Pi-hole has no narrower token.
        EXTERNAL_DNS_PIHOLE_PASSWORD: "{{ .PIHOLE_PASSWORD }}"
  dataFrom:
    - extract:
        key: *name
--------------------------------------------------------------------------------
/kubernetes/apps/network/external-dns/pihole/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/network/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# NOTE(review): also rewrites metadata.namespace on the Flux Kustomization
# objects below, so their `namespace: flux-system` is most likely overridden
# to `network` — confirm with `flux get ks -A`.
namespace: network
resources:
  - ./cloudflared/ks.yaml
  - ./external-dns/ks.yaml
  - ./echo-server/ks.yaml
  - ./multus/ks.yaml
components:
  - ../../components/common
--------------------------------------------------------------------------------
/kubernetes/apps/network/multus/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # SUPPLY-CHAIN(review): this CRD is fetched over the network at every
  # reconcile and is pinned to a git tag, which is mutable and carries no
  # integrity check. Vendor the file into the repo (Renovate can still bump
  # it) or at least pin to a commit SHA instead of `refs/tags/...`.
  # renovate: depName=k8snetworkplumbingwg/network-attachment-definition-client datasource=github-releases
  - https://raw.githubusercontent.com/k8snetworkplumbingwg/network-attachment-definition-client/refs/tags/v1.7.5/artifacts/networks-crd.yaml
  - ./helmrelease.yaml
  - ./rbac.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/network/multus/app/rbac.yaml:
--------------------------------------------------------------------------------
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: multus
rules:
  - apiGroups:
      - "k8s.cni.cncf.io"
    resources:
      - "*"
    verbs:
      - "*"
  # SECURITY(review): cluster-wide `update` on pods is what multus uses to
  # write the network-status annotation, but it also permits changing the
  # mutable pod spec fields (container images, tolerations, ...) on ANY pod.
  # This matches the upstream multus ClusterRole; treat the `multus`
  # ServiceAccount token as highly sensitive and keep the DaemonSet minimal.
  - apiGroups:
      - ""
    resources:
      - "pods"
      - "pods/status"
    verbs:
      - "get"
      - "update"
  - apiGroups:
      - ""
      - "events.k8s.io"
    resources:
      - "events"
    verbs:
      - "create"
      - "patch"
      - "update"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: multus
roleRef:
  kind: ClusterRole
  name: multus
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: multus
    namespace: network
--------------------------------------------------------------------------------
/kubernetes/apps/network/multus/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &appname multus
  namespace: flux-system
spec:
  targetNamespace: network
  commonMetadata:
    labels:
      app.kubernetes.io/name: *appname
  interval: 30m
  timeout: 5m
  path: "./kubernetes/apps/network/multus/app"
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    - name: cilium
      namespace: kube-system
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &appname multus-networks
  namespace: flux-system
spec:
  targetNamespace: network
  commonMetadata:
    labels:
      app.kubernetes.io/name: *appname
  interval: 30m
  timeout: 5m
  path: "./kubernetes/apps/network/multus/networks"
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  dependsOn:
    # Same-namespace reference (no `namespace:`); relies on both objects
    # landing in the same namespace after the parent's namespace transformer.
    - name: multus
--------------------------------------------------------------------------------
/kubernetes/apps/network/multus/networks/iot.yaml:
--------------------------------------------------------------------------------
---
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: multus-iot
spec:
  # SECURITY(review): a macvlan attachment puts the pod directly on the host
  # L2 segment behind `ens18`. Traffic on that interface does not pass the
  # primary CNI, so Cilium NetworkPolicy does not apply to it — any pod that
  # can reference this NAD (it is namespaced to `network`) gets unfiltered
  # access to the IoT segment. Restrict who can create pods in `network` and
  # keep the IoT VLAN firewalled on the upstream router. Static IPAM means
  # each pod must supply its own IP via the annotation (not verified here).
  config: |-
    {
      "cniVersion": "0.3.1",
      "name": "multus-iot",
      "plugins": [
        {
          "type": "macvlan",
          "master": "ens18",
          "mode": "bridge",
          "ipam": {
            "type": "static",
            "routes": [
              { "dst": "192.168.2.0/24", "gw": "192.168.2.254" }
            ]
          }
        }
      ]
    }
--------------------------------------------------------------------------------
/kubernetes/apps/network/multus/networks/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./iot.yaml

--------------------------------------------------------------------------------
/kubernetes/apps/observability/blackbox-exporter/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./prometheusrule.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/blackbox-exporter/app/prometheusrule.yaml:
--------------------------------------------------------------------------------
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: blackbox-alerts
  labels:
    app: prometheus-operator
    release: prometheus
spec:
  groups:
    - name: blackbox-alerts
      rules:
        # NOTE(review): 3 days is late for a first warning — cert-manager
        # renews well before expiry, so by the time this fires renewal has
        # usually been failing for weeks. Consider a 7–14 day warning tier.
        - alert: BlackboxSslCertificateWillExpireSoon
          expr: probe_ssl_earliest_cert_expiry - time() < 86400 * 3
          for: 15m
          labels:
            severity: critical
          annotations:
            # `$labels.target` is only present if the probe relabeling sets
            # it; the third rule uses `$labels.instance`. Check one of them
            # renders in a real alert and use it consistently.
            summary: The SSL certificate for {{ $labels.target }} will expire in less than 3 days

        - alert: BlackboxSslCertificateExpired
          expr: probe_ssl_earliest_cert_expiry - time() <= 0
          for: 15m
          labels:
            severity: critical
          annotations:
            summary: The SSL certificate for {{ $labels.target }} has expired

        - alert: BlackboxProbeFailed
          expr: probe_success == 0
          for: 15m
          labels:
            severity: critical
          annotations:
            summary: The host {{ $labels.instance }} is currently unreachable
--------------------------------------------------------------------------------
/kubernetes/apps/observability/blackbox-exporter/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &appname blackbox-exporter
  # Lives in the app namespace; the sourceRef below is a cross-namespace
  # reference to flux-system, which multi-tenancy lockdown would reject
  # (see tautulli/ks.yaml for the same pattern).
  namespace: &namespace observability
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *appname
  interval: 30m
  timeout: 5m
  path: "./kubernetes/apps/observability/blackbox-exporter/app"
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  # No dependsOn on prometheus-operator-crds: the PrometheusRule above will
  # fail to apply until that CRD exists; Flux retries, so this only delays.
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/observability/grafana/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: grafana-admin
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    # Bootstrap admin credentials; treat as break-glass and prefer an OIDC
    # login for day-to-day use (Grafana values not visible here).
    name: grafana-admin-secret
    template:
      engineVersion: v2
      data:
        admin-user: "{{ .GRAFANA_ADMIN_USERNAME }}"
        admin-password: "{{ .GRAFANA_ADMIN_PASSWORD }}"
  dataFrom:
    - extract:
        key: grafana
--------------------------------------------------------------------------------
/kubernetes/apps/observability/grafana/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/grafana/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app grafana
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: external-secrets-stores
      namespace: security
  path: ./kubernetes/apps/observability/grafana/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kromgo/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: kromgo-configmap
    files:
      - config/config.yaml
generatorOptions:
  disableNameSuffixHash: true
  annotations:
    # Keeps Flux post-build variable substitution away from the generated
    # ConfigMap, so `${...}` sequences in the kromgo config survive intact.
    kustomize.toolkit.fluxcd.io/substitute: disabled
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kromgo/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &appname kromgo
  # App-namespace Kustomization with a cross-namespace sourceRef (see
  # tautulli/ks.yaml for the multi-tenancy caveat).
  namespace: &namespace observability
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *appname
  interval: 30m
  timeout: 5m
  path: "./kubernetes/apps/observability/kromgo/app"
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kube-prometheus-stack/app/alerts/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./prometheusrule.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kube-prometheus-stack/app/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: alertmanager-secret
spec:
  # Shorter refresh than the other ExternalSecrets in this repo (which use
  # the ESO default); rotating the Pushover token takes effect within 5m.
  refreshInterval: 5m
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: alertmanager-secret
    # ESO owns the Secret and deletes it when this ExternalSecret is pruned.
    creationPolicy: Owner
  # Explicit per-key mapping (vs `dataFrom.extract` elsewhere): only the two
  # Pushover fields are copied, nothing else from the item.
  data:
    - secretKey: ALERTMANAGER_TOKEN
      remoteRef:
        key: Pushover
        property: ALERTMANAGER_TOKEN
    - secretKey: PUSHOVER_USER_KEY
      remoteRef:
        key: Pushover
        property: PUSHOVER_USER_KEY
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./alerts/prometheusrule.yaml
  - ./alertmanagerconfig.yaml
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app kube-prometheus-stack
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # NOTE(review): the PrometheusRule/AlertmanagerConfig in this path need the
  # operator CRDs; consider also depending on `prometheus-operator-crds` so
  # first reconciles do not rely on retries for ordering.
  dependsOn:
    - name: external-secrets-stores
      namespace: security
  path: ./kubernetes/apps/observability/kube-prometheus-stack/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 15m
--------------------------------------------------------------------------------
/kubernetes/apps/observability/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# NOTE(review): also rewrites metadata.namespace on the Flux Kustomization
# objects below, so the ones declaring flux-system very likely end up in
# `observability` like blackbox-exporter/kromgo — confirm with `flux get ks -A`.
namespace: observability
resources:
  - ./blackbox-exporter/ks.yaml
  - ./grafana/ks.yaml
  - ./kube-prometheus-stack/ks.yaml
  - ./kromgo/ks.yaml
  - ./node-exporter/ks.yaml
  - ./prometheus-operator-crds/ks.yaml
components:
  - ../../components/common
--------------------------------------------------------------------------------
/kubernetes/apps/observability/node-exporter/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/node-exporter/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &appname node-exporter
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *appname
  interval: 30m
  timeout: 5m
  # node-exporter typically runs with host network/PID and host filesystem
  # mounts (values not visible here); confirm the chart keeps those mounts
  # read-only and that the namespace's Pod Security level allows it on purpose.
  path: "./kubernetes/apps/observability/node-exporter/app"
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
--------------------------------------------------------------------------------
/kubernetes/apps/observability/prometheus-operator-crds/crd/helmrelease.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: prometheus-operator-crds
spec:
  interval: 30m
  chart:
    spec:
      chart: prometheus-operator-crds
      # Classic HelmRepository source: version-pinned, but Flux cannot verify
      # a signature for non-OCI charts, so trust rests on TLS to the repo.
      # Most other charts here come from OCI; migrate when a mirror exists.
      version: 20.0.1
      sourceRef:
        kind: HelmRepository
        name: prometheus-community
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
--------------------------------------------------------------------------------
/kubernetes/apps/observability/prometheus-operator-crds/crd/kustomization.yaml:
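--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/observability/prometheus-operator-crds/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app prometheus-operator-crds
  namespace: flux-system
spec:
  targetNamespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/observability/prometheus-operator-crds/crd
  # Deleting these CRDs would cascade-delete every PrometheusRule /
  # ServiceMonitor / AlertmanagerConfig in the cluster, hence no pruning.
  prune: false # never should be deleted
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/openebs-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: openebs-system
resources:
  - ./openebs/ks.yaml
components:
  - ../../components/common
--------------------------------------------------------------------------------
/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: openebs
spec:
  # OCI not available, yet: https://github.com/home-operations/charts-mirror/issues/8
  # Until then this is an unsigned classic-repo chart; the version pin is the
  # only integrity control.
  interval: 30m
  chart:
    spec:
      chart: openebs
      version: 4.2.0
      sourceRef:
        kind: HelmRepository
        name: openebs
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values:
    # Only the hostpath local-PV provisioner is wanted; every other engine
    # (and its privileged node agents) stays off to keep the attack surface
    # down.
    engines:
      local:
        lvm:
          enabled: false
        zfs:
          enabled: false
      replicated:
        mayastor:
          enabled: false
    openebs-crds:
      csi:
        volumeSnapshots:
          enabled: false
    localpv-provisioner:
      localpv:
        image:
          registry: quay.io/
      helperPod:
        image:
          registry: quay.io/
      hostpathClass:
        enabled: true
        name: openebs-hostpath
        isDefaultClass: false
        # SECURITY(review): volumes are plain directories under this path on
        # the node. Isolation between claims is filesystem permissions only,
        # and the helper pod that creates/cleans them runs with host access
        # (chart default — confirm). Keep the class non-default, as done
        # here, so nothing lands on node disk by accident.
        basePath: /var/openebs/local
--------------------------------------------------------------------------------
/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/openebs-system/openebs/ks.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app openebs
  namespace: flux-system
spec:
  targetNamespace: openebs-system
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/openebs-system/openebs/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/apps/security/external-secrets/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/refs/heads/main/ocirepository-source-v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: external-secrets
spec:
  interval: 10m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 0.17.0
  url: oci://ghcr.io/external-secrets/charts/external-secrets
  verify:
    # Keyless (Sigstore) verification. Without `matchOIDCIdentity`, Flux
    # accepts ANY valid keyless signature on the artifact — i.e. anyone with
    # a GitHub/Google/... identity could sign a replacement chart and it
    # would pass. Pinning the issuer and the signing identity's repository
    # closes that gap. external-secrets publishes charts signed from GitHub
    # Actions in its own repo; tighten `subject` to the exact release
    # workflow after checking `cosign verify` output for this tag.
    provider: cosign
    matchOIDCIdentity:
      - issuer: "^https://token.actions.githubusercontent.com$"
        subject: "^https://github.com/external-secrets/external-secrets/.*$"
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: external-secrets
spec:
  interval: 30m
  chartRef:
    kind: OCIRepository
    name: external-secrets
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      # Note: Helm does not roll CRDs back, so a rollback after a failed
      # upgrade can leave newer CRDs with the older controller — usually
      # harmless for ESO, but worth knowing when reading an incident.
      strategy: rollback
      retries: 3
  dependsOn:
    - name: onepassword-connect
      namespace: security
  values:
    # CRDs managed by the chart (the ks.yaml for this app should keep
    # `prune` away from them, as observability does for the operator CRDs).
    installCRDs: true
    serviceMonitor:
      enabled: true
      interval: 1m
    webhook:
      serviceMonitor:
        enabled: true
        interval: 1m
    certController:
      serviceMonitor:
        enabled: true
        interval: 1m
--------------------------------------------------------------------------------
/kubernetes/apps/security/external-secrets/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/security/external-secrets/ks.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: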
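$schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app external-secrets
  namespace: &namespace security
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/security/external-secrets/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  # wait: true so the stores Kustomization below only starts once the operator (and its CRDs) are ready.
  wait: true
  interval: 30m
  retryInterval: 1m
  timeout: 5m
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app external-secrets-stores
  namespace: &namespace security
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: external-secrets
      namespace: security
  path: ./kubernetes/apps/security/external-secrets/stores
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: true
  interval: 30m
  retryInterval: 1m
  timeout: 5m
-------------------------------------------------------------------------------- /kubernetes/apps/security/external-secrets/stores/clustersecretstore.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/clustersecretstore_v1beta1.json
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: onepassword-connect
spec:
  provider:
    onepassword:
      # NOTE(review): plain HTTP to the in-cluster Connect service. The Connect token referenced
      # below is sent over this hop unencrypted, so confidentiality relies on cluster-network
      # trust (or a mesh/CNI providing encryption) — confirm that assumption holds.
      connectHost: http://onepassword-connect.security.svc.cluster.local
      vaults:
        Homelab: 1
      auth:
        secretRef:
          connectTokenSecretRef:
            name: onepassword-secret
            key: token
            namespace: security
-------------------------------------------------------------------------------- /kubernetes/apps/security/external-secrets/stores/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./clustersecretstore.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/security/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: security
resources:
  - ./external-secrets/ks.yaml
  - ./onepassword-connect/ks.yaml
  - ./trivy-operator/ks.yaml
components:
  - ../../components/common
-------------------------------------------------------------------------------- /kubernetes/apps/security/onepassword-connect/app/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/security/onepassword-connect/ks.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app onepassword-connect
  namespace: &namespace security
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/security/onepassword-connect/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
-------------------------------------------------------------------------------- /kubernetes/apps/security/trivy-operator/app/helmrelease.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: trivy-operator
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: '0.28.1'
  url: oci://ghcr.io/aquasecurity/helm-charts/trivy-operator
  # NOTE(review): unlike the external-secrets OCIRepository in this repo, this source has no
  # spec.verify block, so the chart artifact is not signature-checked before Helm renders it.
  # If the upstream chart is cosign-signed, add `verify: { provider: cosign }` here for parity.
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: trivy-operator
  namespace: security
spec:
  interval: 30m
  chartRef:
    kind: OCIRepository
    name: trivy-operator
  # Remediation settings added for consistency with the other HelmReleases in this repo
  # (openebs, prometheus-operator-crds, external-secrets all retry 3x and clean up on failure).
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values:
    operator:
      scanJobsConcurrentLimit: 3
      vulnerabilityScannerScanOnlyCurrentRevisions: true
      configAuditScannerScanOnlyCurrentRevisions: true
      infraAssessmentScannerEnabled: false # No node scanning available as Talos is Read-Only
    nodeCollector:
      excludeNodes: "*"
    serviceMonitor:
      enabled: true
    trivy:
      ignoreUnfixed: true
      # NOTE(review): the nesting of this key could not be recovered from the flattened source;
      # confirm whether it belongs under trivy, under values, or is a leftover that no chart value consumes.
      interval: 10m0s
-------------------------------------------------------------------------------- /kubernetes/apps/security/trivy-operator/app/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helmrelease.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/security/trivy-operator/ks.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app trivy-operator
  namespace: &namespace security
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/security/trivy-operator/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  interval: 30m
  retryInterval: 1m
  timeout: 5m
-------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/forgejo/app/cluster.yaml: --------------------------------------------------------------------------------
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: forgejo-postgres
spec:
  instances: 1
  primaryUpdateStrategy: unsupervised

  storage:
    size: 2Gi
    storageClass: nfs-csi-sc

  postgresql:
    parameters:
      max_connections: "100"
      shared_buffers: 128MB

  bootstrap:
    initdb:
      # NOTE(review): a Forgejo cluster bootstrapping a database named "n8n" looks like a
      # copy/paste from the n8n cluster manifest. initdb only runs on first bootstrap, so
      # check the forgejo HelmRelease's database settings before renaming this.
      database: n8n
-------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/forgejo/app/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# `bases` is deprecated in kustomize and is intended for directories; plain manifests are listed under `resources`.
resources:
  - ./cluster.yaml
  - ./helmrelease.yaml
  - ./pvc.yaml
  - ./route.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/forgejo/app/pvc.yaml: --------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: forgejo
spec:
  storageClassName: nfs-csi-sc
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
-------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/forgejo/app/route.yaml: --------------------------------------------------------------------------------
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: forgejo
  namespace: selfhosted
spec:
  hostnames:
    - git.altena.io
  parentRefs:
    - name: internal
      namespace: kube-system
      sectionName: https
  rules:
    - backendRefs:
        - name: forgejo-http
          port: 3000
      matches:
        - path:
            value: /
-------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/forgejo/runner/externalsecret.yaml: --------------------------------------------------------------------------------
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: &name forgejo-runner
spec:
  refreshInterval: 15m
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: *name
    template:
      engineVersion: v2
      data:
        FORGEJO_INSTANCE_URL: "{{ .FORGEJO_INSTANCE_URL }}"
        RUNNER_TOKEN: "{{ .RUNNER_TOKEN }}"
  dataFrom:
    - extract:
        key: *name
-------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/forgejo/runner/kustomization.yaml: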
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./externalsecret.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/harbor/app/cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: postgresql.cnpg.io/v1 3 | kind: Cluster 4 | metadata: 5 | name: harbor-postgres 6 | spec: 7 | instances: 1 8 | primaryUpdateStrategy: unsupervised 9 | 10 | storage: 11 | size: 15Gi 12 | storageClass: nfs-csi-sc 13 | 14 | postgresql: 15 | parameters: 16 | max_connections: "100" 17 | shared_buffers: 128MB 18 | 19 | bootstrap: 20 | initdb: 21 | database: harbor 22 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/harbor/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kube-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 2 | --- 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: harbor-encryption 7 | spec: 8 | secretStoreRef: 9 | name: onepassword-connect 10 | kind: ClusterSecretStore 11 | target: 12 | deletionPolicy: Delete 13 | template: 14 | type: Opaque 15 | data: 16 | secretKey: |- 17 | {{ .encryption_key }} 18 | refreshInterval: 15m 19 | dataFrom: 20 | - extract: 21 | key: harbor 22 | --- 23 | apiVersion: external-secrets.io/v1 24 | kind: ExternalSecret 25 | metadata: 26 | name: harbor 27 | spec: 28 | secretStoreRef: 29 | name: onepassword-connect 30 | kind: ClusterSecretStore 31 | target: 32 | deletionPolicy: Delete 33 | template: 34 | type: Opaque 35 | data: 36 | password: |- 37 | {{ .admin_password }} 38 | 
refreshInterval: 15m 39 | dataFrom: 40 | - extract: 41 | key: harbor 42 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/harbor/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./cluster.yaml 7 | - ./externalsecret.yaml 8 | - ./helmrelease.yaml 9 | - ./pvc.yaml 10 | - ./route.yaml 11 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/harbor/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: harbor-registry 6 | spec: 7 | accessModes: 8 | - ReadWriteOnce 9 | resources: 10 | requests: 11 | storage: 200Gi 12 | storageClassName: nfs-csi-sc 13 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/harbor/app/route.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: gateway.networking.k8s.io/v1 3 | kind: HTTPRoute 4 | metadata: 5 | name: harbor 6 | namespace: selfhosted 7 | spec: 8 | parentRefs: 9 | - name: internal 10 | namespace: kube-system 11 | sectionName: https 12 | hostnames: 13 | - harbor.altena.io 14 | rules: 15 | - matches: 16 | - path: 17 | type: PathPrefix 18 | value: /api/ 19 | - path: 20 | type: PathPrefix 21 | value: /service/ 22 | - path: 23 | type: PathPrefix 24 | value: /v2/ 25 | - path: 26 | type: PathPrefix 27 | value: /c/ 28 | backendRefs: 29 | - name: harbor-core 30 | namespace: selfhosted 31 | port: 80 32 | - matches: 33 | - path: 34 | type: PathPrefix 35 | value: / 36 | backendRefs: 37 | - name: harbor-portal 38 | namespace: selfhosted 39 | port: 80 40 | 
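-------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/harbor/ks.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &appname harbor
  namespace: &namespace selfhosted
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *appname
  interval: 30m
  timeout: 5m
  path: "./kubernetes/apps/selfhosted/harbor/app"
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  wait: false
  # The app's ExternalSecrets need the onepassword-connect ClusterSecretStore to exist first.
  dependsOn:
    - name: external-secrets-stores
      namespace: security
  postBuild:
    substitute:
      APP: *appname
      APP_UID: "1000"
      APP_GID: "1000"
-------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/kustomization.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: selfhosted
resources:
  - ./forgejo/ks.yaml
  - ./harbor/ks.yaml
  - ./n8n/ks.yaml
  - ./nocodb/ks.yaml
  - ./prlx/ks.yaml
components:
  - ../../components/common
-------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/n8n/app/cluster.yaml: --------------------------------------------------------------------------------
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: n8n
spec:
  instances: 1
  primaryUpdateStrategy: unsupervised

  storage:
    size: 2Gi
    storageClass: nfs-csi-sc

  postgresql:
    parameters:
      max_connections: "100"
      shared_buffers: 128MB

  bootstrap:
    initdb:
      database: n8n
-------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/n8n/app/externalsecret.yaml: --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: n8n
spec:
  refreshInterval: 5m
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: n8n
    creationPolicy: Owner
    template:
      data:
        # The rewrite below prefixes every extracted key with "n8n_", hence .n8n_encryption_key here.
        N8N_ENCRYPTION_KEY: "{{ .n8n_encryption_key }}"
  dataFrom:
    - extract:
        key: n8n
      rewrite:
        - regexp:
            source: "(.*)"
            target: "n8n_$1"
-------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/n8n/app/kustomization.yaml: --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# `bases` is deprecated in kustomize and is intended for directories; plain manifests are listed under `resources`.
resources:
  - ./cluster.yaml
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./pvc.yaml
-------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/n8n/app/pvc.yaml: --------------------------------------------------------------------------------
---
# Separate PVC manifest
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: n8n
spec:
  accessModes: ["ReadWriteMany"]
  resources:
    requests:
      storage: 20Gi
  storageClassName: nfs-csi-sc
-------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/n8n/ks.yaml: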
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &appname n8n 7 | namespace: &namespace selfhosted 8 | spec: 9 | targetNamespace: *namespace 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *appname 13 | interval: 30m 14 | timeout: 5m 15 | path: "./kubernetes/apps/selfhosted/n8n/app" 16 | prune: true 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | wait: false 22 | dependsOn: 23 | - name: external-secrets-stores 24 | namespace: security 25 | postBuild: 26 | substitute: 27 | APP: *appname 28 | APP_UID: "1000" 29 | APP_GID: "1000" 30 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/nocodb/app/cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: postgresql.cnpg.io/v1 2 | kind: Cluster 3 | metadata: 4 | name: nocodb 5 | spec: 6 | instances: 1 7 | storage: 8 | size: 15Gi 9 | storageClass: nfs-csi-sc 10 | 11 | imageName: ghcr.io/tensorchord/cloudnative-pgvecto.rs:16.3 12 | 13 | postgresql: 14 | shared_preload_libraries: 15 | - "vectors.so" 16 | parameters: 17 | search_path: '"$user", public, vectors' 18 | 19 | monitoring: 20 | enablePodMonitor: true 21 | 22 | resources: 23 | requests: 24 | cpu: 300m 25 | limits: 26 | memory: 1Gi 27 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/nocodb/app/dragonfly/cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/dragonflydb.io/dragonfly_v1alpha1.json 3 | apiVersion: dragonflydb.io/v1alpha1 4 | kind: 
Dragonfly 5 | metadata: 6 | name: nocodb-dragonfly 7 | spec: 8 | image: ghcr.io/dragonflydb/dragonfly:v1.30.3 9 | replicas: 1 # set to the number of nodes in the cluster 10 | env: 11 | - name: MAX_MEMORY 12 | valueFrom: 13 | resourceFieldRef: 14 | resource: limits.memory 15 | divisor: 1Mi 16 | args: 17 | - --maxmemory=$(MAX_MEMORY)Mi 18 | - --proactor_threads=2 19 | - --cluster_mode=emulated 20 | resources: 21 | requests: 22 | cpu: 100m 23 | limits: 24 | memory: 512Mi 25 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/nocodb/app/dragonfly/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./cluster.yaml 7 | - ./podmonitor.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/nocodb/app/dragonfly/podmonitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/podmonitor_v1.json 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: PodMonitor 5 | metadata: 6 | name: dragonfly 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: dragonfly 11 | podTargetLabels: [app] 12 | podMetricsEndpoints: 13 | - port: admin 14 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/nocodb/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: nocodb 7 | spec: 8 | refreshInterval: 5m 9 
| secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: onepassword-connect 12 | target: 13 | name: nocodb 14 | creationPolicy: Owner 15 | template: 16 | type: Opaque 17 | data: 18 | NC_ADMIN_EMAIL: "{{ .NOCODB_ADMIN_EMAIL }}" 19 | NC_ADMIN_PASSWORD: "{{ .NOCODB_ADMIN_PASSWORD }}" 20 | dataFrom: 21 | - extract: 22 | key: nocodb 23 | 24 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/nocodb/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./cluster.yaml 7 | - ./dragonfly/ 8 | - ./externalsecret.yaml 9 | - ./helmrelease.yaml 10 | - ./pvc.yaml 11 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/nocodb/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: nocodb 6 | spec: 7 | accessModes: ["ReadWriteMany"] 8 | resources: 9 | requests: 10 | storage: 10Gi 11 | storageClassName: nfs-csi-sc 12 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/nocodb/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &appname nocodb 7 | namespace: &namespace selfhosted 8 | spec: 9 | targetNamespace: *namespace 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *appname 13 | interval: 30m 14 | timeout: 5m 15 | path: "./kubernetes/apps/selfhosted/nocodb/app" 16 | 
prune: true 17 | sourceRef: 18 | kind: GitRepository 19 | name: flux-system 20 | namespace: flux-system 21 | wait: false 22 | dependsOn: 23 | - name: external-secrets-stores 24 | namespace: security 25 | postBuild: 26 | substitute: 27 | APP: *appname 28 | APP_UID: "1000" 29 | APP_GID: "1000" 30 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/prlx/backend/cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: postgresql.cnpg.io/v1 2 | kind: Cluster 3 | metadata: 4 | name: prlx-db 5 | spec: 6 | instances: 1 7 | imageName: ghcr.io/clevyr/cloudnativepg-timescale:16-ts2 8 | 9 | postgresql: 10 | parameters: 11 | shared_buffers: "256MB" 12 | shared_preload_libraries: 13 | - timescaledb 14 | 15 | bootstrap: 16 | initdb: 17 | postInitTemplateSQL: 18 | - CREATE EXTENSION IF NOT EXISTS timescaledb; 19 | 20 | storage: 21 | size: 20Gi 22 | storageClass: nfs-csi-sc 23 | 24 | walStorage: 25 | size: 5Gi 26 | storageClass: nfs-csi-sc 27 | 28 | monitoring: 29 | enablePodMonitor: true 30 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/prlx/backend/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: &name prlx-backend 6 | spec: 7 | secretStoreRef: 8 | name: onepassword-connect 9 | kind: ClusterSecretStore 10 | target: 11 | deletionPolicy: Delete 12 | template: 13 | type: Opaque 14 | data: 15 | jwt-secret: |- 16 | {{ .jwt_secret }} 17 | refreshInterval: 15m 18 | dataFrom: 19 | - extract: 20 | key: *name 21 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/prlx/backend/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | bases: 5 | - ./cluster.yaml 6 | - ./deployment.yaml 7 | - ./externalsecret.yaml 8 | - ./service.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/prlx/backend/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: prlx-backend 6 | spec: 7 | selector: 8 | app: prlx-backend 9 | ports: 10 | - port: 8080 11 | targetPort: 8080 12 | type: ClusterIP 13 | -------------------------------------------------------------------------------- /kubernetes/apps/selfhosted/prlx/operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - deployment.yaml 6 | 7 | commonLabels: 8 | app.kubernetes.io/name: security-operator 9 | app.kubernetes.io/part-of: prlx-security 10 | app.kubernetes.io/component: operator 11 | -------------------------------------------------------------------------------- /kubernetes/apps/storage/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: storage 6 | resources: 7 | - ./minio/ks.yaml 8 | components: 9 | - ../../components/common 10 | -------------------------------------------------------------------------------- /kubernetes/apps/storage/minio/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: 
minio 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: minio-secret 13 | template: 14 | engineVersion: v2 15 | data: 16 | MINIO_ROOT_USER: "{{ .MINIO_ROOT_USER }}" 17 | MINIO_ROOT_PASSWORD: "{{ .MINIO_ROOT_PASSWORD }}" 18 | dataFrom: 19 | - extract: 20 | key: minio 21 | -------------------------------------------------------------------------------- /kubernetes/apps/storage/minio/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/storage/minio/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app minio 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: storage 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | dependsOn: 14 | - name: external-secrets-stores 15 | namespace: security 16 | path: ./kubernetes/apps/storage/minio/app 17 | prune: true 18 | sourceRef: 19 | kind: GitRepository 20 | name: flux-system 21 | namespace: flux-system 22 | wait: false 23 | interval: 30m 24 | retryInterval: 1m 25 | timeout: 5m 26 | postBuild: 27 | substitute: 28 | APP: *app 29 | -------------------------------------------------------------------------------- /kubernetes/apps/system-upgrade/.env: -------------------------------------------------------------------------------- 1 | # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet 2 | 
KUBERNETES_VERSION=v1.33.1 3 | # renovate: datasource=docker depName=ghcr.io/siderolabs/installer 4 | TALOS_VERSION=v1.10.3 5 | -------------------------------------------------------------------------------- /kubernetes/apps/system-upgrade/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: system-upgrade 6 | components: 7 | - ../../components/common 8 | resources: 9 | - ./system-upgrade-controller/ks.yaml 10 | configMapGenerator: 11 | - name: system-upgrade-plan-versions 12 | env: ./.env 13 | generatorOptions: 14 | disableNameSuffixHash: true 15 | -------------------------------------------------------------------------------- /kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./rbac.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/system-upgrade/system-upgrade-controller/app/rbac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: system-upgrade-controller 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: ClusterRole 9 | name: cluster-admin # NOTE(review): full cluster-admin for the system-upgrade-controller SA; together with the os:admin Talos role below this is the most privileged identity in the cluster, so anyone who can create pods or exec in the system-upgrade namespace effectively holds cluster-admin — keep that namespace's RBAC tight and confirm no narrower ClusterRole suffices 10 | subjects: 11 | - kind: ServiceAccount 12 | name: system-upgrade-controller 13 | namespace: system-upgrade 14 | --- 15 | apiVersion: talos.dev/v1alpha1 16 | kind: ServiceAccount 17 | metadata: 18 | name: system-upgrade-controller 19 | spec: 20 | roles: ["os:admin"] # NOTE(review): full Talos API access; the upgrade plans mount this credential at /var/run/secrets/talos.dev, so every image those plans run gets node-admin on all nodes 21 | 
-------------------------------------------------------------------------------- /kubernetes/apps/system-upgrade/system-upgrade-controller/plans/kubernetes.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/upgrade.cattle.io/plan_v1.json 3 | apiVersion: upgrade.cattle.io/v1 4 | kind: Plan 5 | metadata: 6 | name: kubernetes 7 | spec: 8 | version: ${KUBERNETES_VERSION} 9 | concurrency: 1 10 | exclusive: true 11 | serviceAccountName: system-upgrade-controller 12 | secrets: 13 | - name: system-upgrade-controller 14 | path: /var/run/secrets/talos.dev 15 | ignoreUpdates: true 16 | nodeSelector: 17 | matchExpressions: 18 | - key: node-role.kubernetes.io/control-plane 19 | operator: Exists 20 | upgrade: 21 | image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION} 22 | args: 23 | - --nodes=$(SYSTEM_UPGRADE_NODE_NAME) 24 | - upgrade-k8s 25 | - --to=$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION) 26 | -------------------------------------------------------------------------------- /kubernetes/apps/system-upgrade/system-upgrade-controller/plans/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./kubernetes.yaml 7 | - ./talos.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/system-upgrade/system-upgrade-controller/plans/talos.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/upgrade.cattle.io/plan_v1.json 3 | apiVersion: upgrade.cattle.io/v1 4 | kind: Plan 5 | metadata: 6 | name: talos 7 | spec: 8 | version: ${TALOS_VERSION} 9 | concurrency: 1 10 | postCompleteDelay: 2m 11 | 
exclusive: true 12 | serviceAccountName: system-upgrade-controller 13 | secrets: 14 | - name: system-upgrade-controller 15 | path: /var/run/secrets/talos.dev 16 | ignoreUpdates: true 17 | nodeSelector: 18 | matchExpressions: 19 | - key: kubernetes.io/hostname 20 | operator: Exists 21 | upgrade: 22 | image: ghcr.io/jfroy/tnu:0.4.3 # NOTE(review): third-party upgrader that runs with the os:admin Talos credential mounted above; consider pinning by digest in addition to the tag so a retagged image cannot change what runs as node admin 23 | args: 24 | - --node=$(SYSTEM_UPGRADE_NODE_NAME) 25 | - --tag=$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION) 26 | - --powercycle 27 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: volsync-system 6 | resources: 7 | - ./snapshot-controller/ks.yaml 8 | - ./volsync/ks.yaml 9 | components: 10 | - ../../components/common 11 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/snapshot-controller/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: volsync 7 | spec: 8 | interval: 5m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 0.12.1 14 | url: oci://ghcr.io/home-operations/charts-mirror/volsync # NOTE(review): this repository is named volsync and pulls the volsync chart (tag 0.12.1 is the same version the volsync HelmRelease installs from backube), yet it backs the snapshot-controller HelmRelease below, whose values (controller.serviceMonitor, webhook.enabled) look like snapshot-controller chart values; if so the chart url is wrong, snapshot-controller is never installed, and two releases manage the VolSync CRDs — confirm. Also no 'verify' block here, unlike the cosign-verified app-template OCIRepository in components/common 15 | --- 16 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 17 | apiVersion: helm.toolkit.fluxcd.io/v2 18 | kind: HelmRelease 19 | metadata: 20 | name: snapshot-controller 21 | spec: 22 | interval: 1h 23 | chartRef: 24 | kind: OCIRepository 25 | name: 
volsync 26 | install: 27 | crds: CreateReplace 28 | remediation: 29 | retries: 3 30 | upgrade: 31 | cleanupOnFail: true 32 | crds: CreateReplace 33 | remediation: 34 | strategy: rollback 35 | retries: 3 36 | values: 37 | controller: 38 | serviceMonitor: 39 | create: true 40 | webhook: 41 | enabled: false 42 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/snapshot-controller/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/snapshot-controller/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app snapshot-controller 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: volsync-system 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | path: ./kubernetes/apps/volsync-system/snapshot-controller/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | wait: false 20 | interval: 30m 21 | retryInterval: 1m 22 | timeout: 5m 23 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/app/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: 
helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | name: volsync 7 | spec: 8 | interval: 30m 9 | chart: 10 | spec: 11 | chart: volsync 12 | version: 0.12.1 13 | sourceRef: 14 | kind: HelmRepository 15 | name: backube 16 | namespace: flux-system 17 | install: 18 | remediation: 19 | retries: 3 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | strategy: rollback 24 | retries: 3 25 | dependsOn: 26 | - name: minio 27 | namespace: storage 28 | - name: snapshot-controller 29 | namespace: volsync-system 30 | values: 31 | manageCRDs: true 32 | metrics: 33 | disableAuth: true # NOTE(review): serves the VolSync metrics endpoint without authentication; acceptable only if it is reachable solely by in-cluster scrapers (e.g. restricted by a NetworkPolicy) — confirm 34 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | # - ./prometheusrule.yaml  # NOTE(review): while this stays commented out, the VolSyncComponentAbsent and VolSyncVolumeOutOfSync alerts in prometheusrule.yaml are not deployed, so a silently failing replication goes unnoticed 8 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/app/prometheusrule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/prometheusrule_v1.json 3 | apiVersion: monitoring.coreos.com/v1 4 | kind: PrometheusRule 5 | metadata: 6 | name: volsync 7 | spec: 8 | groups: 9 | - name: volsync.rules 10 | rules: 11 | - alert: VolSyncComponentAbsent 12 | annotations: 13 | summary: VolSync component has disappeared from Prometheus target discovery. 14 | expr: | 15 | absent(up{job="volsync-metrics"}) 16 | for: 15m 17 | labels: 18 | severity: critical 19 | - alert: VolSyncVolumeOutOfSync 20 | annotations: 21 | summary: >- 22 | {{ $labels.obj_namespace }}/{{ $labels.obj_name }} volume 23 | is out of sync. 
24 | expr: | 25 | volsync_volume_out_of_sync == 1 26 | for: 15m 27 | labels: 28 | severity: critical 29 | -------------------------------------------------------------------------------- /kubernetes/apps/volsync-system/volsync/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app volsync 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: volsync-system 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | path: ./kubernetes/apps/volsync-system/volsync/app 14 | prune: true 15 | sourceRef: 16 | kind: GitRepository 17 | name: flux-system 18 | namespace: flux-system 19 | wait: false 20 | interval: 30m 21 | retryInterval: 1m 22 | timeout: 5m 23 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/.sourceignore: -------------------------------------------------------------------------------- 1 | * 2 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/apps/.secrets.env: -------------------------------------------------------------------------------- 1 | FLUX_SOPS_PRIVATE_KEY=op://Homelab/sops/SOPS_PRIVATE_KEY 2 | ONEPASSWORD_CREDENTIALS=op://Homelab/1password/OP_CREDENTIALS_JSON 3 | ONEPASSWORD_CONNECT_TOKEN=op://Homelab/1password/OP_CONNECT_TOKEN 4 | -------------------------------------------------------------------------------- /kubernetes/bootstrap/apps/templates/resources.yaml.j2: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: security 6 | --- 7 | apiVersion: v1 8 | kind: Secret 9 | metadata: 10 | name: onepassword-secret 11 | namespace: security 12 | stringData: 13 | 
1password-credentials.json: {{ ENV.ONEPASSWORD_CREDENTIALS }} 14 | token: {{ ENV.ONEPASSWORD_CONNECT_TOKEN }} 15 | --- 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: flux-system 20 | --- 21 | apiVersion: v1 22 | kind: Secret 23 | metadata: 24 | name: sops-age 25 | namespace: flux-system 26 | stringData: 27 | age.agekey: | 28 | {{ ENV.FLUX_SOPS_PRIVATE_KEY | indent(4) }} 29 | -------------------------------------------------------------------------------- /kubernetes/components/common/alerts/alertmanager/alert.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json 3 | apiVersion: notification.toolkit.fluxcd.io/v1beta3 4 | kind: Alert 5 | metadata: 6 | name: alertmanager 7 | spec: 8 | providerRef: 9 | name: alertmanager 10 | eventSeverity: error 11 | eventSources: 12 | - kind: FluxInstance 13 | name: "*" 14 | - kind: GitRepository 15 | name: "*" 16 | - kind: HelmRelease 17 | name: "*" 18 | - kind: HelmRepository 19 | name: "*" 20 | - kind: Kustomization 21 | name: "*" 22 | - kind: OCIRepository 23 | name: "*" 24 | exclusionList: 25 | - "error.*lookup github\\.com" 26 | - "error.*lookup raw\\.githubusercontent\\.com" 27 | - "dial.*tcp.*timeout" 28 | - "waiting.*socket" 29 | suspend: false 30 | -------------------------------------------------------------------------------- /kubernetes/components/common/alerts/alertmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./alert.yaml 7 | - ./provider.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/components/common/alerts/alertmanager/provider.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json 3 | apiVersion: notification.toolkit.fluxcd.io/v1beta3 4 | kind: Provider 5 | metadata: 6 | name: alertmanager 7 | spec: 8 | type: alertmanager 9 | address: http://alertmanager.observability.svc.cluster.local:9093/api/v2/alerts/ 10 | -------------------------------------------------------------------------------- /kubernetes/components/common/alerts/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./alertmanager 7 | -------------------------------------------------------------------------------- /kubernetes/components/common/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - ./namespace.yaml 7 | - ./alerts 8 | - ./repos 9 | - ./sops 10 | -------------------------------------------------------------------------------- /kubernetes/components/common/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: not-used # NOTE(review): presumably overwritten by the including kustomization's 'namespace:' field, which kustomize also applies to Namespace objects — verify 6 | annotations: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | volsync.backube/privileged-movers: "true" # NOTE(review): this component is included by every app namespace kustomization (storage, system-upgrade, volsync-system, ...), so each of those namespaces appears to opt into privileged VolSync mover pods; scope this to the namespaces that actually need it if possible 9 | -------------------------------------------------------------------------------- /kubernetes/components/common/repos/app-template/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./ocirepository.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/components/common/repos/app-template/ocirepository.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: app-template 7 | spec: 8 | interval: 1h 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 3.7.3 14 | url: oci://ghcr.io/bjw-s/helm/app-template 15 | verify: 16 | provider: cosign # NOTE(review): keyless verification with no secretRef and no matchOIDCIdentity accepts any artifact carrying a valid Sigstore signature regardless of who signed it; add a matchOIDCIdentity issuer/subject for the upstream release workflow to pin the signer 17 | -------------------------------------------------------------------------------- /kubernetes/components/common/repos/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./app-template 7 | -------------------------------------------------------------------------------- /kubernetes/components/common/sops/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./secret.sops.yaml # NOTE(review): components/common is included by each app namespace kustomization, so the sops-age Secret below (which carries an age private key) is created in every one of those namespaces; if it is the key Flux decrypts with, read access to Secrets in any such namespace equals access to every secret in the repo — confirm a per-namespace copy is really needed 7 | -------------------------------------------------------------------------------- /kubernetes/components/common/sops/secret.sops.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: 
sops-age 5 | stringData: 6 | age.agekey: ENC[AES256_GCM,data:jgxwXOR7x2O780pSEHLNbtPqIFFo1ILeA7V6iHV02V3HWaPONd4iVNRcxLowfeVDe7PKIeKC1fw1XBRsWgFFbrJDQauIoadVBoyZ,iv:q1KyS96UhTUmXixYAY/HHjQ6RWB9/LXdTTb9IQxHRBU=,tag:v/uOSl87qZzTjtKq2IWOcA==,type:str] 7 | sops: 8 | kms: [] 9 | gcp_kms: [] 10 | azure_kv: [] 11 | hc_vault: [] 12 | age: 13 | - recipient: age1yrzd67uvapjjawwjgfc7drkyu8pk2m800w4knjzrg69jxkm0afcqnr9qfz 14 | enc: | 15 | -----BEGIN AGE ENCRYPTED FILE----- 16 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVW0reThJRTk0Uzh0bzQx 17 | SGE1bFpCU2pNcGpIQS9saDUxelZoUDBKd1RnCjRRZVpiekljZVk1RDJPQkpWVDV3 18 | djhTRVBITlM3NzEvcjJKY0ZiK0JlWHMKLS0tIDVEdGc4eUNvaTFHUGRiSWVPeVI3 19 | azh0enVBQUltcmIxNG5IM0g1QkJvc3cKF/Utj5nx7eBNZlFB38ijXWfPXGI3JBIe 20 | gX2lhI5g0GuCVSPhH9vsTH1V4Ogj+y0WZlGQt1f5H9RlTMrjb7RVGA== 21 | -----END AGE ENCRYPTED FILE----- 22 | lastmodified: "2025-02-01T21:34:26Z" 23 | mac: ENC[AES256_GCM,data:NRdH2S47Uw9ujpGowfViCIOjw1s95bXhB1NSGBPEiWb4Ktvwrjpo5Yv0BaR/AmA+JGFzPb2ZwJ095pLESlXvDDRNiwV6zo3KRFJlaQesRj8pXz1SoM8bqqklF4SFQOwjrKgtG9fFtg1Y14fWZkP8UGqZMVhN6w577bbH79sUQu8=,iv:7mM43VMEsIFLxoYJK8EQopGtRMtlrFS6dIgWdd9nFdA=,tag:N193m/WfKXaVTPtMJMRyvQ==,type:str] 24 | pgp: [] 25 | encrypted_regex: ^(data|stringData)$ 26 | version: 3.9.1 27 | -------------------------------------------------------------------------------- /kubernetes/flux/cluster/ks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: cluster-metadata 7 | namespace: flux-system 8 | spec: 9 | targetNamespace: flux-system 10 | interval: 30m 11 | path: ./kubernetes/flux/metadata 12 | prune: true 13 | wait: false 14 | sourceRef: 15 | kind: GitRepository 16 | name: flux-system 17 | --- 18 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 19 | apiVersion: kustomize.toolkit.fluxcd.io/v1 20 | kind: Kustomization 21 | metadata: 22 | name: cluster-apps 23 | namespace: flux-system 24 | spec: 25 | interval: 10m 26 | path: ./kubernetes/apps 27 | prune: true 28 | sourceRef: 29 | kind: GitRepository 30 | name: flux-system 31 | decryption: 32 | provider: sops 33 | secretRef: 34 | name: sops-age 35 | dependsOn: 36 | - name: cluster-metadata 37 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./repositories 7 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/git/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: [] 5 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/actions-runner-controller.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: actions-runner-controller 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 30m 11 | url: oci://ghcr.io/actions/actions-runner-controller-charts 12 | -------------------------------------------------------------------------------- 
/kubernetes/flux/metadata/repositories/helm/aqua.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: aqua 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://aquasecurity.github.io/helm-charts/ 10 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/backube.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: backube 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://backube.github.io/helm-charts/ 11 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/bjw-s.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: bjw-s 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 5m 10 | url: oci://ghcr.io/bjw-s/helm 11 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/cilium.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: cilium 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://helm.cilium.io 10 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/cnpg.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 
apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: cnpg 6 | namespace: databases # NOTE(review): the cluster-metadata Kustomization in flux/cluster/ks.yaml applies this tree with targetNamespace: flux-system, which overrides the namespace set here (and on emqx.yaml), so the object lands in flux-system; a HelmRelease sourceRef pointing at namespace 'databases' would not resolve — confirm 7 | spec: 8 | interval: 1h 9 | url: https://cloudnative-pg.github.io/charts 10 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/controlplaneio.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: controlplaneio 7 | namespace: flux-system 8 | spec: 9 | type: oci 10 | interval: 5m 11 | url: oci://ghcr.io/controlplaneio-fluxcd/charts 12 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/coredns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: coredns 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://coredns.github.io/helm 10 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/csi-nfs-driver.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: csi-driver-nfs 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts # NOTE(review): chart index served from a mutable branch rather than a release; the HelmRelease's pinned chart version limits exposure, but a rewrite of the branch can still change what that version resolves to 10 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/dependency-track.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: 
HelmRepository 4 | metadata: 5 | name: dependency-track 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://dependencytrack.github.io/helm-charts 10 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/emqx.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: emqx 7 | namespace: databases 8 | spec: 9 | interval: 2h 10 | url: https://repos.emqx.io/charts 11 | timeout: 3m 12 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/external-dns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: external-dns 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://kubernetes-sigs.github.io/external-dns 11 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/external-secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: external-secrets 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://charts.external-secrets.io 11 | -------------------------------------------------------------------------------- 
/kubernetes/flux/metadata/repositories/helm/grafana.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: grafana 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://grafana.github.io/helm-charts 11 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/harbor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://github.com/fluxcd-community/flux2-schemas/raw/main/helmrepository-source-v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: harbor 7 | namespace: flux-system 8 | spec: 9 | interval: 30m 10 | url: https://helm.goharbor.io 11 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/ingress-nginx.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: ingress-nginx 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://kubernetes.github.io/ingress-nginx 11 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/intel.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: 
HelmRepository 5 | metadata: 6 | name: intel 7 | namespace: flux-system 8 | spec: 9 | interval: 12h 10 | url: https://intel.github.io/helm-charts 11 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/jetstack.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: jetstack 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://charts.jetstack.io 10 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/k8s-gateway.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: k8s-gateway 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://ori-edge.github.io/k8s_gateway 10 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./actions-runner-controller.yaml 6 | - ./aqua.yaml 7 | - ./backube.yaml 8 | - ./bjw-s.yaml 9 | - ./cilium.yaml 10 | - ./cnpg.yaml 11 | - ./controlplaneio.yaml 12 | - ./coredns.yaml 13 | - ./csi-nfs-driver.yaml 14 | - ./dependency-track.yaml 15 | - ./emqx.yaml 16 | - ./external-dns.yaml 17 | - ./external-secrets.yaml 18 | - ./grafana.yaml 19 | - ./harbor.yaml 20 | - ./intel.yaml 21 | - ./jetstack.yaml 22 | - ./k8s-gateway.yaml 23 | - ./metrics-server.yaml 24 | - ./ingress-nginx.yaml 25 | - ./ollama.yaml 26 | - ./openebs.yaml 27 | - ./pireaus.yaml 28 | - ./prometheus-community.yaml 29 | - ./rook-ceph.yaml 30 | - ./spegel.yaml 31 | - 
./stakater.yaml 32 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/metrics-server.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: metrics-server 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://kubernetes-sigs.github.io/metrics-server 10 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/ollama.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: ollama 7 | namespace: flux-system 8 | spec: 9 | interval: 1h 10 | url: https://otwld.github.io/ollama-helm/ 11 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/openebs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: openebs 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://openebs.github.io/openebs 10 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/pireaus.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: piraeus 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: 
https://piraeus.io/helm-charts/ 11 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/prometheus-community.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: prometheus-community 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 5m 10 | url: oci://ghcr.io/prometheus-community/charts 11 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/rook-ceph.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: rook-ceph 7 | namespace: flux-system 8 | spec: 9 | interval: 2h 10 | url: https://charts.rook.io/release 11 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/spegel.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: spegel 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 5m 10 | url: oci://ghcr.io/spegel-org/helm-charts 11 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/helm/stakater.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: HelmRepository 4 | metadata: 5 | name: stakater 6 | namespace: flux-system 7 | spec: 8 | type: oci 9 | interval: 5m 10 | url: oci://ghcr.io/stakater/charts 11 | 
-------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./git 6 | - ./helm 7 | - ./oci 8 | -------------------------------------------------------------------------------- /kubernetes/flux/metadata/repositories/oci/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: [] 5 | -------------------------------------------------------------------------------- /kubernetes/talos/clusterconfig/.gitignore: -------------------------------------------------------------------------------- 1 | 192.168.2.102.yaml 2 | 192.168.2.103.yaml 3 | 192.168.2.104.yaml 4 | talosconfig -------------------------------------------------------------------------------- /kubernetes/talos/patches/README.md: -------------------------------------------------------------------------------- 1 | # Talos Patching 2 | 3 | This directory contains Kustomization patches that are added to the talhelper configuration file. 4 | 5 | 6 | 7 | ## Patch Directories 8 | 9 | Under this `patches` directory, there are several sub-directories that can contain patches that are added to the talhelper configuration file. 10 | Each directory is optional and therefore might not created by default. 
11 | 12 | - `global/`: patches that are applied to both the controller and worker configurations 13 | - `controller/`: patches that are applied to the controller configurations 14 | - `worker/`: patches that are applied to the worker configurations 15 | - `${node-hostname}/`: patches that are applied to the node with the specified name 16 | -------------------------------------------------------------------------------- /kubernetes/talos/patches/controller/cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | cluster: 3 | allowSchedulingOnControlPlanes: true 4 | apiServer: 5 | extraArgs: 6 | # https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/ 7 | enable-aggregator-routing: true 8 | controllerManager: 9 | extraArgs: 10 | bind-address: 0.0.0.0 11 | coreDNS: 12 | disabled: true 13 | etcd: 14 | advertisedSubnets: 15 | - 192.168.2.0/24 16 | proxy: 17 | disabled: true 18 | scheduler: 19 | extraArgs: 20 | bind-address: 0.0.0.0 21 | -------------------------------------------------------------------------------- /kubernetes/talos/patches/controller/disable-admission-controller.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | - op: remove 3 | path: /cluster/apiServer/admissionControl 4 | -------------------------------------------------------------------------------- /kubernetes/talos/patches/global/machine-features.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | machine: 3 | features: 4 | hostDNS: 5 | enabled: true 6 | resolveMemberNames: true 7 | forwardKubeDNSToHost: true # Requires Cilium `bpf.masquerade: false` 8 | kubernetesTalosAPIAccess: 9 | enabled: true 10 | allowedRoles: 11 | - os:admin 12 | allowedKubernetesNamespaces: 13 | - actions-runner-system 14 | - system-upgrade 15 | -------------------------------------------------------------------------------- 
/kubernetes/talos/patches/global/machine-files.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | machine: 3 | files: 4 | - op: create 5 | path: /etc/cri/conf.d/20-customization.part 6 | permissions: 0o644 7 | content: |- 8 | [plugins."io.containerd.cri.v1.images"] 9 | discard_unpacked_layers = false 10 | -------------------------------------------------------------------------------- /kubernetes/talos/patches/global/machine-kubelet.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | machine: 3 | kubelet: 4 | extraConfig: 5 | serializeImagePulls: false 6 | nodeIP: 7 | validSubnets: 8 | - 192.168.2.0/24 9 | -------------------------------------------------------------------------------- /kubernetes/talos/patches/global/machine-network.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | machine: 3 | network: 4 | disableSearchDomain: true 5 | nameservers: 6 | - 192.168.2.111 7 | -------------------------------------------------------------------------------- /kubernetes/talos/patches/global/machine-openebs-local.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | machine: 3 | kubelet: 4 | extraMounts: 5 | - destination: /var/openebs/local 6 | type: bind 7 | source: /var/openebs/local 8 | options: 9 | - bind 10 | - rshared 11 | - rw 12 | -------------------------------------------------------------------------------- /kubernetes/talos/patches/global/machine-sysctl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | machine: 3 | sysctls: 4 | fs.inotify.max_queued_events: "65536" 5 | fs.inotify.max_user_watches: "524288" 6 | fs.inotify.max_user_instances: "8192" 7 | net.core.rmem_max: "2500000" 8 | net.core.wmem_max: "2500000" 9 | -------------------------------------------------------------------------------- 
/kubernetes/talos/patches/global/machine-time.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | machine: 3 | time: 4 | disabled: false 5 | servers: 6 | - 0.europe.pool.ntp.org 7 | - 1.europe.pool.ntp.org 8 | - 2.europe.pool.ntp.org 9 | --------------------------------------------------------------------------------