├── cluster ├── base │ ├── helm-release.yaml │ ├── flux-system │ │ ├── charts │ │ │ ├── kustomization.yaml │ │ │ ├── git │ │ │ │ ├── kustomization.yaml │ │ │ │ └── rancher-dev-charts.yaml │ │ │ └── helm │ │ │ │ ├── bootc-charts.yaml │ │ │ │ ├── hajimari-charts.yaml │ │ │ │ ├── kasten-charts.yaml │ │ │ │ ├── lwolf-charts.yaml │ │ │ │ ├── mrry-io-charts.yml │ │ │ │ ├── jetstack-charts.yaml │ │ │ │ ├── authentik-charts.yaml │ │ │ │ ├── bitnami-charts.yaml │ │ │ │ ├── cetic-charts.yaml │ │ │ │ ├── coredns-charts.yaml │ │ │ │ ├── rook-ceph-charts.yaml │ │ │ │ ├── traefik-charts.yaml │ │ │ │ ├── grafana-charts.yaml │ │ │ │ ├── k8s-at-home-charts.yaml │ │ │ │ ├── deliveryhero-charts.yaml │ │ │ │ ├── stakater-charts.yaml │ │ │ │ ├── falco-security-charts.yaml │ │ │ │ ├── prometheus-community-charts.yaml │ │ │ │ ├── kubernetes-sigs-descheduler-charts.yaml │ │ │ │ ├── node-feature-discovery-charts.yaml │ │ │ │ └── kustomization.yaml │ │ ├── kustomization.yaml │ │ └── gotk-sync.yaml │ ├── crds.yaml │ ├── apps.yaml │ ├── core.yaml │ └── cluster-settings.yaml ├── core │ ├── namespaces │ │ ├── ibc.yaml │ │ ├── media.yaml │ │ ├── utils.yaml │ │ ├── netops.yaml │ │ ├── db-system.yaml │ │ ├── kasten-io.yaml │ │ ├── monitoring.yaml │ │ ├── networking.yaml │ │ ├── rook-ceph.yaml │ │ ├── security.yaml │ │ ├── cert-manager.yaml │ │ ├── falco-system.yaml │ │ ├── flux-system.yaml │ │ ├── kube-system.yaml │ │ ├── calico-system.yaml │ │ └── kustomization.yaml │ ├── kube-system │ │ ├── kustomization.yaml │ │ └── kube-vip │ │ │ ├── kustomization.yaml │ │ │ └── rbac.yaml │ ├── rook-ceph │ │ ├── dashboard │ │ │ ├── kustomization.yaml │ │ │ └── ingress.yaml │ │ ├── rook-direct-mount │ │ │ └── kustomization.yaml │ │ ├── snapshot-controller │ │ │ ├── kustomization.yaml │ │ │ └── statefulset.yaml │ │ ├── service-monitors │ │ │ ├── kustomization.yaml │ │ │ ├── csi-metrics.yaml │ │ │ └── rook-ceph-mgr.yaml │ │ ├── storage │ │ │ ├── kustomization.yaml │ │ │ ├── ceph-block-pool.yaml │ │ │ ├── 
ceph-file-system.yaml │ │ │ ├── storage-class.yaml │ │ │ ├── volume-snapshot-class.yaml │ │ │ └── ceph-cluster.yaml │ │ ├── kustomization.yaml │ │ ├── rbac.yaml │ │ ├── helm-release.yaml │ │ └── toolbox.yml │ ├── kustomization.yaml │ ├── cert-manager │ │ ├── kustomization.yaml │ │ ├── letsencrypt-production.yaml │ │ ├── letsencrypt-staging.yaml │ │ └── helm-release.yaml │ └── system-upgrade │ │ └── kustomization.yaml ├── apps │ ├── ibc │ │ ├── kustomization.yaml │ │ └── osmosis │ │ │ ├── kustomization.yaml │ │ │ ├── config-pvc.yaml │ │ │ ├── data-pvc.yaml │ │ │ └── helm-release.yaml │ ├── falco-system │ │ ├── kustomization.yaml │ │ └── falco │ │ │ └── kustomization.yaml │ ├── netops │ │ ├── kustomization.yaml │ │ └── netbox │ │ │ ├── kustomization.yaml │ │ │ └── config-pvc.yaml │ ├── .kasten-io │ │ ├── kustomization.yaml │ │ ├── cloud-sync │ │ │ ├── kustomization.yaml │ │ │ ├── secret.enc.yaml │ │ │ └── cron-job.yaml │ │ └── k10 │ │ │ ├── profiles │ │ │ ├── kustomization.yaml │ │ │ └── backblaze.yaml │ │ │ ├── policies │ │ │ ├── kustomization.yaml │ │ │ ├── k10-disaster-recovery-policy.yaml │ │ │ └── media.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── service-monitor.yaml │ │ │ ├── prometheus-rule.yaml │ │ │ └── helm-release.yaml │ ├── monitoring │ │ ├── loki │ │ │ ├── kustomization.yaml │ │ │ └── helm-release.yaml │ │ ├── grafana │ │ │ ├── kustomization.yaml │ │ │ └── dashboards │ │ │ │ └── kustomization.yaml │ │ ├── kube-prometheus-stack │ │ │ └── kustomization.yaml │ │ ├── kustomization.yaml │ │ └── snmp-exporter │ │ │ └── kustomization.yaml │ ├── utils │ │ ├── shlink │ │ │ ├── kustomization.yaml │ │ │ └── helm-release.yaml │ │ ├── statping │ │ │ └── kustomization.yaml │ │ ├── cryptofolio │ │ │ ├── kustomization.yaml │ │ │ ├── config-pvc.yaml │ │ │ └── helm-release.yaml │ │ ├── hajimari │ │ │ ├── kustomization.yaml │ │ │ └── config-pvc.yaml │ │ ├── librespeed │ │ │ ├── kustomization.yaml │ │ │ ├── config-pvc.yaml │ │ │ └── helm-release.yaml │ │ ├── onedrive │ │ │ 
├── kustomization.yaml │ │ │ ├── config-pvc.yaml │ │ │ └── helm-release.yaml │ │ ├── kustomization.yaml │ │ ├── dnsutils.yaml │ │ └── dnsutils │ │ │ └── dnsutils.yaml │ ├── kube-system │ │ ├── reloader │ │ │ ├── kustomization.yaml │ │ │ └── helm-release.yaml │ │ ├── descheduler │ │ │ ├── kustomization.yaml │ │ │ └── helm-release.yaml │ │ ├── intel-gpu-plugin │ │ │ ├── kustomization.yaml │ │ │ └── helm-release.yaml │ │ ├── metrics-server │ │ │ ├── kustomization.yaml │ │ │ └── helm-release.yaml │ │ ├── kube-cleanup-operator │ │ │ ├── kustomization.yaml │ │ │ └── helm-release.yaml │ │ ├── node-problem-detector │ │ │ ├── kustomization.yaml │ │ │ └── helm-release.yaml │ │ ├── node-feature-discovery │ │ │ └── kustomization.yaml │ │ └── kustomization.yaml │ ├── media │ │ ├── _pvc │ │ │ ├── kustomization.yaml │ │ │ └── nfs-media-nas.yaml │ │ ├── bazarr │ │ │ ├── kustomization.yaml │ │ │ ├── config-pvc.yaml │ │ │ └── helm-release.yaml │ │ ├── calibre │ │ │ ├── kustomization.yaml │ │ │ ├── config-pvc.yaml │ │ │ └── helm-release.yaml │ │ ├── plex │ │ │ ├── kustomization.yaml │ │ │ └── config-pvc.yaml │ │ ├── radarr │ │ │ ├── kustomization.yaml │ │ │ └── config-pvc.yaml │ │ ├── readarr │ │ │ ├── kustomization.yaml │ │ │ └── config-pvc.yaml │ │ ├── sonarr │ │ │ ├── kustomization.yaml │ │ │ └── config-pvc.yaml │ │ ├── filebrowser │ │ │ ├── kustomization.yaml │ │ │ ├── config-pvc.yaml │ │ │ └── helm-release.yaml │ │ ├── overseerr │ │ │ ├── kustomization.yaml │ │ │ ├── config-pvc.yaml │ │ │ └── helm-release.yaml │ │ ├── prowlarr │ │ │ ├── kustomization.yaml │ │ │ ├── config-pvc.yaml │ │ │ └── helm-release.yaml │ │ ├── qbittorrent │ │ │ ├── kustomization.yaml │ │ │ └── config-pvc.yaml │ │ ├── tautulli │ │ │ ├── kustomization.yaml │ │ │ ├── config-pvc.yaml │ │ │ └── helm-release.yaml │ │ ├── readarr-audio │ │ │ ├── kustomization.yaml │ │ │ └── config-pvc.yaml │ │ └── kustomization.yaml │ ├── networking │ │ ├── traefik │ │ │ ├── tls-store │ │ │ │ ├── kustomization.yaml │ │ │ │ └── 
default.yaml │ │ │ ├── dashboard │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── .dns-endpoint.yaml │ │ │ │ ├── ingress-routes.yaml │ │ │ │ └── ingress.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── middlewares │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── authentik.yaml │ │ │ │ ├── rfc1918.yaml │ │ │ │ ├── redirect-path.yaml │ │ │ │ └── cloudflare.yaml │ │ │ └── service-monitor.yaml │ │ ├── wildcard-certificate │ │ │ ├── kustomization.yaml │ │ │ └── certificate.yaml │ │ ├── external-dns │ │ │ ├── kustomization.yaml │ │ │ └── helm-release.yaml │ │ ├── kustomization.yaml │ │ └── .unifi │ │ │ ├── kustomization.yaml │ │ │ ├── config-pvc.yaml │ │ │ ├── mongodb-pvc.yaml │ │ │ └── helm-release.yaml │ ├── calico-system │ │ ├── typha-metrics │ │ │ ├── kustomization.yaml │ │ │ └── pod-monitor.yaml │ │ ├── kube-controllers-metrics │ │ │ ├── kustomization.yaml │ │ │ └── pod-monitor.yaml │ │ ├── felix-metrics │ │ │ ├── kustomization.yaml │ │ │ ├── service.yaml │ │ │ └── pod-monitor.yaml │ │ └── kustomization.yaml │ ├── security │ │ ├── kustomization.yaml │ │ ├── authentik │ │ │ ├── kustomization.yaml │ │ │ ├── config-pvc.yaml │ │ │ └── cephfs.yaml │ │ └── vaultwarden │ │ │ ├── kustomization.yaml │ │ │ ├── config-pvc.yaml │ │ │ └── postgres-pvc.yaml │ ├── system-upgrade │ │ ├── kustomization.yaml │ │ └── system-upgrade-controller │ │ │ ├── kustomization.yaml │ │ │ ├── server-plan.yaml │ │ │ └── agent-plan.yaml │ └── kustomization.yaml └── crds │ ├── traefik │ ├── kustomization.yaml │ └── crds.yaml │ ├── external-dns │ ├── kustomization.yaml │ └── crds.yaml │ ├── rook-ceph │ └── kustomization.yaml │ ├── external-snapshotter │ ├── kustomization.yaml │ └── crds.yaml │ ├── kube-prometheus-stack │ ├── kustomization.yaml │ └── crds.yaml │ ├── kustomization.yaml │ └── cert-manager │ └── kustomization.yaml ├── .gitttributes ├── .github ├── lint │ ├── .prettierignore │ ├── .prettierrc.yaml │ ├── .yamllint.yaml │ └── .markdownlint.yaml ├── CODEOWNERS ├── ISSUE_TEMPLATE │ ├── config.yml │ ├── 
question.md │ ├── feature-request.md │ └── bug-report.md ├── PULL_REQUEST_TEMPLATE.md └── workflows │ ├── invalid-template.yaml │ ├── lint-shell.yaml │ ├── support.yaml │ ├── lint.yaml │ ├── lint-markdown.yaml │ ├── renovate-schedule.yaml │ └── flux-schedule.yaml ├── ansible ├── inventory │ ├── group_vars │ │ ├── all │ │ │ ├── debian.yml │ │ │ ├── kube-vip.yml │ │ │ ├── calico.yml │ │ │ └── k3s.yml │ │ ├── worker-nodes │ │ │ └── k3s.yml │ │ └── master-nodes │ │ │ └── k3s.yml │ ├── host_vars │ │ ├── cl.yml │ │ ├── nas.yml │ │ ├── m1.yml │ │ ├── m2.yml │ │ ├── m3.yml │ │ ├── pve01.yml │ │ ├── pve02.yml │ │ ├── pve03.yml │ │ ├── pve04.yml │ │ ├── pve05.yml │ │ ├── w1.yml │ │ ├── w3.yml │ │ └── w2.yml │ └── hosts.yml ├── roles │ ├── i915 │ │ ├── vars │ │ │ └── main.yml │ │ └── tasks │ │ │ ├── main.yml │ │ │ └── packages.yml │ ├── debian │ │ ├── tasks │ │ │ ├── main.yml │ │ │ └── hosts.yml │ │ └── templates │ │ │ └── etc │ │ │ └── hosts.j2 │ ├── kube-vip │ │ ├── tasks │ │ │ ├── main.yml │ │ │ └── kube-vip.yml │ │ └── templates │ │ │ └── kube-vip-rbac.yaml.j2 │ ├── pve │ │ ├── templates │ │ │ └── etc │ │ │ │ └── postfix │ │ │ │ ├── sasl_passwd.j2 │ │ │ │ ├── smtp_header_checks.j2 │ │ │ │ └── main.cf.j2 │ │ ├── vars │ │ │ └── main.yml │ │ └── tasks │ │ │ ├── main.yml │ │ │ ├── apt-sources.yml │ │ │ ├── modules.yml │ │ │ ├── packages.yml │ │ │ ├── grub.yml │ │ │ └── postfix.yml │ ├── pve7 │ │ ├── vars │ │ │ └── main.yml │ │ └── tasks │ │ │ ├── main.yml │ │ │ ├── apt-sources.yml │ │ │ ├── modules.yml │ │ │ ├── packages.yml │ │ │ └── grub.yml │ ├── k3s │ │ ├── vars │ │ │ └── main.yml │ │ ├── templates │ │ │ ├── calico-bgp-peer.yaml.j2 │ │ │ ├── calico-bgp-config.yaml.j2 │ │ │ ├── registries.yaml.j2 │ │ │ └── calico-install.yaml.j2 │ │ └── tasks │ │ │ ├── registry.yml │ │ │ ├── main.yml │ │ │ ├── packages.yml │ │ │ ├── kubeconfig.yml │ │ │ ├── calico.yml │ │ │ └── secrets.yml │ └── ubuntu │ │ ├── tasks │ │ ├── host.yml │ │ ├── kernel.yml │ │ ├── power-button.yml │ │ ├── 
filesystem.yml │ │ ├── rsyslog.yml │ │ ├── main.yml │ │ ├── network.yml │ │ ├── user.yml │ │ ├── unattended-upgrades.yml │ │ └── locale.yml │ │ ├── templates │ │ └── rsyslog-50-promtail.conf.j2 │ │ └── vars │ │ └── main.yml ├── requirements.yml ├── playbooks │ ├── k3s │ │ ├── kube-vip-install.yml │ │ ├── upgrade.yml │ │ ├── install.yml │ │ ├── deprecated │ │ │ ├── kube-vip-bgp.yaml │ │ │ ├── master-init.yaml │ │ │ ├── node-init.yaml │ │ │ └── join-nodes.yaml │ │ ├── nuke.yml │ │ └── labels.yaml │ ├── pve │ │ ├── init.yml │ │ ├── upgrade.yml │ │ ├── nuke.yml │ │ └── deprecated │ │ │ └── disk-passthru.yml │ ├── pve7 │ │ ├── init.yml │ │ └── upgrade.yml │ ├── i915 │ │ └── init.yml │ ├── ubuntu │ │ ├── init.yml │ │ └── upgrade.yml │ └── debian │ │ └── init.yml └── ansible.cfg ├── terraform ├── secrets.tf ├── authentik │ ├── secrets.tf │ ├── data.tf │ ├── provider.tf │ ├── main.tf │ ├── flows.tf │ ├── applications.tf │ ├── proxies.tf │ ├── locals.tf │ └── .secrets.yaml ├── provider.tf ├── main.tf ├── masters.tf ├── workers.tf └── .secrets.yaml ├── .sops.yaml ├── .taskfiles ├── flux.yml ├── pre-commit.yml ├── lint.yml └── format.yml ├── .gitignore ├── Taskfile.yaml ├── .pre-commit-config.yaml └── docs └── rook-ceph.md /cluster/base/helm-release.yaml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /.gitttributes: -------------------------------------------------------------------------------- 1 | *.sops.* diff=sopsdiffer 2 | -------------------------------------------------------------------------------- /.github/lint/.prettierignore: -------------------------------------------------------------------------------- 1 | *.sops.* 2 | gotk-components.yaml 3 | -------------------------------------------------------------------------------- /ansible/inventory/group_vars/all/debian.yml: 
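--------------------------------------------------------------------------------
---

# Inventory-wide default timezone (which role consumes it is not shown here).
timezone: "America/New_York"

--------------------------------------------------------------------------------
/terraform/secrets.tf:
--------------------------------------------------------------------------------
# Decrypts .secrets.yaml with SOPS when Terraform runs.
# NOTE(review): every value read through this data source is persisted in
# Terraform state in plaintext, so the state backend needs the same protection
# as the SOPS key itself (encrypted at rest, access-restricted, never committed).
# Also note the repo's `*.sops.*` patterns (.gitttributes / .prettierignore) do
# not match this file name, and `.gitttributes` itself is misspelled, so git
# never applies the sopsdiffer rule — worth fixing alongside.
data "sops_file" "secrets" {
  source_file = ".secrets.yaml"
}

--------------------------------------------------------------------------------
/ansible/roles/i915/vars/main.yml:
--------------------------------------------------------------------------------
---

# Packages installed by the i915 role.
# NOTE(review): linux-modules-extra-aws is the AWS cloud-kernel module bundle;
# on a Proxmox/bare-metal host the i915 driver normally comes from the
# linux-modules-extra package matching the running kernel — confirm this
# package name is intended.
packages:
  apt:
    - linux-modules-extra-aws

--------------------------------------------------------------------------------
/ansible/roles/i915/tasks/main.yml:
--------------------------------------------------------------------------------
---

# `include:` was deprecated in Ansible 2.4 and removed in ansible-core 2.16.
# import_tasks is the static replacement; tags set on it are inherited by the
# imported tasks, so `--tags packages` keeps selecting them as before.
- import_tasks: packages.yml
  tags:
    - packages

--------------------------------------------------------------------------------
/terraform/authentik/secrets.tf:
--------------------------------------------------------------------------------
# Same pattern as /terraform/secrets.tf: decrypted values land in this
# workspace's state, so protect the state backend as carefully as the key.
data "sops_file" "secrets" {
  source_file = ".secrets.yaml"
}

--------------------------------------------------------------------------------
/ansible/roles/debian/tasks/main.yml:
--------------------------------------------------------------------------------
---

# import_tasks replaces the removed `include:` keyword (see i915/tasks/main.yml);
# the hostfile tag still applies to every task in hosts.yml.
- import_tasks: hosts.yml
  tags:
    - hostfile

--------------------------------------------------------------------------------
/ansible/roles/kube-vip/tasks/main.yml:
--------------------------------------------------------------------------------
---

# import_tasks replaces the removed `include:` keyword; tag inheritance unchanged.
- import_tasks: kube-vip.yml
  tags:
    - kube-vip

--------------------------------------------------------------------------------
/ansible/roles/pve/templates/etc/postfix/sasl_passwd.j2:
--------------------------------------------------------------------------------
# Postfix SASL credential map for the SendGrid relay: the SMTP username is the
# literal string "apikey" and the password is the API key.
# NOTE(review): `${SECRET_SENDGRID_APIKEY}` is shell/envsubst syntax, not Jinja's
# double-curly-brace syntax. If tasks/postfix.yml (not in this excerpt) renders
# this file with the `template:` module, the literal placeholder is written
# instead of the key — confirm how the value is substituted. The rendered file
# and its postmap .db hold a live credential: the task should set owner root,
# mode 0600, and run `postmap` after writing.
smtp.sendgrid.net apikey:${SECRET_SENDGRID_APIKEY}

--------------------------------------------------------------------------------
/ansible/roles/pve7/vars/main.yml:
--------------------------------------------------------------------------------
---

# Packages installed by the pve7 role (no postfix task exists in this role, so
# postfix-pcre is not needed here, unlike roles/pve).
packages:
  apt:
    - ifupdown2
    - libsasl2-modules

--------------------------------------------------------------------------------
/cluster/core/namespaces/ibc.yaml:
--------------------------------------------------------------------------------
---
# NOTE(review): none of the Namespace manifests in this directory set Pod
# Security Admission labels (pod-security.kubernetes.io/enforce|audit|warn).
# For namespaces that only run third-party apps (ibc, media, utils, netops)
# consider `audit`/`warn: baseline` first, then `enforce`, once the workloads
# are confirmed to pass.
apiVersion: v1
kind: Namespace
metadata:
  name: ibc

--------------------------------------------------------------------------------
/cluster/core/namespaces/media.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: media

--------------------------------------------------------------------------------
/cluster/core/namespaces/utils.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: utils

--------------------------------------------------------------------------------
/.github/lint/.prettierrc.yaml:
--------------------------------------------------------------------------------
---
trailingComma: "es5"
tabWidth: 2
semi: false
singleQuote: false

--------------------------------------------------------------------------------
/ansible/roles/pve/templates/etc/postfix/smtp_header_checks.j2:
--------------------------------------------------------------------------------
# Rewrites the From: header of relayed mail so host-local senders (for example
# root at the PVE host) are replaced before the message reaches SendGrid. The
# /regex/ table form needs the pcre or regexp map type; roles/pve/vars installs
# postfix-pcre for this.
# NOTE(review): the replacement is the bare token `no-reply` with no address or
# domain; a relay that requires a verified sender address will likely reject it.
# Confirm against main.cf.j2 (not in this excerpt) that a full address was not
# intended here.
/^From:.*/ REPLACE From: no-reply

--------------------------------------------------------------------------------
/cluster/core/namespaces/netops.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Namespace
metadata:
  name: netops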
--------------------------------------------------------------------------------
/cluster/core/namespaces/db-system.yaml:
--------------------------------------------------------------------------------
1 | ---
# NOTE(review): none of the Namespace manifests in this directory carry Pod
# Security Admission labels (pod-security.kubernetes.io/enforce|audit|warn).
# Infra namespaces (rook-ceph, kube-system, calico-system, falco-system) need
# privileged pods, but the app namespaces could start with `audit`/`warn:
# baseline` and move to `enforce` once their workloads are checked.
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: db-system
6 |
--------------------------------------------------------------------------------
/cluster/core/namespaces/kasten-io.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: kasten-io
6 |
--------------------------------------------------------------------------------
/cluster/core/namespaces/monitoring.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: monitoring
6 |
--------------------------------------------------------------------------------
/cluster/core/namespaces/networking.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: networking
6 |
--------------------------------------------------------------------------------
/cluster/core/namespaces/rook-ceph.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: rook-ceph
6 |
--------------------------------------------------------------------------------
/cluster/core/namespaces/security.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: security
6 |
--------------------------------------------------------------------------------
/ansible/roles/k3s/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
# Host packages the k3s role installs (nfs-common is presumably for the NFS
# media share declared under cluster/apps/media/_pvc — verify).
3 | packages:
4 |   apt:
5 |     - curl
6 |     - git
7 |     - nfs-common
8 |     - sudo
9 |
--------------------------------------------------------------------------------
/cluster/core/namespaces/cert-manager.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: cert-manager
6 |
--------------------------------------------------------------------------------
/cluster/core/namespaces/falco-system.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: falco-system
6 |
--------------------------------------------------------------------------------
/cluster/core/namespaces/flux-system.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: flux-system
6 |
--------------------------------------------------------------------------------
/cluster/core/namespaces/kube-system.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: kube-system
6 |
--------------------------------------------------------------------------------
/ansible/roles/pve/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
# libsasl2-modules is needed for the SASL-authenticated SendGrid relay
# (templates/etc/postfix/sasl_passwd.j2); postfix-pcre is presumably what
# backs the /regex/ rule in templates/etc/postfix/smtp_header_checks.j2 —
# main.cf.j2 is not in this excerpt, so verify the map type it declares.
3 | packages:
4 |   apt:
5 |     - ifupdown2
6 |     - libsasl2-modules
7 |     - postfix-pcre
8 |
--------------------------------------------------------------------------------
/cluster/core/namespaces/calico-system.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: calico-system
6 |
--------------------------------------------------------------------------------
/.github/CODEOWNERS:
--------------------------------------------------------------------------------
1 | # https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
# NOTE(review): a CODEOWNERS entry only blocks merges when the branch protection
# rule "Require review from Code Owners" is enabled on the default branch —
# worth confirming, since this repository appears to be reconciled straight
# into the cluster by Flux (cluster/base/flux-system/gotk-sync.yaml).
2 | * @onedr0p
3 |
--------------------------------------------------------------------------------
/cluster/apps/ibc/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 |   - osmosis
5 |
--------------------------------------------------------------------------------
/cluster/apps/falco-system/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 |   - falco
5 |
--------------------------------------------------------------------------------
/cluster/apps/netops/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 |   - netbox
5 |
--------------------------------------------------------------------------------
/cluster/crds/traefik/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 |   - crds.yaml
5 |
--------------------------------------------------------------------------------
/ansible/requirements.yml:
--------------------------------------------------------------------------------
1 | ---
2 | roles:
3 |   - src: xanmanning.k3s
4 |     version: v3.1.2
5 | collections:
# NOTE(review): no `version:` pin on the collection, so `ansible-galaxy install`
# fetches whatever is newest at run time — pin it like the role above so the
# automation stays reproducible and an unexpected collection release cannot
# land silently.
6 |   - name: community.general
7 |
--------------------------------------------------------------------------------
/cluster/core/kube-system/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 |   - kube-vip
5 |
-------------------------------------------------------------------------------- /cluster/crds/external-dns/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - crds.yaml 5 | -------------------------------------------------------------------------------- /cluster/crds/rook-ceph/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - crds.yaml 5 | -------------------------------------------------------------------------------- /terraform/authentik/data.tf: -------------------------------------------------------------------------------- 1 | data "authentik_flow" "default-authorization-flow" { 2 | slug = "default-provider-authorization-explicit-consent" 3 | } -------------------------------------------------------------------------------- /cluster/apps/.kasten-io/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - k10 5 | # - cloud-sync 6 | -------------------------------------------------------------------------------- /cluster/apps/monitoring/loki/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /cluster/apps/utils/shlink/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | 
-------------------------------------------------------------------------------- /cluster/apps/utils/statping/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - git 5 | - helm 6 | -------------------------------------------------------------------------------- /cluster/core/rook-ceph/dashboard/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ingress.yaml 5 | -------------------------------------------------------------------------------- /cluster/crds/external-snapshotter/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - crds.yaml 5 | -------------------------------------------------------------------------------- /cluster/crds/kube-prometheus-stack/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - crds.yaml 5 | -------------------------------------------------------------------------------- /cluster/apps/falco-system/falco/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | 
-------------------------------------------------------------------------------- /cluster/apps/kube-system/reloader/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /cluster/apps/media/_pvc/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - nfs-media-nas.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/descheduler/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /cluster/apps/networking/traefik/tls-store/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - default.yaml 5 | -------------------------------------------------------------------------------- /cluster/core/rook-ceph/rook-direct-mount/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - deployment.yaml 5 | -------------------------------------------------------------------------------- /cluster/apps/calico-system/typha-metrics/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - 
pod-monitor.yaml 5 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/intel-gpu-plugin/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/metrics-server/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /cluster/apps/networking/wildcard-certificate/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - certificate.yaml 5 | -------------------------------------------------------------------------------- /cluster/apps/security/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - authentik 6 | # - vaultwarden 7 | -------------------------------------------------------------------------------- /cluster/apps/system-upgrade/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - system-upgrade-controller 6 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/kube-cleanup-operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/node-problem-detector/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /cluster/apps/media/bazarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/media/calibre/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/media/plex/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/media/radarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/media/readarr/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/media/sonarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/monitoring/grafana/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | - dashboards 6 | -------------------------------------------------------------------------------- /cluster/apps/monitoring/kube-prometheus-stack/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | -------------------------------------------------------------------------------- /cluster/apps/.kasten-io/cloud-sync/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - secret.enc.yaml 5 | - cron-job.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/calico-system/kube-controllers-metrics/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - pod-monitor.yaml 5 | 
-------------------------------------------------------------------------------- /cluster/apps/kube-system/node-feature-discovery/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | 6 | -------------------------------------------------------------------------------- /cluster/apps/media/filebrowser/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/media/overseerr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | - config-pvc.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/media/prowlarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/media/qbittorrent/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/media/tautulli/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/netops/netbox/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | - config-pvc.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/security/authentik/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | - config-pvc.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/utils/cryptofolio/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/utils/hajimari/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | - config-pvc.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/utils/librespeed/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/utils/onedrive/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | - config-pvc.yaml 6 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/git/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - rancher-dev-charts.yaml 6 | -------------------------------------------------------------------------------- /cluster/core/kube-system/kube-vip/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - rbac.yaml 5 | - daemonset.yaml 6 | 7 | -------------------------------------------------------------------------------- /cluster/apps/.kasten-io/k10/profiles/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - backblaze.yaml 5 | - secret.enc.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/calico-system/felix-metrics/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - pod-monitor.yaml 5 | - service.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/media/readarr-audio/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - helm-release.yaml 6 | 
-------------------------------------------------------------------------------- /cluster/apps/networking/external-dns/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - secret.enc.yaml 5 | - helm-release.yaml 6 | -------------------------------------------------------------------------------- /cluster/core/rook-ceph/snapshot-controller/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - rbac.yaml 5 | - statefulset.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/networking/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - external-dns 5 | - traefik 6 | - wildcard-certificate 7 | -------------------------------------------------------------------------------- /cluster/apps/networking/traefik/dashboard/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | #- ingress.yaml 5 | - ingress-routes.yaml 6 | -------------------------------------------------------------------------------- /cluster/base/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - gotk-components.yaml 5 | - gotk-sync.yaml 6 | - charts 7 | -------------------------------------------------------------------------------- /cluster/core/rook-ceph/service-monitors/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - csi-metrics.yaml 5 | - rook-ceph-mgr.yaml 6 | -------------------------------------------------------------------------------- /.sops.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | creation_rules: 3 | - encrypted_regex: '^(data|stringData)$' 4 | pgp: >- 5 | 1797E88B0B0CE9D2514A1C841F4200D33179FA67, 6 | 5375D143C4FEC43EBED1D1294823D5B58339B759 7 | -------------------------------------------------------------------------------- /terraform/authentik/provider.tf: -------------------------------------------------------------------------------- 1 | provider "authentik" { 2 | url = "https://auth.mrry.io" 3 | token = data.sops_file.secrets.data["authentik.token"] 4 | } 5 | 6 | provider "sops" { 7 | } 8 | -------------------------------------------------------------------------------- /ansible/roles/debian/templates/etc/hosts.j2: -------------------------------------------------------------------------------- 1 | {% for item in ansible_play_batch %} 2 | {{ hostvars[item].ansible_host }} {{ item }}.{{ hostvars[item].ansible_fqdn }} {{ item }} 3 | {% endfor %} 4 | -------------------------------------------------------------------------------- /cluster/apps/.kasten-io/k10/policies/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - k10-disaster-recovery-policy.yaml 5 | - media.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/calico-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - felix-metrics 5 | - 
kube-controllers-metrics 6 | - typha-metrics 7 | -------------------------------------------------------------------------------- /cluster/apps/monitoring/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - grafana 5 | - kube-prometheus-stack 6 | - loki 7 | - snmp-exporter 8 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | contact_links: 3 | - name: Discuss on Discord 4 | url: https://discord.com/invite/sTMX7Vh 5 | about: Join our Discord community 6 | -------------------------------------------------------------------------------- /cluster/apps/ibc/osmosis/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - config-pvc.yaml 6 | - data-pvc.yaml 7 | - helm-release.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/networking/.unifi/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - helm-release.yaml 6 | - mongodb-pvc.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/networking/traefik/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - helm-release.yaml 5 | - tls-store 6 | - dashboard 7 | - middlewares 8 | -------------------------------------------------------------------------------- 
/cluster/apps/security/vaultwarden/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - config-pvc.yaml 5 | - postgres-pvc.yaml 6 | - helm-release.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/system-upgrade/system-upgrade-controller/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - server-plan.yaml 6 | - agent-plan.yaml 7 | -------------------------------------------------------------------------------- /cluster/core/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - cert-manager 5 | - kube-system 6 | - namespaces 7 | - rook-ceph 8 | - system-upgrade 9 | -------------------------------------------------------------------------------- /cluster/apps/monitoring/snmp-exporter/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - prometheus-rule.yaml 5 | - config-map.yaml 6 | - snmp-exporter.yaml 7 | -------------------------------------------------------------------------------- /.taskfiles/flux.yml: -------------------------------------------------------------------------------- 1 | --- 2 | version: "3" 3 | 4 | tasks: 5 | sync: 6 | desc: Sync flux-system with the Git Repository 7 | cmds: 8 | - flux reconcile source git flux-system 9 | silent: true 10 | -------------------------------------------------------------------------------- /ansible/roles/debian/tasks/hosts.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: update /etc/hosts file 4 | blockinfile: 5 | dest: /etc/hosts 6 | content: "{{ lookup('template', 'templates/etc/hosts.j2') }}" 7 | state: present 8 | -------------------------------------------------------------------------------- /cluster/apps/.kasten-io/cloud-sync/secret.enc.yaml: -------------------------------------------------------------------------------- 1 | # yamllint disable 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: rclone-config-secret 6 | namespace: kasten-io 7 | stringData: 8 | rclone.conf: 9 | -------------------------------------------------------------------------------- /ansible/roles/k3s/templates/calico-bgp-peer.yaml.j2: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: crd.projectcalico.org/v1 3 | kind: BGPPeer 4 | metadata: 5 | name: global 6 | spec: 7 | peerIP: {{ calico.bgp.peer }} 8 | asNumber: {{ calico.bgp.as }} 9 | -------------------------------------------------------------------------------- /ansible/roles/ubuntu/tasks/host.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: host | hostname | update inventory hostname 4 | ansible.builtin.hostname: 5 | name: "{{ inventory_hostname }}" 6 | when: 7 | - ansible_hostname != inventory_hostname 8 | -------------------------------------------------------------------------------- /cluster/apps/utils/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | # - cryptofolio 5 | - hajimari 6 | # - librespeed 7 | # - onedrive 8 | # - shlink 9 | # - statping 10 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 
| **/.terraform/* 2 | *.tfstate 3 | *.tfstate.* 4 | *.terraform.* 5 | .tfvars 6 | override.tf 7 | override.tf.json 8 | *_override.tf 9 | *_override.tf.json 10 | .terraformrc 11 | terraform.rc 12 | 13 | xanmanning.k3s* 14 | -------------------------------------------------------------------------------- /ansible/inventory/group_vars/all/kube-vip.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | kube_vip: 4 | manifests_dir: /var/lib/rancher/k3s/server/manifests 5 | router_interface: eth0 6 | bgp_as: 64512 7 | bgp_peer_as: 64512 8 | bgp_peer_address: 172.24.0.254 9 | -------------------------------------------------------------------------------- /ansible/inventory/host_vars/cl.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # IP address of VM 4 | ansible_host: "172.25.0.1" 5 | 6 | # Subdomain of VM 7 | ansible_subdomain: "k3s.mrry.io" 8 | 9 | # Ansible user to ssh into VM with 10 | ansible_user: "dvmrry" 11 | -------------------------------------------------------------------------------- /ansible/inventory/host_vars/nas.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # IP address of VM 4 | ansible_host: "172.18.0.15" 5 | 6 | # Subdomain of VM 7 | ansible_subdomain: "mgmt.mrry.io" 8 | 9 | # Ansible user to ssh into VM with 10 | ansible_user: "root" 11 | -------------------------------------------------------------------------------- /cluster/core/cert-manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - helm-release.yaml 6 | - letsencrypt-production.yaml 7 | - letsencrypt-staging.yaml 8 | - secret.enc.yaml 9 | -------------------------------------------------------------------------------- /cluster/crds/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - cert-manager 5 | - external-dns 6 | - external-snapshotter 7 | - rook-ceph 8 | - traefik 9 | - kube-prometheus-stack 10 | -------------------------------------------------------------------------------- /ansible/inventory/host_vars/m1.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # IP address of node 4 | ansible_host: "172.24.0.10" 5 | 6 | # Subdomain of node 7 | ansible_subdomain: "k3s.mrry.io" 8 | 9 | # Ansible user to ssh into servers with 10 | ansible_user: "dvmrry" 11 | -------------------------------------------------------------------------------- /ansible/inventory/host_vars/m2.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # IP address of node 4 | ansible_host: "172.24.0.11" 5 | 6 | # Subdomain of node 7 | ansible_subdomain: "k3s.mrry.io" 8 | 9 | # Ansible user to ssh into servers with 10 | ansible_user: "dvmrry" 11 | -------------------------------------------------------------------------------- /ansible/inventory/host_vars/m3.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # IP address of node 4 | ansible_host: "172.24.0.12" 5 | 6 | # Subdomain of node 7 | ansible_subdomain: "k3s.mrry.io" 8 | 9 | # Ansible user to ssh into servers with 10 | ansible_user: "dvmrry" 11 | -------------------------------------------------------------------------------- /ansible/inventory/host_vars/pve01.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # IP address of node 4 | ansible_host: "172.18.0.1" 5 | 6 | # Subdomain of node 7 | ansible_subdomain: "mgmt.mrry.io" 8 | 9 | # Ansible user to ssh into servers with 10 | ansible_user: "root" 11 | 
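--------------------------------------------------------------------------------
/ansible/inventory/host_vars/pve02.yml:
--------------------------------------------------------------------------------
---

# IP address of node
ansible_host: "172.18.0.2"

# Subdomain of node
ansible_subdomain: "mgmt.mrry.io"

# Ansible user to ssh into servers with
# NOTE(review): Ansible logs in to this host directly as root (pve03-pve05 below are
# configured the same way, as are nas/pve01 elsewhere in this inventory). The k3s
# nodes use a named user and the playbooks already run with `become: true`, so the
# same pattern here would keep root SSH disabled and attribute changes to a user.
ansible_user: "root"
--------------------------------------------------------------------------------
/ansible/inventory/host_vars/pve03.yml:
--------------------------------------------------------------------------------
---

# IP address of node
ansible_host: "172.18.0.3"

# Subdomain of node
ansible_subdomain: "mgmt.mrry.io"

# Ansible user to ssh into servers with
ansible_user: "root"
--------------------------------------------------------------------------------
/ansible/inventory/host_vars/pve04.yml:
--------------------------------------------------------------------------------
---

# IP address of node
ansible_host: "172.18.0.4"

# Subdomain of node
ansible_subdomain: "mgmt.mrry.io"

# Ansible user to ssh into servers with
ansible_user: "root"
--------------------------------------------------------------------------------
/ansible/inventory/host_vars/pve05.yml:
--------------------------------------------------------------------------------
---

# IP address of node
ansible_host: "172.18.0.5"

# Subdomain of node
ansible_subdomain: "mgmt.mrry.io"

# Ansible user to ssh into servers with
ansible_user: "root"
--------------------------------------------------------------------------------
/ansible/inventory/host_vars/w1.yml:
--------------------------------------------------------------------------------
---

# IP address of node
ansible_host: "172.24.0.20"

# Subdomain of node
ansible_subdomain: "k3s.mrry.io"

# Ansible user to ssh into servers with
ansible_user: "dvmrry"
--------------------------------------------------------------------------------
/ansible/inventory/host_vars/w3.yml:
--------------------------------------------------------------------------------
---

# IP address of node
ansible_host: "172.24.0.22"

# Subdomain of node
ansible_subdomain: "k3s.mrry.io"

# Ansible user to ssh into servers with
ansible_user: "dvmrry"
--------------------------------------------------------------------------------
/cluster/apps/networking/traefik/middlewares/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - authentik.yaml
  - cloudflare.yaml
  - rfc1918.yaml
  - redirect-path.yaml
  - secret.enc.yaml
--------------------------------------------------------------------------------
/ansible/inventory/host_vars/w2.yml:
--------------------------------------------------------------------------------
---

# IP address of node
ansible_host: "172.24.0.21"

# Subdomain of node
ansible_subdomain: "k3s.mrry.io"

# Ansible user to ssh into servers with
ansible_user: "dvmrry"
--------------------------------------------------------------------------------
/cluster/core/rook-ceph/storage/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ceph-block-pool.yaml
  - ceph-cluster.yaml
  - ceph-file-system.yaml
  - storage-class.yaml
  - volume-snapshot-class.yaml
--------------------------------------------------------------------------------
/.taskfiles/pre-commit.yml:
--------------------------------------------------------------------------------
---
version: "3"

tasks:
  init:
    desc: Initialize pre-commit hooks
    cmds:
      - pre-commit install-hooks
  run:
    desc: Run pre-commit
    cmds:
      - pre-commit run --all-files
--------------------------------------------------------------------------------
/cluster/core/system-upgrade/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: system-upgrade
resources:
  # NOTE(review): this manifest is fetched from a GitHub release at build time and is
  # pinned by tag only; Kustomize performs no checksum check on remote resources, so a
  # moved tag or an altered download would be applied silently. Vendoring the file into
  # the repo (and letting renovate track the upstream version, as the CRD
  # kustomizations do) keeps the applied content reviewable in git.
  - https://github.com/rancher/system-upgrade-controller/releases/download/v0.8.1/system-upgrade-controller.yaml
--------------------------------------------------------------------------------
/cluster/apps/networking/traefik/tls-store/default.yaml:
--------------------------------------------------------------------------------
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: networking
spec:
  defaultCertificate:
    secretName: "${SECRET_DOMAIN/./-}-tls"
--------------------------------------------------------------------------------
/cluster/core/rook-ceph/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - rbac.yaml
  - helm-release.yaml
  - storage
  - rook-direct-mount
  - service-monitors
  - snapshot-controller
  - dashboard
--------------------------------------------------------------------------------
/cluster/apps/.kasten-io/k10/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml
  - prometheus-rule.yaml
  - service-monitor.yaml
  - policies
  # # TODO Enable on cluster re-install
  - profiles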
-------------------------------------------------------------------------------- /ansible/playbooks/k3s/kube-vip-install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - hosts: 4 | - master-nodes 5 | become: true 6 | gather_facts: true 7 | any_errors_fatal: true 8 | pre_tasks: 9 | - name: Pausing for 3 seconds... 10 | pause: 11 | seconds: 3 12 | roles: 13 | - kube-vip 14 | -------------------------------------------------------------------------------- /ansible/playbooks/pve/init.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - hosts: 4 | - pve-nodes 5 | become: true 6 | gather_facts: true 7 | any_errors_fatal: true 8 | pre_tasks: 9 | - name: Pausing for 3 seconds... 10 | ansible.builtin.pause: 11 | seconds: 3 12 | roles: 13 | - pve 14 | -------------------------------------------------------------------------------- /ansible/playbooks/pve7/init.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - hosts: 4 | - pve-nodes 5 | become: true 6 | gather_facts: true 7 | any_errors_fatal: true 8 | pre_tasks: 9 | - name: Pausing for 3 seconds... 
10 | ansible.builtin.pause: 11 | seconds: 3 12 | roles: 13 | - pve 14 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/helm/bootc-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: HelmRepository 4 | metadata: 5 | name: bootc-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | url: https://charts.boo.tc 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /ansible/playbooks/i915/init.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - hosts: 4 | - worker-nodes 5 | become: true 6 | gather_facts: true 7 | any_errors_fatal: true 8 | pre_tasks: 9 | - name: Pausing for 3 seconds... 10 | ansible.builtin.pause: 11 | seconds: 3 12 | roles: 13 | - i915 14 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - descheduler 5 | - intel-gpu-plugin 6 | - kube-cleanup-operator 7 | - metrics-server 8 | - node-feature-discovery 9 | - node-problem-detector 10 | - reloader 11 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/helm/hajimari-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: HelmRepository 4 | metadata: 5 | name: hajimari-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | url: https://hajimari.io 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- 
/cluster/base/flux-system/charts/helm/kasten-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: HelmRepository 4 | metadata: 5 | name: kasten-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | url: https://charts.kasten.io/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/helm/lwolf-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: HelmRepository 4 | metadata: 5 | name: lwolf-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | url: https://charts.lwolf.org 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/helm/mrry-io-charts.yml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: HelmRepository 4 | metadata: 5 | name: mrry-io-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://charts.mrry.io 10 | timeout: 2m 11 | -------------------------------------------------------------------------------- /cluster/core/rook-ceph/storage/ceph-block-pool.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: ceph.rook.io/v1 3 | kind: CephBlockPool 4 | metadata: 5 | name: replicapool 6 | namespace: rook-ceph 7 | spec: 8 | failureDomain: host 9 | replicated: 10 | size: 3 11 | requireSafeReplicaSize: true 12 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/helm/jetstack-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | 
kind: HelmRepository 4 | metadata: 5 | name: jetstack-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://charts.jetstack.io/ 10 | timeout: 2m 11 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/helm/authentik-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: HelmRepository 4 | metadata: 5 | name: authentik-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | url: https://charts.goauthentik.io 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/helm/bitnami-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: HelmRepository 4 | metadata: 5 | name: bitnami-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://charts.bitnami.com/bitnami 10 | timeout: 2m 11 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/helm/cetic-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: HelmRepository 4 | metadata: 5 | name: cetic-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | url: https://cetic.github.io/helm-charts 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/helm/coredns-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: HelmRepository 4 | metadata: 5 | name: coredns-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | url: https://coredns.github.io/helm 10 
| timeout: 3m
11 |
--------------------------------------------------------------------------------
/cluster/base/flux-system/charts/helm/rook-ceph-charts.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: source.toolkit.fluxcd.io/v1beta1
3 | kind: HelmRepository
4 | metadata:
5 | name: rook-ceph-charts
6 | namespace: flux-system
7 | spec:
8 | interval: 10m
9 | url: https://charts.rook.io/release
10 | timeout: 3m
11 |
--------------------------------------------------------------------------------
/cluster/base/flux-system/charts/helm/traefik-charts.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: source.toolkit.fluxcd.io/v1beta1
3 | kind: HelmRepository
4 | metadata:
5 | name: traefik-charts
6 | namespace: flux-system
7 | spec:
8 | interval: 10m
9 | url: https://helm.traefik.io/traefik
10 | timeout: 3m
11 |
--------------------------------------------------------------------------------
/cluster/crds/cert-manager/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | # renovate: registryUrl=https://charts.jetstack.io chart=cert-manager
# NOTE(review): remote CRD bundle is fetched at apply time and pinned by release tag (v1.6.1),
# not by content digest; version changes arrive through the renovate marker above and are
# visible only as a URL change in this file.
6 | - https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.crds.yaml
7 |
--------------------------------------------------------------------------------
/terraform/provider.tf:
--------------------------------------------------------------------------------
1 | provider "proxmox" {
# NOTE(review): pm_tls_insecure = true disables certificate verification for the Proxmox API
# endpoint below, so the root@pam credential is presented to whatever answers at that address.
# Prefer trusting the PVE CA (or a pinned certificate) and a least-privilege API user/token in
# place of root@pam. pm_password is already sourced from the sops-encrypted file, which is good.
2 | pm_tls_insecure = true
3 | pm_api_url = "https://172.18.0.3:8006/api2/json"
4 | pm_user = "root@pam"
5 | pm_password = data.sops_file.secrets.data["proxmox.pm_password"]
6 | pm_parallel = 20
7 | }
8 |
9 | provider "sops" {
10 | }
11 |
--------------------------------------------------------------------------------
/cluster/base/flux-system/charts/helm/grafana-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: HelmRepository 4 | metadata: 5 | name: grafana-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | url: https://grafana.github.io/helm-charts 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/helm/k8s-at-home-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: HelmRepository 4 | metadata: 5 | name: k8s-at-home-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://k8s-at-home.com/charts/ 10 | timeout: 2m 11 | -------------------------------------------------------------------------------- /ansible/roles/k3s/templates/calico-bgp-config.yaml.j2: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: crd.projectcalico.org/v1 3 | kind: BGPConfiguration 4 | metadata: 5 | name: default 6 | spec: 7 | serviceExternalIPs: 8 | - cidr: {{ calico.bgp.externalIPs }} 9 | serviceClusterIPs: 10 | - cidr: {{ calico.bgp.clusterIPs }} 11 | -------------------------------------------------------------------------------- /cluster/apps/media/plex/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: plex-config 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 16Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/monitoring/grafana/dashboards/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | commonLabels: 4 | grafana_dashboard: "1" 5 | resources: 6 | - https://raw.githubusercontent.com/prometheus-operator/kube-prometheus/v0.8.0/manifests/grafana-dashboardDefinitions.yaml 7 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/helm/deliveryhero-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: HelmRepository 4 | metadata: 5 | name: deliveryhero-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | url: https://charts.deliveryhero.io/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/helm/stakater-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: HelmRepository 4 | metadata: 5 | name: stakater-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | url: https://stakater.github.io/stakater-charts 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /terraform/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 0.13.0" 3 | 4 | required_providers { 5 | proxmox = { 6 | source = "Telmate/proxmox" 7 | version = "2.9.10" 8 | } 9 | 10 | sops = { 11 | source = "carlpett/sops" 12 | version = "0.7.1" 13 | } 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /cluster/apps/ibc/osmosis/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 
5 | name: osmosis-config 6 | namespace: ibc 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 100Mi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/ibc/osmosis/data-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: osmosis-data 6 | namespace: ibc 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 5000Mi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/media/bazarr/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: bazarr-config 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 4Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/media/calibre/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: calibre-config 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/media/radarr/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: radarr-config 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 8Gi 13 
| storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/media/readarr/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: readarr-config 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/media/sonarr/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: sonarr-config 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 8Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/netops/netbox/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: netbox-pvc 6 | namespace: netops 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/networking/traefik/middlewares/authentik.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.containo.us/v1alpha1 3 | kind: Middleware 4 | metadata: 5 | name: authentik 6 | namespace: networking 7 | spec: 8 | chain: 9 | middlewares: 10 | - name: security-ak-outpost-authentik-embedded-outpost@kubernetescrd 11 | -------------------------------------------------------------------------------- 
/ansible/playbooks/k3s/upgrade.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - hosts: 4 | - master-nodes 5 | - worker-nodes 6 | become: true 7 | gather_facts: true 8 | any_errors_fatal: true 9 | pre_tasks: 10 | - name: Pausing for 3 seconds... 11 | ansible.builtin.pause: 12 | seconds: 3 13 | roles: 14 | - xanmanning.k3s 15 | -------------------------------------------------------------------------------- /ansible/playbooks/ubuntu/init.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - hosts: 4 | - master-nodes 5 | - worker-nodes 6 | become: true 7 | gather_facts: true 8 | any_errors_fatal: true 9 | pre_tasks: 10 | - name: Pausing for 3 seconds... 11 | ansible.builtin.pause: 12 | seconds: 3 13 | roles: 14 | - ubuntu 15 | 16 | -------------------------------------------------------------------------------- /cluster/apps/media/overseerr/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: overseerr-config 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/media/prowlarr/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: prowlarr-config 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/media/tautulli/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 
| apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: tautulli-config 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 4Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/utils/hajimari/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: hajimari-config 6 | namespace: utils 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/utils/onedrive/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: onedrive-config 6 | namespace: utils 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/base/crds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta1 3 | kind: Kustomization 4 | metadata: 5 | name: crds 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | path: ./cluster/crds 10 | prune: false 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-system 14 | -------------------------------------------------------------------------------- /cluster/base/flux-system/charts/helm/falco-security-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: HelmRepository 4 | metadata: 5 | name: 
falco-security-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | url: https://falcosecurity.github.io/charts 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/apps/media/filebrowser/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: filebrowser-config 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/media/qbittorrent/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: qbittorrent-config 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/networking/.unifi/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: unifi-config 6 | namespace: networking 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 4Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/networking/.unifi/mongodb-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: unifi-mongodb 6 | namespace: networking 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 4Gi 
13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/security/authentik/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: authentik-config 6 | namespace: security 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 4Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/utils/cryptofolio/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: cryptofolio-config 6 | namespace: utils 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /cluster/apps/utils/librespeed/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: librespeed-config 6 | namespace: utils 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: rook-ceph-block 14 | -------------------------------------------------------------------------------- /terraform/authentik/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 0.13.0" 3 | required_providers { 4 | authentik = { 5 | source = "goauthentik/authentik" 6 | version = ">=2022.2.1" 7 | } 8 | sops = { 9 | source = "carlpett/sops" 10 | version = ">=0.6.3" 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- 
/ansible/roles/ubuntu/templates/rsyslog-50-promtail.conf.j2:
--------------------------------------------------------------------------------
# NOTE(review): omprog is loaded but no omprog action appears in this template; presumably
# unused here — confirm before keeping the module load.
1 | module(load="omprog")
2 | module(load="mmutf8fix")
3 | action(type="mmutf8fix" replacementChar="?")
# NOTE(review): omfwd forwards over plain TCP with no TLS stream driver configured, so syslog
# content (hostnames, usernames, occasionally secrets leaked into logs) crosses the network in
# cleartext. Acceptable only if the rsyslog.ip target is reached over a trusted segment.
4 | action(type="omfwd" protocol="tcp" target="{{ rsyslog.ip }}" port="{{ rsyslog.port }}" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted" KeepAlive="on")
5 |
--------------------------------------------------------------------------------
/cluster/apps/media/kustomization.yaml:
--------------------------------------------------------------------------------
# NOTE(review): the document-start marker below is commented out while the PVC manifests in
# this directory use a bare `---`; harmless to kustomize, but inconsistent with sibling files.
1 | # ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 | - _pvc
6 | - bazarr
7 | - calibre
8 | - filebrowser
9 | - overseerr
10 | - plex
11 | - prowlarr
12 | - qbittorrent
13 | - radarr
14 | - readarr
15 | - readarr-audio
16 | - sonarr
17 | - tautulli
18 |
--------------------------------------------------------------------------------
/cluster/apps/media/readarr-audio/config-pvc.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: PersistentVolumeClaim
4 | metadata:
5 | name: readarr-audio-config
6 | namespace: media
7 | spec:
8 | accessModes:
9 | - ReadWriteOnce
10 | resources:
11 | requests:
12 | storage: 1Gi
13 | storageClassName: rook-ceph-block
14 |
--------------------------------------------------------------------------------
/cluster/apps/security/vaultwarden/config-pvc.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: PersistentVolumeClaim
4 | metadata:
5 | name: vaultwarden-config
6 | namespace: security
7 | spec:
8 | accessModes:
9 | - ReadWriteOnce
10 | resources:
11 | requests:
12 | storage: 1Gi
13 | storageClassName: rook-ceph-block
14 |
--------------------------------------------------------------------------------
/ansible/playbooks/debian/init.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
# Bootstraps the debian role on every inventory group (PVE hosts plus k3s masters/workers);
# any_errors_fatal stops the whole run on the first failing host.
3 | - hosts:
4 | - pve-nodes
5 | - master-nodes
6 | - worker-nodes
7 | become: true
8 | gather_facts: true
9 | any_errors_fatal: true
10 | pre_tasks:
11 | - name: Pausing for 3 seconds...
12 | ansible.builtin.pause:
13 | seconds: 3
14 | roles:
15 | - debian
16 |
--------------------------------------------------------------------------------
/cluster/apps/kustomization.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kustomize.config.k8s.io/v1beta1
2 | kind: Kustomization
3 | resources:
4 | - calico-system
# NOTE(review): db-system and kasten-io are disabled here; their namespaces are still created by
# core/namespaces/kustomization.yaml, so they exist empty until re-enabled.
5 | #- db-system
6 | - falco-system
7 | #- kasten-io
8 | - ibc
9 | - kube-system
10 | - media
11 | - monitoring
12 | - netops
13 | - networking
14 | - security
15 | - system-upgrade
16 | - utils
17 |
--------------------------------------------------------------------------------
/cluster/apps/security/vaultwarden/postgres-pvc.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: PersistentVolumeClaim
4 | metadata:
5 | name: vaultwarden-postgresql
6 | namespace: security
7 | spec:
8 | accessModes:
9 | - ReadWriteOnce
10 | resources:
11 | requests:
12 | storage: 8Gi
# NOTE(review): every other PVC in this tree uses rook-ceph-block; a shared filesystem class for
# a PostgreSQL data directory is unusual (the password-manager database lives here) — confirm
# rook-cephfs is intentional rather than a copy/paste from a ReadWriteMany workload.
13 | storageClassName: rook-cephfs
14 |
--------------------------------------------------------------------------------
/cluster/apps/networking/traefik/dashboard/.dns-endpoint.yaml:
--------------------------------------------------------------------------------
# NOTE(review): the dot-prefixed filename suggests this record is deliberately not referenced by
# the kustomization. If re-enabled it publishes the Traefik dashboard hostname in DNS; make
# sure the matching ingress sits behind the authentik middleware before doing so.
1 | ---
2 | apiVersion: externaldns.k8s.io/v1alpha1
3 | kind: DNSEndpoint
4 | metadata:
5 | name: dashboard
6 | namespace: networking
7 | spec:
8 | endpoints:
9 | - dnsName: "traefik.${SECRET_DOMAIN}"
10 | recordType: A
11 | targets:
12 | - "${SVC_TRAEFIK_ADDR}"
13 |
--------------------------------------------------------------------------------
/cluster/base/flux-system/charts/helm/prometheus-community-charts.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: source.toolkit.fluxcd.io/v1beta1
3 | kind: HelmRepository
4 | metadata:
5 | name: prometheus-community-charts
6 | namespace: flux-system
7 | spec:
8 | interval: 10m
9 | url: https://prometheus-community.github.io/helm-charts
10 | timeout: 3m
11 |
--------------------------------------------------------------------------------
/ansible/playbooks/k3s/install.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | - hosts:
4 | - master-nodes
5 | - worker-nodes
6 | become: true
7 | gather_facts: true
8 | any_errors_fatal: true
9 | pre_tasks:
10 | - name: Pausing for 3 seconds...
# NOTE(review): short module name; the k3s/upgrade, ubuntu/init and debian/init playbooks use
# the fully qualified `ansible.builtin.pause:` — align for consistency and collection-safe
# resolution.
11 | pause:
12 | seconds: 3
13 | roles:
14 | - debian
15 | - xanmanning.k3s
16 | - k3s
17 | - kube-vip
18 |
--------------------------------------------------------------------------------
/cluster/apps/calico-system/felix-metrics/service.yaml:
--------------------------------------------------------------------------------
# Exposes the Felix metrics port of calico-node pods as a Service; scraping in this tree is done
# by the felix-metrics PodMonitor, so this Service is presumably for direct/manual access — confirm.
1 | ---
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | namespace: calico-system
6 | name: felix-metrics
7 | labels:
8 | k8s-app: calico-node
9 | spec:
10 | selector:
11 | k8s-app: calico-node
12 | ports:
13 | - name: http-metrics
14 | port: 9091
15 | targetPort: 9091
16 |
--------------------------------------------------------------------------------
/cluster/base/flux-system/charts/helm/kubernetes-sigs-descheduler-charts.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: source.toolkit.fluxcd.io/v1beta1
3 | kind: HelmRepository
4 | metadata:
5 | name: kubernetes-sigs-descheduler-charts
6 | namespace: flux-system
7 | spec:
8 | interval: 10m
9 | url: https://kubernetes-sigs.github.io/descheduler
10 | timeout: 3m
11 |
--------------------------------------------------------------------------------
/cluster/base/flux-system/charts/helm/node-feature-discovery-charts.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: source.toolkit.fluxcd.io/v1beta1
3 | kind: HelmRepository
4 | metadata:
5 | name: node-feature-discovery-charts
6 | namespace: flux-system
7 | spec:
8 | interval: 10m
9 | url: https://kubernetes-sigs.github.io/node-feature-discovery/charts
10 | timeout: 3m
11 |
--------------------------------------------------------------------------------
/cluster/apps/utils/dnsutils.yaml:
--------------------------------------------------------------------------------
# NOTE(review): long-lived troubleshooting pod (sleep 3600 under restartPolicy Always) that is
# declared under apps/utils yet placed in the security namespace, and duplicated verbatim at
# cluster/apps/utils/dnsutils/dnsutils.yaml. Network tooling left permanently deployed widens
# the footprint an incident responder has to account for; remove it or gate it behind an
# explicit task once debugging is done. The image comes from a test-fixture registry path.
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: dnsutils
5 | namespace: security
6 | spec:
7 | containers:
8 | - name: dnsutils
9 | image: gcr.io/kubernetes-e2e-test-images/dnsutils:1.3
10 | command:
11 | - sleep
12 | - "3600"
13 | imagePullPolicy: IfNotPresent
14 | restartPolicy: Always
15 |
--------------------------------------------------------------------------------
/Taskfile.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | version: '3'
3 |
4 | vars:
5 | PROJECT_DIR:
6 | sh: "git rev-parse --show-toplevel"
7 | CLUSTER_DIR: "{{.PROJECT_DIR}}/cluster"
8 | ANSIBLE_DIR: "{{.PROJECT_DIR}}/ansible"
9 |
10 | env:
# NOTE(review): no space after the colon, so YAML reads the whole line as one plain scalar and
# `env` is a string rather than a mapping; intended form is `KUBECONFIG: "$XDG_HOME_DIR/.kube/config"`.
# XDG_HOME_DIR is also not one of the standard XDG base-directory variables — confirm it is set.
11 | KUBECONFIG:"$XDG_HOME_DIR/.kube/config"
12 |
13 | includes:
14 | ansible: .taskfiles/ansible.yml
15 | flux: .taskfiles/flux.yml
16 |
17 |
--------------------------------------------------------------------------------
/cluster/apps/utils/dnsutils/dnsutils.yaml:
--------------------------------------------------------------------------------
# NOTE(review): identical to cluster/apps/utils/dnsutils.yaml (same name and namespace); keep one
# copy so the two cannot drift.
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: dnsutils
5 | namespace: security
6 | spec:
7 | containers:
8 | - name: dnsutils
9 | image: gcr.io/kubernetes-e2e-test-images/dnsutils:1.3
10 | command:
11 | - sleep
12 | - "3600"
13 |
imagePullPolicy: IfNotPresent
14 | restartPolicy: Always
15 |
--------------------------------------------------------------------------------
/cluster/core/rook-ceph/rbac.yaml:
--------------------------------------------------------------------------------
# NOTE(review): grants `use` on the 00-rook-ceph-operator PodSecurityPolicy. PodSecurityPolicy was
# removed from the Kubernetes API in 1.25, so on such clusters this ClusterRole is inert and Pod
# Security Admission (or whatever admission policy is deployed) governs rook pods instead. No
# binding for this role is visible in this listing.
1 | ---
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: ClusterRole
4 | metadata:
5 | name: 'rook-ceph-system-psp-user'
6 | labels:
7 | operator: rook
8 | storage-backend: ceph
9 | rules:
10 | - apiGroups:
11 | - policy
12 | resources:
13 | - podsecuritypolicies
14 | resourceNames:
15 | - 00-rook-ceph-operator
16 | verbs:
17 | - use
18 |
--------------------------------------------------------------------------------
/cluster/apps/calico-system/felix-metrics/pod-monitor.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: monitoring.coreos.com/v1
3 | kind: PodMonitor
4 | metadata:
5 | name: felix-metrics
6 | namespace: calico-system
7 | labels:
8 | k8s-app: calico-node
9 | spec:
10 | selector:
11 | matchLabels:
12 | k8s-app: calico-node
13 | podMetricsEndpoints:
14 | - port: http-metrics
15 | path: /metrics
16 | interval: 15s
17 |
--------------------------------------------------------------------------------
/cluster/apps/calico-system/typha-metrics/pod-monitor.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: monitoring.coreos.com/v1
3 | kind: PodMonitor
4 | metadata:
5 | name: typha-metrics
6 | namespace: calico-system
7 | labels:
8 | k8s-app: calico-typha
9 | spec:
10 | selector:
11 | matchLabels:
12 | k8s-app: calico-typha
13 | podMetricsEndpoints:
14 | - port: http-metrics
15 | path: /metrics
16 | interval: 15s
17 |
--------------------------------------------------------------------------------
/cluster/core/rook-ceph/storage/ceph-file-system.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: ceph.rook.io/v1
3 | kind:
CephFilesystem
4 | metadata:
5 | name: cephfs
6 | namespace: rook-ceph
7 | spec:
8 | metadataPool:
9 | replicated:
10 | size: 3
11 | dataPools:
12 | - replicated:
13 | size: 3
# NOTE(review): false means deleting this CR also removes the underlying CephFS pools and their
# data; the authentik cephfs.yaml in this tree sets true. Confirm false is intended for the
# cluster-wide filesystem, since an accidental prune would be unrecoverable.
14 | preserveFilesystemOnDelete: false
15 | metadataServer:
16 | activeCount: 1
17 | activeStandby: true
18 |
19 |
--------------------------------------------------------------------------------
/.github/lint/.yamllint.yaml:
--------------------------------------------------------------------------------
1 | ignore: |
2 | *.sops.*
3 | gotk-components.yaml
4 | extends: default
5 | rules:
6 | truthy:
7 | allowed-values: ["true", "false", "on"]
8 | comments:
9 | min-spaces-from-content: 1
10 | line-length: disable
11 | braces:
12 | min-spaces-inside: 0
13 | max-spaces-inside: 1
14 | brackets:
15 | min-spaces-inside: 0
16 | max-spaces-inside: 0
17 | indentation: enable
18 |
--------------------------------------------------------------------------------
/cluster/base/flux-system/charts/git/rancher-dev-charts.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: source.toolkit.fluxcd.io/v1beta1
3 | kind: GitRepository
4 | metadata:
5 | name: rancher-dev-charts
6 | namespace: flux-system
7 | spec:
8 | interval: 10m
9 | url: https://github.com/rancher/charts
# NOTE(review): tracks the moving dev-v2.6 branch rather than a tag or commit, so the chart
# content Flux reconciles can change with no change in this repository; pin ref.tag or
# ref.commit to keep the source reproducible and reviewable.
10 | ref:
11 | branch: dev-v2.6
12 | ignore: |
13 | # exclude all
14 | /*
15 | # include charts directory
16 | !/charts/
17 |
--------------------------------------------------------------------------------
/cluster/apps/security/authentik/cephfs.yaml:
--------------------------------------------------------------------------------
# NOTE(review): a CephFilesystem targeting the rook-ceph namespace, but kept under
# apps/security/authentik; the other storage CRs live in core/rook-ceph/storage. Consider moving
# it so the filesystem's lifecycle is not tied to this application's kustomization.
1 | ---
2 | apiVersion: ceph.rook.io/v1
3 | kind: CephFilesystem
4 | metadata:
5 | name: rwm-fs
6 | namespace: rook-ceph
7 | spec:
8 | metadataPool:
9 | replicated:
10 | size: 3
11 | dataPools:
12 | - name: replicated
13 | replicated:
14 | size: 3
15 | preserveFilesystemOnDelete: true
16 | metadataServer:
17 | activeCount: 1
18 | activeStandby: true
19 |
-------------------------------------------------------------------------------- /cluster/apps/networking/wildcard-certificate/certificate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: Certificate 4 | metadata: 5 | name: "${SECRET_DOMAIN/./-}" 6 | namespace: networking 7 | spec: 8 | secretName: "${SECRET_DOMAIN/./-}-tls" 9 | issuerRef: 10 | name: letsencrypt-production 11 | kind: ClusterIssuer 12 | commonName: "${SECRET_DOMAIN}" 13 | dnsNames: 14 | - "${SECRET_DOMAIN}" 15 | - "*.${SECRET_DOMAIN}" 16 | -------------------------------------------------------------------------------- /cluster/core/namespaces/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - calico-system.yaml 6 | - cert-manager.yaml 7 | - db-system.yaml 8 | - falco-system.yaml 9 | - flux-system.yaml 10 | - ibc.yaml 11 | - kasten-io.yaml 12 | - kube-system.yaml 13 | - rook-ceph.yaml 14 | - monitoring.yaml 15 | - media.yaml 16 | - netops.yaml 17 | - networking.yaml 18 | - security.yaml 19 | - utils.yaml 20 | -------------------------------------------------------------------------------- /ansible/roles/pve7/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - include: apt-sources.yml 4 | tags: 5 | - apt-sources 6 | 7 | - include: grub.yml 8 | loop: 9 | - "intel_iommu=on" 10 | - "iommu=pt" 11 | tags: 12 | - grub 13 | 14 | - include: modules.yml 15 | loop: 16 | - "vfio" 17 | - "vfio_iommu_type1" 18 | - "vfio_pci" 19 | - "vfio_virqfd" 20 | tags: 21 | - modules 22 | 23 | - include: packages.yml 24 | tags: 25 | - packages 26 | 27 | -------------------------------------------------------------------------------- /cluster/apps/calico-system/kube-controllers-metrics/pod-monitor.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PodMonitor 4 | metadata: 5 | name: kube-controllers-metrics 6 | namespace: calico-system 7 | labels: 8 | k8s-app: calico-kube-controllers 9 | spec: 10 | selector: 11 | matchLabels: 12 | k8s-app: calico-kube-controllers 13 | podMetricsEndpoints: 14 | - port: http-metrics 15 | path: /metrics 16 | interval: 15s 17 | -------------------------------------------------------------------------------- /cluster/core/rook-ceph/service-monitors/csi-metrics.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: csi-metrics 6 | namespace: rook-ceph 7 | labels: 8 | team: rook 9 | spec: 10 | namespaceSelector: 11 | matchNames: 12 | - rook-ceph 13 | selector: 14 | matchLabels: 15 | app: csi-metrics 16 | endpoints: 17 | - port: csi-http-metrics 18 | path: /metrics 19 | interval: 5s 20 | -------------------------------------------------------------------------------- /ansible/inventory/hosts.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | all: 4 | children: 5 | pve-nodes: 6 | hosts: 7 | pve01: 8 | pve02: 9 | pve03: 10 | pve04: 11 | pve05: 12 | master-nodes: 13 | hosts: 14 | m1: 15 | m2: 16 | m3: 17 | worker-nodes: 18 | hosts: 19 | w1: 20 | w2: 21 | w3: 22 | storage: 23 | hosts: 24 | nas: 25 | vip: 26 | hosts: 27 | cl: 28 | -------------------------------------------------------------------------------- /ansible/roles/ubuntu/tasks/kernel.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: kernel | modules | enable at runtime 4 | community.general.modprobe: 5 | name: "{{ item }}" 6 | state: present 7 | loop: 8 | - br_netfilter 9 | - overlay 10 | - rbd 11 | 12 | - name: kernel | modules | enable on boot 13 | 
ansible.builtin.copy: 14 | mode: 0644 15 | content: "{{ item }}" 16 | dest: "/etc/modules-load.d/{{ item }}.conf" 17 | loop: 18 | - br_netfilter 19 | - overlay 20 | - rbd 21 | -------------------------------------------------------------------------------- /cluster/apps/networking/traefik/service-monitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: traefik 6 | namespace: networking 7 | labels: 8 | app.kubernetes.io/name: traefik 9 | spec: 10 | endpoints: 11 | - path: /metrics 12 | targetPort: metrics 13 | jobLabel: traefik 14 | namespaceSelector: 15 | matchNames: 16 | - networking 17 | selector: 18 | matchLabels: 19 | app.kubernetes.io/name: traefik 20 | -------------------------------------------------------------------------------- /ansible/playbooks/pve/upgrade.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - hosts: 4 | - pve-nodes 5 | become: true 6 | gather_facts: true 7 | any_errors_fatal: true 8 | pre_tasks: 9 | - name: Pausing for 3 seconds... 10 | pause: 11 | seconds: 3 12 | tasks: 13 | - name: upgrade 14 | apt: 15 | upgrade: full 16 | update_cache: true 17 | cache_valid_time: 3600 18 | autoclean: true 19 | autoremove: true 20 | register: apt_upgrade 21 | retries: 5 22 | until: apt_upgrade is success 23 | -------------------------------------------------------------------------------- /ansible/playbooks/pve7/upgrade.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - hosts: 4 | - pve-nodes 5 | become: true 6 | gather_facts: true 7 | any_errors_fatal: true 8 | pre_tasks: 9 | - name: Pausing for 3 seconds... 
10 |       pause:
11 |         seconds: 3
12 |   tasks:
13 |     - name: upgrade
14 |       apt:
15 |         upgrade: full
16 |         update_cache: true
17 |         cache_valid_time: 3600
18 |         autoclean: true
19 |         autoremove: true
20 |       register: apt_upgrade
21 |       retries: 5
22 |       until: apt_upgrade is success
23 |
-------------------------------------------------------------------------------- /ansible/inventory/group_vars/worker-nodes/k3s.yml: --------------------------------------------------------------------------------
1 | ---
2 |
3 | # https://rancher.com/docs/k3s/latest/en/installation/install-options/agent-config/
4 | # https://github.com/PyratLabs/ansible-role-k3s#agent-worker-configuration
5 |
6 | # Don't define the host as control plane nodes
7 | k3s_control_node: false
8 |
9 | # k3s settings for all worker nodes
10 | k3s_agent:
11 |   node-ip: "{{ ansible_host }}"
12 |   kubelet-arg:
13 |     - "feature-gates=GracefulNodeShutdown=true"
14 |     - "feature-gates=MixedProtocolLBService=true"
15 |
-------------------------------------------------------------------------------- /ansible/playbooks/k3s/deprecated/kube-vip-bgp.yaml: --------------------------------------------------------------------------------
1 | ---
2 | # k3s-m1
3 | - name: Install kube-vip in BGP mode
4 |   hosts: k3s-m1
5 |   remote_user: root
6 |   tasks:
    # NOTE(review): both tasks drop unpinned, unverified remote content straight into
    # /var/lib/rancher/k3s/server/manifests, which k3s applies automatically. If this
    # deprecated playbook is ever revived, fetch a pinned tag/commit, verify a checksum,
    # and use `curl -fsS` so an HTTP error page is not written as a manifest.
7 |     - name: Pull RBAC to manifests
8 |       shell: curl -s https://kube-vip.io/manifests/rbac.yaml > /var/lib/rancher/k3s/server/manifests/kube-vip-rbac.yaml
9 |
10 |     - name: Pull kube-vip manifest
      # NOTE(review): `curl -s` is missing here. As written the shell tries to execute the
      # URL as a command; the redirect is still opened first, so an empty
      # kube-vip-bgp.yaml lands in the auto-deploy directory.
11 |       shell: https://raw.githubusercontent.com/dvmrry/k3s-gitops/main/cluster/kube-vip/kube-vip-bgp.yaml > /var/lib/rancher/k3s/server/manifests/kube-vip-bgp.yaml
12 |
-------------------------------------------------------------------------------- /ansible/roles/pve/tasks/main.yml: --------------------------------------------------------------------------------
1 | ---
2 |
3 | - include: apt-sources.yml
4 |   tags:
5 |     - apt-sources
6 |
7 | - include: grub.yml
8 |   loop:
9 |     - "intel_iommu=on"
10 |     - "iommu=pt"
11
| tags: 12 | - grub 13 | 14 | - include: modules.yml 15 | loop: 16 | - "vfio" 17 | - "vfio_iommu_type1" 18 | - "vfio_pci" 19 | - "vfio_virqfd" 20 | tags: 21 | - modules 22 | 23 | - include: postfix.yml 24 | tags: 25 | - postfix 26 | 27 | - include: packages.yml 28 | tags: 29 | - packages 30 | 31 | -------------------------------------------------------------------------------- /cluster/apps/networking/traefik/middlewares/rfc1918.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.containo.us/v1alpha1 3 | kind: Middleware 4 | metadata: 5 | name: rfc1918-ips 6 | namespace: networking 7 | spec: 8 | ipWhiteList: 9 | sourceRange: 10 | - 10.0.0.0/8 11 | - 172.16.0.0/12 12 | - 192.168.0.0/16 13 | --- 14 | apiVersion: traefik.containo.us/v1alpha1 15 | kind: Middleware 16 | metadata: 17 | name: rfc1918 18 | namespace: networking 19 | spec: 20 | chain: 21 | middlewares: 22 | - name: rfc1918-ips 23 | -------------------------------------------------------------------------------- /cluster/core/rook-ceph/service-monitors/rook-ceph-mgr.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: rook-ceph-mgr 6 | namespace: rook-ceph 7 | labels: 8 | team: rook 9 | spec: 10 | namespaceSelector: 11 | matchNames: 12 | - rook-ceph 13 | selector: 14 | matchLabels: 15 | app: rook-ceph-mgr 16 | rook_cluster: rook-ceph 17 | ceph_daemon_id: a 18 | endpoints: 19 | - port: http-metrics 20 | path: /metrics 21 | interval: 5s 22 | -------------------------------------------------------------------------------- /ansible/roles/pve/tasks/apt-sources.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: remove pve-enterprise 4 | ansible.builtin.lineinfile: 5 | dest: /etc/apt/sources.list.d/pve-enterprise.list 6 | regex: '^deb 
https://enterprise.proxmox.com/debian/pve buster pve-enterprise' 7 | state: absent 8 | 9 | - name: add pve-no-subscription 10 | ansible.builtin.lineinfile: 11 | dest: /etc/apt/sources.list.d/pve-enterprise.list 12 | line: deb http://download.proxmox.com/debian buster pve-no-subscription 13 | state: present 14 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/question.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Question 3 | about: Ask a question to the maintainer 4 | title: '' 5 | labels: kind/question 6 | assignees: '' 7 | 8 | --- 9 | 10 | # Details 11 | 12 | **Ask your question:** 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /ansible/roles/pve7/tasks/apt-sources.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: remove pve-enterprise 4 | ansible.builtin.lineinfile: 5 | dest: /etc/apt/sources.list.d/pve-enterprise.list 6 | regex: '^deb https://enterprise.proxmox.com/debian/pve bullseye pve-enterprise' 7 | state: absent 8 | 9 | - name: add pve-no-subscription 10 | ansible.builtin.lineinfile: 11 | dest: /etc/apt/sources.list.d/pve-enterprise.list 12 | line: deb http://download.proxmox.com/debian bullseye pve-no-subscription 13 | state: present 14 | -------------------------------------------------------------------------------- /ansible/inventory/group_vars/all/calico.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | # Encapsulation type 4 | calico: 5 | enabled: true 6 | operator_manifest: "https://docs.projectcalico.org/manifests/tigera-operator.yaml" 7 | bgp: 8 | enabled: true 9 | peer: 172.24.0.254 10 | as: 64512 11 | # externalIPs is the network you want services to consume 12 | # (this network should not exist or be defined anywhere in your network) 13 | 
externalIPs: 172.25.0.0/24 14 | clusterIPs: 172.27.0.0/16 15 | node: 16 | cidrs: 17 | - 172.24.0.0/24 18 | -------------------------------------------------------------------------------- /ansible/roles/ubuntu/tasks/power-button.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: power-button | disable single power button press shutdown 4 | ansible.builtin.lineinfile: 5 | path: /etc/systemd/logind.conf 6 | regexp: "{{ item.setting }}" 7 | line: "{{ item.setting }}={{ item.value }}" 8 | loop: 9 | - { setting: HandlePowerKey, value: ignore } 10 | 11 | - name: power-button | restart logind systemd service 12 | ansible.builtin.systemd: 13 | name: systemd-logind.service 14 | daemon_reload: true 15 | enabled: true 16 | state: restarted 17 | -------------------------------------------------------------------------------- /cluster/apps/networking/traefik/dashboard/ingress-routes.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.containo.us/v1alpha1 3 | kind: IngressRoute 4 | metadata: 5 | name: dashboard 6 | namespace: networking 7 | spec: 8 | entryPoints: 9 | - websecure 10 | routes: 11 | - match: Host(`traefik.${SECRET_DOMAIN}`) 12 | kind: Rule 13 | priority: 10 14 | services: 15 | - name: api@internal 16 | kind: TraefikService 17 | middlewares: 18 | - name: networking-authentik@kubernetescrd 19 | tls: 20 | secretName: "${SECRET_DOMAIN/./-}-tls" 21 | -------------------------------------------------------------------------------- /terraform/authentik/flows.tf: -------------------------------------------------------------------------------- 1 | resource "authentik_flow" "flow" { 2 | for_each = local.flow 3 | background = try(each.value.background, "") 4 | compatibility_mode = try(each.value.compatibility_mode, true) 5 | designation = try(each.value.designation, "authentication") 6 | name = try(each.value.name, "${each.key}") 7 | policy_engine_mode 
= try(each.value.policy_engine_mode, "all") 8 | slug = try(each.value.slug, "${each.key}") 9 | title = try(each.value.title, "${each.key}") 10 | } -------------------------------------------------------------------------------- /cluster/apps/.kasten-io/k10/service-monitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: k10 6 | namespace: kasten-io 7 | spec: 8 | namespaceSelector: 9 | matchNames: 10 | - kasten-io 11 | selector: 12 | matchLabels: 13 | app: prometheus 14 | endpoints: 15 | - port: http 16 | scheme: http 17 | path: /k10/prometheus/federate 18 | honorLabels: true 19 | interval: 15s 20 | params: 21 | 'match[]': 22 | - '{__name__=~"jobs.*"}' 23 | - '{__name__=~"catalog.*"}' 24 | -------------------------------------------------------------------------------- /ansible/roles/kube-vip/tasks/kube-vip.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: kube_vip | deploy manifest 4 | ansible.builtin.template: 5 | src: "kube-vip-ds.yaml.j2" 6 | dest: "{{ kube_vip.manifests_dir }}/kube-vip.yaml" 7 | mode: 0644 8 | when: 9 | - k3s_control_node is defined 10 | - k3s_control_node 11 | 12 | - name: kube_vip | deploy manifest 13 | ansible.builtin.template: 14 | src: "kube-vip-rbac.yaml.j2" 15 | dest: "{{ kube_vip.manifests_dir }}/kube-vip-rbac.yaml" 16 | mode: 0644 17 | when: 18 | - k3s_control_node is defined 19 | - k3s_control_node 20 | -------------------------------------------------------------------------------- /ansible/roles/pve/tasks/modules.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Check for existence of modules 4 | stat: 5 | path: /etc/modules 6 | register: modules_result 7 | 8 | - name: Check if module is missing 9 | become: true 10 | shell: "grep '{{ item }}' /etc/modules" 11 | register: 
lineinfile_check 12 | failed_when: "lineinfile_check.rc == 2" 13 | changed_when: "lineinfile_check.rc == 1" 14 | ignore_errors: yes 15 | 16 | - name: Add module 17 | become: true 18 | lineinfile: 19 | path: /etc/modules 20 | line: "{{ item }}" 21 | when: lineinfile_check.changed 22 | -------------------------------------------------------------------------------- /ansible/roles/pve7/tasks/modules.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Check for existence of modules 4 | stat: 5 | path: /etc/modules 6 | register: modules_result 7 | 8 | - name: Check if module is missing 9 | become: true 10 | shell: "grep '{{ item }}' /etc/modules" 11 | register: lineinfile_check 12 | failed_when: "lineinfile_check.rc == 2" 13 | changed_when: "lineinfile_check.rc == 1" 14 | ignore_errors: yes 15 | 16 | - name: Add module 17 | become: true 18 | lineinfile: 19 | path: /etc/modules 20 | line: "{{ item }}" 21 | when: lineinfile_check.changed 22 | -------------------------------------------------------------------------------- /ansible/playbooks/ubuntu/upgrade.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - hosts: 4 | - master-nodes 5 | - worker-nodes 6 | become: true 7 | gather_facts: true 8 | any_errors_fatal: true 9 | pre_tasks: 10 | - name: Pausing for 3 seconds... 
11 |       ansible.builtin.pause:
12 |         seconds: 3
13 |   tasks:
14 |     - name: upgrade
15 |       ansible.builtin.apt:
16 |         upgrade: full
17 |         update_cache: true
18 |         cache_valid_time: 3600
19 |         autoclean: true
20 |         autoremove: true
21 |       register: apt_upgrade
22 |       retries: 5
23 |       until: apt_upgrade is success
24 |
25 |
-------------------------------------------------------------------------------- /ansible/roles/k3s/tasks/registry.yml: --------------------------------------------------------------------------------
1 | ---
2 |
3 | - name: registry | create /etc/rancher/k3s
4 |   ansible.builtin.file:
5 |     path: "/etc/rancher/k3s"
6 |     state: directory
    # NOTE(review): 0644 on a directory has no execute bit, so only root (via
    # CAP_DAC_OVERRIDE) can traverse it; a directory mode such as 0755 (or 0700 if
    # nothing unprivileged needs it) is what was presumably intended.
7 |     mode: 0644
8 |
9 | - name: registry | configure mirrors and custom registries
10 |   ansible.builtin.template:
11 |     src: "registries.yaml.j2"
12 |     dest: "/etc/rancher/k3s/registries.yaml"
    # NOTE(review): registries.yaml.j2 renders registry usernames and passwords under
    # `configs:`; 0644 leaves those credentials readable by every local user.
    # Use `mode: 0600` (k3s runs as root and can still read it).
13 |     mode: 0644
14 |
# NOTE(review): this restart is unconditional, so every role run bounces k3s even when
# the template did not change; registering the template result and restarting only
# when it is `changed` (or a handler with `notify`) avoids needless node disruption.
15 | - name: registry | restart k3s systemd service
16 |   ansible.builtin.systemd:
17 |     name: k3s.service
18 |     daemon_reload: true
19 |     enabled: true
20 |     state: restarted
21 |
-------------------------------------------------------------------------------- /cluster/core/cert-manager/letsencrypt-production.yaml: --------------------------------------------------------------------------------
1 | ---
2 | apiVersion: cert-manager.io/v1
3 | kind: ClusterIssuer
4 | metadata:
5 |   name: letsencrypt-production
6 | spec:
7 |   acme:
8 |     server: https://acme-v02.api.letsencrypt.org/directory
9 |     email: "${SECRET_CLOUDFLARE_EMAIL}"
10 |     privateKeySecretRef:
11 |       name: letsencrypt-production
12 |     solvers:
13 |       - dns01:
14 |           cloudflare:
15 |             email: "${SECRET_CLOUDFLARE_EMAIL}"
16 |             apiTokenSecretRef:
17 |               name: cloudflare-token-secret
18 |               key: cloudflare-token
19 |
-------------------------------------------------------------------------------- /cluster/core/cert-manager/letsencrypt-staging.yaml: --------------------------------------------------------------------------------
1 | ---
2 | apiVersion: cert-manager.io/v1
3 | kind: ClusterIssuer
4
| metadata: 5 | name: letsencrypt-staging 6 | spec: 7 | acme: 8 | server: https://acme-staging-v02.api.letsencrypt.org/directory 9 | email: "${SECRET_CLOUDFLARE_EMAIL}" 10 | privateKeySecretRef: 11 | name: letsencrypt-staging 12 | solvers: 13 | - dns01: 14 | cloudflare: 15 | email: "${SECRET_CLOUDFLARE_EMAIL}" 16 | apiTokenSecretRef: 17 | name: cloudflare-token-secret 18 | key: cloudflare-token 19 | -------------------------------------------------------------------------------- /.github/lint/.markdownlint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | default: true 3 | 4 | # MD013/line-length - Line length 5 | MD013: 6 | # Number of characters 7 | line_length: 240 8 | # Number of characters for headings 9 | heading_line_length: 80 10 | # Number of characters for code blocks 11 | code_block_line_length: 80 12 | # Include code blocks 13 | code_blocks: true 14 | # Include tables 15 | tables: true 16 | # Include headings 17 | headings: true 18 | # Include headings 19 | headers: true 20 | # Strict length checking 21 | strict: false 22 | # Stern length checking 23 | stern: false 24 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature-request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: kind/enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | # Details 11 | 12 | **Describe the solution you'd like:** 13 | 14 | 15 | 16 | **Anything else you would like to add:** 17 | 18 | 19 | 20 | **Additional Information:** 21 | 22 | 23 | -------------------------------------------------------------------------------- /ansible/roles/ubuntu/tasks/filesystem.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: filesystem | sysctl | update max_user_watches 4 | ansible.posix.sysctl: 5 
|       name: fs.inotify.max_user_watches
6 |     value: "65536"
7 |     state: present
8 |     sysctl_file: /etc/sysctl.d/98-kubernetes-fs.conf
9 |
10 | - name: filesystem | swap | disable at runtime
11 |   ansible.builtin.command: swapoff -a
12 |   when: ansible_swaptotal_mb > 0
13 |
14 | - name: filesystem | swap| disable on boot
15 |   ansible.posix.mount:
16 |     name: "{{ item }}"
17 |     fstype: swap
18 |     state: absent
19 |   loop:
20 |     - swap
21 |     - none
22 |
-------------------------------------------------------------------------------- /.pre-commit-config.yaml: --------------------------------------------------------------------------------
1 | ---
2 | repos:
3 |   - repo: https://github.com/pre-commit/pre-commit-hooks
4 |     rev: v4.0.1
5 |     hooks:
6 |       - id: check-added-large-files
7 |       - id: check-merge-conflict
8 |       - id: detect-private-key
9 |       - id: trailing-whitespace
10 |   - repo: https://github.com/adrienverge/yamllint
11 |     rev: v1.26.3
12 |     hooks:
13 |       - id: yamllint
14 |         args:
15 |           - -c
            # NOTE(review): .taskfiles/lint.yml runs yamllint with
            # '.github/lint/.yamllint.yaml'; one of the two config paths is likely stale.
16 |           - .github/yamllint.config.yaml
    # NOTE(review): git:// is unauthenticated and unencrypted, and GitHub no longer serves
    # it, so this hook source cannot be fetched and could not be trusted if it could.
    # Use `repo: https://github.com/Lucas-C/pre-commit-hooks` like the other entries.
17 |   - repo: git://github.com/Lucas-C/pre-commit-hooks
18 |     rev: v1.1.10
19 |     hooks:
20 |       - id: forbid-crlf
21 |       - id: remove-crlf
22 |       - id: forbid-tabs
23 |       - id: remove-tabs
24 |
-------------------------------------------------------------------------------- /cluster/base/apps.yaml: --------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
3 | kind: Kustomization
4 | metadata:
5 |   name: apps
6 |   namespace: flux-system
7 | spec:
8 |   interval: 10m0s
9 |   dependsOn:
10 |     - name: core
11 |   path: ./cluster/apps
12 |   prune: true
13 |   sourceRef:
14 |     kind: GitRepository
15 |     name: flux-system
16 |   decryption:
17 |     provider: sops
18 |     secretRef:
19 |       name: sops-gpg
20 |   postBuild:
21 |     substitute: {}
22 |     substituteFrom:
23 |       - kind: ConfigMap
24 |         name: cluster-settings
25 |       - kind: Secret
26 |         name: cluster-secrets
27 |
28 |
-------------------------------------------------------------------------------- /cluster/base/core.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta1 3 | kind: Kustomization 4 | metadata: 5 | name: core 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | dependsOn: 10 | - name: crds 11 | path: ./cluster/core 12 | prune: false 13 | sourceRef: 14 | kind: GitRepository 15 | name: flux-system 16 | decryption: 17 | provider: sops 18 | secretRef: 19 | name: sops-gpg 20 | postBuild: 21 | substitute: {} 22 | substituteFrom: 23 | - kind: ConfigMap 24 | name: cluster-settings 25 | - kind: Secret 26 | name: cluster-secrets 27 | 28 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | **Description of the change** 2 | 3 | 4 | 5 | **Benefits** 6 | 7 | 8 | 9 | **Possible drawbacks** 10 | 11 | 12 | 13 | **Applicable issues** 14 | 15 | 16 | - fixes # 17 | 18 | **Additional information** 19 | 20 | 21 | -------------------------------------------------------------------------------- /ansible/roles/ubuntu/tasks/rsyslog.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: rsyslog 4 | block: 5 | - name: rsyslog | copy promtail configuration 6 | ansible.builtin.template: 7 | src: "rsyslog-50-promtail.conf.j2" 8 | dest: "/etc/rsyslog.d/50-promtail.conf" 9 | mode: 0644 10 | - name: rsyslog | start systemd service 11 | ansible.builtin.systemd: 12 | name: rsyslog 13 | enabled: true 14 | state: started 15 | - name: rsyslog | restart systemd service 16 | ansible.builtin.systemd: 17 | name: rsyslog.service 18 | daemon_reload: true 19 | enabled: true 20 | state: restarted 21 | -------------------------------------------------------------------------------- 
/.github/workflows/invalid-template.yaml: --------------------------------------------------------------------------------
1 | ---
2 | name: Invalid Template
3 |
4 | on:
5 |   issues:
6 |     types:
7 |       - labeled
8 |       - unlabeled
9 |       - reopened
10 |
# NOTE(review): no `permissions:` block, so the job runs with whatever the repository's
# default GITHUB_TOKEN scope is. Closing and locking issues needs only `issues: write`;
# declaring `permissions: { issues: write }` at the workflow or job level pins it there.
11 | jobs:
12 |   support:
13 |     runs-on: ubuntu-20.04
14 |     steps:
      # NOTE(review): `@v2` is a mutable tag that the action owner can move; pinning to the
      # full commit SHA (with the version in a trailing comment) is the standard guard
      # against a tampered release for an action that is handed the repo token.
15 |       - uses: dessant/support-requests@v2
16 |         with:
17 |           github-token: ${{ github.token }}
18 |           support-label: "template-incomplete"
19 |           issue-comment: >
20 |             :wave: @{issue-author}, please follow the template provided.
21 |           close-issue: true
22 |           lock-issue: true
23 |           issue-lock-reason: "resolved"
24 |
-------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug-report.md: --------------------------------------------------------------------------------
1 | ---
2 | name: Bug report
3 | about: Create a report to help us improve
4 | title: ''
5 | labels: kind/bug
6 | assignees: ''
7 |
8 | ---
9 |
10 | # Details
11 |
12 | **What steps did you take and what happened:**
13 |
14 |
15 |
16 | **What did you expect to happen:**
17 |
18 | **Anything else you would like to add:**
19 |
20 |
21 |
22 | **Additional Information:**
23 |
24 |
25 |
-------------------------------------------------------------------------------- /docs/rook-ceph.md: --------------------------------------------------------------------------------
1 | # rook-ceph notes
2 |
3 | # Change as needed for physical disk mounting or OSD to rebuild
4 | export DISK="/dev/nvme0n1"
5 | export OSD_NUM="2"
6 | export OSD_NODE="w2"
7 |
8 | # zap the drive of all mbr/gpt headers
9 | sgdisk --zap-all $DISK
10 |
11 | # clean the ssd
12 | blkdiscard $DISK
13 |
# NOTE(review): if `k` is a plain alias for kubectl, the three delete commands below need
# a resource type (`k delete pod ...`); kubectl otherwise treats the name as a type.
14 | # delete the preparation pod
15 | k delete -n rook-ceph rook-ceph-osd-prepare-$OSD_NODE
16 |
17 | # delete the operator pod
# NOTE(review): the replica-set hash and pod suffix are ephemeral, so this exact name will
# not exist next time; select by label instead, e.g. `-l app=rook-ceph-operator`.
18 | k delete -n rook-ceph rook-ceph-operator-546464887c-msb7p
19 |
20 | # delete the osd pod
# NOTE(review): same ephemeral-name issue, and OSD_NUM exported above is never used here —
# the OSD id 2 is hard-coded. Something like `-l ceph-osd-id=$OSD_NUM` keeps the two in step.
21 | k delete -n rook-ceph rook-ceph-osd-2-7f7bfbf9fc-pr6kl
22 |
-------------------------------------------------------------------------------- /ansible/roles/k3s/templates/registries.yaml.j2: --------------------------------------------------------------------------------
1 |
# NOTE(review): Ansible only honours a `#jinja2:` override when it is the very first line
# of the template; with the blank line 1 above, lstrip_blocks is most likely ignored.
2 | #jinja2:lstrip_blocks: True
3 | ---
4 | {% if mirror_registry is defined %}
5 | mirrors:
6 |   "docker.io":
7 |     endpoint:
8 |       - "{{ mirror_registry.address }}"
  # "*" routes every other registry through the same mirror as well.
9 |   "*":
10 |     endpoint:
11 |       - "{{ mirror_registry.address }}"
12 | {% endif %}
13 | {% if private_registries is defined and private_registries|length > 0 %}
14 | configs:
15 | {% for private_registry in private_registries %}
16 |   "{{ private_registry.address }}":
17 |     auth:
18 |       username: "{{ private_registry.username }}"
      # NOTE(review): this is a plaintext credential rendered to disk. The writing task in
      # roles/k3s/tasks/registry.yml uses mode 0644 — it should be 0600 — and the source
      # variable should come from vault/sops rather than plain group_vars (not visible
      # here; confirm). A password containing `"` or `\` also breaks this quoted scalar;
      # `{{ private_registry.password | to_json }}` renders it safely.
19 |       password: "{{ private_registry.password }}"
20 | {% endfor %}
21 | {% endif %}
22 |
-------------------------------------------------------------------------------- /.taskfiles/lint.yml: --------------------------------------------------------------------------------
1 | ---
2 | version: "3"
3 |
4 | tasks:
5 |   all:
6 |     - task: markdown
7 |     - task: yaml
8 |     - task: format
9 |
10 |   markdown:
11 |     desc: Lint Markdown
12 |     cmds:
13 |       - markdownlint -c '.github/lint/.markdownlint.yaml' *.md **/*.md
14 |     ignore_errors: true
15 |
16 |   yaml:
17 |     desc: Lint YAML
18 |     cmds:
      # NOTE(review): .pre-commit-config.yaml points yamllint at
      # '.github/yamllint.config.yaml'; the two paths should agree.
19 |       - yamllint -c '.github/lint/.yamllint.yaml' .
20 |     ignore_errors: true
21 |
22 |   format:
23 |     desc: Lint general formatting
24 |     cmds:
25 |       - prettier --ignore-path '.github/lint/.prettierignore' --config '.github/lint/.prettierrc.yaml' --check .
26 | ignore_errors: true 27 | -------------------------------------------------------------------------------- /cluster/apps/.kasten-io/k10/policies/k10-disaster-recovery-policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Policy 3 | apiVersion: config.kio.kasten.io/v1alpha1 4 | metadata: 5 | name: k10-disaster-recovery-policy 6 | namespace: kasten-io 7 | spec: 8 | frequency: "@hourly" 9 | retention: 10 | hourly: 4 11 | daily: 1 12 | weekly: 1 13 | monthly: 1 14 | yearly: 1 15 | selector: 16 | matchExpressions: 17 | - key: k10.kasten.io/appNamespace 18 | operator: In 19 | values: 20 | - kasten-io 21 | actions: 22 | - action: backup 23 | backupParameters: 24 | filters: {} 25 | profile: 26 | name: backblaze 27 | namespace: kasten-io 28 | -------------------------------------------------------------------------------- /cluster/apps/.kasten-io/k10/profiles/backblaze.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | kind: Profile 3 | apiVersion: config.kio.kasten.io/v1alpha1 4 | metadata: 5 | name: backblaze 6 | namespace: kasten-io 7 | spec: 8 | locationSpec: 9 | type: ObjectStore 10 | objectStore: 11 | endpoint: "https://s3.us-west-000.backblazeb2.com" 12 | name: k8s-ceph 13 | objectStoreType: S3 14 | path: k10/56d1eff5-8470-489b-8209-1a6c5656f047/migration 15 | pathType: Directory 16 | credential: 17 | secretType: AwsAccessKey 18 | secret: 19 | apiVersion: v1 20 | kind: secret 21 | name: k10secret-backblaze 22 | namespace: kasten-io 23 | type: Location 24 | -------------------------------------------------------------------------------- /cluster/apps/.kasten-io/k10/prometheus-rule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | labels: 6 | prometheus: k8s 7 | role: alert-rules 8 | name: kasten-io 9 | namespace: kasten-io 10 | spec: 
11 |   groups:
12 |     - name: kasten.rules
13 |       rules:
14 |         - alert: JobsFailing
15 |           annotations:
16 |             description: Jobs failure
17 |             summary: |-
18 |               "{{ $labels.app }} jobs amount of errors for the last 10 mins {{ $value }} for {{ $labels.policy }} policy"
19 |           expr: increase(catalog_actions_count{status="failed"}[10m]) > 0
20 |           for: 1m
21 |           labels:
22 |             severity: critical
23 |
-------------------------------------------------------------------------------- /terraform/authentik/applications.tf: --------------------------------------------------------------------------------
1 | resource "authentik_application" "app" {
2 |   for_each           = local.app
3 |   name               = try(each.value.name, "${each.key}")
4 |   slug               = try(each.value.slug, "${each.key}")
5 |   meta_description   = try(each.value.meta_description, "${each.key}")
6 |   meta_icon          = try(each.value.meta_icon, "")
7 |   meta_launch_url    = try(each.value.meta_launch_url, "https://${each.key}.${local.domain}")
8 |   meta_publisher     = try(each.value.meta_publisher, "${each.key}.${local.domain}")
  # NOTE(review): "any" grants access when any single bound policy passes (flows.tf
  # defaults to "all"). An application that stacks several policies, e.g. group
  # membership AND an MFA requirement, needs "all" for every one to be enforced.
9 |   policy_engine_mode = try(each.value.policy_engine_mode, "any")
10 |   protocol_provider  = try(each.value.protocol_provider, 0)
11 | }
-------------------------------------------------------------------------------- /cluster/apps/kube-system/metrics-server/helm-release.yaml: --------------------------------------------------------------------------------
1 | ---
2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1
3 | kind: HelmRelease
4 | metadata:
5 |   name: metrics-server
6 |   namespace: kube-system
7 | spec:
8 |   interval: 5m
9 |   chart:
10 |     spec:
11 |       # renovate: registryUrl=https://charts.bitnami.com/bitnami
12 |       chart: metrics-server
13 |       version: 5.11.9
14 |       sourceRef:
15 |         kind: HelmRepository
16 |         name: bitnami-charts
17 |         namespace: flux-system
18 |   values:
19 |     apiService:
20 |       create: true
21 |     extraArgs:
      # NOTE(review): this disables verification of each kubelet's serving certificate, so
      # the metrics scrape path accepts any endpoint answering on the node address. If the
      # distribution issues kubelet serving certs from a known CA (k3s does), trusting that
      # CA via `kubelet-certificate-authority` lets this flag be dropped — confirm against
      # the node's kubelet cert before changing.
22 |       kubelet-insecure-tls: true
23 |       kubelet-preferred-address-types: InternalIP,ExternalIP,Hostname
24 |
-------------------------------------------------------------------------------- /cluster/base/flux-system/charts/helm/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - authentik-charts.yaml 5 | - bitnami-charts.yaml 6 | - bootc-charts.yaml 7 | - cetic-charts.yaml 8 | - coredns-charts.yaml 9 | - deliveryhero-charts.yaml 10 | - falco-security-charts.yaml 11 | - grafana-charts.yaml 12 | - hajimari-charts.yaml 13 | - jetstack-charts.yaml 14 | - k8s-at-home-charts.yaml 15 | - kasten-charts.yaml 16 | - kubernetes-sigs-descheduler-charts.yaml 17 | - lwolf-charts.yaml 18 | - prometheus-community-charts.yaml 19 | - rook-ceph-charts.yaml 20 | - stakater-charts.yaml 21 | - traefik-charts.yaml 22 | - node-feature-discovery-charts.yaml 23 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/reloader/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: reloader 6 | namespace: kube-system 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://stakater.github.io/stakater-charts 12 | chart: reloader 13 | version: v0.0.110 14 | sourceRef: 15 | kind: HelmRepository 16 | name: stakater-charts 17 | namespace: flux-system 18 | interval: 5m 19 | values: 20 | nameOverride: reloader 21 | fullnameOverride: reloader 22 | reloader: 23 | podMonitor: 24 | enabled: true 25 | namespace: kube-system 26 | -------------------------------------------------------------------------------- /cluster/apps/networking/traefik/dashboard/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | name: dashboard 6 | 
namespace: networking 7 | annotations: 8 | traefik.ingress.kubernetes.io/router.entrypoints: "websecure" 9 | traefik.ingress.kubernetes.io/router.middlewares: "networking-authentik@kubernetescrd" 10 | spec: 11 | tls: 12 | - secretName: "${SECRET_DOMAIN/./-}-tls" 13 | rules: 14 | - host: traefik.${SECRET_DOMAIN} 15 | http: 16 | paths: 17 | - path: / 18 | pathType: Prefix 19 | backend: 20 | service: 21 | name: traefik 22 | port: 23 | number: 9000 24 | -------------------------------------------------------------------------------- /cluster/apps/media/_pvc/nfs-media-nas.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolume 4 | metadata: 5 | name: nfs-media-nas-pv 6 | spec: 7 | storageClassName: media-nas 8 | capacity: 9 | storage: 1Mi 10 | accessModes: 11 | - ReadWriteMany 12 | persistentVolumeReclaimPolicy: Retain 13 | nfs: 14 | server: 172.18.0.15 15 | path: /media 16 | mountOptions: 17 | - tcp 18 | - intr 19 | - hard 20 | - noatime 21 | - nodiratime 22 | --- 23 | apiVersion: v1 24 | kind: PersistentVolumeClaim 25 | metadata: 26 | name: nfs-media-nas-pvc 27 | namespace: media 28 | spec: 29 | accessModes: 30 | - ReadWriteMany 31 | storageClassName: media-nas 32 | resources: 33 | requests: 34 | storage: 1Mi 35 | -------------------------------------------------------------------------------- /cluster/apps/system-upgrade/system-upgrade-controller/server-plan.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: upgrade.cattle.io/v1 3 | kind: Plan 4 | metadata: 5 | name: k3s-server 6 | namespace: system-upgrade 7 | spec: 8 | serviceAccountName: system-upgrade 9 | concurrency: 1 10 | channel: https://update.k3s.io/v1-release/channels/v1.21 11 | cordon: true 12 | nodeSelector: 13 | matchExpressions: 14 | - key: node-role.kubernetes.io/master 15 | operator: In 16 | values: 17 | - "true" 18 | - key: k3s-upgrade 19 | operator: In 20 
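# (continued) server-plan.yaml — remainder of spec.nodeSelector, tolerations and the upgrade container
        values:
          - "true"
  tolerations:
    - key: "node-role.kubernetes.io/master"
      operator: "Exists"
  upgrade:
    # NOTE(review): untagged image resolves to :latest — pin a tag or digest so the upgrade tooling itself is reproducible
    image: rancher/k3s-upgrade

--------------------------------------------------------------------------------
/cluster/core/rook-ceph/snapshot-controller/statefulset.yaml:
--------------------------------------------------------------------------------
---
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: snapshot-controller
  namespace: rook-ceph
spec:
  serviceName: "snapshot-controller"
  replicas: 1
  selector:
    matchLabels:
      app: snapshot-controller
  template:
    metadata:
      labels:
        app: snapshot-controller
    spec:
      # Was `serviceAccount`, the deprecated PodSpec alias; `serviceAccountName` is the supported field with the same meaning
      serviceAccountName: snapshot-controller
      containers:
        - name: snapshot-controller
          # NOTE(review): k8s.gcr.io is frozen and only redirects; new tags are published to registry.k8s.io — confirm before bumping
          image: k8s.gcr.io/sig-storage/snapshot-controller:v5.0.1
          args:
            # Verbose (level 5) logging
            - "--v=5"
            # Single replica, so leader election is unnecessary
            - "--leader-election=false"
          imagePullPolicy: IfNotPresent
--------------------------------------------------------------------------------
/cluster/apps/kube-system/node-problem-detector/helm-release.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: node-problem-detector
  namespace: kube-system
spec:
  interval: 5m
  chart:
    spec:
      # renovate: registryUrl=https://charts.deliveryhero.io/
      chart: node-problem-detector
      version: 2.2.1
      sourceRef:
        kind: HelmRepository
        name: deliveryhero-charts
        namespace: flux-system
      interval: 5m
  values:
    image:
      # Same frozen registry as the snapshot-controller image above — see the note there
      repository: k8s.gcr.io/node-problem-detector/node-problem-detector
      tag: v0.8.10
    metrics:
      serviceMonitor:
        enabled: true
--------------------------------------------------------------------------------
/ansible/roles/k3s/tasks/main.yml: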
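--------------------------------------------------------------------------------
---

# Task entry point for the k3s role. The bare `include` action is deprecated (scheduled for removal
# in ansible-core 2.16); `import_tasks` is the static equivalent, and `tags`/`when` set here are
# applied to every imported task exactly as they were before.
- ansible.builtin.import_tasks: packages.yml
  tags:
    - packages

# Only when a pull-through mirror or at least one private registry is configured
- ansible.builtin.import_tasks: registry.yml
  when: mirror_registry is defined
    or (private_registries is defined
    and private_registries|length > 0)
  tags:
    - registry

# Control-plane nodes only, and only when Calico is enabled
- ansible.builtin.import_tasks: calico.yml
  when:
    - k3s_control_node is defined
    - k3s_control_node
    - calico.enabled is defined
    - calico.enabled
  tags:
    - calico

# Control-plane nodes running the embedded etcd datastore
- ansible.builtin.import_tasks: secrets.yml
  when:
    - k3s_control_node is defined
    - k3s_control_node
    - k3s_etcd_datastore is defined
    - k3s_etcd_datastore
  tags:
    - secrets

- ansible.builtin.import_tasks: kubeconfig.yml
  tags:
    - kubeconfig
--------------------------------------------------------------------------------
/ansible/roles/ubuntu/tasks/main.yml:
--------------------------------------------------------------------------------
---

# Base OS preparation for Ubuntu hosts. Deprecated `include` replaced by `import_tasks` (static
# import; the per-include `tags`/`when` keep applying to the imported tasks).
- ansible.builtin.import_tasks: host.yml
  tags:
    - host

- ansible.builtin.import_tasks: locale.yml
  tags:
    - locale

- ansible.builtin.import_tasks: packages.yml
  tags:
    - packages

- ansible.builtin.import_tasks: power-button.yml
  tags:
    - power-button

- ansible.builtin.import_tasks: kernel.yml
  tags:
    - kernel

- ansible.builtin.import_tasks: network.yml
  tags:
    - network

- ansible.builtin.import_tasks: filesystem.yml
  tags:
    - filesystem

- ansible.builtin.import_tasks: unattended-upgrades.yml
  tags:
    - unattended-upgrades

- ansible.builtin.import_tasks: user.yml
  tags:
    - user

# Optional: remote syslog shipping, gated on rsyslog.enabled
- ansible.builtin.import_tasks: rsyslog.yml
  when:
    - rsyslog.enabled is defined
    - rsyslog.enabled
  tags:
    - rsyslog
--------------------------------------------------------------------------------
/cluster/base/flux-system/gotk-sync.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 1m0s
  ref:
    # Tracks the branch head, not a tag or commit: anyone who can push to main changes the cluster
    branch: main
  # url: ssh://git@github.com:dvmrry/k3s-gitops
  # Anonymous HTTPS clone, no secretRef — so anything sensitive in the repo is expected to be SOPS-encrypted (see decryption below)
  url: https://github.com/dvmrry/k3s-gitops
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 10m0s
  path: ./cluster/base
  # prune: objects that disappear from git are deleted from the cluster
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  validation: client
  # SOPS decryption with the private key held in the sops-gpg Secret in flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
--------------------------------------------------------------------------------
/ansible/roles/k3s/templates/calico-install.yaml.j2:
--------------------------------------------------------------------------------
#jinja2:lstrip_blocks: True
---
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  calicoNetwork:
    # Note: The ipPools section cannot be modified post-install.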
# (continued) calico-install.yaml.j2 — spec.calicoNetwork continues
    ipPools:
      - blockSize: 26
        # Pod CIDR is taken from the k3s server config so Calico and k3s agree
        cidr: "{{ k3s_server["cluster-cidr"] }}"
        {% if calico.bgp.enabled is defined and calico.bgp.enabled %}
        # With BGP peering enabled no overlay is used
        encapsulation: None
        {% else %}
        # Without BGP, VXLAN is used between nodes on different subnets
        encapsulation: VXLANCrossSubnet
        {% endif %}
        natOutgoing: Enabled
        nodeSelector: all()
    nodeAddressAutodetectionV4:
      cidrs:
        {% for cidr in calico.node.cidrs %}
        - {{ cidr }}
        {% endfor %}
--------------------------------------------------------------------------------
/cluster/apps/system-upgrade/system-upgrade-controller/agent-plan.yaml:
--------------------------------------------------------------------------------
---
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: k3s-agent
  namespace: system-upgrade
  labels:
    k3s-upgrade: agent
spec:
  serviceAccountName: system-upgrade
  concurrency: 1
  channel: https://update.k3s.io/v1-release/channels/v1.21
  # Worker nodes only: anything without the master role that opted in with k3s-upgrade=true.
  # No `cordon`/`drain` here, so workloads stay scheduled while the agent is upgraded.
  nodeSelector:
    matchExpressions:
      - key: node-role.kubernetes.io/master
        operator: NotIn
        values:
          - "true"
      - key: k3s-upgrade
        operator: In
        values:
          - "true"
  # Ordering: `prepare k3s-server` presumably waits for the server plan to finish before agents move — confirm against the SUC docs
  prepare:
    image: rancher/k3s-upgrade
    args:
      - "prepare"
      - "k3s-server"
  upgrade:
    # NOTE(review): untagged image resolves to :latest — pin a tag or digest for reproducible upgrades
    image: rancher/k3s-upgrade

--------------------------------------------------------------------------------
/ansible/roles/k3s/tasks/packages.yml:
--------------------------------------------------------------------------------
---

- name: Upgrade all system packages
  ansible.builtin.apt:
    upgrade: full
    update_cache: true
    cache_valid_time: 3600
    autoclean: true
    autoremove: true
  register: apt_upgrade
  # Retry to ride out transient mirror or dpkg-lock errors
  retries: 5
  until: apt_upgrade is success

- name: Install common packages
  ansible.builtin.apt:
    name: "{{ packages.apt }}"
    install_recommends: false
    update_cache: true
    cache_valid_time: 3600
    autoclean: true
    autoremove: true
# (continued) ansible/roles/k3s/tasks/packages.yml — rest of the "Install common packages" task
  register: apt_install_common
  retries: 5
  until: apt_install_common is success
  # Skipped entirely when the role has no package list
  when:
    - packages.apt is defined
    - packages.apt is iterable
    - packages.apt | length > 0

--------------------------------------------------------------------------------
/ansible/roles/pve/tasks/packages.yml:
--------------------------------------------------------------------------------
---

# NOTE(review): byte-identical to roles/pve7/tasks/packages.yml and roles/k3s/tasks/packages.yml — a shared task file would keep the three from drifting
- name: Upgrade all system packages
  ansible.builtin.apt:
    upgrade: full
    update_cache: true
    cache_valid_time: 3600
    autoclean: true
    autoremove: true
  register: apt_upgrade
  retries: 5
  until: apt_upgrade is success

- name: Install common packages
  ansible.builtin.apt:
    name: "{{ packages.apt }}"
    install_recommends: false
    update_cache: true
    cache_valid_time: 3600
    autoclean: true
    autoremove: true
  register: apt_install_common
  retries: 5
  until: apt_install_common is success
  when:
    - packages.apt is defined
    - packages.apt is iterable
    - packages.apt | length > 0

--------------------------------------------------------------------------------
/ansible/roles/pve7/tasks/packages.yml:
--------------------------------------------------------------------------------
---

# Same content as roles/pve/tasks/packages.yml (see the note there)
- name: Upgrade all system packages
  ansible.builtin.apt:
    upgrade: full
    update_cache: true
    cache_valid_time: 3600
    autoclean: true
    autoremove: true
  register: apt_upgrade
  retries: 5
  until: apt_upgrade is success

- name: Install common packages
  ansible.builtin.apt:
    name: "{{ packages.apt }}"
    install_recommends: false
    update_cache: true
    cache_valid_time: 3600
    autoclean: true
    autoremove: true
  register: apt_install_common
  retries: 5
  until: apt_install_common is success
  when:
    - packages.apt is defined
    - packages.apt is iterable
    - packages.apt | length > 0
# (end of /ansible/roles/pve7/tasks/packages.yml)

--------------------------------------------------------------------------------
/.github/workflows/lint-shell.yaml:
--------------------------------------------------------------------------------
---
name: Lint Shell scripts on Pull Requests

on: # yamllint disable-line rule:truthy
  pull_request:
    paths:
      - "**.sh"

jobs:
  shellcheck:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        # NOTE(review): all actions here are pinned to mutable tags (@v3/@v2/@v1); pinning to a commit SHA keeps the workflow's supply chain reproducible
        uses: actions/checkout@v3
      - name: Get changes
        uses: dorny/paths-filter@v2
        id: filter
        with:
          list-files: shell
          filters: |
            shell:
              - added|modified: "**.sh"
      - name: Lint files
        if: ${{ steps.filter.outputs.shell == 'true' }}
        uses: reviewdog/action-shellcheck@v1
        with:
          # The changed-file list is handed over as extra shellcheck flags so only touched scripts are checked
          shellcheck_flags: "${{ steps.filter.outputs.shell_files }}"
--------------------------------------------------------------------------------
/cluster/apps/networking/traefik/middlewares/redirect-path.yaml:
--------------------------------------------------------------------------------
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-regex
  namespace: networking
spec:
  # 301 a bare single-segment path to its trailing-slash form (e.g. /app -> /app/)
  # NOTE(review): if this file goes through Flux variable substitution, confirm `${1}` survives untouched
  redirectRegex:
    regex: "^(https?://[^/]+/[a-z0-9_]+)$"
    replacement: "${1}/"
    permanent: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: strip-prefix-regex
  namespace: networking
spec:
  # Removes the first path segment before forwarding to the backend
  stripPrefixRegex:
    regex:
      - "/[a-z0-9_]+"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-path
  namespace: networking
spec:
  # Convenience chain: redirect first, then strip
  chain:
    middlewares:
      - name: redirect-regex
      - name: strip-prefix-regex
--------------------------------------------------------------------------------
/ansible/roles/k3s/tasks/kubeconfig.yml:
--------------------------------------------------------------------------------
---
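# (continued) ansible/roles/k3s/tasks/kubeconfig.yml — pulls the admin kubeconfig off a control-plane node

# Fetches the k3s admin kubeconfig from one control node into /tmp on the controller.
# NOTE(review): /tmp is shared and world-readable by default; a private staging directory would be safer.
- name: kubeconfig | copy config file to /tmp
  run_once: true
  ansible.builtin.fetch:
    src: "/etc/rancher/k3s/k3s.yaml"
    dest: "/tmp/kubeconfig"
    flat: true
  when:
    - k3s_control_node is defined
    - k3s_control_node

# Rewrites the on-node API endpoint to the registration FQDN so the file works off-node.
# The dots are now escaped: the previous pattern was a regex with bare dots, which also matched
# any other character in those positions.
- name: kubeconfig | update kubeconfig with the right FQDN
  delegate_to: localhost
  become: false
  run_once: true
  ansible.builtin.replace:
    path: "/tmp/kubeconfig"
    regexp: 'https://127\.0\.0\.1:6443'
    replace: 'https://{{ k3s_registration_fqdn }}:6443'

# Installs the kubeconfig for the operator. `mode: "0600"` is new — the file carries cluster-admin
# credentials and copy would otherwise leave the permissions to the umask / existing file.
# NOTE(review): destination is a fixed, user-specific path — TODO parameterize.
- name: kubeconfig | copy /tmp file to ~/.kube
  delegate_to: localhost
  become: false
  ansible.builtin.copy:
    src: /tmp/kubeconfig
    dest: /Users/dvmrry/.kube/config
    mode: "0600"
--------------------------------------------------------------------------------
/ansible/roles/ubuntu/tasks/network.yml:
--------------------------------------------------------------------------------
---

# The bridge sysctl typically only exists once br_netfilter is loaded; its presence gates both tasks below
- name: network | check for bridge-nf-call-iptables
  ansible.builtin.stat:
    path: /proc/sys/net/bridge/bridge-nf-call-iptables
  register: bridge_nf_call_iptables_result

# NOTE(review): ip_forward is written in the same block, so it is skipped too when the bridge
# sysctl is absent — existing behaviour, kept as is.
- name: network | sysctl | set config
  ansible.builtin.blockinfile:
    path: /etc/sysctl.d/99-kubernetes-cri.conf
    # Quoted so YAML cannot read the octal mode as an integer (ansible-lint risky-octal)
    mode: "0644"
    create: true
    block: |
      net.ipv4.ip_forward = 1
      net.bridge.bridge-nf-call-iptables = 1
  when:
    - bridge_nf_call_iptables_result.stat.exists
  register: sysctl_network

# Apply the file only when it actually changed; `command` is enough here, no shell features are used
- name: network | sysctl | reload
  ansible.builtin.command: sysctl -p /etc/sysctl.d/99-kubernetes-cri.conf
  when:
    - sysctl_network.changed
    - bridge_nf_call_iptables_result.stat.exists

--------------------------------------------------------------------------------
/ansible/roles/i915/tasks/packages.yml:
--------------------------------------------------------------------------------
---

- name: Upgrade all system packages
  ansible.builtin.apt:
    upgrade: full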
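# (continued) ansible/roles/i915/tasks/packages.yml — rest of the apt tasks, then a reboot
    update_cache: true
    cache_valid_time: 3600
    autoclean: true
    autoremove: true
  register: apt_upgrade
  retries: 5
  until: apt_upgrade is success

- name: Install common packages
  ansible.builtin.apt:
    name: "{{ packages.apt }}"
    install_recommends: false
    update_cache: true
    cache_valid_time: 3600
    autoclean: true
    autoremove: true
  register: apt_install_common
  retries: 5
  until: apt_install_common is success
  when:
    - packages.apt is defined
    - packages.apt is iterable
    - packages.apt | length > 0

# NOTE(review): unconditional — every run of this role reboots the host, even when apt changed nothing;
# gating on `apt_upgrade is changed or apt_install_common is changed` would make the role idempotent
- name: Reboot
  ansible.builtin.reboot:
--------------------------------------------------------------------------------
/ansible/roles/pve/tasks/grub.yml:
--------------------------------------------------------------------------------
---

# Appends a kernel argument (`item`, supplied by the caller — presumably a loop on the include; confirm)
# to GRUB_CMDLINE_LINUX_DEFAULT when it is not already present, then regenerates the grub config.

- name: Check for existence of grub
  ansible.builtin.stat:
    path: /etc/default/grub
  register: grub_result

# grep exit codes: 0 found, 1 missing (-> changed, so the arg gets added), 2 error (-> failed).
# `command` with argv replaces `shell`: `item` is passed as one literal argument and is never
# interpreted by a shell. Also gated on the stat above, which was registered but never used.
- name: Check if Grub Arg is missing
  become: true
  ansible.builtin.command:
    argv:
      - grep
      - --
      - "{{ item }}"
      - /etc/default/grub
  register: lineinfile_check
  failed_when: "lineinfile_check.rc == 2"
  changed_when: "lineinfile_check.rc == 1"
  ignore_errors: yes
  when: grub_result.stat.exists

# Backreference rewrite: re-emits the existing quoted value with the new arg appended before the closing quote
- name: Add Grub Arg
  become: true
  ansible.builtin.lineinfile:
    backrefs: yes
    path: /etc/default/grub
    regexp: "^(GRUB_CMDLINE_LINUX_DEFAULT=\".*)\"$"
    line: "\\1 {{ item }} \""
  when:
    - grub_result.stat.exists
    - lineinfile_check.changed
  register: grub_arg_added

# Was unconditional (always reported changed); now runs only after a new argument was written
- name: Update grub
  become: true
  ansible.builtin.command:
    cmd: update-grub
  when: grub_arg_added is changed

--------------------------------------------------------------------------------
/ansible/roles/pve7/tasks/grub.yml:
--------------------------------------------------------------------------------
---

- name: Check for existence of grub
  ansible.builtin.stat:
    path: /etc/default/grub
  register: grub_result

- name: Check if Grub Arg is missing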
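# (continued) ansible/roles/pve7/tasks/grub.yml — body of "Check if Grub Arg is missing" and the following tasks
  become: true
  # `command` with argv replaces `shell`: `item` is passed as one literal argument and never reaches a shell.
  # grep exit codes: 0 found, 1 missing (-> changed, so the arg gets added), 2 error (-> failed).
  # Gated on grub_result, which the stat task registers but the file never used.
  ansible.builtin.command:
    argv:
      - grep
      - --
      - "{{ item }}"
      - /etc/default/grub
  register: lineinfile_check
  failed_when: "lineinfile_check.rc == 2"
  changed_when: "lineinfile_check.rc == 1"
  ignore_errors: yes
  when: grub_result.stat.exists

# Backreference rewrite: re-emits the existing quoted value with the new arg appended before the closing quote
- name: Add Grub Arg
  become: true
  ansible.builtin.lineinfile:
    backrefs: yes
    path: /etc/default/grub
    regexp: "^(GRUB_CMDLINE_LINUX_DEFAULT=\".*)\"$"
    line: "\\1 {{ item }} \""
  when:
    - grub_result.stat.exists
    - lineinfile_check.changed
  register: grub_arg_added

# Was unconditional (always reported changed); now runs only after a new argument was written
- name: Update grub
  become: true
  ansible.builtin.command:
    cmd: update-grub
  when: grub_arg_added is changed

--------------------------------------------------------------------------------
/cluster/apps/kube-system/kube-cleanup-operator/helm-release.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: kube-cleanup-operator
  namespace: kube-system
spec:
  interval: 5m
  chart:
    spec:
      # renovate: registryUrl=https://charts.lwolf.org
      chart: kube-cleanup-operator
      version: 1.0.4
      sourceRef:
        kind: HelmRepository
        name: lwolf-charts
        namespace: flux-system
      interval: 5m
  values:
    rbac:
      create: true
      # global: presumably a ClusterRole, so the operator can delete pods/jobs in every namespace, not just kube-system
      global: true
    args:
      # Failed jobs are removed after an hour; the 0 values switch the other rules off (per the operator's conventions — confirm)
      - --delete-failed-after=60m
      - --delete-successful-after=0
      - --delete-pending-pods-after=0
      - --delete-evicted-pods-after=0
      - --delete-orphaned-pods-after=0
      - --legacy-mode=false
--------------------------------------------------------------------------------
/.taskfiles/format.yml:
--------------------------------------------------------------------------------
---
version: "3"

tasks:
  all:
    - task: markdown
    - task: yaml
  markdown:
    desc: Format Markdown
    # --list-different exits non-zero when anything was reformatted; ignore_error keeps the task green in that case
    cmds:
      - >-
        prettier
        --ignore-path '.github/lint/.prettierignore'
        --config '.github/lint/.prettierrc.yaml'
        --list-different
        --ignore-unknown
        --parser=markdown
        --write '*.md' '**/*.md'
    ignore_error: true
  yaml:
    desc: Format YAML
    cmds:
      - >-
        prettier
        --ignore-path '.github/lint/.prettierignore'
        --config
        '.github/lint/.prettierrc.yaml'
        --list-different
        --ignore-unknown
        --parser=yaml
        --write '*.y*ml'
        '**/*.y*ml'
    ignore_error: true
--------------------------------------------------------------------------------
/cluster/core/cert-manager/helm-release.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  interval: 5m
  chart:
    spec:
      # renovate: registryUrl=https://charts.jetstack.io/
      chart: cert-manager
      version: v1.7.1
      sourceRef:
        kind: HelmRepository
        name: jetstack-charts
        namespace: flux-system
  values:
    # CRDs are managed outside the chart (presumably under cluster/crds), so the chart must not install them
    installCRDs: false
    webhook:
      enabled: true
    extraArgs:
      # DNS-01 self-checks go straight to 1.1.1.1, never to the cluster resolver, so split-horizon records cannot fool them
      - --dns01-recursive-nameservers=1.1.1.1:53
      - --dns01-recursive-nameservers-only
    cainjector:
      replicaCount: 1
    # Controller pods bypass CoreDNS for the same reason
    podDnsPolicy: "None"
    podDnsConfig:
      nameservers:
        - "1.1.1.1"
        - "8.8.8.8"
--------------------------------------------------------------------------------
/ansible/playbooks/k3s/deprecated/master-init.yaml:
--------------------------------------------------------------------------------
---
# localhost
# Deprecated bootstrap: runs k3sup from the operator's machine. NOTE(review): it SSHes to the node
# as root and moves the kubeconfig into ~/.kube/config without setting a mode.
- name: Initalize remaining nodes
  hosts: localhost
  vars:
    sshUser: root
    clusterFqdn: cl.k3s.mrry.io
    clusterIp: 172.25.0.1
    clusterCidr: 172.26.0.0/16
    clusterDns: 172.26.0.10
    serviceCidr: 172.27.0.0/16
    clusterDomain: k3s.mrry.io

  tasks:
    # servicelb/traefik disabled (kube-vip and the Flux-managed traefik take over); masters tainted NoSchedule
    - name: install k3s on m1
      shell: k3sup install --host m1 --user {{ sshUser }} --k3s-channel latest --cluster --tls-san {{ clusterFqdn }} --k3s-extra-args="--disable servicelb --disable traefik --node-taint node-role.kubernetes.io/master=true:NoSchedule --cluster-cidr {{ clusterCidr }} --service-cidr {{ serviceCidr }} --cluster-dns {{ clusterDns }} --cluster-domain {{ clusterDomain }}"

    - name: move kubeconfig
      shell: mv kubeconfig ~/.kube/config
--------------------------------------------------------------------------------
/cluster/apps/utils/onedrive/helm-release.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: onedrive
  namespace: utils
spec:
  interval: 5m
  chart:
    spec:
      # renovate: registryUrl=https://k8s-at-home.com/charts/
      chart: onedrive
      version: 2.2.0
      sourceRef:
        kind: HelmRepository
        name: k8s-at-home-charts
        namespace: flux-system
      interval: 5m
  values:
    env:
      TZ: "America/New_York"
      ONEDRIVE_DOWNLOADONLY: 1
      # Filled in by Flux substitution (source outside this excerpt) and presumably exposed to the container as a plain env var
      ONEDRIVE_AUTHRESPONSE: "${SECRET_ONEDRIVE_AUTHRESPONSE}"
    persistence:
      config:
        enabled: true
        existingClaim: onedrive-config
    resources:
      requests:
        cpu: 100m
        memory: 128M
--------------------------------------------------------------------------------
/.github/workflows/support.yaml:
--------------------------------------------------------------------------------
---
name: "Support requests"

on:
  issues:
    types:
      - labeled
      - unlabeled
      - reopened

jobs:
  support:
    runs-on: ubuntu-20.04
    steps:
      # Closes and replies to issues carrying the "support" label, using the workflow's own GITHUB_TOKEN
      - uses: dessant/support-requests@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          support-label: "support"
          issue-comment: >
            :wave: @{issue-author}, we use the issue tracker exclusively
            for bug reports and feature requests. However, this issue appears
            to be a support request. Please use our support channels
            to get help with.
            - [Discord](https://discord.gg/sTMX7Vh)
          close-issue: true
          lock-issue: false
          issue-lock-reason: "off-topic"
--------------------------------------------------------------------------------
/cluster/base/cluster-settings.yaml:
--------------------------------------------------------------------------------
---
# Non-secret substitution variables for the Flux Kustomizations (the ${VAR} references across the manifests)
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-settings
  namespace: flux-system
data:
  GATEWAY_ADDR: "172.24.0.254"
  BGP_CLUSTER_AS: "64512"
  BGP_PEER_ADDR: "172.18.0.254"
  BGP_PEER_AS: "65100"
  BGP_ROUTER_IFACE: "eth0"
  KUBE_VIP_ADDR: "172.25.0.1"
  NETWORK_K3S_CLUSTER_CIDR: "172.26.0.0/16"
  NETWORK_K3S_SERVICE_CIDR: "172.27.0.0/16"
  # Presumably fixed LoadBalancer addresses for the named services, all in 172.25.0.0
  SVC_TRAEFIK_ADDR: "172.25.0.5"
  SVC_COREDNS_ADDR: "172.25.0.10"
  SVC_BLOCKY_ADDR: "172.25.0.15"
  SVC_PLEX_ADDR: "172.25.0.20"
  SVC_TAUTULLI_ADDR: "172.25.0.21"
  SVC_QBITTORRENT_ADDR: "172.25.0.30"
  SVC_RADARR_ADDR: "172.25.0.32"
  SVC_SONARR_ADDR: "172.25.0.33"
  SVC_REQUESTER_ADDR: "172.25.0.34"
  SVC_UNIFI_ADDR: "172.25.0.40"
  SVC_ZABBIX_ADDR: "172.25.0.50"
--------------------------------------------------------------------------------
/.github/workflows/lint.yaml:
--------------------------------------------------------------------------------
---
name: Lint YAML files on Pull Requests

on: # yamllint disable-line rule:truthy
  pull_request:
    paths:
      - "**.yaml"
      - "**.yml"

jobs:
  yamllint:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        # NOTE(review): actions pinned to mutable tags; a commit SHA pin keeps the supply chain reproducible
        uses: actions/checkout@v3
      - name: Get changes
        uses: dorny/paths-filter@v2
        id: filter
        with:
          list-files: shell
          filters: |
            yaml:
              - added|modified: "**.yaml"
              - added|modified: "**.yml"
      - name: Lint files
        if: ${{ steps.filter.outputs.yaml == 'true' }}
        uses: reviewdog/action-yamllint@v1
        with:
          # Repo config plus the list of changed files
          yamllint_flags: "-c .github/lint/.yamllint.yaml ${{ steps.filter.outputs.yaml_files }}"
--------------------------------------------------------------------------------
/cluster/crds/external-dns/crds.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
  name: external-dns-source
  namespace: flux-system
spec:
  interval: 30m
  url: https://github.com/kubernetes-sigs/external-dns.git
  ref:
    # Pinned to a release tag, so the CRD only moves when this file is edited
    tag: v0.8.0
  # Sparse checkout: everything except the single CRD manifest is ignored
  ignore: |
    # exclude all
    /*
    # include deploy crds dir
    !/docs/contributing/crd-source/crd-manifest.yaml
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: external-dns-crds
  namespace: flux-system
spec:
  interval: 15m
  # prune: false — a source hiccup must never delete the CRD (and every DNSEndpoint with it)
  prune: false
  sourceRef:
    kind: GitRepository
    name: external-dns-source
  healthChecks:
    # NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22; switch to apiextensions.k8s.io/v1 before leaving the v1.21 channel
    - apiVersion: apiextensions.k8s.io/v1beta1
      kind: CustomResourceDefinition
      name: dnsendpoints.externaldns.k8s.io
--------------------------------------------------------------------------------
/cluster/core/rook-ceph/dashboard/ingress.yaml:
--------------------------------------------------------------------------------
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rook-ceph-mgr-dashboard
  namespace: rook-ceph
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
    # NOTE(review): published via external-dns with no forward-auth middleware on the router
    # (the traefik dashboard ingress chains networking-authentik@kubernetescrd); presumably only
    # the Ceph dashboard's own login stands in front of the storage admin UI — confirm that is intended.
    external-dns/is-public: "true"
    external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}"
  labels:
    app.kubernetes.io/instance: rook-ceph-mgr-dashboard
    app.kubernetes.io/name: rook-ceph-mgr-dashboard
spec:
  ingressClassName: "traefik"
  rules:
    - host: "rook.${SECRET_DOMAIN}"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: rook-ceph-mgr-dashboard
                port:
                  name: http-dashboard
  # No secretName: the certificate for this host comes from Traefik's default configuration
  tls:
    - hosts:
        - "rook.${SECRET_DOMAIN}"
--------------------------------------------------------------------------------
/cluster/core/rook-ceph/helm-release.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: rook-ceph
  namespace: rook-ceph
spec:
  interval: 5m
  chart:
    spec:
      # renovate: registryUrl=https://charts.rook.io/release
      chart: rook-ceph
      version: v1.9.3
      sourceRef:
        kind: HelmRepository
        name: rook-ceph-charts
        namespace: flux-system
  values:
    monitoring:
      enabled: true
    crds:
      enabled: true
    csi:
      kubeletDirPath: /var/lib/kubelet
      # Let the CSI plugin pods run on the tainted control-plane nodes as well
      pluginTolerations:
        - key: "node-role.kubernetes.io/master"
          operator: "Exists"
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 1000m
        memory: 256Mi
--------------------------------------------------------------------------------
/.github/workflows/lint-markdown.yaml:
--------------------------------------------------------------------------------
---
name: Lint Markdown files on Pull Requests

on: # yamllint disable-line rule:truthy
  pull_request:
    paths:
      - "**.md"

jobs:
  markdownlint:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Get changes
        uses: dorny/paths-filter@v2
        id: filter
        with:
          list-files: shell
          filters: |
            markdown:
              - added|modified: "**.md"
      - name: Lint files
        if: ${{ steps.filter.outputs.markdown == 'true' }}
        # Was reviewdog/action-shellcheck@v1, which does not know the markdownlint_flags input and
        # would have run shellcheck instead of markdownlint; this is the action that matches the inputs below
        uses: reviewdog/action-markdownlint@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          markdownlint_flags: "-c '.github/lint/.markdownlint.yaml' ${{ steps.filter.outputs.markdown_files }}"
--------------------------------------------------------------------------------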
/cluster/apps/monitoring/loki/helm-release.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: loki
  namespace: monitoring
spec:
  interval: 5m
  chart:
    spec:
      # renovate: registryUrl=https://grafana.github.io/helm-charts
      chart: loki-stack
      version: 2.6.4
      sourceRef:
        kind: HelmRepository
        name: grafana-charts
        namespace: flux-system
      interval: 5m
  values:
    loki:
      config:
        # Logs older than 240h (10 days) are deleted by the table manager
        table_manager:
          retention_deletes_enabled: true
          retention_period: 240h
      persistence:
        enabled: true
        storageClassName: "rook-ceph-block"
        size: 32Gi
      serviceMonitor:
        enabled: true
    promtail:
      serviceMonitor:
        enabled: true
--------------------------------------------------------------------------------
/cluster/core/rook-ceph/storage/storage-class.yaml:
--------------------------------------------------------------------------------
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rook-ceph-block
  annotations:
    # Cluster default: PVCs without a storageClassName land on Ceph RBD
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
  clusterID: rook-ceph
  pool: replicapool
  imageFormat: "2"
  imageFeatures: layering
  # Secrets (in rook-ceph) holding the Ceph credentials the provisioner, node and expand paths authenticate with
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
  csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
  csi.storage.k8s.io/fstype: ext4
# Delete: the backing RBD image is removed together with the PVC
reclaimPolicy: Delete
allowVolumeExpansion: true

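--------------------------------------------------------------------------------
/ansible/roles/ubuntu/tasks/user.yml:
--------------------------------------------------------------------------------
---

# Grants the ansible user passwordless sudo. `validate` is new: visudo checks the fragment before
# it is moved into place, so a malformed file cannot break sudo for every account on the host.
- name: user | add to sudoers
  ansible.builtin.copy:
    content: "{{ ansible_user }} ALL=(ALL:ALL) NOPASSWD:ALL"
    dest: "/etc/sudoers.d/{{ ansible_user }}_nopasswd"
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s

# Extra public keys for the ansible user; skipped when the list is missing or empty
- name: user | add additional SSH public keys
  ansible.posix.authorized_key:
    user: "{{ ansible_user }}"
    key: "{{ item }}"
  loop: "{{ ssh_authorized_keys }}"
  when:
    - ssh_authorized_keys is defined
    - ssh_authorized_keys is iterable
    - ssh_authorized_keys | length > 0

- name: user | check if hushlogin exists
  ansible.builtin.stat:
    path: "/home/{{ ansible_user }}/.hushlogin"
  register: hushlogin_result

# Previously ran `state: touch` on every play (always "changed") and the stat above went unused;
# now the marker is created once. 0644 replaces 0775, which left a zero-byte marker group-writable and executable.
- name: user | silence the login prompt
  ansible.builtin.file:
    dest: "/home/{{ ansible_user }}/.hushlogin"
    state: touch
    owner: "{{ ansible_user }}"
    mode: "0644"
  when: not hushlogin_result.stat.exists
--------------------------------------------------------------------------------
/cluster/core/rook-ceph/storage/volume-snapshot-class.yaml:
--------------------------------------------------------------------------------
---
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: csi-rbdplugin-snapclass
  annotations:
    # Marks the class Kasten K10 should use for RBD-backed volumes
    k10.kasten.io/is-snapshot-class: "true"
driver: rook-ceph.rbd.csi.ceph.com
parameters:
  clusterID: rook-ceph
  csi.storage.k8s.io/snapshotter-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/snapshotter-secret-namespace: rook-ceph
# Delete: the Ceph snapshot goes away with the VolumeSnapshot object
deletionPolicy: Delete
---
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: csi-cephfsplugin-snapclass
  annotations:
    k10.kasten.io/is-snapshot-class: "true"
driver: rook-ceph.cephfs.csi.ceph.com
parameters: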
# (continued) volume-snapshot-class.yaml — parameters of csi-cephfsplugin-snapclass
  clusterID: rook-ceph
  csi.storage.k8s.io/snapshotter-secret-name: rook-csi-cephfs-provisioner
  csi.storage.k8s.io/snapshotter-secret-namespace: rook-ceph
deletionPolicy: Delete
--------------------------------------------------------------------------------
/cluster/core/kube-system/kube-vip/rbac.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-vip
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: system:kube-vip-role
rules:
  # NOTE(review): cluster-wide read/update on services, services/status and nodes — this matches the
  # upstream kube-vip manifest (the Ansible template copy in roles/kube-vip is identical); confirm it is
  # still the minimum the deployed mode needs
  - apiGroups: [""]
    resources: ["services", "services/status", "nodes"]
    verbs: ["list", "get", "watch", "update"]
  # Leader-election lease
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["list", "get", "watch", "update", "create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system:kube-vip-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-vip-role
subjects:
  - kind: ServiceAccount
    name: kube-vip
    namespace: kube-system

--------------------------------------------------------------------------------
/ansible/playbooks/pve/nuke.yml:
--------------------------------------------------------------------------------
---

# Tears the k3s VMs down: stops everything on the three PVE hosts, then destroys the VMs by id.
# Destructive and unguarded — there is no confirmation step, and every play ignores errors.
- name: Stop all k3s VMs
  hosts:
    - pve03
    - pve04
    - pve05
  user: root
  ignore_errors: yes
  tasks:
    - name: stop all vms
      shell: pvesh create /nodes/localhost/stopall

- name: Destroy all nodes on k3s-h2
  hosts: pve04
  user: root
  ignore_errors: yes
  tasks:
    - name: destroy m1
      shell: qm destroy 300
    - name: destroy w1
      shell: qm destroy 303

# NOTE(review): same play name and the same host (pve04) as the play above, while the stop play also
# covers pve03 — looks like a copy-paste; confirm which host actually holds m2/w2 (ids 301/304)
- name: Destroy all nodes on k3s-h2
| hosts: pve04 26 | user: root 27 | ignore_errors: yes 28 | tasks: 29 | - name: destroy m2 30 | shell: qm destroy 301 31 | - name: destroy w2 32 | shell: qm destroy 304 33 | 34 | - name: Destroy all nodes on pve05 35 | hosts: pve05 36 | user: root 37 | ignore_errors: yes 38 | tasks: 39 | - name: destroy m3 40 | shell: qm destroy 302 41 | - name: destroy w3 42 | shell: qm destroy 305 43 | 44 | -------------------------------------------------------------------------------- /ansible/roles/kube-vip/templates/kube-vip-rbac.yaml.j2: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: kube-vip 6 | namespace: kube-system 7 | --- 8 | apiVersion: rbac.authorization.k8s.io/v1 9 | kind: ClusterRole 10 | metadata: 11 | annotations: 12 | rbac.authorization.kubernetes.io/autoupdate: "true" 13 | name: system:kube-vip-role 14 | rules: 15 | - apiGroups: [""] 16 | resources: ["services", "services/status", "nodes"] 17 | verbs: ["list","get","watch", "update"] 18 | - apiGroups: ["coordination.k8s.io"] 19 | resources: ["leases"] 20 | verbs: ["list", "get", "watch", "update", "create"] 21 | --- 22 | kind: ClusterRoleBinding 23 | apiVersion: rbac.authorization.k8s.io/v1 24 | metadata: 25 | name: system:kube-vip-binding 26 | roleRef: 27 | apiGroup: rbac.authorization.k8s.io 28 | kind: ClusterRole 29 | name: system:kube-vip-role 30 | subjects: 31 | - kind: ServiceAccount 32 | name: kube-vip 33 | namespace: kube-system 34 | -------------------------------------------------------------------------------- /cluster/apps/networking/traefik/middlewares/cloudflare.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.containo.us/v1alpha1 3 | kind: Middleware 4 | metadata: 5 | name: cloudflare-ips 6 | namespace: networking 7 | spec: 8 | ipWhiteList: 9 | sourceRange: 10 | - 103.21.244.0/22 11 | - 103.22.200.0/22 12 | - 
103.31.4.0/22
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 108.162.192.0/18
        - 131.0.72.0/22
        - 141.101.64.0/18
        - 162.158.0.0/15
        - 172.64.0.0/13
        - 173.245.48.0/20
        - 188.114.96.0/20
        - 190.93.240.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
      # NOTE(review): this is a hand-copied snapshot of Cloudflare's published
      # ranges (https://www.cloudflare.com/ips/). Nothing refreshes it, so a range
      # Cloudflare adds later is denied and one it retires stays allowed until this
      # file is edited; keep it in sync. No ipStrategy is set, so Traefik compares
      # the direct peer address, which is what makes "reachable only through
      # Cloudflare" enforceable. Do not add ipStrategy.depth here: as far as I know
      # the check would then trust X-Forwarded-For, which any client can set.
---
# Chain wrapper: routers reference the single "cloudflare" middleware; today it
# only contains the allowlist above.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: cloudflare
  namespace: networking
spec:
  chain:
    middlewares:
      - name: cloudflare-ips

-------------------------------------------------------------------------------- /ansible/inventory/group_vars/all/k3s.yml: --------------------------------------------------------------------------------
---

#
# Below vars are for the xanmanning.k3s role
# ...see https://github.com/PyratLabs/ansible-role-k3s#globalcluster-variables
#

# Use a specific version of k3s
# NOTE(review): "stable" is a release channel, not a pinned version, so two runs
# of the role can install different k3s builds; pin an explicit version if
# reproducible node builds matter.
k3s_release_version: "stable"

# Install using hard links rather than symbolic links.
# ...if you are using the system-upgrade-controller you will need to use hard links rather than symbolic links as the controller will not be able to follow symbolic links.
k3s_install_hard_links: true

# Escalate user privileges for all tasks. 
16 | k3s_become_for_all: true 17 | 18 | # Use experiemental features 19 | k3s_use_experimental: false 20 | 21 | # Enable debugging 22 | k3s_debug: false 23 | 24 | # Enabled embedded etcd 25 | k3s_etcd_datastore: true 26 | 27 | # Control Plane registration address [kube-vip] 28 | k3s_registration_fqdn: cl.k3s.mrry.io 29 | k3s_registration_ip: 172.25.0.1 30 | 31 | # k3s network options 32 | k3s_cluster_cidr: 172.26.0.0/16 33 | k3s_service_cidr: 172.27.0.0/16 34 | -------------------------------------------------------------------------------- /ansible/playbooks/k3s/deprecated/node-init.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # All nodes 3 | - name: Update all nodes 4 | hosts: kube 5 | remote_user: root 6 | tasks: 7 | 8 | - name: update system 9 | apt: 10 | update_cache: yes 11 | upgrade: dist 12 | 13 | - name: install curl 14 | apt: 15 | name: curl 16 | state: present 17 | 18 | - name: install git 19 | apt: 20 | name: git 21 | state: present 22 | 23 | - name: install sudo 24 | apt: 25 | name: sudo 26 | state: present 27 | 28 | - name: Add IP address of all hosts to all hosts 29 | lineinfile: 30 | dest: /etc/hosts 31 | regexp: '.*{{ item }}$' 32 | line: "{{ hostvars[item].ansible_ipv4 }} {{item}}" 33 | state: present 34 | when: hostvars[item].ansible_ipv4 is defined 35 | with_items: "{{ groups.all }}" 36 | 37 | # Workers 38 | - name: Update all nodes 39 | hosts: workers 40 | remote_user: root 41 | tasks: 42 | - name: install nfs 43 | apt: 44 | name: nfs-common 45 | 46 | 47 | -------------------------------------------------------------------------------- /ansible/roles/pve/templates/etc/postfix/main.cf.j2: -------------------------------------------------------------------------------- 1 | # See /usr/share/postfix/main.cf.dist for a commented, more complete version 2 | 3 | myhostname = hostname 4 | smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) 5 | biff = no 6 | # appending .domain is the MUA's job. 
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, localhost.$mydomain, localhost
# Only local processes may relay and Postfix listens on loopback only, so the
# host is a send-only satellite and cannot act as an open relay.
mynetworks = 127.0.0.0/8
inet_interfaces = loopback-only
recipient_delimiter = +

# Outbound relay via SendGrid on the submission port, authenticated with the
# credentials in /etc/postfix/sasl_passwd (rendered by roles/pve/tasks/postfix.yml).
relayhost = [smtp.sendgrid.net]:587
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# NOTE(review): "encrypt" forces STARTTLS but does not verify the relay's
# certificate, so the SASL credentials above go to whoever answers for
# smtp.sendgrid.net on the path. To authenticate the relay as well, use
#   smtp_tls_security_level = secure
#   smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# (Debian CA bundle path; confirm it exists on the PVE host). "secure" matches
# the certificate against the nexthop name in relayhost.
smtp_tls_security_level = encrypt
# Legacy knob: smtp_tls_security_level overrides it when set, so this line is
# redundant and can be dropped.
smtp_use_tls = yes

header_size_limit = 4096000
inet_protocols = ipv4

compatibility_level = 2
-------------------------------------------------------------------------------- /ansible/playbooks/k3s/nuke.yml: --------------------------------------------------------------------------------
---

# Tears k3s off every node: kill, uninstall server and agent, remove CNI config.
# Destructive and unconditional; any_errors_fatal stops the whole run on the
# first failing host, and the only safeguard is the 3-second pause below.
- hosts:
    - master-nodes
    - worker-nodes
  become: true
  gather_facts: true
  any_errors_fatal: true
  pre_tasks:
    - name: Pausing for 3 seconds... 
11 | ansible.builtin.pause: 12 | seconds: 3 13 | tasks: 14 | - name: Kill k3s 15 | ansible.builtin.command: 16 | cmd: /usr/local/bin/k3s-killall.sh 17 | - name: Uninstall k3s 18 | ansible.builtin.command: 19 | cmd: /usr/local/bin/k3s-uninstall.sh 20 | removes: /usr/local/bin/k3s-uninstall.sh 21 | - name: Uninstall k3s agent 22 | ansible.builtin.command: 23 | cmd: /usr/local/bin/k3s-agent-uninstall.sh 24 | removes: /usr/local/bin/k3s-agent-uninstall.sh 25 | - name: Gather list of CNI files to delete 26 | find: 27 | paths: /etc/cni/net.d 28 | patterns: "*" 29 | register: files_to_delete 30 | - name: Delete CNI files 31 | ansible.builtin.file: 32 | path: "{{ item.path }}" 33 | state: absent 34 | loop: "{{ files_to_delete.files }}" 35 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/intel-gpu-plugin/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: intel-gpu-plugin 6 | namespace: kube-system 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://k8s-at-home.com/charts/ 12 | chart: intel-gpu-plugin 13 | version: 4.3.2 14 | sourceRef: 15 | kind: HelmRepository 16 | name: k8s-at-home-charts 17 | namespace: flux-system 18 | interval: 5m 19 | values: 20 | image: 21 | repository: intel/intel-gpu-plugin 22 | tag: 0.24.0 23 | pullPolicy: IfNotPresent 24 | args: 25 | - -shared-dev-num 26 | - "1" 27 | affinity: 28 | nodeAffinity: 29 | requiredDuringSchedulingIgnoredDuringExecution: 30 | nodeSelectorTerms: 31 | - matchExpressions: 32 | - key: feature.node.kubernetes.io/custom-intel-gpu 33 | operator: In 34 | values: 35 | - "true" 36 | -------------------------------------------------------------------------------- /cluster/apps/.kasten-io/k10/policies/media.yaml: -------------------------------------------------------------------------------- 
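---
# K10 policy: daily snapshot of the PVCs in the "media" namespace (minus the
# NFS-backed one) followed by a daily export to the "backblaze" profile.
kind: Policy
apiVersion: config.kio.kasten.io/v1alpha1
metadata:
  name: media
  namespace: kasten-io
spec:
  frequency: "@daily"
  subFrequency:
    minutes:
      - 0
    hours:
      - 23
      - 11
    weekdays:
      - 0
    days:
      - 1
    months:
      - 1
  retention:
    daily: 7
    weekly: 2
    monthly: 2
    yearly: 0
  selector:
    matchExpressions:
      - key: k10.kasten.io/appNamespace
        operator: In
        values:
          - media
  actions:
    - action: backup
      backupParameters:
        filters:
          includeResources:
            - resource: persistentvolumeclaims
          excludeResources:
            - name: nfs-media-nas-pvc
              resource: persistentvolumeclaims
    - action: export
      exportParameters:
        frequency: "@daily"
        profile:
          name: backblaze
          namespace: kasten-io
        exportData:
          enabled: true
        retention: {}
-------------------------------------------------------------------------------- /ansible/inventory/group_vars/master-nodes/k3s.yml: --------------------------------------------------------------------------------
---

# https://rancher.com/docs/k3s/latest/en/installation/install-options/server-config/
# https://github.com/PyratLabs/ansible-role-k3s#server-control-plane-configuration

# Define the host as control plane nodes
k3s_control_node: true

# k3s settings for all control-plane nodes
k3s_server:
  node-ip: "{{ ansible_host }}"
  tls-san:
    - "cl.k3s.mrry.io"
    - "172.25.0.1"
  docker: false
  flannel-backend: 'none' # This needs to be in quotes
  disable:
    - flannel
    - traefik
    - servicelb
    - metrics-server
    - local-storage
  # Calico is deployed by roles/k3s/tasks/calico.yml and is expected to provide
  # NetworkPolicy enforcement in place of k3s's built-in controller.
  disable-network-policy: true
  disable-cloud-controller: true
  # /etc/rancher/k3s/k3s.yaml is a cluster-admin credential. It was written
  # "644" (world-readable), which handed cluster-admin to every local user and
  # process on the control-plane node; "600" (the k3s default) keeps it to root.
  # Fetch it with privilege escalation instead of relaxing this.
  write-kubeconfig-mode: "600"
  # Network CIDR to use for pod IPs
  cluster-cidr: "{{ k3s_cluster_cidr }}"
  # Network CIDR to use for service IPs
  service-cidr: "{{ 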
k3s_service_cidr }}" 30 | kubelet-arg: 31 | - "feature-gates=GracefulNodeShutdown=true" 32 | - "feature-gates=MixedProtocolLBService=true" 33 | kube-apiserver-arg: 34 | - "feature-gates=MixedProtocolLBService=true" 35 | -------------------------------------------------------------------------------- /terraform/masters.tf: -------------------------------------------------------------------------------- 1 | resource "proxmox_vm_qemu" "kube-master" { 2 | for_each = var.masters 3 | 4 | name = each.key 5 | target_node = each.value.target_node 6 | agent = 1 7 | clone = "${each.value.target_node}-${var.common.clone}" 8 | clone_wait = 0 9 | vmid = each.value.id 10 | memory = each.value.memory 11 | cores = each.value.cores 12 | vga { 13 | type = "qxl" 14 | } 15 | network { 16 | model = "virtio" 17 | macaddr = each.value.macaddr 18 | bridge = "vmbr1" 19 | tag = 24 20 | firewall = true 21 | } 22 | disk { 23 | type = "scsi" 24 | storage = "local-lvm" 25 | size = each.value.disk 26 | format = "raw" 27 | ssd = 1 28 | discard = "on" 29 | } 30 | serial { 31 | id = 0 32 | type = "socket" 33 | } 34 | bootdisk = "scsi0" 35 | scsihw = "virtio-scsi-pci" 36 | os_type = "cloud-init" 37 | ipconfig0 = "ip=${each.value.cidr},gw=${each.value.gw}" 38 | ciuser = "dvmrry" 39 | nameserver = var.common.nameserver 40 | sshkeys = data.sops_file.secrets.data["k8s.ssh_key"] 41 | } 42 | -------------------------------------------------------------------------------- /terraform/workers.tf: -------------------------------------------------------------------------------- 1 | resource "proxmox_vm_qemu" "kube-worker" { 2 | for_each = var.workers 3 | 4 | name = each.key 5 | target_node = each.value.target_node 6 | agent = 1 7 | clone = "${each.value.target_node}-${var.common.clone}" 8 | clone_wait = 0 9 | vmid = each.value.id 10 | memory = each.value.memory 11 | cores = each.value.cores 12 | vga { 13 | type = "qxl" 14 | } 15 | network { 16 | model = "virtio" 17 | macaddr = each.value.macaddr 18 | bridge = 
"vmbr1" 19 | tag = 24 20 | firewall = true 21 | } 22 | disk { 23 | type = "scsi" 24 | storage = "local-lvm" 25 | size = each.value.disk 26 | format = "raw" 27 | ssd = 1 28 | discard = "on" 29 | } 30 | serial { 31 | id = 0 32 | type = "socket" 33 | } 34 | bootdisk = "scsi0" 35 | scsihw = "virtio-scsi-pci" 36 | os_type = "cloud-init" 37 | ipconfig0 = "ip=${each.value.cidr},gw=${each.value.gw}" 38 | ciuser = "dvmrry" 39 | nameserver = var.common.nameserver 40 | sshkeys = data.sops_file.secrets.data["k8s.ssh_key"] 41 | } 42 | -------------------------------------------------------------------------------- /terraform/authentik/proxies.tf: -------------------------------------------------------------------------------- 1 | resource "authentik_provider_proxy" "proxy" { 2 | for_each = local.proxy 3 | authorization_flow = try(each.value.authorization_flow, data.authentik_flow.default-authorization-flow.id) 4 | external_host = try(each.value.external_host, "https://auth.${local.domain}") 5 | name = try(each.value.name, "${each.key}") 6 | basic_auth_enabled = try(each.value.basic_auth_enabled, "false") 7 | basic_auth_password_attribute = try(each.value.basic_auth_password_attribute, "") 8 | basic_auth_username_attribute = try(each.value.basic_auth_username_attribute, "") 9 | cookie_domain = try(each.value.cookie_domain, local.domain) 10 | internal_host = try(each.value.internal_host, "") 11 | internal_host_ssl_validation = try(each.value.internal_host_ssl_validation, "true") 12 | mode = try(each.value.mode, "proxy") 13 | skip_path_regex = try(each.value.skip_path_regex, "") 14 | token_validity = try(each.value.token_validity, "hours=24") 15 | } -------------------------------------------------------------------------------- /cluster/crds/external-snapshotter/crds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: GitRepository 4 | metadata: 5 | name: 
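external-snapshotter-source
  namespace: flux-system
spec:
  interval: 30m
  url: https://github.com/kubernetes-csi/external-snapshotter.git
  ref:
    # NOTE(review): a git tag can be moved after the fact; for a supply-chain
    # stable pin use ref.commit with the SHA this tag currently resolves to.
    tag: v4.1.0
  ignore: |
    # exclude all
    /*
    # include deploy crds dir
    !/client/config/crd
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: external-snapshotter-crds
  namespace: flux-system
spec:
  interval: 15m
  # prune: false means Flux never deletes these CRDs; deleting a CRD removes
  # every object of that kind with it, so leave this off.
  prune: false
  sourceRef:
    kind: GitRepository
    name: external-snapshotter-source
  healthChecks:
    - apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      name: volumesnapshotclasses.snapshot.storage.k8s.io
    - apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      name: volumesnapshotcontents.snapshot.storage.k8s.io
    - apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      name: volumesnapshots.snapshot.storage.k8s.io
-------------------------------------------------------------------------------- /ansible/roles/k3s/tasks/calico.yml: --------------------------------------------------------------------------------
---

# Everything written to k3s_server_manifests_dir is auto-applied by k3s with
# cluster-admin (secrets.yml in this role relies on the same mechanism), so a
# file dropped here is an arbitrary cluster-wide change. The operator manifest
# is fetched from a URL: pin calico.operator_manifest to a specific release and
# set calico.operator_manifest_checksum (get_url form, e.g. "sha256:<hex>") so a
# changed or tampered download is rejected instead of applied. The checksum is
# omitted when the variable is undefined, so existing inventories keep working.
- name: calico | deploy tigera operator to k3s manifest directory
  run_once: true
  ansible.builtin.get_url:
    url: "{{ calico.operator_manifest }}"
    checksum: "{{ calico.operator_manifest_checksum | default(omit) }}"
    dest: "{{ k3s_server_manifests_dir }}/tigera-operator.yaml"
    mode: 0644

- name: calico | deploy configuration to k3s manifest directory
  run_once: true
  ansible.builtin.template:
    src: "calico-install.yaml.j2"
    dest: "{{ k3s_server_manifests_dir }}/calico-installation.yaml"
    mode: 0644

# BGP peer/configuration manifests are only rendered when calico.bgp.enabled
# is defined and truthy.
- name: calico | deploy BGP-peer to k3s manifest directory
  run_once: true
  ansible.builtin.template:
    src: "calico-bgp-peer.yaml.j2"
    dest: "{{ k3s_server_manifests_dir }}/calico-bgppeer.yaml"
    mode: 0644
  when:
    - calico.bgp.enabled is defined
    - 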
calico.bgp.enabled 26 | 27 | - name: calico | deploy BGP-configuration to k3s manifest directory 28 | run_once: true 29 | ansible.builtin.template: 30 | src: "calico-bgp-config.yaml.j2" 31 | dest: "{{ k3s_server_manifests_dir }}/calico-bgpconfiguration.yaml" 32 | mode: 0644 33 | when: 34 | - calico.bgp.enabled is defined 35 | - calico.bgp.enabled 36 | -------------------------------------------------------------------------------- /cluster/apps/networking/external-dns/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: external-dns 6 | namespace: networking 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://charts.bitnami.com/bitnami 12 | chart: external-dns 13 | version: 5.6.0 14 | sourceRef: 15 | kind: HelmRepository 16 | name: bitnami-charts 17 | namespace: flux-system 18 | interval: 5m 19 | values: 20 | nameOverride: external-dns 21 | # interval: "5m" 22 | logLevel: debug 23 | sources: 24 | - ingress 25 | provider: cloudflare 26 | cloudflare: 27 | secretName: cloudflare-api-key 28 | email: "${SECRET_CLOUDFLARE_EMAIL}" 29 | proxied: true 30 | policy: sync 31 | txtPrefix: "k8s." 
32 | domainFilters: 33 | - "${SECRET_DOMAIN}" 34 | crd: 35 | create: false 36 | apiversion: externaldns.k8s.io/v1alpha1 37 | kind: DNSEndpoint 38 | annotationFilter: "external-dns/is-public in (true)" 39 | resources: 40 | requests: 41 | memory: 100Mi 42 | cpu: 25m 43 | limits: 44 | memory: 250Mi 45 | -------------------------------------------------------------------------------- /cluster/apps/kube-system/descheduler/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: descheduler 6 | namespace: kube-system 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://kubernetes-sigs.github.io/descheduler 12 | chart: descheduler 13 | version: 0.23.2 14 | sourceRef: 15 | kind: HelmRepository 16 | name: kubernetes-sigs-descheduler-charts 17 | namespace: flux-system 18 | interval: 5m 19 | values: 20 | kind: Deployment 21 | deschedulerPolicy: 22 | strategies: 23 | RemoveDuplicates: 24 | enabled: false 25 | RemovePodsViolatingNodeAffinity: 26 | enabled: true 27 | params: 28 | nodeAffinityType: 29 | - requiredDuringSchedulingIgnoredDuringExecution 30 | RemovePodsViolatingTopologySpreadConstraint: 31 | enabled: true 32 | params: 33 | includeSoftConstraints: true 34 | RemovePodsViolatingInterPodAntiAffinity: 35 | enabled: true 36 | params: 37 | nodeFit: true 38 | LowNodeUtilization: 39 | enabled: false 40 | -------------------------------------------------------------------------------- /ansible/roles/k3s/tasks/secrets.yml: -------------------------------------------------------------------------------- 1 | - name: secrets | load etcd ca 2 | run_once: true 3 | slurp: 4 | src: "/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt" 5 | register: slurped_etcd_ca_file 6 | 7 | - name: secrets | load etcd cert 8 | run_once: true 9 | slurp: 10 | src: "/var/lib/rancher/k3s/server/tls/etcd/server-client.crt" 11 | 
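register: slurped_etcd_cert_file

# NOTE(review): server-client.key is the client credential k3s itself presents
# to etcd; presumably it grants full read/write on the datastore, i.e. whoever
# holds it controls the cluster. no_log keeps the base64 key out of play output
# and logs.
- name: secrets | load etcd cert key
  run_once: true
  no_log: true
  slurp:
    src: "/var/lib/rancher/k3s/server/tls/etcd/server-client.key"
  register: slurped_etcd_cert_key_file

# The rendered manifest embeds the etcd client key and is auto-applied by k3s
# (running as root) from the manifests dir, so nothing but root needs to read
# it: it was written 0644 (world-readable on the control-plane node), now 0600.
# After apply the same key lives in Secret networking/coredns-etcd; RBAC on
# that Secret deserves the same care.
- name: secrets | deploy manifests
  run_once: true
  no_log: true
  ansible.builtin.copy:
    mode: "0600"
    content: |
      ---
      apiVersion: v1
      kind: Namespace
      metadata:
        name: networking
      ---
      apiVersion: v1
      kind: Secret
      type: Opaque
      metadata:
        name: coredns-etcd
        namespace: networking
      data:
        ca.crt: "{{ slurped_etcd_ca_file.content }}"
        cert.pem: "{{ slurped_etcd_cert_file.content }}"
        key.pem: "{{ slurped_etcd_cert_key_file.content }}"
    dest: "{{ k3s_server_manifests_dir }}/coredns-etcd-secret.yaml"
-------------------------------------------------------------------------------- /cluster/apps/.kasten-io/cloud-sync/cron-job.yaml: --------------------------------------------------------------------------------
---
# Mirrors the K10 export bucket from in-cluster MinIO to Backblaze B2 every 12
# hours. NOTE(review): rclone "sync" makes the remote an exact copy, and
# --b2-hard-delete permanently removes B2 objects instead of hiding them as
# prior versions, so a wiped or encrypted MinIO bucket propagates to the
# off-site copy within one run with no version history to recover from. This
# is not protection against ransomware or an operator mistake; consider
# dropping --b2-hard-delete, using "copy", or a B2 lifecycle/Object Lock
# policy if that is required.
# batch/v1beta1 CronJob is removed in Kubernetes 1.25; move to batch/v1 once
# the cluster serves it.
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  namespace: kasten-io
  name: cloud-sync
spec:
  schedule: "0 */12 * * *"
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          containers:
            - name: rclone
              image: rclone/rclone:1.58
              env:
                - name: TZ
                  value: "America/New_York"
              command:
                - "rclone"
              args:
                - "-v"
                - "--config"
                - "/config/rclone.conf"
                - "sync"
                - "--ignore-errors"
                - "--fast-list"
                - "--b2-hard-delete"
                - "--transfers"
                - "24"
                - "--checkers"
                - "24"
                - "--bwlimit"
                - "25M"
                - "minio:k10"
                - "b2-k10:k10-XU5jS1ot/"
              volumeMounts:
                - name: rclone-config
                  mountPath: "/config"
          volumes:
            - name: rclone-config
              secret:
                secretName: rclone-config-secret
--------------------------------------------------------------------------------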
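/.github/workflows/renovate-schedule.yaml: --------------------------------------------------------------------------------
---
name: Schedule - Renovate Helm Releases

on: # yamllint disable-line rule:truthy
  workflow_dispatch:
  schedule:
    - cron: "0 */12 * * *"

# Least privilege for GITHUB_TOKEN. With no permissions block the token gets
# the repository's default scope (read/write on every API for older repos).
# Pushing the annotations branch needs contents: write and opening the PR needs
# pull-requests: write; nothing else here touches the API.
permissions:
  contents: write
  pull-requests: write

jobs:
  renovate-helm-releases:
    runs-on: ubuntu-20.04
    steps:
      # NOTE(review): the three actions below are pinned to mutable tags (@v3,
      # @v1, @v4), so a force-pushed or compromised tag runs with this
      # workflow's write access to the repo. Pin each to a full commit SHA and
      # keep the tag in a trailing comment so Renovate can still bump it.
      - uses: actions/checkout@v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fetch-depth: 1

      - name: Renovate Helm Releases
        uses: k8s-at-home/renovate-helm-releases@v1
        with:
          cluster-path: "./cluster"

      - name: Create pull request for renovatebot helm-release annotations
        uses: peter-evans/create-pull-request@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          branch: renovate-annotations
          delete-branch: true
          title: "chore(deps): update renovate annotations"
          signoff: false
          committer: GitHub
          author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
          commit-message: "chore(deps): update renovate annotations"
          body: |
            Update HelmReleases inorder for Renovate to pick up new versions of Helm charts
          labels: renovate/annotations
-------------------------------------------------------------------------------- /ansible/roles/ubuntu/tasks/unattended-upgrades.yml: --------------------------------------------------------------------------------
---

# APT::Periodic values are in days: package lists are refreshed every 14 days,
# so a security fix published the day after a refresh is not seen by the daily
# unattended-upgrade run for up to two weeks. Set Update-Package-Lists (and
# Download-Upgradeable-Packages) to "1" if same-day security patching is wanted.
- name: unattended-upgrades | copy 20auto-upgrades config
  ansible.builtin.blockinfile:
    path: /etc/apt/apt.conf.d/20auto-upgrades
    mode: 0644
    create: true
    block: |
      APT::Periodic::Update-Package-Lists "14";
      APT::Periodic::Download-Upgradeable-Packages "14";
      APT::Periodic::AutocleanInterval "7";
      APT::Periodic::Unattended-Upgrade "1";
- name: unattended-upgrades | copy 50unattended-upgrades config
  ansible.builtin.blockinfile:
    path: /etc/apt/apt.conf.d/50unattended-upgrades
    mode: 0644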
create: true 18 | block: | 19 | Unattended-Upgrade::Automatic-Reboot "false"; 20 | Unattended-Upgrade::Remove-Unused-Dependencies "true"; 21 | Unattended-Upgrade::Allowed-Origins { 22 | "${distro_id}:${distro_codename}"; 23 | "${distro_id} ${distro_codename}-security"; 24 | }; 25 | - name: unattended-upgrades | start systemd service 26 | ansible.builtin.systemd: 27 | name: unattended-upgrades 28 | enabled: true 29 | state: started 30 | 31 | - name: unattended-upgrades | restart systemd service 32 | ansible.builtin.service: 33 | name: unattended-upgrades.service 34 | daemon_reload: true 35 | enabled: true 36 | state: restarted 37 | -------------------------------------------------------------------------------- /ansible/roles/ubuntu/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | packages: 4 | apt_install: 5 | - apt-transport-https 6 | - arptables 7 | - ca-certificates 8 | - curl 9 | # - dnsutils 10 | - ebtables 11 | # - ethtool 12 | - gdisk 13 | # - git 14 | # - gnupg-agent 15 | # - gnupg2 16 | # - haveged 17 | - hdparm 18 | - htop 19 | # - iperf3 20 | - iputils-ping 21 | - ipvsadm 22 | # - jq 23 | - lvm2 24 | # - neofetch 25 | - net-tools 26 | # - netcat 27 | - nfs-common 28 | - nano 29 | # - nmap 30 | - ntpdate 31 | - open-iscsi 32 | # - pigz 33 | - psmisc 34 | # - python3 35 | # - python3-openssl 36 | # - python3-pip 37 | # - rclone 38 | # - rsync 39 | # - scsitools 40 | - smartmontools 41 | - socat 42 | - software-properties-common 43 | # - traceroute 44 | # - tree 45 | - unattended-upgrades 46 | - unzip 47 | # - vim 48 | apt_remove: 49 | # - apparmor 50 | - apport 51 | - bcache-tools 52 | - btrfs-progs 53 | - byobu 54 | # - cloud-init - cloud-guest-utils 55 | # - cloud-initramfs-copymods 56 | # - cloud-initramfs-dyn-netconf 57 | - friendly-recovery 58 | - fwupd 59 | - landscape-common 60 | - lxd-agent-loader 61 | - ntfs-3g 62 | - open-vm-tools 63 | - plymouth 64 | - plymouth-theme-ubuntu-text 65 | 
- popularity-contest 66 | - snapd 67 | - sosreport 68 | - tmux 69 | - ubuntu-advantage-tools 70 | - ufw 71 | -------------------------------------------------------------------------------- /ansible/roles/ubuntu/tasks/locale.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: locale | set timezone 4 | community.general.timezone: 5 | name: "{{ timezone | default('America/Chicago') }}" 6 | 7 | - name: locale | copy timesyncd config 8 | ansible.builtin.copy: 9 | mode: 0644 10 | content: | 11 | [Time] 12 | NTP={{ ntp_servers.primary | default("") | join(" ") }} 13 | FallbackNTP={{ ntp_servers.fallback | join(" ") }} 14 | dest: /etc/systemd/timesyncd.conf 15 | when: 16 | - ntp_servers.primary is defined 17 | - ntp_servers.primary is iterable 18 | - ntp_servers.primary | length > 0 19 | - ntp_servers.fallback is defined 20 | - ntp_servers.fallback is iterable 21 | - ntp_servers.fallback | length > 0 22 | 23 | - name: locale | start systemd service 24 | ansible.builtin.systemd: 25 | name: systemd-timesyncd 26 | enabled: true 27 | state: started 28 | 29 | - name: locale | restart systemd service 30 | ansible.builtin.systemd: 31 | name: systemd-timesyncd 32 | daemon_reload: true 33 | enabled: true 34 | state: restarted 35 | 36 | - name: locale | run timedatectl status 37 | ansible.builtin.command: /usr/bin/timedatectl show 38 | changed_when: false 39 | check_mode: false 40 | register: timedatectl_result 41 | 42 | - name: locale | enable ntp 43 | ansible.builtin.command: /usr/bin/timedatectl set-ntp true 44 | when: 45 | - "'NTP=no' in timedatectl_result.stdout" 46 | -------------------------------------------------------------------------------- /ansible/roles/pve/tasks/postfix.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Check for existence of postfix main.cf 4 | ansible.builtin.stat: 5 | path: /etc/postfix/main.cf 6 | register: main_result 7 | 8 | - 
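name: Copy main.cf template
  ansible.builtin.template:
    src: templates/etc/postfix/main.cf.j2
    dest: /etc/postfix/main.cf

# The stat results registered in this file are not consumed by any task here;
# they are kept for compatibility with anything that may reference them.
- name: Check for existence of postfix sasl_passwd
  ansible.builtin.stat:
    path: /etc/postfix/sasl_passwd
  register: sasl_passwd_result

# sasl_passwd holds the SendGrid credentials. Previously it was rendered with
# the default (umask) mode, postmap'ed, and only then chmod'ed to 600: postmap
# inherits the input file's permissions when it creates the .db (see the -p
# option in postmap(1)), so sasl_passwd.db stayed world-readable, and the source
# was readable during the window before the chmod. Render it 0600 up front and
# keep the rendered content out of play output.
- name: Copy sasl_passwd template
  no_log: true
  ansible.builtin.template:
    src: templates/etc/postfix/sasl_passwd.j2
    dest: /etc/postfix/sasl_passwd
    owner: root
    group: root
    mode: "0600"

- name: Check for existence of postfix smtp_header_checks
  ansible.builtin.stat:
    path: /etc/postfix/smtp_header_checks
  # was "main_result", which silently overwrote the main.cf stat registered above
  register: smtp_header_checks_result

- name: Copy smtp_header_checks template
  ansible.builtin.template:
    src: templates/etc/postfix/smtp_header_checks.j2
    dest: /etc/postfix/smtp_header_checks

# command rather than shell: no shell features are used, so nothing is
# interpolated through a shell.
- name: Update sasl_passwd.db
  ansible.builtin.command:
    cmd: postmap /etc/postfix/sasl_passwd

# Lock both the source map and the compiled .db that Postfix actually reads.
- name: Lock sasl_passwd
  ansible.builtin.file:
    path: "{{ item }}"
    owner: root
    group: root
    mode: "0600"
  loop:
    - /etc/postfix/sasl_passwd
    - /etc/postfix/sasl_passwd.db

- name: Update postmap for smtp_header_checks
  ansible.builtin.command:
    cmd: postmap /etc/postfix/smtp_header_checks

- name: Update postfix
  ansible.builtin.command:
    cmd: postfix reload
-------------------------------------------------------------------------------- /ansible/playbooks/pve/deprecated/disk-passthru.yml: --------------------------------------------------------------------------------
---
# Configure passthroughs
- name: Passthrough k3s-h1
  hosts: k3s-h1
  remote_user: root
  tasks:
    - name: Provision k3s-s1
      shell: qm set 120 --scsi1 /dev/disk/by-id/nvme-Inland_NVMe_SSD_256GB_IBMC210325601699

- name: Passthrough k3s-h2
  hosts: k3s-h2
  remote_user: root
  tasks:
    - name: Provision k3s-s2
      shell: qm set 220 --scsi1 /dev/disk/by-id/nvme-Inland_NVMe_SSD_256GB_IBMC210325601625

- name: Passthrough k3s-h3
  hosts: k3s-h3
  remote_user: root
  tasks:
    - 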
name: Provision k3s-s3 22 | shell: qm set 320 --scsi1 /dev/disk/by-id/nvme-Inland_NVMe_SSD_256GB_IBMC210325600524 23 | 24 | - name: Update storage nodes 25 | hosts: storage 26 | remote_user: root 27 | tasks: 28 | - name: Purge /dev/sdb 29 | shell: echo -e "d\nw" | fdisk /dev/sdb 30 | args: 31 | executable: /bin/bash 32 | - name: Create new /dev/sdb1 33 | shell: echo -e "n\np\n1\n\n\nw" | fdisk /dev/sdb 34 | args: 35 | executable: /bin/bash 36 | - name: Create new ext4 37 | filesystem: 38 | dev: /dev/sdb1 39 | fstype: ext4 40 | - name: Create longhorn dir 41 | file: 42 | path: /var/lib/longhorn 43 | state: directory 44 | - name: Mount longhorn 45 | mount: 46 | path: /var/lib/longhorn 47 | src: /dev/sdb1 48 | fstype: ext4 49 | opts: defaults 50 | state: mounted 51 | -------------------------------------------------------------------------------- /ansible/playbooks/k3s/labels.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # localhost 3 | - name: Label k3s worker and storage nodes 4 | hosts: localhost 5 | become: false 6 | tasks: 7 | 8 | - name: w1 - kubernetes.io/role 9 | shell: kubectl label nodes w1 kubernetes.io/role=worker --overwrite 10 | - name: w2 - kubernetes.io/role 11 | shell: kubectl label nodes w2 kubernetes.io/role=worker --overwrite 12 | - name: w3 - kubernetes.io/role 13 | shell: kubectl label nodes w3 kubernetes.io/role=worker --overwrite 14 | 15 | - name: w1 - node-type 16 | shell: kubectl label nodes w1 node-type=worker --overwrite 17 | - name: w2 - node-type 18 | shell: kubectl label nodes w2 node-type=worker --overwrite 19 | - name: w3 - node-type 20 | shell: kubectl label nodes w3 node-type=worker --overwrite 21 | 22 | # - name: s1 - kubernetes.io/role 23 | # shell: kubectl label nodes s1 kubernetes.io/role=longhorn --overwrite 24 | # - name: s2 - kubernetes.io/role 25 | # shell: kubectl label nodes s2 kubernetes.io/role=longhorn --overwrite 26 | # - name: s3 - kubernetes.io/role 27 | # shell: 
kubectl label nodes s3 kubernetes.io/role=longhorn --overwrite 28 | 29 | # - name: s1 - node-type 30 | # shell: kubectl label nodes s1 node-type=longhorn --overwrite 31 | # - name: s2 - node-type 32 | # shell: kubectl label nodes s2 node-type=longhorn --overwrite 33 | # - name: s3 - node-type 34 | # shell: kubectl label nodes s3 node-type=longhorn --overwrite 35 | -------------------------------------------------------------------------------- /cluster/apps/utils/librespeed/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: librespeed 6 | namespace: utils 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://k8s-at-home.com/charts/ 12 | chart: librespeed 13 | version: 5.2.0 14 | sourceRef: 15 | kind: HelmRepository 16 | name: k8s-at-home-charts 17 | namespace: flux-system 18 | interval: 5m 19 | values: 20 | image: 21 | repository: linuxserver/librespeed 22 | tag: version-5.2.4 23 | env: 24 | TZ: "America/New_York" 25 | PUID: "1001" 26 | PGID: "1001" 27 | service: 28 | main: 29 | ports: 30 | http: 31 | port: 80 32 | ingress: 33 | main: 34 | enabled: true 35 | ingressClassName: "traefik" 36 | annotations: 37 | external-dns/is-public: "true" 38 | external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}" 39 | hajimari.io/enable: "true" 40 | hajimari.io/icon: "speedometer" 41 | traefik.ingress.kubernetes.io/router.entrypoints: "websecure" 42 | hosts: 43 | - host: "speedtest.${SECRET_DOMAIN}" 44 | paths: 45 | - path: / 46 | pathType: Prefix 47 | tls: 48 | - hosts: 49 | - "speedtest.${SECRET_DOMAIN}" 50 | persistence: 51 | config: 52 | enabled: true 53 | existingClaim: librespeed-config 54 | -------------------------------------------------------------------------------- /cluster/apps/.kasten-io/k10/helm-release.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: k10 6 | namespace: kasten-io 7 | spec: 8 | releaseName: k10 9 | interval: 5m 10 | chart: 11 | spec: 12 | # renovate: registryUrl=https://charts.kasten.io/ 13 | chart: k10 14 | version: 4.5.15 15 | sourceRef: 16 | kind: HelmRepository 17 | name: kasten-charts 18 | namespace: flux-system 19 | interval: 5m 20 | values: 21 | eula: 22 | accept: true 23 | company: Devbu 24 | email: "${SECRET_EMAIL}" 25 | global: 26 | persistence: 27 | storageClass: rook-ceph-block 28 | auth: 29 | tokenAuth: 30 | enabled: true 31 | clusterName: k8s 32 | ingress: 33 | create: true 34 | host: "k10.${SECRET_DOMAIN}" 35 | annotations: 36 | traefik.ingress.kubernetes.io/router.entrypoints: "websecure" 37 | traefik.ingress.kubernetes.io/router.middlewares: "networking-authentik@kubernetescrd" 38 | external-dns/is-public: "true" 39 | external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}" 40 | urlPath: k10 41 | hosts: 42 | - "k10.${SECRET_DOMAIN}" 43 | tls: 44 | enabled: true 45 | secretName: "${SECRET_DOMAIN/./-}-tls" 46 | postRenderers: 47 | - kustomize: 48 | patchesJson6902: 49 | - target: 50 | kind: Ingress 51 | name: k10-ingress 52 | patch: 53 | - op: add 54 | path: /spec/ingressClassName 55 | value: traefik 56 | -------------------------------------------------------------------------------- /ansible/playbooks/k3s/deprecated/join-nodes.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # localhost 3 | - name: Initialize remaining nodes 4 | hosts: localhost 5 | vars: 6 | sshUser: root 7 | clusterFqdn: cl.k3s.mrry.io 8 | clusterIp: 172.25.0.1 9 | clusterCidr: 172.26.0.0/16 10 | clusterDns: 172.26.0.10 11 | serviceCidr: 172.27.0.0/16 12 | clusterDomain: k3s.mrry.io 13 | 14 | tasks: 15 | - name: join m2 16 | shell: k3sup join --host m2 --user {{ sshUser }} 
--server-user {{ sshUser }} --server-name {{ clusterIp }} --server --k3s-channel latest --k3s-extra-args="--disable servicelb --disable traefik --node-taint node-role.kubernetes.io/master=true:NoSchedule --cluster-cidr {{ clusterCidr }} --service-cidr {{ serviceCidr }} --cluster-dns {{ clusterDns }} --cluster-domain {{ clusterDomain }}" 17 | 18 | - name: join m3 19 | shell: k3sup join --host m3 --user {{ sshUser }} --server-user {{ sshUser }} --server-name {{ clusterFqdn }} --k3s-channel latest --server --k3s-extra-args="--disable servicelb --disable traefik --node-taint node-role.kubernetes.io/master=true:NoSchedule --cluster-cidr {{ clusterCidr }} --service-cidr {{ serviceCidr }} --cluster-dns {{ clusterDns }} --cluster-domain {{ clusterDomain }}" 20 | 21 | - name: join w1 22 | shell: k3sup join --host w1 --user {{ sshUser }} --server-name {{ clusterFqdn }} --k3s-channel latest 23 | 24 | - name: join w2 25 | shell: k3sup join --host w2 --user {{ sshUser }} --server-name {{ clusterFqdn }} --k3s-channel latest 26 | 27 | - name: join w3 28 | shell: k3sup join --host w3 --user {{ sshUser }} --server-name {{ clusterFqdn }} --k3s-channel latest 29 | 30 | -------------------------------------------------------------------------------- /cluster/apps/media/prowlarr/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: prowlarr 6 | namespace: media 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://k8s-at-home.com/charts/ 12 | chart: prowlarr 13 | version: 4.4.2 14 | sourceRef: 15 | kind: HelmRepository 16 | name: k8s-at-home-charts 17 | namespace: flux-system 18 | interval: 5m 19 | values: 20 | image: 21 | repository: ghcr.io/k8s-at-home/prowlarr 22 | tag: v0.4.0.1791 23 | env: 24 | TZ: "America/New_York" 25 | ingress: 26 | main: 27 | enabled: true 28 | ingressClassName: "traefik" 29 | 
annotations: 30 | external-dns/is-public: "true" 31 | external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}" 32 | hajimari.io/enable: "true" 33 | hajimari.io/icon: "layers-search" 34 | traefik.ingress.kubernetes.io/router.entrypoints: "websecure" 35 | traefik.ingress.kubernetes.io/router.middlewares: "networking-authentik@kubernetescrd" 36 | hosts: 37 | - host: "prowlarr.${SECRET_DOMAIN}" 38 | paths: 39 | - path: / 40 | pathType: Prefix 41 | tls: 42 | - hosts: 43 | - "prowlarr.${SECRET_DOMAIN}" 44 | persistence: 45 | config: 46 | enabled: true 47 | existingClaim: prowlarr-config 48 | resources: 49 | requests: 50 | memory: 100Mi 51 | cpu: 100m 52 | limits: 53 | memory: 500Mi 54 | -------------------------------------------------------------------------------- /cluster/apps/ibc/osmosis/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: osmosis 6 | namespace: ibc 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryURL=https://dvmrry.github.io/charts 12 | # renovate: registryUrl=https://charts.mrry.io 13 | chart: osmosis 14 | version: 1.0.0 15 | sourceRef: 16 | kind: HelmRepository 17 | name: mrry-io-charts 18 | namespace: flux-system 19 | interval: 5m 20 | values: 21 | image: ghcr.io/ovrclk/cosmos-omnibus:v0.0.26-osmosis-v6.1.0 22 | env: 23 | TZ: "America/New_York" 24 | service: 25 | main: 26 | type: LoadBalancer 27 | externalIPs: 28 | - "${SVC_OSMOSIS_ADDR}" 29 | externalTrafficPolicy: Local 30 | annotations: 31 | traefik.ingress.kubernetes.io/service.serverscheme: https 32 | ingress: 33 | main: 34 | enabled: true 35 | ingressClassName: "traefik" 36 | hosts: 37 | - host: "osmo.${SECRET_DOMAIN}" 38 | paths: 39 | - path: / 40 | pathType: Prefix 41 | tls: 42 | - hosts: 43 | - "osmo.${SECRET_DOMAIN}" 44 | persistence: 45 | config: 46 | enabled: true 47 | existingClaim: osmo-config 48 | 
mountPath: /config 49 | osmosis: 50 | enabled: true 51 | existingClaim: osmo-data 52 | mountPath: /osmosis 53 | resources: 54 | requests: 55 | cpu: 1000m 56 | memory: 4000Mi 57 | limits: 58 | cpu: 4000m 59 | memory: 8000Mi 60 | -------------------------------------------------------------------------------- /.github/workflows/flux-schedule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Schedule - Update Flux 3 | 4 | on: # yamllint disable-line rule:truthy 5 | workflow_dispatch: 6 | schedule: 7 | - cron: "0 12 * * *" 8 | 9 | jobs: 10 | flux-upgrade: 11 | runs-on: ubuntu-20.04 12 | steps: 13 | - uses: actions/checkout@v3 14 | with: 15 | fetch-depth: 1 16 | 17 | - name: Setup Flux CLI 18 | uses: fluxcd/flux2/action@main 19 | 20 | - name: Upgrade Flux 21 | id: upgrade 22 | run: | 23 | CLI_VERSION="$(flux -v)" 24 | VERSION="v${CLI_VERSION#*flux version }" 25 | flux install --version="${VERSION}" \ 26 | --network-policy=false \ 27 | --export > ./cluster/base/flux-system/gotk-components.yaml 28 | echo "::set-output name=flux_version::$VERSION" 29 | 30 | - name: Create pull request for Flux upgrade 31 | uses: peter-evans/create-pull-request@v4 32 | with: 33 | token: ${{ secrets.GITHUB_TOKEN }} 34 | branch: "flux/upgrade-${{ steps.upgrade.outputs.flux_version }}" 35 | delete-branch: true 36 | title: "chore(deps): upgrade flux components to ${{ steps.upgrade.outputs.flux_version }}" 37 | signoff: false 38 | committer: GitHub 39 | author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> 40 | commit-message: "chore(deps): upgrade flux components to ${{ steps.upgrade.outputs.flux_version }}" 41 | body: | 42 | Release notes: https://github.com/fluxcd/flux2/releases/tag/${{ steps.upgrade.outputs.flux_version }} 43 | labels: flux/upgrade 44 | -------------------------------------------------------------------------------- /cluster/apps/media/overseerr/helm-release.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: overseerr 6 | namespace: media 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://k8s-at-home.com/charts/ 12 | chart: overseerr 13 | version: 5.3.2 14 | sourceRef: 15 | kind: HelmRepository 16 | name: k8s-at-home-charts 17 | namespace: flux-system 18 | interval: 5m 19 | values: 20 | image: 21 | repository: ghcr.io/sct/overseerr 22 | tag: 1.28.0 23 | env: 24 | TZ: "America/New_York" 25 | LOG_LEVEL: "info" 26 | service: 27 | main: 28 | ports: 29 | http: 30 | port: 5055 31 | ingress: 32 | main: 33 | enabled: true 34 | ingressClassName: "traefik" 35 | annotations: 36 | external-dns/is-public: "true" 37 | external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}" 38 | hajimari.io/enable: "true" 39 | hajimari.io/icon: "movie-search" 40 | traefik.ingress.kubernetes.io/router.entrypoints: "websecure" 41 | hosts: 42 | - host: "requests.${SECRET_DOMAIN}" 43 | paths: 44 | - path: / 45 | pathType: Prefix 46 | tls: 47 | - hosts: 48 | - "requests.${SECRET_DOMAIN}" 49 | persistence: 50 | config: 51 | enabled: true 52 | existingClaim: overseerr-config 53 | mountPath: /app/config 54 | resources: 55 | requests: 56 | memory: 250Mi 57 | cpu: 500m 58 | limits: 59 | memory: 500Mi 60 | -------------------------------------------------------------------------------- /ansible/ansible.cfg: -------------------------------------------------------------------------------- 1 | [defaults] 2 | 3 | #--- General settings 4 | nocows = True 5 | forks = 8 6 | module_name = command 7 | deprecation_warnings = True 8 | executable = /bin/bash 9 | 10 | #--- Files/Directory settings 11 | log_path = ~/ansible.log 12 | inventory = ./inventory 13 | library = /usr/share/my_modules 14 | remote_tmp = ~/.ansible/tmp 15 | local_tmp = ~/.ansible/tmp 16 | roles_path = ./roles 17 | 
retry_files_enabled = False 18 | 19 | #--- Fact Caching settings 20 | fact_caching = jsonfile 21 | fact_caching_connection = ~/.ansible/facts_cache 22 | fact_caching_timeout = 7200 23 | 24 | #--- SSH settings 25 | remote_port = 22 26 | timeout = 60 27 | host_key_checking = False 28 | ssh_executable = /usr/bin/ssh 29 | private_key_file = ~/.ssh/id_ed25519 30 | 31 | force_valid_group_names = ignore 32 | 33 | #--- Speed 34 | callback_whitelist = ansible.posix.profile_tasks 35 | internal_poll_interval = 0.001 36 | 37 | [inventory] 38 | unparsed_is_failed = true 39 | 40 | [privilege_escalation] 41 | become = True 42 | become_method = sudo 43 | become_user = root 44 | become_ask_pass = False 45 | 46 | [ssh_connection] 47 | scp_if_ssh = smart 48 | transfer_method = smart 49 | retries = 3 50 | timeout = 10 51 | ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o Compression=yes -o ServerAliveInterval=15s 52 | pipelining = True 53 | control_path = %(directory)s/%%h-%%r 54 | -------------------------------------------------------------------------------- /cluster/apps/media/tautulli/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: tautulli 6 | namespace: media 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://k8s-at-home.com/charts/ 12 | chart: tautulli 13 | version: 11.3.2 14 | sourceRef: 15 | kind: HelmRepository 16 | name: k8s-at-home-charts 17 | namespace: flux-system 18 | interval: 5m 19 | values: 20 | image: 21 | repository: ghcr.io/k8s-at-home/tautulli 22 | tag: v2.10.0 23 | env: 24 | TZ: "America/New_York" 25 | service: 26 | main: 27 | ports: 28 | http: 29 | port: 8181 30 | ingress: 31 | main: 32 | enabled: true 33 | ingressClassName: "traefik" 34 | annotations: 35 | external-dns/is-public: "true" 36 | external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}" 37 | 
hajimari.io/enable: "true" 38 | hajimari.io/icon: "chart-box" 39 | traefik.ingress.kubernetes.io/router.entrypoints: "websecure" 40 | traefik.ingress.kubernetes.io/router.middlewares: "networking-authentik@kubernetescrd" 41 | hosts: 42 | - host: "tautulli.${SECRET_DOMAIN}" 43 | paths: 44 | - path: / 45 | pathType: Prefix 46 | tls: 47 | - hosts: 48 | - "tautulli.${SECRET_DOMAIN}" 49 | persistence: 50 | config: 51 | enabled: true 52 | existingClaim: tautulli-config 53 | resources: 54 | requests: 55 | memory: 250Mi 56 | cpu: 500m 57 | limits: 58 | memory: 1500Mi 59 | -------------------------------------------------------------------------------- /cluster/core/rook-ceph/storage/ceph-cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: ceph.rook.io/v1 3 | kind: CephCluster 4 | metadata: 5 | name: rook-ceph 6 | namespace: rook-ceph 7 | spec: 8 | cephVersion: 9 | image: ceph/ceph:v16.2.5 10 | allowUnsupported: false 11 | dataDirHostPath: /var/lib/rook 12 | skipUpgradeChecks: false 13 | continueUpgradeAfterChecksEvenIfNotHealthy: false 14 | removeOSDsIfOutAndSafeToRemove: false 15 | mon: 16 | count: 3 17 | allowMultiplePerNode: false 18 | monitoring: 19 | enabled: true 20 | rulesNamespace: rook-ceph 21 | network: 22 | crashCollector: 23 | disable: false 24 | cleanupPolicy: 25 | confirmation: "" 26 | sanitizeDisks: 27 | method: quick 28 | dataSource: zero 29 | iteration: 1 30 | mgr: 31 | modules: 32 | - name: pg_autoscaler 33 | enabled: true 34 | dashboard: 35 | enabled: true 36 | port: 7000 37 | ssl: false 38 | disruptionManagement: 39 | managePodBudgets: false 40 | osdMaintenanceTimeout: 30 41 | manageMachineDisruptionBudgets: false 42 | machineDisruptionBudgetNamespace: openshift-machine-api 43 | resources: 44 | mon: 45 | requests: 46 | cpu: 50m 47 | memory: 800Mi 48 | limits: 49 | memory: 1024Mi 50 | osd: 51 | requests: 52 | cpu: 100m 53 | memory: 2048Mi 54 | limits: 55 | memory: 4096Mi 56 | storage: 57 
| useAllNodes: false 58 | useAllDevices: false 59 | config: 60 | osdsPerDevice: "1" 61 | nodes: 62 | - name: "w1" 63 | devices: 64 | - name: "nvme0n1" 65 | - name: "w2" 66 | devices: 67 | - name: "nvme0n1" 68 | - name: "w3" 69 | devices: 70 | - name: "nvme0n1" 71 | -------------------------------------------------------------------------------- /cluster/apps/utils/cryptofolio/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: cryptofolio 6 | namespace: utils 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://k8s-at-home.com/charts/ 12 | chart: cryptofolio 13 | version: 1.2.0 14 | sourceRef: 15 | kind: HelmRepository 16 | name: k8s-at-home-charts 17 | namespace: flux-system 18 | interval: 5m 19 | values: 20 | image: 21 | repository: xtrendence/cryptofolio 22 | tag: V.2.2.0 23 | pullPolicy: IfNotPresent 24 | env: 25 | TZ: "America/New_York" 26 | service: 27 | main: 28 | ports: 29 | http: 30 | port: 80 31 | ingress: 32 | main: 33 | enabled: true 34 | ingressClassName: "traefik" 35 | annotations: 36 | external-dns/is-public: "true" 37 | external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}" 38 | hajimari.io/enable: "true" 39 | hajimari.io/icon: "chart-box" 40 | traefik.ingress.kubernetes.io/router.entrypoints: "websecure" 41 | traefik.ingress.kubernetes.io/router.middlewares: "networking-authentik@kubernetescrd" 42 | hosts: 43 | - host: "cryptofolio.${SECRET_DOMAIN}" 44 | paths: 45 | - path: / 46 | pathType: Prefix 47 | tls: 48 | - hosts: 49 | - "cryptofolio.${SECRET_DOMAIN}" 50 | persistence: 51 | config: 52 | enabled: true 53 | existingClaim: cryptofolio-config 54 | resources: 55 | requests: 56 | memory: 250Mi 57 | cpu: 500m 58 | limits: 59 | memory: 500Mi 60 | -------------------------------------------------------------------------------- 
/cluster/apps/media/calibre/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: calibre 6 | namespace: media 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://k8s-at-home.com/charts/ 12 | chart: calibre 13 | version: 5.2.0 14 | sourceRef: 15 | kind: HelmRepository 16 | name: k8s-at-home-charts 17 | namespace: flux-system 18 | interval: 5m 19 | values: 20 | image: 21 | repository: ghcr.io/linuxserver/calibre 22 | tag: version-v5.24.0 23 | env: 24 | TZ: "America/New_York" 25 | PGID: 65539 26 | service: 27 | webserver: 28 | enabled: true 29 | ingress: 30 | main: 31 | enabled: true 32 | ingressClassName: "traefik" 33 | annotations: 34 | external-dns/is-public: "true" 35 | external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}" 36 | hajimari.io/enable: "true" 37 | hajimari.io/icon: "book" 38 | traefik.ingress.kubernetes.io/router.entrypoints: "websecure" 39 | traefik.ingress.kubernetes.io/router.middlewares: "networking-authentik@kubernetescrd" 40 | hosts: 41 | - host: "calibre.${SECRET_DOMAIN}" 42 | paths: 43 | - path: / 44 | pathType: Prefix 45 | tls: 46 | - hosts: 47 | - "calibre.${SECRET_DOMAIN}" 48 | persistence: 49 | config: 50 | enabled: true 51 | existingClaim: calibre-config 52 | media: 53 | enabled: true 54 | existingClaim: nfs-media-nas-pvc 55 | mountPath: /media 56 | resources: 57 | requests: 58 | memory: 250Mi 59 | cpu: 300m 60 | limits: 61 | memory: 1000Mi 62 | -------------------------------------------------------------------------------- /cluster/core/rook-ceph/toolbox.yml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: rook-ceph-tools 5 | namespace: rook-ceph # namespace:cluster 6 | labels: 7 | app: rook-ceph-tools 8 | spec: 9 | replicas: 1 10 | selector: 11 | 
matchLabels: 12 | app: rook-ceph-tools 13 | template: 14 | metadata: 15 | labels: 16 | app: rook-ceph-tools 17 | spec: 18 | dnsPolicy: ClusterFirstWithHostNet 19 | containers: 20 | - name: rook-ceph-tools 21 | image: rook/ceph:master 22 | command: ["/bin/bash"] 23 | args: ["-m", "-c", "/usr/local/bin/toolbox.sh"] 24 | imagePullPolicy: IfNotPresent 25 | tty: true 26 | securityContext: 27 | runAsNonRoot: true 28 | runAsUser: 2016 29 | runAsGroup: 2016 30 | env: 31 | - name: ROOK_CEPH_USERNAME 32 | valueFrom: 33 | secretKeyRef: 34 | name: rook-ceph-mon 35 | key: ceph-username 36 | - name: ROOK_CEPH_SECRET 37 | valueFrom: 38 | secretKeyRef: 39 | name: rook-ceph-mon 40 | key: ceph-secret 41 | volumeMounts: 42 | - mountPath: /etc/ceph 43 | name: ceph-config 44 | - name: mon-endpoint-volume 45 | mountPath: /etc/rook 46 | volumes: 47 | - name: mon-endpoint-volume 48 | configMap: 49 | name: rook-ceph-mon-endpoints 50 | items: 51 | - key: data 52 | path: mon-endpoints 53 | - name: ceph-config 54 | emptyDir: {} 55 | tolerations: 56 | - key: "node.kubernetes.io/unreachable" 57 | operator: "Exists" 58 | effect: "NoExecute" 59 | tolerationSeconds: 5 60 | -------------------------------------------------------------------------------- /cluster/apps/media/bazarr/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: bazarr 6 | namespace: media 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://k8s-at-home.com/charts/ 12 | chart: bazarr 13 | version: 10.5.2 14 | sourceRef: 15 | kind: HelmRepository 16 | name: k8s-at-home-charts 17 | namespace: flux-system 18 | interval: 5m 19 | values: 20 | image: 21 | repository: ghcr.io/k8s-at-home/bazarr 22 | tag: v1.0.4 23 | env: 24 | TZ: "America/New_York" 25 | service: 26 | main: 27 | ports: 28 | http: 29 | port: 6767 30 | ingress: 31 | main: 32 | enabled: true 33 
| ingressClassName: "traefik" 34 | annotations: 35 | external-dns/is-public: "true" 36 | external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}" 37 | hajimari.io/enable: "true" 38 | hajimari.io/icon: "subtitles" 39 | traefik.ingress.kubernetes.io/router.entrypoints: "websecure" 40 | traefik.ingress.kubernetes.io/router.middlewares: "networking-authentik@kubernetescrd" 41 | hosts: 42 | - host: "bazarr.${SECRET_DOMAIN}" 43 | paths: 44 | - path: / 45 | pathType: Prefix 46 | tls: 47 | - hosts: 48 | - "bazarr.${SECRET_DOMAIN}" 49 | persistence: 50 | config: 51 | enabled: true 52 | existingClaim: bazarr-config 53 | media: 54 | enabled: true 55 | existingClaim: nfs-media-nas-pvc 56 | mountPath: /media 57 | podSecurityContext: 58 | supplementalGroups: 59 | - 100 60 | resources: 61 | requests: 62 | memory: 250Mi 63 | cpu: 500m 64 | limits: 65 | memory: 1000Mi 66 | -------------------------------------------------------------------------------- /cluster/crds/kube-prometheus-stack/crds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: GitRepository 4 | metadata: 5 | name: kube-prometheus-stack-source 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://github.com/prometheus-community/helm-charts.git 10 | ref: 11 | # renovate: registryUrl=https://prometheus-community.github.io/helm-charts 12 | tag: kube-prometheus-stack-16.8.0 13 | ignore: | 14 | # exclude all 15 | /* 16 | # include deploy crds dir 17 | !/charts/kube-prometheus-stack/crds 18 | --- 19 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta1 20 | kind: Kustomization 21 | metadata: 22 | name: kube-prometheus-stack-crds 23 | namespace: flux-system 24 | spec: 25 | interval: 15m 26 | prune: false 27 | sourceRef: 28 | kind: GitRepository 29 | name: kube-prometheus-stack-source 30 | healthChecks: 31 | - apiVersion: apiextensions.k8s.io/v1 32 | kind: CustomResourceDefinition 33 | name: 
alertmanagerconfigs.monitoring.coreos.com 34 | - apiVersion: apiextensions.k8s.io/v1 35 | kind: CustomResourceDefinition 36 | name: alertmanagers.monitoring.coreos.com 37 | - apiVersion: apiextensions.k8s.io/v1 38 | kind: CustomResourceDefinition 39 | name: podmonitors.monitoring.coreos.com 40 | - apiVersion: apiextensions.k8s.io/v1 41 | kind: CustomResourceDefinition 42 | name: probes.monitoring.coreos.com 43 | - apiVersion: apiextensions.k8s.io/v1 44 | kind: CustomResourceDefinition 45 | name: prometheuses.monitoring.coreos.com 46 | - apiVersion: apiextensions.k8s.io/v1 47 | kind: CustomResourceDefinition 48 | name: prometheusrules.monitoring.coreos.com 49 | - apiVersion: apiextensions.k8s.io/v1 50 | kind: CustomResourceDefinition 51 | name: servicemonitors.monitoring.coreos.com 52 | - apiVersion: apiextensions.k8s.io/v1 53 | kind: CustomResourceDefinition 54 | name: thanosrulers.monitoring.coreos.com 55 | -------------------------------------------------------------------------------- /cluster/apps/utils/shlink/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: shlink-server 6 | namespace: utils 7 | spec: 8 | interval: 5m 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://k8s-at-home.com/charts/ 12 | chart: shlink 13 | version: 4.1.0 14 | sourceRef: 15 | kind: HelmRepository 16 | name: k8s-at-home-charts 17 | namespace: flux-system 18 | interval: 5m 19 | values: 20 | image: 21 | repository: shlinkio/shlink 22 | tag: 3.1.0 23 | env: 24 | SHORT_DOMAIN_HOST: "link.${SECRET_DOMAIN}" 25 | SHORT_DOMAIN_SCHEMA: "https" 26 | SHLINK_SERVER_API_KEY: "${SECRET_SHLINK_API_KEY}" 27 | service: 28 | main: 29 | ports: 30 | http: 31 | port: 8080 32 | ingress: 33 | main: 34 | enabled: true 35 | ingressClassName: "traefik" 36 | annotations: 37 | traefik.ingress.kubernetes.io/router.entrypoints: "websecure" 38 | 
external-dns/is-public: "true" 39 | external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}" 40 | hosts: 41 | - host: "link.${SECRET_DOMAIN}" 42 | paths: 43 | - path: / 44 | pathType: Prefix 45 | tls: 46 | - hosts: 47 | - "link.${SECRET_DOMAIN}" 48 | persistence: 49 | params: 50 | enabled: false 51 | data: 52 | enabled: true 53 | storageClass: rook-ceph-block 54 | accessMode: ReadWriteOnce 55 | size: 1Gi 56 | postgresql: 57 | enabled: true 58 | postgresqlUsername: "shlink" 59 | postgresqlPassword: "${SECRET_SHLINK_POSTGRES_PASSWORD}" 60 | postgresqlDatabase: "shlink" 61 | persistence: 62 | enabled: true 63 | storageClass: rook-ceph-block 64 | accessModes: 65 | - ReadWriteOnce 66 | size: 5Gi 67 | -------------------------------------------------------------------------------- /cluster/crds/traefik/crds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta1 3 | kind: GitRepository 4 | metadata: 5 | name: traefik-crd-source 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://github.com/traefik/traefik-helm-chart.git 10 | ref: 11 | # renovate: registryUrl=https://helm.traefik.io/traefik chart=traefik 12 | tag: v10.3.2 13 | ignore: | 14 | # exclude all 15 | /* 16 | # path to crds 17 | !/traefik/crds/ 18 | --- 19 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta1 20 | kind: Kustomization 21 | metadata: 22 | name: traefik-crds 23 | namespace: flux-system 24 | spec: 25 | interval: 15m 26 | prune: false 27 | sourceRef: 28 | kind: GitRepository 29 | name: traefik-crd-source 30 | healthChecks: 31 | - apiVersion: apiextensions.k8s.io/v1beta1 32 | kind: CustomResourceDefinition 33 | name: ingressroutes.traefik.containo.us 34 | - apiVersion: apiextensions.k8s.io/v1beta1 35 | kind: CustomResourceDefinition 36 | name: ingressroutetcps.traefik.containo.us 37 | - apiVersion: apiextensions.k8s.io/v1beta1 38 | kind: CustomResourceDefinition 39 | name: 
ingressrouteudps.traefik.containo.us 40 | - apiVersion: apiextensions.k8s.io/v1beta1 41 | kind: CustomResourceDefinition 42 | name: ingressrouteudps.traefik.containo.us 43 | - apiVersion: apiextensions.k8s.io/v1beta1 44 | kind: CustomResourceDefinition 45 | name: middlewares.traefik.containo.us 46 | - apiVersion: apiextensions.k8s.io/v1beta1 47 | kind: CustomResourceDefinition 48 | name: serverstransports.traefik.containo.us 49 | - apiVersion: apiextensions.k8s.io/v1beta1 50 | kind: CustomResourceDefinition 51 | name: tlsoptions.traefik.containo.us 52 | - apiVersion: apiextensions.k8s.io/v1beta1 53 | kind: CustomResourceDefinition 54 | name: tlsstores.traefik.containo.us 55 | - apiVersion: apiextensions.k8s.io/v1beta1 56 | kind: CustomResourceDefinition 57 | name: traefikservices.traefik.containo.us 58 | -------------------------------------------------------------------------------- /terraform/.secrets.yaml: -------------------------------------------------------------------------------- 1 | k8s: 2 | ssh_key: ENC[AES256_GCM,data:Ioz903OxdLjx/NOczpvtU0DbTt2PAxp/UKPDQ/xT9QhKeL8mDngsLCaLPUhqp/3WAzCP3OWmY8H6xwbZUChesJGibehKrpHBCEaLgUG/lQDmJal+PYgVCQowedGI,iv:akH14KjepKfigayyCUEo//T/OIG22hwlma6Nunksth4=,tag:JLhtp1uMsXRa9hReeVax5g==,type:str] 3 | proxmox: 4 | pm_password: ENC[AES256_GCM,data:CMLQp0xGjSwXtVVXeqE=,iv:Ka2GJAogvoEfrhC6mESCo0Z/jk9T/0C79SJCHgzUXbI=,tag:KNeGf8s2idwC2U35YsN5ww==,type:str] 5 | sops: 6 | kms: [] 7 | gcp_kms: [] 8 | azure_kv: [] 9 | hc_vault: [] 10 | age: [] 11 | lastmodified: "2021-08-27T08:57:38Z" 12 | mac: ENC[AES256_GCM,data:ifPELz6Sg66nlQMGeFf5nLTfTH+cUGZtqKWjeNCyZIlxw2n2gviUOryEunuLip5h3L1c7cHfr5eiWC6+lBHPdHsDZrgSac2hEhtM+oWH2/ePTU/SCSUbn2AsHJCT5v2i1osJI05j5p8HTAOI29MmtprkFZsi66rUBfFEVCKXI+c=,iv:95MnGNMrvTHonIG1Cr/Isvwf/XbFluPf0TDjkmiIzUo=,tag:qT53oh21sgha/UY0o3Jwdg==,type:str] 13 | pgp: 14 | - created_at: "2021-05-24T20:09:14Z" 15 | enc: | 16 | -----BEGIN PGP MESSAGE----- 17 | 18 | 
hQGMA8mUYP7vXQBBAQwA4Dp0qTeJxDOUOVMjgCCKHvmXeftKoNkHROtUhs24u+hC 19 | yk9GY3TIqtvmY2QTgtOOfdusEiZdYE0U3//hQnXBWMfNTZNJGfFVBC4+FUWw6MYW 20 | ExG09K4HH76MKRqh1wNTTczlnse2wUc05iuqU3f5DV63wNDrBICJVqe8Fqrr/DNX 21 | Aqaxq0WpL6yAgbsbqqtCNZuyBFj/dvWH0rgP+PgHoQpK6aIeqeaM8MSl10QiRASN 22 | hMldC/BZtHnNEX9uYBKxFZDvQneCvF2qzpzjJr7iyl8txlP6mxAjw4UpCSlmszFL 23 | U2LlCa3/DyPRubrzN62mu9Eh/iDKCEBMaesdpMdpFx4i7tyN1/wMzBSyiz2jTcZQ 24 | enuA5AbZ6P5SuP80addeZ5A5BI+vRkLtgeqf7CM07k4WPoYU08waXS2CN8KASre2 25 | KmuZq/4f/DzjGpBLe00P76DV591cLpz2Xwlgv51/igGJMcXRMqxSxKBjrIyrjdCg 26 | glSMxATlSF3F9WA1L9iY0l4BiTG8k4dcHVrTmDk2YFZA6AlnXugz9kXitPmQoDBp 27 | MGTbePql0OQucFKyz5HKDHR5fYdcSORvfiuW1wDB8bk1IpBXtKBDKNceefaVwriX 28 | aL1E/nlykIarqDYtULuz 29 | =2Wxm 30 | -----END PGP MESSAGE----- 31 | fp: 1797E88B0B0CE9D2514A1C841F4200D33179FA67 32 | unencrypted_suffix: _unencrypted 33 | version: 3.7.1 34 | -------------------------------------------------------------------------------- /terraform/authentik/locals.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | # One-liners 3 | domain = data.sops_file.secrets.data["secret.domain"] 4 | proxy_id = authentik_provider_proxy.proxy["forward-domain"].id 5 | 6 | # Maps 7 | app = { 8 | authentik = { 9 | meta_description = "Authentik management" 10 | meta_launch_url = "https://auth.${local.domain}" 11 | meta_publisher = "auth.${local.domain}" 12 | }, 13 | calibre = {}, 14 | filebrowser = { 15 | meta_launch_url = "https://media.${local.domain}" 16 | meta_publisher = "media.${local.domain}" 17 | }, 18 | grafana = { 19 | meta_description = "Metrics visualization" 20 | }, 21 | mrryio = { 22 | meta_launch_url = "https://${local.domain}" 23 | meta_description = "Default application portal for all mrry.io services" 24 | meta_publisher = "${local.domain}" 25 | name = "${local.domain}" 26 | protocol_provider = "${local.proxy_id}" 27 | slug = "default" 28 | }, 29 | overseerr = { 30 | meta_launch_url = 
"https://requests.${local.domain}" 31 | meta_publisher = "requests.${local.domain}" 32 | }, 33 | prometheus = { 34 | meta_description = "Metrics database" 35 | }, 36 | prowlarr = {}, 37 | qb = {}, 38 | radarr = {}, 39 | readarr = {}, 40 | readarr-audio = {}, 41 | rook = { 42 | meta_description = "Rook Ceph management" 43 | }, 44 | sonarr = { 45 | meta_description = "PVR" 46 | } 47 | } 48 | flow = { 49 | default-authentication-flow = { 50 | background = "/static/dist/assets/images/flow_background.jpg" 51 | title = "Welcome to authentik!" 52 | name = "Welcome to authentik!" 53 | policy_engine_mode = "all" 54 | } 55 | } 56 | 57 | proxy = { 58 | forward-domain = { 59 | cookie_domain = "${local.domain}" 60 | mode = "forward_domain" 61 | } 62 | } 63 | } -------------------------------------------------------------------------------- /terraform/authentik/.secrets.yaml: -------------------------------------------------------------------------------- 1 | authentik: 2 | token: ENC[AES256_GCM,data:mbeCBX9WyiY4KkDYwIVNWSkydc+kUa/W8MJF3uid/XfKOSWGaEcwtMhblovtjmx/zBKot8J0WvIi7csyaNVpiBPekePAuRWCh1wS1+yZkjj1OtFjbtGqfPOcIebaJ8QTYh/S6tngdENcGmA+roK8wanZ2fuESbE0NLMGdZXfRRk=,iv:xJmwWlvENvHOuNaDF7aExJp7ZacdWPDk/I0lmyJsDyw=,tag:HoAxxyqKeJoLTophnwRd9g==,type:str] 3 | secret: 4 | domain: ENC[AES256_GCM,data:WE2htPPC1A==,iv:SlRXHgSBklc8jax7663Zkk0jcGbfMSWWgzpFDRuVVvo=,tag:4B2yr1zlOESBGGA2VnVcXA==,type:str] 5 | sops: 6 | kms: [] 7 | gcp_kms: [] 8 | azure_kv: [] 9 | hc_vault: [] 10 | age: [] 11 | lastmodified: "2022-03-01T00:20:15Z" 12 | mac: ENC[AES256_GCM,data:qmCRz4Q4Fi7DTIaRI5GiuVN6yY2rUV4tjzu52/gTydv4Y2WLGFZrCiEW1i+gTXy3PZq/tmhAMhoirEd8fxjBFT231jIwSDPcIagToWpO5fHOYnRqkbfT51EgIY1PQBFMcOeIz3PNsuR6cwbr+vmcOO145or6nYHo5MLp8qfSHUA=,iv:f9fWuCzliZ4bl4jH9TbaXMqcnEEqsE1HsE3bn2Pg90w=,tag:s2rEQOW6cO439L0B96oUNQ==,type:str] 13 | pgp: 14 | - created_at: "2021-05-24T20:09:14Z" 15 | enc: | 16 | -----BEGIN PGP MESSAGE----- 17 | 18 | hQGMA8mUYP7vXQBBAQwA4Dp0qTeJxDOUOVMjgCCKHvmXeftKoNkHROtUhs24u+hC 19 | 
yk9GY3TIqtvmY2QTgtOOfdusEiZdYE0U3//hQnXBWMfNTZNJGfFVBC4+FUWw6MYW 20 | ExG09K4HH76MKRqh1wNTTczlnse2wUc05iuqU3f5DV63wNDrBICJVqe8Fqrr/DNX 21 | Aqaxq0WpL6yAgbsbqqtCNZuyBFj/dvWH0rgP+PgHoQpK6aIeqeaM8MSl10QiRASN 22 | hMldC/BZtHnNEX9uYBKxFZDvQneCvF2qzpzjJr7iyl8txlP6mxAjw4UpCSlmszFL 23 | U2LlCa3/DyPRubrzN62mu9Eh/iDKCEBMaesdpMdpFx4i7tyN1/wMzBSyiz2jTcZQ 24 | enuA5AbZ6P5SuP80addeZ5A5BI+vRkLtgeqf7CM07k4WPoYU08waXS2CN8KASre2 25 | KmuZq/4f/DzjGpBLe00P76DV591cLpz2Xwlgv51/igGJMcXRMqxSxKBjrIyrjdCg 26 | glSMxATlSF3F9WA1L9iY0l4BiTG8k4dcHVrTmDk2YFZA6AlnXugz9kXitPmQoDBp 27 | MGTbePql0OQucFKyz5HKDHR5fYdcSORvfiuW1wDB8bk1IpBXtKBDKNceefaVwriX 28 | aL1E/nlykIarqDYtULuz 29 | =2Wxm 30 | -----END PGP MESSAGE----- 31 | fp: 1797E88B0B0CE9D2514A1C841F4200D33179FA67 32 | unencrypted_suffix: _unencrypted 33 | version: 3.7.1 34 |
-------------------------------------------------------------------------------- /cluster/apps/media/filebrowser/helm-release.yaml: --------------------------------------------------------------------------------
---
# Flux HelmRelease for filebrowser (k8s-at-home chart) in the media namespace.
# Security posture in one line: the app itself runs with authentication OFF
# (FB_NOAUTH) and is published in public DNS; the only login in front of it is
# the authentik forward-auth middleware on the ingress.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  # NOTE(review): "filebrowswer" is misspelled, but it is the release's
  # identity; renaming creates a new release object, so leave it unless the
  # release is being recreated anyway.
  name: filebrowswer
  namespace: media
spec:
  interval: 5m
  chart:
    spec:
      # Renovate marker: chart version below is bumped automatically from this registry.
      # renovate: registryUrl=https://k8s-at-home.com/charts/
      chart: filebrowser
      version: 1.2.0
      sourceRef:
        kind: HelmRepository
        name: k8s-at-home-charts
        namespace: flux-system
      interval: 5m
  values:
    image:
      repository: docker.io/filebrowser/filebrowser
      # Pinned by tag only (no digest), so the pull trusts whatever the registry
      # currently serves for this tag.
      tag: v2.21.1
    env:
      TZ: "America/New_York"
      # Database lives under /config, which is backed by the filebrowser-config
      # claim in persistence below (presumably mounted at /config by the chart - confirm).
      FB_DATABASE: "/config/filebrowser.db"
      # Served root matches the media mountPath below.
      FB_ROOT: "/media"
      FB_LOG: "stdout"
      # Disables filebrowser's own login entirely. Every request that reaches the
      # container is treated as authenticated, so access control depends solely
      # on the traefik middleware annotation on the ingress. Anything that can
      # reach the Service port directly (e.g. from inside the cluster) is not
      # covered by that middleware.
      FB_NOAUTH: "true"
    service:
      main:
        ports:
          http:
            # Plain HTTP inside the cluster; TLS terminates at traefik.
            port: 80
    ingress:
      main:
        enabled: true
        ingressClassName: "traefik"
        annotations:
          # Public DNS record is created for this host (is-public) and pointed at
          # ipv4.${SECRET_DOMAIN}, i.e. the service is reachable from the Internet.
          external-dns/is-public: "true"
          external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}"
          hajimari.io/enable: "true"
          hajimari.io/icon: "folder"
          traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
          # Authentik forward-auth (Middleware "authentik" in the networking
          # namespace) is the single authentication gate for this app because of
          # FB_NOAUTH above. Dropping or misnaming this annotation would publish
          # the /media share without any login.
          traefik.ingress.kubernetes.io/router.middlewares: "networking-authentik@kubernetescrd"
        hosts:
          - host: "media.${SECRET_DOMAIN}"
            paths:
              - path: /
                pathType: Prefix
        tls:
          # No secretName given, so traefik serves its default certificate for
          # this host (presumably a wildcard for ${SECRET_DOMAIN} - confirm).
          - hosts:
              - "media.${SECRET_DOMAIN}"
    persistence:
      config:
        enabled: true
        existingClaim: filebrowser-config
      media:
        enabled: true
        # NFS-backed media share exposed read/write through filebrowser.
        existingClaim: nfs-media-nas-pvc
        mountPath: /media
    podSecurityContext:
      supplementalGroups:
        # gid 100 added to the process so it can access the NFS share
        # (presumably the export's group - confirm against the NAS export).
        - 100
    resources:
      requests:
        memory: 250Mi
        cpu: 500m
      limits:
        # Memory limit only; no CPU limit is set.
        memory: 500Mi
-------------------------------------------------------------------------------- /cluster/apps/networking/.unifi/helm-release.yaml: --------------------------------------------------------------------------------
---
# Flux HelmRelease for the UniFi network controller (k8s-at-home chart) in the
# networking namespace. Exposed two ways: a dedicated LoadBalancer address for
# device adoption/inform traffic, and a traefik ingress for the web UI.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: unifi
  namespace: networking
spec:
  interval: 5m
  chart:
    spec:
      # Renovate marker: chart version below is bumped automatically from this registry.
      # renovate: registryUrl=https://k8s-at-home.com/charts/
      chart: unifi
      version: 4.8.0
      sourceRef:
        kind: HelmRepository
        name: k8s-at-home-charts
        namespace: flux-system
      interval: 5m
  values:
    image:
      repository: jacobalberty/unifi
      # Pinned by tag only (no digest).
      tag: v7.1.61

    env:
      TZ: "America/New_York"

    service:
      main:
        # Dedicated LB address so devices can talk to the controller directly,
        # not only through the ingress.
        type: LoadBalancer
        annotations:
          # coredns.io/hostname: unifi
          # Tells traefik to speak HTTPS to the backend (the controller's UI
          # port is TLS-only), instead of plain HTTP.
          traefik.ingress.kubernetes.io/service.serversscheme: https
        loadBalancerIP: ${SVC_UNIFI_ADDR}
        # Local policy keeps the real client source IP, so the controller sees
        # device addresses rather than a node SNAT address.
        externalTrafficPolicy: Local

    ingress:
      main:
        enabled: true
        ingressClassName: "traefik"
        annotations:
          # cert-manager issuer is disabled, so no per-host certificate is
          # requested; the tls block below therefore relies on traefik's default cert.
          # cert-manager.io/cluster-issuer: letsencrypt-production
          # external-dns target is disabled: this manifest creates no public DNS
          # record for unifi.${SECRET_DOMAIN} (presumably resolved internally).
          # Not publishing DNS is not an access control, though - see next note.
          # external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN}
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
          # NOTE(review): the RFC1918 allow-list middleware is commented out, so
          # the websecure entrypoint will serve this host to any client that
          # reaches traefik with the right Host header. Re-enable it (or an
          # equivalent auth middleware) if the entrypoint is reachable from
          # outside the LAN.
          # traefik.ingress.kubernetes.io/router.middlewares: system-ingress-rfc1918-ips@kubernetescrd

        hosts:
          - host: unifi.${SECRET_DOMAIN}
            paths:
              - path: /

        tls:
          # No secretName, so traefik's default certificate is used for this host.
          - hosts:
              - unifi.${SECRET_DOMAIN}

    resources:
      requests:
        cpu: "0.02"
        memory: "1024M"
      limits:
        # Memory limit only; no CPU limit is set.
        memory: "1536M"

    persistence:
      data:
        enabled: true
        existingClaim: unifi-config

    mongodb:
      enabled: true
      architecture: standalone
      auth:
        # NOTE(review): MongoDB runs with no authentication at all. It is only
        # as protected as network reachability of its Service inside the
        # cluster (no NetworkPolicy is shown here). Enabling auth with a
        # credential secret is the usual hardening; confirm the subchart's
        # auth values and the controller's DB URL handling before changing it.
        enabled: false
      persistence:
        enabled: true
        existingClaim: unifi-mongodb
--------------------------------------------------------------------------------
