├── .devcontainer └── devcontainer.json ├── .github ├── CODEOWNERS ├── labeler.yaml ├── labels.yaml └── workflows │ ├── flux-local.yaml │ ├── flux-local.yaml.orig │ ├── image-pull-extract-pull.yaml │ ├── image-pull.yaml │ ├── label-sync.yaml │ ├── labeler.yaml │ └── renovate.yaml ├── .gitignore ├── .renovate ├── autoMerge.json5 ├── customManagers.json5 ├── groups.json5 ├── infraPackages.json5 ├── labels.json5 └── semanticCommits.json5 ├── .renovaterc.json5 ├── .taskfiles └── talos │ ├── resources │ ├── op.env │ └── talsecret.yaml │ └── taskfile.yaml ├── README.md ├── Taskfile.yaml ├── apps └── home-automation │ ├── homeassistant │ ├── deployment.yaml │ ├── ingress.yaml │ ├── kustomization.yaml │ ├── pvc.yaml │ └── service.yaml │ ├── mosquitto │ ├── deployment.yaml │ ├── externalsecret.yaml │ ├── files │ │ └── mosquitto.conf │ ├── kustomization.yaml │ ├── pvc.yaml │ └── service.yaml │ └── rtl_433 │ ├── autodiscovery │ ├── deployment.yaml │ ├── externalsecret.yaml │ ├── kustomization.yaml │ └── script.yaml │ ├── base │ ├── deployment.yaml │ ├── externalsecret.yaml │ ├── files │ │ └── rtl_433.conf │ └── kustomization.yaml │ └── rtl915 │ └── kustomization.yaml ├── bootstrap.sh ├── kubernetes ├── apps │ ├── actions-runner-controller │ │ ├── app │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── runners │ │ │ └── infra │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── rbac.yaml │ ├── cert-manager │ │ ├── app │ │ │ ├── helm │ │ │ │ ├── kustomizeconfig.yaml │ │ │ │ └── values.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── issuers │ │ │ ├── externalsecret.yaml │ │ │ ├── issuers.yaml │ │ │ └── kustomization.yaml │ ├── descheduler │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── devices │ │ ├── generic-device-plugin │ │ │ ├── device-plugin.yaml │ │ │ └── kustomization.yaml │ │ ├── intel-device-plugin │ │ │ ├── gpu │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── 
operator │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ └── node-feature-discovery │ │ │ ├── controller │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ │ └── rules │ │ │ ├── intel-gpu.yaml │ │ │ └── kustomization.yaml │ ├── flux │ │ ├── instance │ │ │ ├── helm │ │ │ │ ├── kustomizeconfig.yaml │ │ │ │ └── values.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── webhook │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── httproute.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── receiver.yaml │ │ └── operator │ │ │ ├── helm │ │ │ ├── kustomizeconfig.yaml │ │ │ └── values.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ ├── golink │ │ ├── deployment.yaml │ │ ├── kustomization.yaml │ │ └── pvc.yaml │ ├── home-automation │ │ ├── esphome │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── scrypted │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── zigbee │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ ├── it-tools │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── kubelet-csr-approver │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ ├── kustomizeconfig.yaml │ │ └── values.yaml │ ├── media │ │ ├── emby │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── jellyfin │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── prowlarr │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── radarr │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── recyclarr │ │ │ ├── config │ │ │ │ └── recyclarr.yml │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── sabnzbd │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── sonarr │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ ├── netbox │ │ ├── storage-bucket.yaml │ │ └── values.yaml │ ├── 
networking │ │ ├── cilium │ │ │ ├── app │ │ │ │ ├── helm │ │ │ │ │ ├── kustomizeconfig.yaml │ │ │ │ │ └── values.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ ├── httproute.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── gateway-config │ │ │ │ ├── clusterip-gwclass.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── tailscale-gwclass.yaml │ │ ├── cloudflare-tunnel │ │ │ ├── dnsendpoint.yaml │ │ │ ├── externalsecret.yaml │ │ │ ├── files │ │ │ │ └── config.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── external-dns │ │ │ ├── cloudflare-tunnel │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── cloudflare │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ ├── gateway │ │ │ ├── certificates.yaml │ │ │ ├── gw-external.yaml │ │ │ ├── gw-media-mgmt.yaml │ │ │ ├── gw-tailscale.yaml │ │ │ ├── kustomization.yaml │ │ │ └── redirect.yaml │ │ ├── metallb │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── multus │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── tailscale-operator │ │ │ ├── dashboard │ │ │ └── tailscale.json │ │ │ ├── operator │ │ │ ├── externalsecret.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ │ └── proxyclass │ │ │ ├── kustomization.yaml │ │ │ └── proxyclass.yaml │ ├── observability │ │ ├── grafana │ │ │ ├── app │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── instance │ │ │ │ ├── dashboard.yaml │ │ │ │ ├── externalsecret.yaml │ │ │ │ ├── grafana.yaml │ │ │ │ ├── httproute.yaml │ │ │ │ └── kustomization.yaml │ │ │ └── operator │ │ │ │ ├── helmrelease.yaml │ │ │ │ └── kustomization.yaml │ │ ├── metrics-server │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── prometheus-operator-crds │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── victoria-logs │ │ │ ├── grafana-datasource.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── 
kustomization.yaml │ │ └── victoria-metrics │ │ │ ├── k8s-stack │ │ │ ├── helm │ │ │ │ ├── kustomizeconfig.yaml │ │ │ │ └── values.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── httproute.yaml │ │ │ └── kustomization.yaml │ │ │ └── operator-crds │ │ │ ├── helm │ │ │ ├── kustomizeconfig.yaml │ │ │ └── values.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ ├── reloader │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── secrets │ │ ├── external-secrets │ │ │ ├── helm │ │ │ │ ├── kustomizeconfig.yaml │ │ │ │ └── values.yaml │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── onepassword │ │ │ ├── connect │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ │ └── store │ │ │ ├── clustersecretstore.yaml │ │ │ └── kustomization.yaml │ ├── spegel │ │ ├── helm │ │ │ ├── kustomizeconfig.yaml │ │ │ └── values.yaml │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── storage │ │ └── rook-ceph │ │ │ ├── cluster │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ │ └── operator │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ └── system-upgrade-controller │ │ ├── app │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── rbac.yaml │ │ └── plans │ │ ├── kubernetes.yaml │ │ ├── kustomization.yaml │ │ └── talos.yaml ├── clusters │ ├── atlantis-k8s01 │ │ ├── apps │ │ │ ├── actions-runner-system │ │ │ │ ├── actions-infra-runner.yaml │ │ │ │ ├── actions-runner-controller.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── cert-manager │ │ │ │ ├── cert-manager.yaml │ │ │ │ ├── issuers.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── external-dns │ │ │ │ ├── cloudflare.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── external-secrets │ │ │ │ ├── external-secrets.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ └── onepassword-connect.yaml │ │ │ ├── flux-system │ │ │ │ ├── flux-instance.yaml │ │ │ │ ├── flux-operator.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── gateway │ │ │ │ ├── certificates.yaml │ │ │ │ ├── gateways.yaml │ │ │ │ └── 
kustomization.yaml │ │ │ ├── it-tools │ │ │ │ ├── it-tools.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── kube-system │ │ │ │ ├── cilium-gw-config.yaml │ │ │ │ ├── cilium.yaml │ │ │ │ ├── descheduler.yaml │ │ │ │ ├── generic-device-plugin.yaml │ │ │ │ ├── intel-device-plugin.yaml │ │ │ │ ├── kubelet-csr-approver.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── metrics-server.yaml │ │ │ │ ├── multus.yaml │ │ │ │ ├── node-feature-discovery.yaml │ │ │ │ └── reloader.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── media │ │ │ │ ├── emby.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── prowlarr.yaml │ │ │ │ ├── radarr.yaml │ │ │ │ ├── recyclarr.yaml │ │ │ │ ├── recyclarr │ │ │ │ │ ├── config │ │ │ │ │ │ └── recyclarr.yml │ │ │ │ │ └── kustomization.yaml │ │ │ │ ├── sabnzbd.yaml │ │ │ │ ├── sonarr-anime.yaml │ │ │ │ └── sonarr.yaml │ │ │ ├── observability │ │ │ │ ├── grafana-instance.yaml │ │ │ │ ├── grafana-operator.yaml │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── prometheus-operator-crds.yaml │ │ │ │ ├── victoria-logs.yaml │ │ │ │ ├── vm-k8s-stack.yaml │ │ │ │ └── vm-operator-crds.yaml │ │ │ ├── rook-ceph │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── rook-ceph-cluster.yaml │ │ │ │ └── rook-ceph.yaml │ │ │ ├── spegel │ │ │ │ ├── kustomization.yaml │ │ │ │ └── spegel.yaml │ │ │ ├── system-upgrade │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── system-upgrade-controller-plans.yaml │ │ │ │ └── system-upgrade-controller.yaml │ │ │ └── tailscale │ │ │ │ ├── kustomization.yaml │ │ │ │ ├── routers │ │ │ │ ├── kustomization.yaml │ │ │ │ └── router.yaml │ │ │ │ ├── tailscale-operator.yaml │ │ │ │ ├── tailscale-proxyclass.yaml │ │ │ │ └── tailscale-routers.yaml │ │ ├── flux │ │ │ └── apps.yaml │ │ └── talos │ │ │ └── talconfig.yaml │ └── fairy-k8s01 │ │ ├── apps │ │ ├── actions-runner-system │ │ │ ├── actions-infra-runner.yaml │ │ │ ├── actions-runner-controller.yaml │ │ │ └── kustomization.yaml │ │ ├── cert-manager │ │ │ ├── cert-manager.yaml │ │ │ ├── issuers.yaml │ │ │ └── kustomization.yaml 
│ │ ├── cloudflare-tunnel │ │ │ ├── cloudflare-tunnel.yaml │ │ │ ├── externalsecret.yaml │ │ │ └── kustomization.yaml │ │ ├── external-dns │ │ │ ├── cloudflare-tunnel.yaml │ │ │ ├── cloudflare.yaml │ │ │ └── kustomization.yaml │ │ ├── external-secrets │ │ │ ├── external-secrets.yaml │ │ │ ├── kustomization.yaml │ │ │ └── onepassword-connect.yaml │ │ ├── flux-system │ │ │ ├── flux-instance.yaml │ │ │ ├── flux-operator.yaml │ │ │ └── kustomization.yaml │ │ ├── gateway │ │ │ ├── gateways.yaml │ │ │ └── kustomization.yaml │ │ ├── golink │ │ │ ├── golink.yaml │ │ │ └── kustomization.yaml │ │ ├── home-automation │ │ │ ├── esphome.yaml │ │ │ ├── homeassistant.yaml │ │ │ ├── homeassistant │ │ │ │ ├── files │ │ │ │ │ └── mqtt.yaml │ │ │ │ └── kustomization.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── mosquitto.yaml │ │ │ ├── rtl-autodiscovery.yaml │ │ │ ├── rtl915.yaml │ │ │ ├── scrypted.yaml │ │ │ └── zigbee.yaml │ │ ├── kube-system │ │ │ ├── cilium-gw-config.yaml │ │ │ ├── cilium.yaml │ │ │ ├── descheduler.yaml │ │ │ ├── generic-device-plugin.yaml │ │ │ ├── intel-device-plugin.yaml │ │ │ ├── kubelet-csr-approver.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── metrics-server.yaml │ │ │ ├── multus.yaml │ │ │ ├── node-feature-discovery.yaml │ │ │ └── reloader.yaml │ │ ├── kustomization.yaml │ │ ├── media │ │ │ ├── emby.yaml │ │ │ ├── jellyfin.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── prowlarr.yaml │ │ │ ├── radarr.yaml │ │ │ ├── recyclarr.yaml │ │ │ ├── sabnzbd.yaml │ │ │ ├── sonarr.yaml │ │ │ └── vault01-store01.yaml │ │ ├── observability │ │ │ ├── grafana-instance.yaml │ │ │ ├── grafana-operator.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── prometheus-operator-crds.yaml │ │ │ ├── victoria-logs.yaml │ │ │ ├── vm-k8s-stack.yaml │ │ │ └── vm-operator-crds.yaml │ │ ├── rook-ceph │ │ │ ├── kustomization.yaml │ │ │ ├── rook-ceph-cluster.yaml │ │ │ └── rook-ceph.yaml │ │ ├── spegel │ │ │ ├── kustomization.yaml │ │ │ └── spegel.yaml │ │ ├── system-upgrade │ │ │ ├── kustomization.yaml │ 
│ │ ├── system-upgrade-controller-plans.yaml │ │ │ └── system-upgrade-controller.yaml │ │ └── tailscale │ │ │ ├── kustomization.yaml │ │ │ ├── routers │ │ │ ├── kustomization.yaml │ │ │ └── router.yaml │ │ │ ├── tailscale-operator.yaml │ │ │ ├── tailscale-proxyclass.yaml │ │ │ └── tailscale-routers.yaml │ │ ├── flux │ │ └── apps.yaml │ │ └── talos │ │ └── talconfig.yaml └── components │ ├── common │ ├── github-status │ │ ├── alert.yaml │ │ ├── externalsecret.yaml │ │ ├── kustomization.yaml │ │ └── provider.yaml │ ├── infra-info-cluster.yaml │ ├── kustomization.yaml │ ├── namespace.yaml │ └── repos │ │ ├── app-template.yaml │ │ └── kustomization.yaml │ └── flux-post-build-variables │ └── kustomization.yaml ├── monitoring ├── speedtest-den.yaml └── speedtest-tx-att.yaml └── scripts └── install-gateway-api-crds.sh /.devcontainer/devcontainer.json: -------------------------------------------------------------------------------- 1 | // For format details, see https://aka.ms/devcontainer.json. For config options, see the 2 | // README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu 3 | { 4 | "name": "Ubuntu", 5 | "image": "mcr.microsoft.com/devcontainers/base:jammy", 6 | "features": { 7 | "ghcr.io/devcontainers/features/kubectl-helm-minikube:1": { 8 | "minikube": "none" 9 | }, 10 | "ghcr.io/jsburckhardt/devcontainer-features/flux:1": {}, 11 | "ghcr.io/devcontainers-extra/features/helmfile:1": {} 12 | } 13 | // Features to add to the dev container. More info: https://containers.dev/features. 14 | // "features": {}, 15 | // Use 'forwardPorts' to make a list of ports inside the container available locally. 16 | // "forwardPorts": [], 17 | // Use 'postCreateCommand' to run commands after the container is created. 18 | // "postCreateCommand": "uname -a", 19 | // Configure tool-specific properties. 20 | // "customizations": {}, 21 | // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root. 
22 | // "remoteUser": "root" 23 | } 24 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # Ref: https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners 2 | * @nicolerenee 3 | -------------------------------------------------------------------------------- /.github/labeler.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | area/bootstrap: 3 | - changed-files: 4 | - any-glob-to-any-file: "bootstrap/**/*" 5 | area/docs: 6 | - changed-files: 7 | - any-glob-to-any-file: 8 | - "README.md" 9 | area/github: 10 | - changed-files: 11 | - any-glob-to-any-file: ".github/**/*" 12 | area/kubernetes: 13 | - changed-files: 14 | - any-glob-to-any-file: 15 | - "apps/**/*" 16 | - "kubernetes/**/*" 17 | area/renovate: 18 | - changed-files: 19 | - any-glob-to-any-file: 20 | - ".renovate/**/*" 21 | - ".renovaterc.json5" 22 | area/scripts: 23 | - changed-files: 24 | - any-glob-to-any-file: "scripts/**/*" 25 | area/talos: 26 | - changed-files: 27 | - any-glob-to-any-file: "kubernetes/clusters/*/talos/**/*" 28 | area/taskfile: 29 | - changed-files: 30 | - any-glob-to-any-file: 31 | - ".taskfiles/**/*" 32 | - "Taskfile.yaml" 33 | -------------------------------------------------------------------------------- /.github/labels.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Areas 3 | - name: area/bootstrap 4 | color: "0e8a16" 5 | - name: area/docs 6 | color: "0e8a16" 7 | - name: area/github 8 | color: "0e8a16" 9 | - name: area/kubernetes 10 | color: "0e8a16" 11 | - name: area/renovate 12 | color: "0e8a16" 13 | - name: area/scripts 14 | color: "0e8a16" 15 | - name: area/talos 16 | color: "0e8a16" 17 | - name: area/taskfile 18 | color: "0e8a16" 19 | # Renovate Types 20 | - name: renovate/container 21 | color: "027fa0" 
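- name: renovate/github-action
  color: "027fa0"
- name: renovate/grafana-dashboard
  color: "027fa0"
- name: renovate/github-release
  color: "027fa0"
- name: renovate/helm
  color: "027fa0"
- name: renovate/infra/kubernetes
  color: "027fa0"
- name: renovate/infra/talos
  color: "027fa0"
# Semantic Types
- name: type/digest
  color: "ffeC19"
- name: type/patch
  color: "ffeC19"
- name: type/minor
  color: "ff9800"
- name: type/major
  color: "f6412d"
# Uncategorized
- name: community
  color: "370fb2"
- name: hold
  color: "ee0701"
--------------------------------------------------------------------------------
/.github/workflows/label-sync.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
# Keeps the repository's label set identical to .github/labels.yaml. Runs when that
# file changes on main, on demand, and once a day. It also DELETES any label that is
# not listed in the file (delete-other-labels below).
name: Label Sync

on:
  workflow_dispatch:
  push:
    branches: ["main"]
    paths: [".github/labels.yaml"]
  schedule:
    - cron: "0 0 * * *" # Every day at midnight

# Labels are managed through the issues API; this is the only grant the job needs.
permissions:
  issues: write

jobs:
  main:
    name: Label Sync - Sync Labels
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Actions are pinned to a commit SHA; Renovate keeps the `# vX.Y.Z` comment in
        # sync (helpers:pinGitHubActionDigests in .renovaterc.json5).
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Only the label file is needed from the tree.
          sparse-checkout: .github/labels.yaml

      - name: Sync Labels
        uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
        with:
          config-file: .github/labels.yaml
          # Destructive: labels created by hand in the UI disappear on the next run.
          delete-other-labels: true
--------------------------------------------------------------------------------
/.github/workflows/labeler.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
# Applies the area/* labels defined in .github/labeler.yaml to pull requests.
#
# pull_request_target runs in the context of the base branch with access to this
# repository's secrets (BOT_APP_PRIVATE_KEY). That is only acceptable because no code
# from the PR head is ever checked out or executed here -- keep it that way: do not add
# an actions/checkout of the PR ref to this workflow.
name: Labeler

on:
  workflow_dispatch:
  pull_request_target:
    branches: ["main"]

# Neither step uses the default GITHUB_TOKEN (labeling is done with the App token
# minted below), so strip its default grants entirely.
permissions: {}

jobs:
  main:
    name: Labeler - Labeler
    runs-on: ubuntu-latest
    # Same-repository PRs only: a PR from a fork must not trigger this privileged
    # workflow. Note the same condition also skips workflow_dispatch runs, which carry
    # no pull_request payload.
    if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
    steps:
      - name: Generate Token
        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
        id: app-token
        with:
          app-id: "${{ vars.BOT_APP_ID }}"
          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"

      - name: Labeler
        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
        with:
          # Short-lived installation token from the step above, not GITHUB_TOKEN.
          repo-token: "${{ steps.app-token.outputs.token }}"
          configuration-path: .github/labeler.yaml
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
.task

# Rendered Talos machine configs (talhelper's output directory) and the
# kubeconfig/talosconfig produced from them. These carry the cluster key material
# templated from .taskfiles/talos/resources/talsecret.yaml plus admin credentials;
# they must never be committed.
/**/talos/clusterconfig/
kubeconfig*
talosconfig*
--------------------------------------------------------------------------------
/.renovate/autoMerge.json5:
--------------------------------------------------------------------------------
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  // Every rule below uses automergeType "pr" with ignoreTests: false, so a PR only
  // merges after the required status checks (e.g. the flux-local workflow) pass.
  // The `/.../` entries in matchPackageNames are UNANCHORED regular expressions:
  // "/home-operations/" matches any package name that merely contains that string.
  packageRules: [
    {
      // Digest-only bumps of already-pinned images. No minimumReleaseAge here: the
      // new digest is trusted as soon as CI is green, which is the supply-chain
      // trade-off being made for this publisher.
      description: "Auto-merge trusted container digests",
      matchDatasources: ["docker"],
      automerge: true,
      automergeType: "pr",
      matchUpdateTypes: ["digest"],
      matchPackageNames: ["/home-operations/"],
      ignoreTests: false,
    },
    {
      description: "Auto-merge OCI Charts",
      matchDatasources: ["docker"],
      automerge: true,
      automergeType: "pr",
      matchUpdateTypes: ["minor", "patch"],
      matchPackageNames: ["/kube-prometheus-stack/"],
      ignoreTests: false,
    },
    {
      // Actions are SHA-pinned (see .renovaterc.json5); the 3-day cooldown gives
      // upstream time to pull a bad release before it is merged here.
      description: "Auto-merge GitHub Actions",
      matchManagers: ["github-actions"],
      automerge: true,
      automergeType: "pr",
      matchUpdateTypes: ["minor", "patch", "digest"],
      minimumReleaseAge: "3 days",
      ignoreTests: false,
    },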
{ 32 | description: "Auto-merge GitHub Releases", 33 | matchDatasources: ["github-releases"], 34 | automerge: true, 35 | automergeType: "pr", 36 | matchUpdateTypes: ["minor", "patch"], 37 | matchPackageNames: [ 38 | "/external-dns/", 39 | "/gateway-api/", 40 | "/prometheus-operator/", 41 | ], 42 | ignoreTests: false, 43 | }, 44 | ], 45 | } 46 | -------------------------------------------------------------------------------- /.renovate/customManagers.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | customManagers: [ 4 | { 5 | customType: "regex", 6 | description: "Process annotated dependencies", 7 | fileMatch: [ 8 | "(^|/).+\\.env$", 9 | "(^|/).+\\.sh$", 10 | "(^|/).+\\.ya?ml(?:\\.j2)?$", 11 | ], 12 | matchStrings: [ 13 | // # renovate: datasource=github-releases depName=k3s-io/k3s 14 | // k3s_release_version: &version v1.29.0+k3s1 15 | // # renovate: datasource=helm depName=cilium repository=https://helm.cilium.io 16 | // version: 1.15.1 17 | // # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet 18 | // KUBERNETES_VERSION=v1.31.1 19 | "datasource=(?\\S+) depName=(?\\S+)( repository=(?\\S+))?\\n.+(:\\s|=)(&\\S+\\s)?(?\\S+)", 20 | // # renovate: datasource=docker depName=ghcr.io/prometheus-operator/prometheus-operator 21 | // https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.80.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml 22 | "datasource=(?\\S+) depName=(?\\S+)\\n.+/(?(v|\\d)[^/]+)", 23 | ], 24 | datasourceTemplate: "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}", 25 | }, 26 | ], 27 | } 28 | -------------------------------------------------------------------------------- /.renovate/labels.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | 
packageRules: [ 4 | { 5 | matchUpdateTypes: ["major"], 6 | labels: ["type/major"], 7 | }, 8 | { 9 | matchUpdateTypes: ["minor"], 10 | labels: ["type/minor"], 11 | }, 12 | { 13 | matchUpdateTypes: ["patch"], 14 | labels: ["type/patch"], 15 | }, 16 | { 17 | matchUpdateTypes: ["digest"], 18 | labels: ["type/digest"], 19 | }, 20 | { 21 | matchDatasources: ["docker"], 22 | addLabels: ["renovate/container"], 23 | }, 24 | { 25 | matchDatasources: ["helm"], 26 | addLabels: ["renovate/helm"], 27 | }, 28 | { 29 | matchManagers: ["github-actions"], 30 | addLabels: ["renovate/github-action"], 31 | }, 32 | { 33 | matchDatasources: ["github-releases"], 34 | addLabels: ["renovate/github-release"], 35 | }, 36 | { 37 | matchPackageNames: ["ghcr.io/siderolabs/kubelet"], 38 | addLabels: ["renovate/infra/kubernetes"], 39 | }, 40 | { 41 | matchPackageNames: ["ghcr.io/siderolabs/installer"], 42 | addLabels: ["renovate/infra/talos"], 43 | }, 44 | ], 45 | } 46 | -------------------------------------------------------------------------------- /.renovaterc.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: 'https://docs.renovatebot.com/renovate-schema.json', 3 | reviewers: [ 4 | '@nicolerenee', 5 | ], 6 | extends: [ 7 | 'config:recommended', 8 | 'docker:enableMajor', 9 | 'helpers:pinGitHubActionDigests', 10 | 'github>nicolerenee/infra//.renovate/autoMerge.json5', 11 | 'github>nicolerenee/infra//.renovate/customManagers.json5', 12 | 'github>nicolerenee/infra//.renovate/groups.json5', 13 | 'github>nicolerenee/infra//.renovate/labels.json5', 14 | 'github>nicolerenee/infra//.renovate/semanticCommits.json5', 15 | ':automergeBranch', 16 | ':disableRateLimiting', 17 | ':dependencyDashboard', 18 | ':semanticCommits', 19 | ':timezone(America/Chicago)', 20 | 'github>nicolerenee/infra//.renovate/infraPackages.json5', 21 | ], 22 | rebaseWhen: 'behind-base-branch', 23 | dependencyDashboardTitle: 'Renovate Dashboard 🤖', 24 | flux: { 25 | 
    managerFilePatterns: [
      '/(^|/)apps/.+\\.ya?ml$/',
      '/(^|/)kubernetes/.+\\.ya?ml$/',
    ],
  },
  'helm-values': {
    managerFilePatterns: [
      '/(^|/)apps/.+\\.ya?ml$/',
      '/(^|/)kubernetes/.+\\.ya?ml$/',
    ],
  },
  kubernetes: {
    managerFilePatterns: [
      '/(^|/)apps/.+\\.ya?ml$/',
      '/(^|/)kubernetes/.+\\.ya?ml$/',
    ],
    // Flux's own bootstrap manifests are managed by the flux-operator, not Renovate.
    ignorePaths: [
      'kubernetes/**/flux-system/**',
    ],
  },
}
--------------------------------------------------------------------------------
/.taskfiles/talos/resources/op.env:
--------------------------------------------------------------------------------
talos_cluster_id="op://$VAULT/${CLUSTER}-talos/cluster/id"
talos_cluster_secret="op://$VAULT/${CLUSTER}-talos/cluster/secret"
talos_secrets_bootstraptoken="op://$VAULT/${CLUSTER}-talos/secrets/bootstrap_token"
talos_secrets_secretboxencryptionsecret="op://$VAULT/${CLUSTER}-talos/secrets/secretbox_encryption_secret"
talos_trustdinfo_token="op://$VAULT/${CLUSTER}-talos/trustdinfo/token"
talos_certs_etcd_crt="op://$VAULT/${CLUSTER}-talos/certs_etcd/cert"
talos_certs_etcd_key="op://$VAULT/${CLUSTER}-talos/certs_etcd/key"
talos_certs_k8s_crt="op://$VAULT/${CLUSTER}-talos/certs_k8s/cert"
talos_certs_k8s_key="op://$VAULT/${CLUSTER}-talos/certs_k8s/key"
talos_certs_k8saggregator_crt="op://$VAULT/${CLUSTER}-talos/certs_k8saggregator/cert"
talos_certs_k8saggregator_key="op://$VAULT/${CLUSTER}-talos/certs_k8saggregator/key"
talos_certs_k8sserviceaccount_key="op://$VAULT/${CLUSTER}-talos/certs_k8sserviceaccount/key"
talos_certs_os_crt="op://$VAULT/${CLUSTER}-talos/certs_os/cert"
talos_certs_os_key="op://$VAULT/${CLUSTER}-talos/certs_os/key"
--------------------------------------------------------------------------------
/.taskfiles/talos/resources/talsecret.yaml:
--------------------------------------------------------------------------------
# Template for the Talos cluster secrets bundle. Every value is a ${...} placeholder
# whose name matches an entry in op.env, so the real material (CA keys, bootstrap and
# trustd tokens, the secretbox key) is fetched from 1Password at render time --
# presumably by the tasks in .taskfiles/talos/taskfile.yaml -- and never lives in git.
# The rendered output is covered by .gitignore (talos/clusterconfig/); do not commit it.
cluster:
  id: "${talos_cluster_id}"
  secret: "${talos_cluster_secret}"
secrets:
  bootstraptoken: "${talos_secrets_bootstraptoken}"
  secretboxencryptionsecret: "${talos_secrets_secretboxencryptionsecret}"
trustdinfo:
  token: "${talos_trustdinfo_token}"
certs:
  etcd:
    crt: "${talos_certs_etcd_crt}"
    key: "${talos_certs_etcd_key}"
  k8s:
    crt: "${talos_certs_k8s_crt}"
    key: "${talos_certs_k8s_key}"
  k8saggregator:
    crt: "${talos_certs_k8saggregator_crt}"
    key: "${talos_certs_k8saggregator_key}"
  k8sserviceaccount:
    key: "${talos_certs_k8sserviceaccount_key}"
  os:
    crt: "${talos_certs_os_crt}"
    key: "${talos_certs_os_key}"
--------------------------------------------------------------------------------
/Taskfile.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
# Root Taskfile: defines the path variables shared by the included task groups and a
# default task that lists what is available. CLUSTER is expected from the caller.
version: "3"

vars:
  KUBERNETES_ROOT: "{{.ROOT_DIR}}/kubernetes"
  CLUSTER_ROOT: "{{.KUBERNETES_ROOT}}/clusters/{{.CLUSTER}}"

includes:
  talos: .taskfiles/talos/taskfile.yaml

tasks:
  default:
    silent: true
    cmds:
      - task --list
--------------------------------------------------------------------------------
/apps/home-automation/homeassistant/deployment.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: homeassistant
spec:
  replicas: 1
  revisionHistoryLimit: 3
  # /config is a ReadWriteOnce PVC (pvc.yaml); Recreate avoids two pods contending
  # for it during a rollout.
  strategy:
    type: Recreate
  template:
    spec:
      # The pod shares the node's network namespace -- presumably for mDNS/SSDP
      # device discovery (confirm). Security consequences: port 8123 is reachable on
      # every node IP, bypassing the ClusterIP Service and any NetworkPolicy, and the
      # pod can observe the node's traffic. Access is therefore governed by whatever
      # reaches the node network, not by the tailscale Ingress alone.
      hostNetwork: true
      containers:
        - name: homeassistant
          # Version-pinned, not digest-pinned; Renovate (docker:enableMajor) bumps it.
          image: ghcr.io/home-assistant/home-assistant:2025.5.3
          ports:
            - name: http
              containerPort: 8123
          resources:
            limits:
              memory: "8Gi"
              cpu: "4"
            requests:
              memory: "512Mi"
              cpu: "500m"
          volumeMounts:
            - mountPath: /config
              name: homeassistant-config
      # NOTE(review): no securityContext is set, so the container runs with the
      # image's default user and capabilities. Given hostNetwork, verify that the
      # image's defaults are acceptable or add runAsNonRoot/drop-capabilities where
      # the application tolerates it.
      restartPolicy: Always
      volumes:
        - name: homeassistant-config
          persistentVolumeClaim:
            claimName: homeassistant-config
--------------------------------------------------------------------------------
/apps/home-automation/homeassistant/ingress.yaml:
--------------------------------------------------------------------------------
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: homeassistant
spec:
  defaultBackend:
    service:
      name: homeassistant
      port:
        name: http
  # Published only on the tailnet via the Tailscale operator; not reachable from the
  # public internet through this object. The tls host is presumably used as the
  # MagicDNS name for the proxy (confirm against the operator docs).
  ingressClassName: tailscale
  tls:
    - hosts:
        - fairy-ha
--------------------------------------------------------------------------------
/apps/home-automation/homeassistant/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# includeSelectors adds the label to the Deployment selector and the Service
# selector as well, which is what wires the Service to the pod.
labels:
  - includeSelectors: true
    pairs:
      app.kubernetes.io/name: homeassistant

resources:
  - pvc.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
--------------------------------------------------------------------------------
/apps/home-automation/homeassistant/pvc.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: homeassistant-config
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 50Gi
--------------------------------------------------------------------------------
/apps/home-automation/homeassistant/service.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Service
metadata:
  name: homeassistant
spec:
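# tail of /apps/home-automation/homeassistant/service.yaml (its head precedes this chunk)
  type: ClusterIP
  ipFamilyPolicy: PreferDualStack
  ports:
    - name: http
      port: 80
      targetPort: http
--------------------------------------------------------------------------------
/apps/home-automation/mosquitto/externalsecret.yaml:
--------------------------------------------------------------------------------
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: mosquitto-passwords
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    template:
      data:
        # Rendered into the Secret key that mosquitto.conf mounts as
        # /mosquitto/password/password.txt.  Mosquitto reads one
        # "<user>:<hash>" line per account in mosquitto_passwd's hashed
        # format, so the `password` property kept in 1Password must be that
        # hash (output of `mosquitto_passwd -b`), not the plaintext.
        # The previous value ("") produced an empty password file, which
        # meant no client could authenticate at all and only anonymous
        # access kept the broker usable.
        password.txt: "{{ .username }}:{{ .password }}"

  data:
    - secretKey: username
      remoteRef:
        key: KEY_NAME # placeholder: must be the 1Password item holding the broker account
        property: username
    - secretKey: password
      remoteRef:
        key: KEY_NAME
        property: password
--------------------------------------------------------------------------------
/apps/home-automation/mosquitto/files/mosquitto.conf:
--------------------------------------------------------------------------------
persistence true
persistence_location /mosquitto/data/

per_listener_settings true

log_dest stdout

listener 1883
protocol mqtt

# Authentication is per listener (per_listener_settings true above).
# allow_anonymous must be false for password_file to mean anything: with it
# set to true, every workload that can reach the ClusterIP Service can read
# all topics and publish commands regardless of password.txt.  Every client
# -- Home Assistant (config not in this tree), zigbee2mqtt, the rtl_433
# deployments and the autodiscovery job -- therefore needs credentials from
# the same 1Password item that renders password.txt.
allow_anonymous false
password_file /mosquitto/password/password.txt
--------------------------------------------------------------------------------
/apps/home-automation/mosquitto/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

labels:
  - includeSelectors: true
    pairs:
      app.kubernetes.io/name: mosquitto

configMapGenerator:
  - name: mosquitto-config
    files:
      - mosquitto.conf=files/mosquitto.conf

resources:
  - externalsecret.yaml
  - pvc.yaml
  - deployment.yaml
  - service.yaml
--------------------------------------------------------------------------------
/apps/home-automation/mosquitto/pvc.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mosquitto-data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
--------------------------------------------------------------------------------
/apps/home-automation/mosquitto/service.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  name: mosquitto
spec:
  # Cluster-internal only; the broker is never exposed through an Ingress or
  # Gateway in this tree.  Plain MQTT (no TLS), so credentials cross the pod
  # network in the clear -- acceptable only while the cluster network itself
  # is trusted.
  type: ClusterIP
  ipFamilyPolicy: PreferDualStack
  ports:
    - port: 1883
--------------------------------------------------------------------------------
/apps/home-automation/rtl_433/autodiscovery/deployment.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rtl-mqtt-autodiscovery
spec:
  replicas: 1
  revisionHistoryLimit: 3
  template:
    spec:
      # The script only talks to the MQTT broker; it has no business with
      # the Kubernetes API, so do not mount a ServiceAccount token.
      automountServiceAccountToken: false
      containers:
        - name: rtl-mqtt-autodiscovery
          # NOTE(review): floating tag.  Pin to a digest (as golink does)
          # once a known-good image has been chosen.
          image: python:3
          command:
            - /bin/bash
            - /scripts/run.sh
          # run.sh reads these three variables.  They were previously not
          # set anywhere, so the bridge connected with empty credentials.
          # The Secret is produced by externalsecret.yaml in this directory;
          # MQTT_HOST is the Service from ../../mosquitto/service.yaml,
          # which the rtl_433 base Deployment also assumes lives in the same
          # namespace.
          env:
            - name: MQTT_HOST
              value: mosquitto
            - name: MQTT_USERNAME
              valueFrom:
                secretKeyRef:
                  name: rtl-mqtt-autodiscovery-mqtt-creds
                  key: username
            - name: MQTT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: rtl-mqtt-autodiscovery-mqtt-creds
                  key: password
          resources:
            limits:
              memory: "512Mi"
              cpu: "500m"
            requests:
              memory: "64Mi"
              cpu: "100m"
          volumeMounts:
            - mountPath: /scripts
              name: scripts
      volumes:
        - name: scripts
          configMap:
            name: rtl-mqtt-autodiscovery-scripts
--------------------------------------------------------------------------------
/apps/home-automation/rtl_433/autodiscovery/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: rtl-mqtt-autodiscovery-mqtt-creds
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  data:
    - secretKey: username
      remoteRef:
        key: KEY_NAME # placeholder: the 1Password item for this broker account
        property: username
    - secretKey: password
      remoteRef:
        key: KEY_NAME
        property: password
--------------------------------------------------------------------------------
/apps/home-automation/rtl_433/autodiscovery/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

labels:
  - includeSelectors: true
    pairs:
      app.kubernetes.io/name: rtl-mqtt-autodiscovery

resources:
  - externalsecret.yaml
  - script.yaml
  - deployment.yaml
--------------------------------------------------------------------------------
/apps/home-automation/rtl_433/autodiscovery/script.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ConfigMap
metadata:
  name: rtl-mqtt-autodiscovery-scripts
data:
  run.sh: |
    #!/bin/bash
    # Fetches the upstream Home Assistant MQTT discovery bridge for rtl_433
    # and runs it against the in-cluster broker.  Credentials arrive via the
    # MQTT_* environment variables set on the Deployment; with `set -u` a
    # missing one aborts the pod instead of silently connecting unauthenticated.
    set -euo pipefail

    # Pinned to the 25.02 tag so every restart runs the same code.  A git tag
    # is still mutable, so this is not yet a supply-chain control: record the
    # file's sha256 and verify it before executing
    # (`echo "<sha256>  rtl_433_mqtt_hass.py" | sha256sum -c`).
    wget -O rtl_433_mqtt_hass.py \
      https://raw.githubusercontent.com/merbanan/rtl_433/refs/tags/25.02/examples/rtl_433_mqtt_hass.py
    # paho-mqtt is installed at every start; a --require-hashes constraints
    # file would pin the wheel as well as the version.
    pip install \
      --no-cache-dir \
      --prefer-binary \
      paho-mqtt==1.6.1

    # NOTE(review): the password on the command line is readable by anything
    # that can read /proc inside the pod.  The upstream script appears to
    # fall back to the MQTT_* environment variables -- confirm, then drop
    # -u/-P here.
    python3 -u rtl_433_mqtt_hass.py -H "$MQTT_HOST" -u "$MQTT_USERNAME" -P "$MQTT_PASSWORD"
--------------------------------------------------------------------------------
/apps/home-automation/rtl_433/base/deployment.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rtl
spec:
  replicas: 1
  revisionHistoryLimit: 3
  strategy:
    type: Recreate
  template:
    metadata:
    spec:
      # rtl_433 only needs the SDR device and the broker; no API access.
      automountServiceAccountToken: false
      containers:
        - name: rtl
          image: ghcr.io/hertzg/rtl_433_docker:25.02-debian
          args:
            - -c
            - /etc/rtl_433/rtl_433.conf
            - -F
            # Authenticated MQTT output.  MQTT_USERNAME / MQTT_PASSWORD come
            # from the env entries that the Component's kustomization patch
            # (or the overlay's) adds from the mqtt-creds Secret; the
            # MOSQUITTO_* values are the Service link variables the kubelet
            # injects for a Service in the same namespace.  The unauthenticated
            # form that used to be active only worked because the broker
            # allowed anonymous clients.  The password is visible in the
            # container's argv; move it into rtl_433.conf if that matters.
            - mqtt://$(MOSQUITTO_SERVICE_HOST):$(MOSQUITTO_SERVICE_PORT),user=$(MQTT_USERNAME),pass=$(MQTT_PASSWORD),retain=1,devices=rtl_433/$(FREQUENCY)/devices[/type][/model][/subtype][/channel][/id],events=rtl_433/$(FREQUENCY)/events,states=rtl_433/$(FREQUENCY)/states
            - -f
            - $(FREQUENCY)Mhz
          resources:
            limits:
              memory: "512Mi"
              cpu: "500m"
              squat.ai/dvb-t: "1"
            requests:
              memory: "64Mi"
              cpu: "100m"
              squat.ai/dvb-t: "1"
          volumeMounts:
            - mountPath: /etc/rtl_433/
              name: config
--------------------------------------------------------------------------------
/apps/home-automation/rtl_433/base/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  # Overlays that set namePrefix (../rtl915) turn this into
  # <prefix>mqtt-creds, and the generated Secret takes the same name.
  name: mqtt-creds
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  data:
    - secretKey: username
      remoteRef:
        key: KEY_NAME # placeholder: the 1Password item for this broker account
        property: username
    - secretKey: password
      remoteRef:
        key: KEY_NAME
        property: password
--------------------------------------------------------------------------------
/apps/home-automation/rtl_433/base/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

configMapGenerator:
  - name: config
    files:
      - rtl_433.conf=files/rtl_433.conf

resources:
  - deployment.yaml
  - externalsecret.yaml

patches:
  - target:
      kind: Deployment
    patch: |
      - op: add
        path: /spec/template/spec/volumes
        value:
          - name: config
            configMap:
              name: config
      # Default env for a non-prefixed use of this Component.  An overlay
      # that sets namePrefix must replace this whole array (as ../rtl915
      # does): the Secret created by the ExternalSecret is prefixed too, and
      # kustomize does not rewrite secretKeyRef names for Secrets it did not
      # generate itself.
      - op: add
        path: /spec/template/spec/containers/0/env
        value:
          - name: MQTT_USERNAME
            valueFrom:
              secretKeyRef:
                key: username
                # was rtl433-mqtt-creds, a Secret nothing in this tree creates
                name: mqtt-creds
          - name: MQTT_PASSWORD
            valueFrom:
              secretKeyRef:
                key: password
                name: mqtt-creds
          - name: FREQUENCY
            # env values must be strings; a bare 915 is rejected by the API
            value: "915"
--------------------------------------------------------------------------------
/apps/home-automation/rtl_433/rtl915/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namePrefix: rtl915-

labels:
  - includeSelectors: true
    pairs:
      app.kubernetes.io/name: rtl915

components:
  - ../base

patches:
  - target:
      kind: Deployment
    patch: |
      # Replaces the base Component's env array wholesale so the secretKeyRef
      # names match the prefixed Secret (rtl915-mqtt-creds).
      - op: add
        path: /spec/template/spec/containers/0/env
        value:
          - name: MQTT_USERNAME
            valueFrom:
              secretKeyRef:
                key: username
                name: rtl915-mqtt-creds
          - name: MQTT_PASSWORD
            valueFrom:
              secretKeyRef:
                key: password
                name: rtl915-mqtt-creds
          - name: FREQUENCY
            value: "915"
--------------------------------------------------------------------------------
/bootstrap.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# One-shot bootstrap of a fresh cluster: namespaces, the sealed-secrets
# private key, kubeseal, then Flux.
# NOTE(review): the namespaces/, n10-system/ and flux/ paths used below do
# not appear in this repository's tree listing, so this script looks like it
# predates the Flux-operator layout under kubernetes/ -- confirm it is still
# the intended entry point before relying on it.
set -euo pipefail

# ~/sealed-secrets-key.json is the private key that decrypts every
# SealedSecret in the cluster.  Fail before touching the cluster if it is not
# here, rather than applying half the bootstrap and starting the controller
# without its existing key.
SEALED_SECRETS_KEY="${HOME}/sealed-secrets-key.json"
if [[ ! -r "${SEALED_SECRETS_KEY}" ]]; then
  echo "bootstrap: ${SEALED_SECRETS_KEY} not found or unreadable" >&2
  exit 1
fi

kubectl apply -f namespaces/flux.yaml
kubectl apply -f namespaces/n10-system.yaml
kubectl apply -f "${SEALED_SECRETS_KEY}"
kubectl apply -f n10-system/kubeseal/
kubectl apply -f flux/flux-cloud.yaml -f flux/flux-git-deploy.json -f flux/sa.yaml -f flux/memcached.yaml
kubectl apply -f flux/deployment.json
--------------------------------------------------------------------------------
/kubernetes/apps/actions-runner-controller/app/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/actions-runner-controller/runners/infra/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: infra-runner-github-creds
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    template:
      data:
        github_app_id: "{{ .github_app_id }}"
        github_app_installation_id: "{{ .github_app_installation_id }}"
        # The App's signing key: whoever can read this Secret can mint
        # installation tokens and act as the App everywhere it is installed.
        # Keep read access to Secrets in this namespace to the controller.
        github_app_private_key: "{{ .github_app_private_key }}"
  dataFrom:
    - extract:
        key: actions-runner-infra
--------------------------------------------------------------------------------
/kubernetes/apps/actions-runner-controller/runners/infra/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
  - ./rbac.yaml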
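--------------------------------------------------------------------------------
/kubernetes/apps/actions-runner-controller/runners/infra/rbac.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: infra-runner
---
# WARNING: this binds the runner's ServiceAccount to cluster-admin.  Every
# job that lands on the "infra" runner -- from whatever repository, branch or
# pull request the runner group admits -- can do anything in the cluster,
# and the Talos ServiceAccount below adds os:admin on every node.  Treat the
# runner as production infrastructure: keep it in a runner group restricted
# to this repository, never let `pull_request` workflows from forks target
# it, and replace cluster-admin with a purpose-built ClusterRole once the
# verbs the workflows actually need (flux-local, talosctl) are known.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: infra-runner
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: infra-runner
    namespace: actions-runner-system
---
# Talos-side identity for the same runner.  os:admin is the highest Talos
# role: full talosctl access on every node, including the machine config and
# the secrets embedded in it.
apiVersion: talos.dev/v1alpha1
kind: ServiceAccount
metadata:
  name: infra-runner
spec:
  roles: ["os:admin"]
--------------------------------------------------------------------------------
/kubernetes/apps/cert-manager/app/helm/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
---
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
--------------------------------------------------------------------------------
/kubernetes/apps/cert-manager/app/helm/values.yaml:
--------------------------------------------------------------------------------
---
crds:
  enabled: true
  keep: true
# Use Cloudflare's DoH resolvers for the DNS-01 self-check so that a router
# intercepting plain DNS cannot feed cert-manager a stale or spoofed view of
# the _acme-challenge record before the ACME server is asked to validate.
dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
dns01RecursiveNameserversOnly: true
prometheus:
  enabled: true
  servicemonitor:
    enabled: true
--------------------------------------------------------------------------------
/kubernetes/apps/cert-manager/app/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: cert-manager
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: v1.17.2
  url: oci://quay.io/jetstack/charts/cert-manager
  # NOTE(review): unlike the flux-operator / flux-instance charts, this chart
  # is fetched by mutable tag with no `verify:` block, so a re-pushed v1.17.2
  # would be installed unchecked.  Add cosign verification with the
  # publisher's signing identity, or pin `ref.digest`.
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: cert-manager
spec:
  interval: 30m
  chartRef:
    kind: OCIRepository
    name: cert-manager
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  values: {}
  valuesFrom:
    - kind: ConfigMap
      name: cert-manager-values
--------------------------------------------------------------------------------
/kubernetes/apps/cert-manager/app/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: cert-manager-values
    files:
      - values.yaml=./helm/values.yaml
configurations:
  - ./helm/kustomizeconfig.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/cert-manager/issuers/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: cloudflare-token
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  data:
    - secretKey: api_token
      remoteRef:
        key: cloudflare-${CLUSTER_NAME}
        # The issuer only needs to write _acme-challenge TXT records.  Scope
        # the token in Cloudflare to Zone:DNS:Edit on the zone(s) this
        # cluster issues for; an account-wide token here would let anyone
        # who reads this Secret rewrite every zone.
        property: api_token
--------------------------------------------------------------------------------
/kubernetes/apps/cert-manager/issuers/issuers.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cert-manager.io/clusterissuer_v1.json
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  # ClusterIssuer is cluster-scoped; the `namespace: cert-manager` that used
  # to be here was a no-op.  cert-manager resolves apiTokenSecretRef for a
  # ClusterIssuer in its own namespace, which is where the ExternalSecret
  # above is applied.
  name: letsencrypt-production
spec:
  acme:
    email: soc@freckle.family
    privateKeySecretRef:
      name: letsencrypt-production
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-token
              key: api_token
--------------------------------------------------------------------------------
/kubernetes/apps/cert-manager/issuers/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - externalsecret.yaml
  - issuers.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/descheduler/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/devices/generic-device-plugin/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - device-plugin.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/devices/intel-device-plugin/gpu/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/devices/intel-device-plugin/operator/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/devices/node-feature-discovery/controller/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/devices/node-feature-discovery/rules/intel-gpu.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/nfd.k8s-sigs.io/nodefeaturerule_v1alpha1.json
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
  name: intel-gpu-device
spec:
  rules:
    - # Intel UHD Graphics 630: label nodes whose PCI bus shows an Intel
      # (vendor 8086) VGA (0300) or display (0380) class device.
      name: intel.gpu
      labels:
        intel.feature.node.kubernetes.io/gpu: "true"
      matchFeatures:
        - feature: pci.device
          matchExpressions:
            class: { op: In, value: ["0300", "0380"] }
            vendor: { op: In, value: ["8086"] }
--------------------------------------------------------------------------------
/kubernetes/apps/devices/node-feature-discovery/rules/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./intel-gpu.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/flux/instance/helm/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
---
# set configmap name on the helm release
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
--------------------------------------------------------------------------------
/kubernetes/apps/flux/instance/helmrelease.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: flux-instance
spec:
  interval: 10m
  url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-instance
  ref:
    tag: 0.22.0
  # Keyless cosign verification: only a chart signed from a GitHub Actions
  # run of the controlplaneio-fluxcd/charts repository is accepted, so a
  # re-tagged 0.22.0 from anywhere else fails to reconcile.
  verify:
    provider: cosign
    matchOIDCIdentity:
      - issuer: ^https://token.actions.githubusercontent.com$
        subject: ^https://github.com/controlplaneio-fluxcd/charts.*$
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: flux-instance
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: flux-instance
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values: {}
  valuesFrom:
    - kind: ConfigMap
      name: flux-instance-values
--------------------------------------------------------------------------------
/kubernetes/apps/flux/instance/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./webhook/
configMapGenerator:
  - name: flux-instance-values
    files:
      - values.yaml=./helm/values.yaml
configurations:
  - ./helm/kustomizeconfig.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/flux/instance/webhook/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: flux-receiver-token
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  data:
    - secretKey: token
      remoteRef:
        key: flux-receiver-${CLUSTER_NAME}
        # Doubles as the GitHub webhook secret: it derives the Receiver's
        # URL path and is the key Flux checks the payload signature against.
        # It is the only thing standing between the internet and a forced
        # reconcile, so it must be long and random.
        property: token
--------------------------------------------------------------------------------
/kubernetes/apps/flux/instance/webhook/httproute.yaml:
--------------------------------------------------------------------------------
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: webhook-receiver
spec:
  hostnames: ["flux-webhook.${CLUSTER_DOMAIN}"]
  # Attached to the `external` Gateway, i.e. reachable from the internet.
  # Only /hook/ is routed; the Receiver's full path includes a hash derived
  # from flux-receiver-token, and unsigned or wrongly-signed deliveries are
  # rejected by notification-controller, so nothing else is exposed.
  parentRefs:
    - name: external
      namespace: gateway
      sectionName: frecklesystems-https
  rules:
    - backendRefs:
        - name: webhook-receiver
          namespace: flux-system
          port: 80
      matches:
        - path:
            type: PathPrefix
            value: /hook/
--------------------------------------------------------------------------------
/kubernetes/apps/flux/instance/webhook/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./httproute.yaml
  - ./receiver.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/flux/instance/webhook/receiver.yaml:
--------------------------------------------------------------------------------
# DOCS: https://fluxcd.io/flux/components/notification/receivers/
---
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
  name: github-receiver
  namespace: flux-system
spec:
  # `github` type: deliveries must carry an X-Hub-Signature computed with
  # the token in secretRef.  A valid push only triggers a reconcile of the
  # listed GitRepository; it cannot inject content.
  type: github
  events:
    - "ping"
    - "push"
  secretRef:
    name: flux-receiver-token
  resources:
    - apiVersion: source.toolkit.fluxcd.io/v1
      kind: GitRepository
      name: flux-system
--------------------------------------------------------------------------------
/kubernetes/apps/flux/operator/helm/kustomizeconfig.yaml:
--------------------------------------------------------------------------------
---
# set configmap name on the helm release
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
--------------------------------------------------------------------------------
/kubernetes/apps/flux/operator/helm/values.yaml:
--------------------------------------------------------------------------------
---
serviceMonitor:
  create: true
--------------------------------------------------------------------------------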
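/kubernetes/apps/flux/operator/helmrelease.yaml:
--------------------------------------------------------------------------------
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: flux-operator
spec:
  interval: 10m
  url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator
  ref:
    tag: 0.22.0
  # Keyless cosign verification against the publisher's GitHub Actions
  # identity; a chart with the same tag but a different signer is refused.
  verify:
    provider: cosign
    matchOIDCIdentity:
      - issuer: ^https://token.actions.githubusercontent.com$
        subject: ^https://github.com/controlplaneio-fluxcd/charts.*$
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: flux-operator
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: flux-operator
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values: {}
  valuesFrom:
    - kind: ConfigMap
      name: flux-operator-values
--------------------------------------------------------------------------------
/kubernetes/apps/flux/operator/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: flux-operator-values
    files:
      - values.yaml=./helm/values.yaml
configurations:
  - ./helm/kustomizeconfig.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/golink/deployment.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: golink
spec:
  template:
    spec:
      # golink joins the tailnet itself and never calls the Kubernetes API;
      # keep the ServiceAccount token out of the pod.
      automountServiceAccountToken: false
      securityContext:
        # Makes the PVC writable by the image's non-root user.
        fsGroup: 1000
      containers:
        # Pinned by digest, so a moved `main` tag cannot change what runs.
        - image: ghcr.io/tailscale/golink:main@sha256:b3f8bceb1d46cf98da46347f271d7b153877310e5c1918c181c081c19e3827c0
          name: golink
          command:
            - "/golink"
          args:
            - "-sqlitedb"
            - "/home/nonroot/golink.db"
          volumeMounts:
            - name: data
              mountPath: /home/nonroot
          # NOTE(review): no requests/limits -- this pod can be evicted or
          # starve neighbours under pressure; set them once usage is known.
          resources: {}
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: golink-data
--------------------------------------------------------------------------------
/kubernetes/apps/golink/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

labels:
  - includeSelectors: true
    pairs:
      app.kubernetes.io/name: golink

resources:
  - pvc.yaml
  - deployment.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/golink/pvc.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: golink-data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/esphome/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/scrypted/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/zigbee/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: zigbee
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  target:
    name: zigbee-secret
    template:
      data:
        # PAN IDs and the network key identify and encrypt the Zigbee mesh.
        # Losing or rotating the key re-pairs every device; leaking it lets
        # anyone in radio range join the network.  Keep them only in
        # 1Password -- never in git.
        ZIGBEE2MQTT_CONFIG_ADVANCED_EXT_PAN_ID: "{{ .ZIGBEE2MQTT_CONFIG_ADVANCED_EXT_PAN_ID }}"
        ZIGBEE2MQTT_CONFIG_ADVANCED_PAN_ID: "{{ .ZIGBEE2MQTT_CONFIG_ADVANCED_PAN_ID }}"
        ZIGBEE2MQTT_CONFIG_ADVANCED_NETWORK_KEY: "{{ .ZIGBEE2MQTT_CONFIG_ADVANCED_NETWORK_KEY }}"
        # Broker account dedicated to zigbee2mqtt (see the data section).
        ZIGBEE2MQTT_CONFIG_MQTT_USER: "{{ .username }}"
        ZIGBEE2MQTT_CONFIG_MQTT_PASSWORD: "{{ .password }}"
  dataFrom:
    - extract:
        key: zigbee-${CLUSTER_NAME}
  data:
    - secretKey: username
      remoteRef:
        key: mqtt-${CLUSTER_NAME}-zigbee
        property: username
    - secretKey: password
      remoteRef:
        key: mqtt-${CLUSTER_NAME}-zigbee
        property: password
--------------------------------------------------------------------------------
/kubernetes/apps/home-automation/zigbee/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./externalsecret.yaml
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/it-tools/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - helmrelease.yaml
--------------------------------------------------------------------------------
/kubernetes/apps/kubelet-csr-approver/helmrelease.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd/source-controller/main/docs/spec/v1beta2/ocirepository.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: kubelet-csr-approver
spec:
  interval: 1h
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 1.2.7
  # Pulled from the home-operations mirror rather than upstream, so the
  # trust anchor is that mirror's GitHub Actions signing identity below.
  url: oci://ghcr.io/home-operations/charts-mirror/kubelet-csr-approver
  verify:
    provider: cosign
    matchOIDCIdentity:
      - issuer: "^https://token.actions.githubusercontent.com$"
        subject: "^https://github.com/home-operations/charts-mirror.*$"
---
# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: kubelet-csr-approver
spec:
  chartRef:
    kind: OCIRepository
    name: kubelet-csr-approver
  interval: 30m
  maxHistory: 3
  uninstall:
    keepHistory: false
  valuesFrom:
    - kind: ConfigMap
      name: kubelet-csr-approver-values
--------------------------------------------------------------------------------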
/kubernetes/apps/kubelet-csr-approver/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | namespace: kube-system 6 | resources: 7 | - ./helmrelease.yaml 8 | configMapGenerator: 9 | - name: kubelet-csr-approver-values 10 | files: 11 | - values.yaml=./values.yaml 12 | configurations: 13 | - kustomizeconfig.yaml 14 | -------------------------------------------------------------------------------- /kubernetes/apps/kubelet-csr-approver/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/kubelet-csr-approver/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | providerRegex: | 3 | ^(atlantis|fairy)-compute\d{2}$ 4 | 5 | bypassDnsResolution: true 6 | -------------------------------------------------------------------------------- /kubernetes/apps/media/emby/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/media/jellyfin/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/media/prowlarr/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: prowlarr 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword 11 | target: 12 | template: 13 | data: 14 | PROWLARR__AUTH__APIKEY: "{{ .api_key }}" 15 | dataFrom: 16 | - extract: 17 | key: prowlarr-${CLUSTER_NAME} 18 | -------------------------------------------------------------------------------- /kubernetes/apps/media/prowlarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - externalsecret.yaml 7 | - helmrelease.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/media/radarr/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: radarr 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword 11 | target: 12 | template: 13 | data: 14 | RADARR__AUTH__APIKEY: "{{ .api_key }}" 15 | dataFrom: 16 | - 
extract: 17 | key: radarr-${CLUSTER_NAME} 18 | -------------------------------------------------------------------------------- /kubernetes/apps/media/radarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - externalsecret.yaml 7 | - helmrelease.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/media/recyclarr/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: recyclarr 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword 11 | target: 12 | template: 13 | data: 14 | RADARR_API_KEY: "{{ .radarr_api_key }}" 15 | SONARR_API_KEY: "{{ .sonarr_api_key }}" 16 | dataFrom: 17 | - extract: 18 | key: radarr-${CLUSTER_NAME} 19 | rewrite: 20 | - regexp: 21 | source: "(.*)" 22 | target: "radarr_$1" # every key of the radarr item is prefixed, so its api_key is read above as .radarr_api_key and cannot collide with the sonarr item's keys 23 | - extract: 24 | key: sonarr-${CLUSTER_NAME} 25 | rewrite: 26 | - regexp: 27 | source: "(.*)" 28 | target: "sonarr_$1" 29 | -------------------------------------------------------------------------------- /kubernetes/apps/media/recyclarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./externalsecret.yaml 7 | - ./helmrelease.yaml 8 | configMapGenerator: 9 | - name: recyclarr-configmap 10 | files: 11 | - 
recyclarr.yml=./config/recyclarr.yml 12 | generatorOptions: 13 | disableNameSuffixHash: true # recyclarr-configmap keeps a fixed name; a config edit therefore does not rename the ConfigMap, so the pod is not rolled by kustomize on its own 14 | -------------------------------------------------------------------------------- /kubernetes/apps/media/sabnzbd/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: sabnzbd 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword 11 | target: 12 | template: 13 | data: 14 | SABNZBD__API_KEY: "{{ .api_key }}" 15 | SABNZBD__NZB_KEY: "{{ .nzb_key }}" 16 | dataFrom: 17 | - extract: 18 | key: sabnzbd-${CLUSTER_NAME} 19 | -------------------------------------------------------------------------------- /kubernetes/apps/media/sabnzbd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - externalsecret.yaml 7 | - helmrelease.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/media/sonarr/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: ${APP:=sonarr} # NOTE(review): only this media app names itself through a Flux substitution with a default; its siblings hard-code the name — pick one convention 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword 11 | target: 12 | template: 13 | data: 14 | SONARR__AUTH__APIKEY: "{{ .api_key }}" 15 | dataFrom: 16 | - extract: 17 | key: ${APP:=sonarr}-${CLUSTER_NAME} 18 | 
-------------------------------------------------------------------------------- /kubernetes/apps/media/sonarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - externalsecret.yaml 7 | - helmrelease.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/netbox/storage-bucket.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: objectbucket.io/v1alpha1 2 | kind: ObjectBucketClaim 3 | metadata: 4 | name: netbox-bucket 5 | spec: 6 | generateBucketName: netbox # prefix for a generated bucket name; the provisioner presumably writes the endpoint and keys into a ConfigMap and Secret named after this claim — confirm the consumer references them 7 | storageClassName: ceph-bucket 8 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/cilium/app/helm/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | nameReference: 3 | - kind: ConfigMap 4 | version: v1 5 | fieldSpecs: 6 | - path: spec/valuesFrom/name 7 | kind: HelmRelease 8 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/cilium/app/httproute.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: gateway.networking.k8s.io/v1 2 | kind: HTTPRoute 3 | metadata: 4 | name: hubble 5 | spec: 6 | hostnames: 7 | - hubble.${CLUSTER_DOMAIN} 8 | parentRefs: 9 | - name: tailscale 10 | namespace: gateway 11 | sectionName: https # NOTE(review): exposes hubble-ui on the tailscale gateway; no authentication layer is visible in this route, so access is governed only by tailnet ACLs on the gateway's tag — confirm that is the intended control 12 | rules: 13 | - backendRefs: 14 | - kind: Service 15 | name: hubble-ui 16 | port: 80 17 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/cilium/app/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - helmrelease.yaml 7 | configMapGenerator: 8 | - name: cilium-values 9 | files: 10 | - values.yaml=./helm/values.yaml 11 | configurations: 12 | - ./helm/kustomizeconfig.yaml 13 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/cilium/gateway-config/clusterip-gwclass.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cilium.io/v2alpha1 3 | kind: CiliumGatewayClassConfig 4 | metadata: 5 | name: clusterip-gateway-config 6 | namespace: kube-system 7 | spec: 8 | service: 9 | type: ClusterIP 10 | --- 11 | apiVersion: gateway.networking.k8s.io/v1 12 | kind: GatewayClass 13 | metadata: 14 | name: cilium-clusterip 15 | namespace: kube-system # NOTE(review): GatewayClass is cluster-scoped, so this metadata.namespace has no effect; parametersRef.namespace below is what locates the config 16 | spec: 17 | controllerName: io.cilium/gateway-controller 18 | description: Cilium GatewayClass with only a Cluster IP service 19 | parametersRef: 20 | group: cilium.io 21 | kind: CiliumGatewayClassConfig 22 | name: clusterip-gateway-config 23 | namespace: kube-system 24 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/cilium/gateway-config/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./clusterip-gwclass.yaml 7 | - ./tailscale-gwclass.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/cilium/gateway-config/tailscale-gwclass.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cilium.io/v2alpha1 3 | kind: CiliumGatewayClassConfig 4 | metadata: 5 | name: tailscale-gateway-config 6 | namespace: kube-system 7 | spec: 8 | service: 9 | type: LoadBalancer 10 | loadBalancerClass: tailscale # Gateways of this class are fronted by a Tailscale LoadBalancer Service, i.e. reachable over the tailnet rather than on the LAN 11 | --- 12 | apiVersion: gateway.networking.k8s.io/v1 13 | kind: GatewayClass 14 | metadata: 15 | name: cilium-tailscale 16 | namespace: kube-system 17 | spec: 18 | controllerName: io.cilium/gateway-controller 19 | description: Cilium GatewayClass with a Tailscale service 20 | parametersRef: 21 | group: cilium.io 22 | kind: CiliumGatewayClassConfig 23 | name: tailscale-gateway-config 24 | namespace: kube-system 25 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/cloudflare-tunnel/dnsendpoint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/externaldns.k8s.io/dnsendpoint_v1alpha1.json 3 | apiVersion: externaldns.k8s.io/v1alpha1 4 | kind: DNSEndpoint 5 | metadata: 6 | annotations: 7 | external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" # served through the Cloudflare proxy; the CNAME below points at the tunnel, so no origin address is published in DNS 8 | name: cloudflare-tunnel 9 | spec: 10 | endpoints: 11 | - dnsName: external-gw.${CLUSTER_DOMAIN} 12 | recordType: CNAME 13 | targets: ["${CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"] 14 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/cloudflare-tunnel/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: cloudflare-tunnel-token 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword 11 | data: 
12 | - secretKey: TUNNEL_TOKEN 13 | remoteRef: 14 | key: cloudflare-tunnel-${CLUSTER_NAME} 15 | property: token 16 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/cloudflare-tunnel/files/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | originRequest: 3 | originServerName: external-gw.${CLUSTER_DOMAIN} # SNI and certificate name cloudflared expects from the origin below; keep it covered by the gateway certificate and do not pair it with noTLSVerify 4 | http2Origin: true 5 | 6 | ingress: 7 | - service: https://cilium-gateway-external.gateway.svc.cluster.local # single rule without a hostname, so it is the catch-all; host filtering is left to the Gateway listeners and the hop to the origin stays TLS 8 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/cloudflare-tunnel/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - dnsendpoint.yaml 7 | - externalsecret.yaml 8 | - helmrelease.yaml 9 | configMapGenerator: 10 | - name: cloudflare-tunnel-configmap 11 | files: 12 | - config.yaml=./files/config.yaml 13 | generatorOptions: 14 | disableNameSuffixHash: true 15 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/external-dns/cloudflare-tunnel/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: external-dns-cloudflare-tunnel-token 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword 11 | data: 12 | - secretKey: api_token # NOTE(review): the same item and property are also pulled by external-dns/cloudflare; one shared token is fine, but scope it to DNS edit on only the zones external-dns manages 13 | remoteRef: 14 | key: cloudflare-${CLUSTER_NAME} 15 | property: api_token 16 | -------------------------------------------------------------------------------- 
/kubernetes/apps/networking/external-dns/cloudflare-tunnel/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - externalsecret.yaml 7 | - helmrelease.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/external-dns/cloudflare/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: external-dns-cloudflare-token # same 1Password item and property as the external-dns/cloudflare-tunnel ExternalSecret, so both external-dns instances share one Cloudflare API token 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword 11 | data: 12 | - secretKey: api_token 13 | remoteRef: 14 | key: cloudflare-${CLUSTER_NAME} 15 | property: api_token 16 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/external-dns/cloudflare/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - externalsecret.yaml 7 | - helmrelease.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/gateway/certificates.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cert-manager.io/certificate_v1.json 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | name: frecklesystems-tls 7 | spec: 8 | secretName: 
frecklesystems-tls 9 | issuerRef: 10 | name: letsencrypt-production 11 | kind: ClusterIssuer 12 | commonName: "freckle.systems" 13 | dnsNames: 14 | - freckle.systems 15 | - "*.freckle.systems" 16 | - "*.${CLUSTER_DOMAIN}" # NOTE(review): the tailscale gateways reference a Secret named cluster-domain-tls that no Certificate in this file produces; confirm where it comes from, or whether this SAN belongs in a Certificate of its own 17 | 18 | --- 19 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cert-manager.io/certificate_v1.json 20 | apiVersion: cert-manager.io/v1 21 | kind: Certificate 22 | metadata: 23 | name: frecklefamily-tls 24 | spec: 25 | secretName: frecklefamily-tls 26 | issuerRef: 27 | name: letsencrypt-production 28 | kind: ClusterIssuer 29 | commonName: "freckle.family" 30 | dnsNames: 31 | - freckle.family 32 | - "*.freckle.family" 33 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/gateway/gw-external.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/gateway_v1.json 3 | apiVersion: gateway.networking.k8s.io/v1 4 | kind: Gateway 5 | metadata: 6 | annotations: {} 7 | labels: 8 | gateway.freckle.systems/dns: cloudflare 9 | name: external 10 | 11 | spec: 12 | gatewayClassName: cilium 13 | listeners: 14 | - name: frecklesystems-http 15 | protocol: HTTP 16 | port: 80 17 | hostname: "*.freckle.systems" 18 | allowedRoutes: 19 | namespaces: 20 | from: Same # the http listeners only need the redirect route, which lives in this gateway's namespace 21 | - name: frecklesystems-https 22 | protocol: HTTPS 23 | port: 443 24 | hostname: "*.freckle.systems" 25 | allowedRoutes: 26 | namespaces: 27 | from: All # NOTE(review): any namespace may attach an HTTPRoute to this Internet-facing HTTPS listener and claim a public hostname; a Selector on a namespace label would bound that 28 | tls: 29 | certificateRefs: 30 | - kind: Secret 31 | name: frecklesystems-tls 32 | - name: frecklefamily-http 33 | protocol: HTTP 34 | port: 80 35 | hostname: "*.freckle.family" 36 | allowedRoutes: 37 | namespaces: 38 | from: Same 39 | - name: frecklefamily-https 40 | protocol: HTTPS 41 | port: 443 42 | hostname: "*.freckle.family" 43 | allowedRoutes: 44 | namespaces: 45 | from: All # same open attachment policy as frecklesystems-https above 46 | tls: 47 | certificateRefs: 48 | - kind: Secret 
49 | name: frecklefamily-tls 50 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/gateway/gw-media-mgmt.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/gateway_v1.json 3 | apiVersion: gateway.networking.k8s.io/v1 4 | kind: Gateway 5 | metadata: 6 | name: tailscale-media-mgmt 7 | labels: 8 | gateway.freckle.systems/dns: cloudflare # NOTE(review): same label as the external gateway; if it selects gateways for the Cloudflare external-dns instance, this gateway's Tailscale address would be published in public DNS — confirm 9 | 10 | spec: 11 | gatewayClassName: cilium-tailscale 12 | infrastructure: 13 | annotations: 14 | tailscale.com/hostname: ${CLUSTER_NAME:=cluster}-media-mgmt-gw 15 | tailscale.com/tags: "tag:media-mgmt" # a separate tailnet tag, so ACLs can grant the media-mgmt hostnames to a narrower set of users than the general gateway 16 | listeners: 17 | - name: http 18 | protocol: HTTP 19 | port: 80 20 | hostname: "*.${CLUSTER_DOMAIN}" 21 | allowedRoutes: 22 | namespaces: 23 | from: Same 24 | - name: https 25 | protocol: HTTPS 26 | port: 443 27 | hostname: "*.${CLUSTER_DOMAIN}" 28 | allowedRoutes: 29 | namespaces: 30 | from: All 31 | tls: 32 | certificateRefs: 33 | - kind: Secret 34 | name: cluster-domain-tls 35 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/gateway/gw-tailscale.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/gateway_v1.json 3 | apiVersion: gateway.networking.k8s.io/v1 4 | kind: Gateway 5 | metadata: 6 | name: tailscale 7 | labels: 8 | gateway.freckle.systems/dns: cloudflare 9 | 10 | spec: 11 | gatewayClassName: cilium-tailscale 12 | infrastructure: 13 | annotations: 14 | tailscale.com/hostname: ${CLUSTER_NAME:=cluster}-gw 15 | tailscale.com/tags: "tag:${CLUSTER_NAME:=k8s}" # NOTE(review): CLUSTER_NAME falls back to cluster one line up but to k8s here; one variable with two defaults is confusing — align them 16 | listeners: 17 | - name: http 18 | protocol: HTTP 19 | port: 80 20 | hostname: "*.${CLUSTER_DOMAIN}" 21 | allowedRoutes: 22 | namespaces: 23 | from: Same 24 | - name: 
https 25 | protocol: HTTPS 26 | port: 443 27 | hostname: "*.${CLUSTER_DOMAIN}" 28 | allowedRoutes: 29 | namespaces: 30 | from: All 31 | tls: 32 | certificateRefs: 33 | - kind: Secret 34 | name: cluster-domain-tls 35 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/gateway/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component # a Component rather than a Kustomization; the including kustomization must list it under components 5 | resources: 6 | - ./certificates.yaml 7 | - ./gw-external.yaml 8 | - ./gw-media-mgmt.yaml 9 | - ./gw-tailscale.yaml 10 | - ./redirect.yaml 11 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/gateway/redirect.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/httproute_v1.json 3 | apiVersion: gateway.networking.k8s.io/v1 4 | kind: HTTPRoute 5 | metadata: 6 | name: httpsredirect 7 | annotations: 8 | external-dns.alpha.kubernetes.io/controller: none # no DNS records for this route; it only answers every http listener with a 301 to https 9 | spec: 10 | parentRefs: 11 | - name: tailscale 12 | sectionName: http 13 | - name: tailscale-media-mgmt 14 | sectionName: http 15 | - name: external 16 | sectionName: frecklesystems-http 17 | - name: external 18 | sectionName: frecklefamily-http 19 | rules: 20 | - filters: 21 | - requestRedirect: 22 | scheme: https 23 | statusCode: 301 24 | type: RequestRedirect 25 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/metallb/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: 
source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | name: metallb 7 | spec: 8 | interval: 24h 9 | url: https://metallb.github.io/metallb 10 | --- 11 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 12 | apiVersion: helm.toolkit.fluxcd.io/v2 13 | kind: HelmRelease 14 | metadata: 15 | name: metallb 16 | spec: 17 | interval: 10m 18 | chart: 19 | spec: 20 | chart: metallb 21 | version: 0.15.2 # exact version from a classic HTTPS Helm repo; Flux's cosign verification applies to OCI sources, so this pin is the only integrity control here 22 | sourceRef: 23 | kind: HelmRepository 24 | name: metallb 25 | install: 26 | remediation: 27 | retries: -1 # unbounded install retries: the release never settles into a failed state on install, so alert on readiness rather than on failure 28 | upgrade: 29 | cleanupOnFail: true 30 | remediation: 31 | strategy: rollback 32 | retries: 3 33 | values: 34 | prometheus: 35 | rbacPrometheus: false 36 | serviceMonitor: 37 | enabled: true 38 | prometheusRule: 39 | enabled: true 40 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/metallb/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/multus/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | --- # NOTE(review): doubled document marker on lines 1-2 yields an empty leading document; drop one 3 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json 4 | apiVersion: source.toolkit.fluxcd.io/v1 5 | kind: HelmRepository 6 | metadata: 7 | name: multus 8 | spec: 9 | interval: 1h 10 | timeout: 3m0s 11 | url: https://angelnu.github.io/helm-charts/ 12 | 13 | --- 14 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 15 | apiVersion: helm.toolkit.fluxcd.io/v2 16 | kind: HelmRelease 17 | 
metadata: 18 | name: multus 19 | spec: 20 | interval: 5m 21 | chart: 22 | spec: 23 | chart: multus 24 | version: 5.0.7 25 | sourceRef: 26 | name: multus 27 | kind: HelmRepository 28 | values: 29 | image: 30 | repository: ghcr.io/k8snetworkplumbingwg/multus-cni 31 | tag: v4.2.0-thick@sha256:42ccc54689ea3003d3b6c7decadd85b4e296c15d3ad736da48d7e0c768d1f538 # tag plus digest: the runtime resolves the digest, so the image cannot change underneath the tag 32 | cni: 33 | image: 34 | repository: ghcr.io/home-operations/cni-plugins 35 | tag: 1.7.1@sha256:4bd4e77e3fbc21dd63b9826a011cead1333b6975efa4d1d2631ca932bfd27371 36 | paths: 37 | config: /etc/cni/net.d 38 | bin: /opt/cni/bin 39 | resources: 40 | requests: 41 | cpu: 5m 42 | limits: 43 | memory: 512Mi 44 | hostPaths: 45 | netns: /var/run/netns # host paths mounted into the pod (the chart presumably runs a privileged DaemonSet); this is host-level access, so keep its namespace and RBAC tight 46 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/multus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/tailscale-operator/operator/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: operator-oauth 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword 11 | target: 12 | template: 13 | data: 14 | client_id: "{{ .client_id }}" 15 | client_secret: "{{ .client_secret }}" # OAuth client the Tailscale operator uses to register devices; in the tailnet admin, scope it to the tags the gateways use rather than a broad scope 16 | dataFrom: 17 | - extract: 18 | key: tailscale-operator-${CLUSTER_NAME} 19 | -------------------------------------------------------------------------------- 
/kubernetes/apps/networking/tailscale-operator/operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - externalsecret.yaml 7 | - helmrelease.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/tailscale-operator/proxyclass/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - proxyclass.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/networking/tailscale-operator/proxyclass/proxyclass.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tailscale.com/v1alpha1 2 | kind: ProxyClass 3 | metadata: 4 | name: tailscale-tun 5 | spec: 6 | metrics: 7 | enable: true 8 | serviceMonitor: 9 | enable: true 10 | statefulSet: 11 | pod: 12 | nodeSelector: 13 | beta.kubernetes.io/os: "linux" # NOTE(review): beta.kubernetes.io/os is the deprecated spelling; kubernetes.io/os is the GA label 14 | tailscaleContainer: 15 | resources: 16 | limits: 17 | squat.ai/tun: "1" # the tun device arrives as an extended resource (presumably from the generic-device-plugin in this repo) instead of running the proxy privileged 18 | securityContext: 19 | allowPrivilegeEscalation: false 20 | capabilities: 21 | drop: 22 | - ALL 23 | add: 24 | - NET_ADMIN 25 | - NET_RAW # drop everything, then add only what the tailscale container needs for the tun interface and routing; allowPrivilegeEscalation stays false 26 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/grafana/app/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: grafana-admin 
7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword 11 | target: 12 | name: grafana-admin-secret 13 | template: 14 | data: 15 | admin-user: "{{ .GRAFANA_ADMIN_USERNAME }}" 16 | admin-password: "{{ .GRAFANA_ADMIN_PASSWORD }}" 17 | dataFrom: 18 | - extract: 19 | key: grafana # NOTE(review): the only item key here without the cluster-name suffix every other ExternalSecret uses; with the resource commented out in app/kustomization.yaml this file looks unused — confirm or remove 20 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/grafana/app/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | # - ./externalsecret.yaml 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/grafana/instance/dashboard.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: grafana.integreatly.org/v1beta1 2 | kind: GrafanaDashboard 3 | metadata: 4 | name: grafana-operator-dashboard 5 | spec: 6 | instanceSelector: 7 | matchLabels: 8 | dashboards: "grafana" 9 | grafanaCom: 10 | id: 22785 11 | revision: 2 # dashboard JSON is fetched from grafana.com by the operator; the pinned revision keeps it stable, but it is still remote content worth reviewing like a dependency 12 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/grafana/instance/externalsecret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 3 | apiVersion: external-secrets.io/v1 4 | kind: ExternalSecret 5 | metadata: 6 | name: grafana-oauth 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword 11 | data: 12 | - secretKey: client-id 13 | remoteRef: 14 | key: grafana-oauth-${CLUSTER_NAME} 15 | property: client-id 16 | - secretKey: client-secret 17 | remoteRef: 18 | key: grafana-oauth-${CLUSTER_NAME} 
19 | property: client-secret 20 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/grafana/instance/httproute.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: gateway.networking.k8s.io/v1 2 | kind: HTTPRoute 3 | metadata: 4 | name: grafana 5 | spec: 6 | hostnames: 7 | - grafana.${CLUSTER_DOMAIN} 8 | parentRefs: 9 | - name: tailscale 10 | namespace: gateway 11 | sectionName: https 12 | rules: 13 | - backendRefs: 14 | - kind: Service 15 | name: grafana-service 16 | port: 3000 # Grafana is reached only through the tailscale gateway's https listener; the gateway-to-Service hop is plain HTTP inside the cluster 17 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/grafana/instance/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - dashboard.yaml 7 | - externalsecret.yaml 8 | - grafana.yaml 9 | - httproute.yaml 10 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/grafana/operator/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: grafana-operator 7 | spec: 8 | interval: 30m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: v5.18.0 # NOTE(review): a mutable tag with the verify block below commented out means nothing pins this chart's content; re-enable verify (the keyless identity is already drafted) or add a digest to ref 14 | url: oci://ghcr.io/grafana/helm-charts/grafana-operator 15 | # verify: 16 | # provider: cosign 17 | # matchOIDCIdentity: 18 | # - issuer: "^https://token.actions.githubusercontent.com$" 19 | # subject: "^https://github.com/grafana/grafana-operator/.*$" 20 | --- 21 | # 
yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 22 | apiVersion: helm.toolkit.fluxcd.io/v2 23 | kind: HelmRelease 24 | metadata: 25 | name: grafana-operator 26 | spec: 27 | interval: 1h 28 | chartRef: 29 | kind: OCIRepository 30 | name: grafana-operator 31 | driftDetection: 32 | mode: enabled # Flux re-applies the release when live objects diverge from the rendered chart, so out-of-band edits to the operator are reverted; the other HelmReleases in this listing do not set this 33 | install: 34 | remediation: 35 | retries: -1 36 | upgrade: 37 | cleanupOnFail: true 38 | remediation: 39 | retries: 3 40 | values: 41 | serviceMonitor: 42 | enabled: true 43 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/grafana/operator/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/metrics-server/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: metrics-server 7 | spec: 8 | interval: 5m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 3.12.2 14 | url: oci://ghcr.io/home-operations/charts-mirror/metrics-server # chart pulled from a third-party mirror rather than upstream, with no verify block; the tag alone is the integrity pin 15 | --- 16 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 17 | apiVersion: helm.toolkit.fluxcd.io/v2 18 | kind: HelmRelease 19 | metadata: 20 | name: metrics-server 21 | spec: 22 | interval: 1h 23 | chartRef: 24 | kind: OCIRepository 25 | name: metrics-server 26 | 
install: 27 | remediation: 28 | retries: -1 29 | upgrade: 30 | cleanupOnFail: true 31 | remediation: 32 | retries: 3 33 | values: 34 | args: 35 | - --kubelet-use-node-status-port 36 | - --metric-resolution=10s 37 | - --kubelet-request-timeout=2s # no --kubelet-insecure-tls, so kubelet serving certificates are verified; presumably why the kubelet-csr-approver deployment in this repo exists 38 | metrics: 39 | enabled: true 40 | serviceMonitor: 41 | enabled: true 42 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/metrics-server/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/apps/observability/prometheus-operator-crds/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: prometheus-operator-crds 7 | spec: 8 | interval: 5m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 20.0.1 14 | url: oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds 15 | --- 16 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json 17 | apiVersion: helm.toolkit.fluxcd.io/v2 18 | kind: HelmRelease 19 | metadata: 20 | name: prometheus-operator-crds 21 | spec: 22 | interval: 10m 23 | chartRef: 24 | kind: OCIRepository 25 | name: prometheus-operator-crds 26 | install: 27 | remediation: 28 | retries: -1 29 | upgrade: 30 | cleanupOnFail: true 31 | remediation: 32 | strategy: rollback 33 | retries: 3 34 | 
# ---- /kubernetes/apps/observability/prometheus-operator-crds/kustomization.yaml ----
---
# Schema fixed to the kustomize.config.k8s.io one: this is a plain kustomize
# Kustomization, not the Flux kustomize.toolkit.fluxcd.io kind.
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helmrelease.yaml
# ---- /kubernetes/apps/observability/victoria-logs/grafana-datasource.yaml ----
apiVersion: grafana.integreatly.org/v1beta1
kind: GrafanaDatasource
metadata:
  name: vl-datasource
spec:
  datasource:
    # `proxy` access: browsers talk to Grafana, Grafana talks to VictoriaLogs,
    # so the plain-HTTP in-cluster URL below is never exposed to clients.
    access: proxy
    type: victoriametrics-logs-datasource
    name: victorialogs
    url: http://victoria-logs-server:9428
  instanceSelector:
    matchLabels:
      dashboards: grafana
  # NOTE(review): the plugin is pinned to an exact version, but it is presumably
  # fetched by the Grafana instance at runtime from the plugin catalog; confirm
  # that egress is intended and that the version is reviewed on bumps.
  plugins:
    - name: victoriametrics-logs-datasource
      version: "0.14.3"
# ---- /kubernetes/apps/observability/victoria-logs/kustomization.yaml ----
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helmrelease.yaml
  - grafana-datasource.yaml
# ---- /kubernetes/apps/observability/victoria-metrics/k8s-stack/helm/kustomizeconfig.yaml ----
---
# Lets kustomize rewrite the HelmRelease's valuesFrom ConfigMap name when the
# configMapGenerator appends its content hash, so a values change rolls the release.
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
# ---- /kubernetes/apps/observability/victoria-metrics/k8s-stack/helmrelease.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: vm-k8s-stack
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 0.50.1
  url: oci://ghcr.io/victoriametrics/helm-charts/victoria-metrics-k8s-stack
  # NOTE(review): signature verification is disabled below, so this chart is
  # pulled on a mutable tag with no provenance check, unlike the
  # external-secrets / onepassword-connect charts. If the upstream chart is not
  # cosign-signed, pin `ref.digest` instead so a re-pushed 0.50.1 cannot
  # silently change what is installed.
  # verify:
  #   provider: cosign
  #   matchOIDCIdentity:
  #     - issuer: "^https://token.actions.githubusercontent.com$"
  #       subject: "^https://github.com/victoriametrics/helm-charts.*$"
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: vm-k8s-stack
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: vm-k8s-stack
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  # Values come from the generated ConfigMap (see kustomization.yaml below);
  # the empty `values:` map is just a placeholder.
  valuesFrom:
    - kind: ConfigMap
      name: vm-k8s-stack-values
  values: {}
# ---- /kubernetes/apps/observability/victoria-metrics/k8s-stack/httproute.yaml ----
---
# Both routes attach to the shared `tailscale` Gateway's https listener, so
# reachability is bounded by the tailnet and its ACLs, not by anything here.
# NOTE(review): nothing in this file puts authentication in front of
# alertmanager or vmsingle; confirm the backends are not also reachable via
# another Gateway/Ingress and that the tailnet ACLs are the intended boundary.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: vm-alertmanager
spec:
  hostnames:
    - alertmanager.${CLUSTER_DOMAIN}
  parentRefs:
    - name: tailscale
      namespace: gateway
      sectionName: https
  rules:
    - backendRefs:
        - kind: Service
          name: vmalertmanager-vm
          port: 9093
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: vm-single
spec:
  hostnames:
    - victoriametrics.${CLUSTER_DOMAIN}
  parentRefs:
    - name: tailscale
      namespace: gateway
      sectionName: https
  rules:
    - backendRefs:
        - kind: Service
          name: vmsingle-vm
          port: 8429
# ---- /kubernetes/apps/observability/victoria-metrics/k8s-stack/kustomization.yaml ----
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helmrelease.yaml
  - httproute.yaml
configMapGenerator:
  - name: vm-k8s-stack-values
    files:
      - values.yaml=./helm/values.yaml
configurations:
  - ./helm/kustomizeconfig.yaml
# ---- /kubernetes/apps/observability/victoria-metrics/operator-crds/helm/kustomizeconfig.yaml ----
---
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
# ---- /kubernetes/apps/observability/victoria-metrics/operator-crds/helm/values.yaml ----
---
fullnameOverride: "vm-operator-crds"

crds:
  enabled: true
  # plain == false results in CRDs being rendered as templates which allows them to be upgraded
  plain: false
  # Keep CRDs on chart uninstall: removing a CRD deletes every custom resource
  # of that kind cluster-wide, which is not something an uninstall should do.
  cleanup:
    enabled: false
# ---- /kubernetes/apps/observability/victoria-metrics/operator-crds/helmrelease.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: vm-operator-crds
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 0.2.0   # tag-only pin; no `verify:` or `digest`, same caveat as vm-k8s-stack
  url: oci://ghcr.io/victoriametrics/helm-charts/victoria-metrics-operator-crds
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: vm-operator-crds
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: vm-operator-crds
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  valuesFrom:
    - kind: ConfigMap
      name: vm-operator-crds-values
  values: {}
# ---- /kubernetes/apps/observability/victoria-metrics/operator-crds/kustomization.yaml ----
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helmrelease.yaml
configMapGenerator:
  - name: vm-operator-crds-values
    files:
      - values.yaml=./helm/values.yaml
configurations:
  - ./helm/kustomizeconfig.yaml
# ---- /kubernetes/apps/reloader/helmrelease.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: reloader
spec:
  interval: 1h
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 2.1.3   # tag-only pin; no signature verification configured
  url: oci://ghcr.io/stakater/charts/reloader
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: reloader
spec:
  interval: 30m
  chartRef:
    kind: OCIRepository
    name: reloader
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values:
    fullnameOverride: reloader
    reloader:
      # enableHA turns on leader election, but only one replica is requested
      # below, so there is no standby to fail over to.
      enableHA: true
      enableMetricsByNamespace: true
      deployment:
        replicas: 1
        readOnlyRootFileSystem: true   # hardening: container cannot write its own filesystem
      podMonitor:
        enabled: true
        namespace: "{{ .Release.Namespace }}"
# ---- /kubernetes/apps/reloader/kustomization.yaml ----
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
# ---- /kubernetes/apps/secrets/external-secrets/helm/kustomizeconfig.yaml ----
---
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
# ---- /kubernetes/apps/secrets/external-secrets/helm/values.yaml ----
---
# Only the repository is overridden for each component; the tag therefore
# follows the chart's appVersion. NOTE(review): the chart is cosign-verified,
# but these image references are not digest-pinned.
image:
  repository: ghcr.io/external-secrets/external-secrets

installCRDs: true
leaderElect: true

serviceMonitor:
  enabled: true
  interval: 1m

webhook:
  image:
    repository: ghcr.io/external-secrets/external-secrets
  serviceMonitor:
    enabled: true
    interval: 1m

certController:
  image:
    repository: ghcr.io/external-secrets/external-secrets
  serviceMonitor:
    enabled: true
    interval: 1m
# ---- /kubernetes/apps/secrets/external-secrets/helmrelease.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: external-secrets
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 0.17.0
  url: oci://ghcr.io/external-secrets/charts/external-secrets
  # Keyless cosign verification: the chart must be signed by a GitHub Actions
  # run of the upstream external-secrets repository. This is the component
  # that brokers every secret in the cluster, so it is the right one to verify.
  verify:
    provider: cosign
    matchOIDCIdentity:
      - issuer: ^https://token.actions.githubusercontent.com$
        subject: ^https://github.com/external-secrets/external-secrets.*$
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: external-secrets
spec:
  interval: 30m
  chartRef:
    kind: OCIRepository
    name: external-secrets
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  dependsOn:
    - name: onepassword-connect
  valuesFrom:
    - kind: ConfigMap
      name: external-secrets-values
# ---- /kubernetes/apps/secrets/external-secrets/kustomization.yaml ----
---
# Schema fixed to the kustomize.config.k8s.io one: this is a plain kustomize
# Kustomization, not the Flux kustomize.toolkit.fluxcd.io kind.
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helmrelease.yaml
configMapGenerator:
  - name: external-secrets-values
    files:
      - values.yaml=./helm/values.yaml
configurations:
  - ./helm/kustomizeconfig.yaml
# ---- /kubernetes/apps/secrets/onepassword/connect/helmrelease.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: onepassword-connect
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 1.17.0
  url: oci://ghcr.io/home-operations/charts-mirror/connect
  # Verification is anchored on the *mirror's* GitHub Actions identity
  # (home-operations/charts-mirror), not on 1Password's own release signing:
  # the mirror, not the upstream vendor, is the trust root for this chart.
  verify:
    provider: cosign
    matchOIDCIdentity:
      - issuer: ^https://token.actions.githubusercontent.com$
        subject: ^https://github.com/home-operations/charts-mirror.*$
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: onepassword-connect
spec:
  interval: 30m
  chartRef:
    kind: OCIRepository
    name: onepassword-connect
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  values:
    connect:
      api:
        serviceMonitor:
          enabled: true
      serviceType: ClusterIP   # Connect API is reachable only inside the cluster
# ---- /kubernetes/apps/secrets/onepassword/connect/kustomization.yaml ----
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
# ---- /kubernetes/apps/secrets/onepassword/store/clustersecretstore.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/clustersecretstore_v1.json
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: onepassword
spec:
  # NOTE(review): this is a cluster-scoped store with no `conditions`, so an
  # ExternalSecret in *any* namespace may reference it and read any item in the
  # "Kubernetes" vault. If that is wider than intended, add
  # `spec.conditions[].namespaces` / `namespaceSelector`, or split high-value
  # items into a separate vault with its own store.
  provider:
    onepassword:
      # Plain HTTP to the Connect API; only acceptable because the hop stays on
      # the cluster network (ClusterIP service). The Connect token that
      # authorises every read lives in the `onepassword-token` Secret below.
      connectHost: http://onepassword-connect.external-secrets.svc.cluster.local:8080
      vaults:
        Kubernetes: 1
      auth:
        secretRef:
          connectTokenSecretRef:
            name: onepassword-token
            key: token
            namespace: external-secrets
# ---- /kubernetes/apps/secrets/onepassword/store/kustomization.yaml ----
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - clustersecretstore.yaml
# ---- /kubernetes/apps/spegel/helm/kustomizeconfig.yaml ----
---
nameReference:
  - kind: ConfigMap
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
# ---- /kubernetes/apps/spegel/helm/values.yaml ----
---
# Spegel is a node-local registry mirror: it needs the containerd socket and
# writes mirror entries into containerd's hosts.d directory (Talos paths below),
# i.e. it runs with node-level privileges by design.
spegel:
  appendMirrors: true
  containerdSock: /run/containerd/containerd.sock
  containerdRegistryConfigPath: /etc/cri/conf.d/hosts
service:
  registry:
    # Bound on every node's host network so peers can pull through it.
    # NOTE(review): this file cannot show whether 29999 is reachable beyond the
    # node subnet; confirm the host firewall / NetworkPolicy limits it to nodes.
    hostPort: 29999
serviceMonitor:
  enabled: true
# ---- /kubernetes/apps/spegel/helmrelease.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: spegel
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: 0.2.0   # tag-only pin; no `verify:` block for a component that touches containerd
  url: oci://ghcr.io/spegel-org/helm-charts/spegel
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: spegel
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: spegel
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  valuesFrom:
    - kind: ConfigMap
      name: spegel-values
# ---- /kubernetes/apps/spegel/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
configMapGenerator:
  - name: spegel-values
    files:
      - values.yaml=./helm/values.yaml
configurations:
  - ./helm/kustomizeconfig.yaml
# ---- /kubernetes/apps/storage/rook-ceph/cluster/kustomization.yaml ----
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helmrelease.yaml
# ---- /kubernetes/apps/storage/rook-ceph/operator/helmrelease.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: rook-ceph
spec:
  interval: 5m
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  ref:
    tag: v1.17.3   # tag-only pin; no `verify:` block for the storage operator
  url: oci://ghcr.io/rook/rook-ceph
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: rook-ceph-operator
spec:
  interval: 30m
  timeout: 15m   # longer than the default: operator rollouts are slow
  chartRef:
    kind: OCIRepository
    name: rook-ceph
  install:
    remediation:
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  # The ServiceMonitor objects enabled below need the Prometheus CRDs first.
  dependsOn:
    - name: prometheus-operator-crds
      namespace: observability
  values:
    csi:
      serviceMonitor:
        enabled: true
    monitoring:
      enabled: true
# ---- /kubernetes/apps/storage/rook-ceph/operator/kustomization.yaml ----
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helmrelease.yaml
# ---- /kubernetes/apps/system-upgrade-controller/app/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - ./rbac.yaml
# ---- /kubernetes/apps/system-upgrade-controller/app/rbac.yaml ----
---
# The upgrade controller's ServiceAccount is bound to cluster-admin here AND
# (below) issued a Talos API identity with the `os:admin` role. Anything that
# can create a Plan in, or exec into a Pod of, the system-upgrade namespace
# can therefore take over both the Kubernetes control plane and the nodes'
# OS; write access to that namespace must be treated as cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system-upgrade-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: system-upgrade-controller
    namespace: system-upgrade
---
# Talos (not Kubernetes) ServiceAccount: presumably materialises a Secret of
# the same name holding node-API credentials, which the Plans mount at
# /var/run/secrets/talos.dev — confirm against the Talos docs for this CRD.
apiVersion: talos.dev/v1alpha1
kind: ServiceAccount
metadata:
  name: system-upgrade-controller
spec:
  roles: ["os:admin"]   # full Talos API access, required for upgrade/upgrade-k8s
# ---- /kubernetes/apps/system-upgrade-controller/plans/kubernetes.yaml ----
---
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: kubernetes
spec:
  version: ${KUBERNETES_VERSION}
  # One node at a time, and never concurrently with another exclusive Plan.
  concurrency: 1
  exclusive: true
  serviceAccountName: system-upgrade-controller
  # Mounts the Talos os:admin credentials into the upgrade Pod.
  secrets:
    - name: system-upgrade-controller
      path: /var/run/secrets/talos.dev
  ignoreUpdates: true
  # Only control-plane nodes: `upgrade-k8s` drives the cluster-wide upgrade
  # from one node via the Talos API.
  nodeSelector:
    matchExpressions:
      - key: node-role.kubernetes.io/control-plane
        operator: Exists
  upgrade:
    # NOTE(review): mutable tag; the Pod runs with os:admin node credentials,
    # so consider pinning the image by digest as well.
    image: ghcr.io/siderolabs/talosctl:${TALOS_VERSION}
    args:
      - --nodes=$(NODE_IP)
      - upgrade-k8s
      - --to=$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
    envs:
      - name: NODE_IP
        valueFrom:
          fieldRef:
            fieldPath: status.hostIP
# ---- /kubernetes/apps/system-upgrade-controller/plans/kustomization.yaml ----
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./kubernetes.yaml
  - ./talos.yaml
# ---- /kubernetes/apps/system-upgrade-controller/plans/talos.yaml ----
---
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: talos
spec:
  version: ${TALOS_VERSION}
  concurrency: 1
  exclusive: true
  serviceAccountName: system-upgrade-controller
  secrets:
    - name: system-upgrade-controller
      path: /var/run/secrets/talos.dev
  ignoreUpdates: true
  # Selects every node that NFD labels as running Talos.
  nodeSelector:
    matchExpressions:
      - key: feature.node.kubernetes.io/system-os_release.ID
        operator: In
        values: ["talos"]
  upgrade:
    # NOTE(review): a third-party personal image (ghcr.io/jfroy/tnu) runs here
    # with the node's Talos os:admin credentials mounted and can reimage the
    # node. Pin it by digest and review each bump rather than trusting the
    # mutable 0.4.3 tag.
    image: ghcr.io/jfroy/tnu:0.4.3
    args:
      - --node=$(NODE_IP)
      - --tag=$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
      - --powercycle   # presumably reboots the node after the upgrade — confirm in tnu's docs
    envs:
      - name: NODE_IP
        valueFrom:
          fieldRef:
            fieldPath: status.hostIP
# ---- /kubernetes/clusters/atlantis-k8s01/apps/actions-runner-system/actions-infra-runner.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app actions-infra-runner
  namespace: &namespace actions-runner-system
  labels:
    # Opts this Kustomization into the flux-post-build-variables component
    # (presumably ${...} substitution from a shared ConfigMap/Secret).
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: actions-runner-controller
      namespace: *namespace
  interval: 1h
  # TODO: this should be made generic so we can create different runners via patches
  path: ./kubernetes/apps/actions-runner-controller/runners/infra
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false   # do not block on runner readiness
# ---- /kubernetes/clusters/atlantis-k8s01/apps/actions-runner-system/actions-runner-controller.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app actions-runner-controller
  namespace: &namespace actions-runner-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Marks the Kustomization ready only once the HelmRelease is, so the runner
  # Kustomization above does not start before the controller exists.
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *app
      namespace: *namespace
  interval: 1h
  path: ./kubernetes/apps/actions-runner-controller/app
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
# ---- /kubernetes/clusters/atlantis-k8s01/apps/actions-runner-system/kustomization.yaml ----
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: actions-runner-system
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./actions-runner-controller.yaml
  - ./actions-infra-runner.yaml
# ---- /kubernetes/clusters/atlantis-k8s01/apps/cert-manager/cert-manager.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app cert-manager
  namespace: &namespace cert-manager
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: prometheus-operator-crds
      namespace: observability
  targetNamespace: *namespace
  path: ./kubernetes/apps/cert-manager/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  retryInterval: 2m
  timeout: 5m
# ---- /kubernetes/clusters/atlantis-k8s01/apps/cert-manager/issuers.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app cert-issuers
  namespace: &namespace cert-manager
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # NOTE(review): no dependsOn on the cert-manager Kustomization; the issuers
  # rely on Flux retrying (retryInterval) until the ClusterIssuer CRD exists.
  targetNamespace: *namespace
  path: ./kubernetes/apps/cert-manager/issuers
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  retryInterval: 2m
  timeout: 5m
# ---- /kubernetes/clusters/atlantis-k8s01/apps/cert-manager/kustomization.yaml ----
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-manager
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./cert-manager.yaml
  - ./issuers.yaml
# ---- /kubernetes/clusters/atlantis-k8s01/apps/external-dns/cloudflare.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app external-dns-cloudflare
  namespace: &namespace external-dns
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # external-secrets must be up first: the Cloudflare API token this deployment
  # needs is presumably delivered as an ExternalSecret.
  dependsOn:
    - name: external-secrets
      namespace: external-secrets
    - name: prometheus-operator-crds
      namespace: observability
  targetNamespace: *namespace
  path: ./kubernetes/apps/networking/external-dns/cloudflare
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30m
  timeout: 5m
# ---- /kubernetes/clusters/atlantis-k8s01/apps/external-secrets/kustomization.yaml ----
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: external-secrets
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./external-secrets.yaml
  - ./onepassword-connect.yaml
# ---- /kubernetes/clusters/atlantis-k8s01/apps/external-secrets/onepassword-connect.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app onepassword-connect
  namespace: &namespace external-secrets
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  targetNamespace: *namespace
  path: ./kubernetes/apps/secrets/onepassword/connect
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  timeout: 5m

---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app onepassword-store
  namespace: &namespace external-secrets
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # The ClusterSecretStore CRD comes from the external-secrets release.
  dependsOn:
    - name: external-secrets
  targetNamespace: *namespace
  path: ./kubernetes/apps/secrets/onepassword/store
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  timeout: 5m
# ---- /kubernetes/clusters/atlantis-k8s01/apps/flux-system/flux-instance.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app flux-instance
  namespace: &namespace flux-system
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: flux-operator
  targetNamespace: *namespace
  path: ./kubernetes/apps/flux/instance
  # Pruning is off for the Flux instance itself, presumably so that a bad path
  # or Git mistake cannot garbage-collect the controllers that run this sync.
  prune: false
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  retryInterval: 2m
  timeout: 5m
# ---- /kubernetes/clusters/atlantis-k8s01/apps/flux-system/flux-operator.yaml ----
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app flux-operator
  namespace: &namespace flux-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  targetNamespace: *namespace
  path: ./kubernetes/apps/flux/operator
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  retryInterval: 2m
  timeout: 5m
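--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/flux-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Namespace wrapper for flux-operator and the FluxInstance.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./flux-instance.yaml
  - ./flux-operator.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/gateway/certificates.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cert-manager.io/certificate_v1.json
# Wildcard certificate for freckle.vision, stored as one Secret in the gateway
# namespace.
#
# Security note: a wildcard makes this single Secret valid for *every* host
# under the zone, so anything that can read Secrets in the gateway namespace
# (or attach the Secret to a listener) can impersonate any subdomain — keep
# RBAC on this namespace correspondingly tight. ACME will only issue a
# wildcard through a DNS-01 solver, so the letsencrypt-production
# ClusterIssuer (defined elsewhere, not visible here) must carry one; HTTP-01
# alone cannot satisfy this request.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: frecklevision-tls
spec:
  secretName: frecklevision-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "freckle.vision"
  dnsNames:
    - freckle.vision
    - "*.freckle.vision"

---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cert-manager.io/certificate_v1.json
# Apex-only certificate for freckle.id (no wildcard).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: freckleid-tls
spec:
  secretName: freckleid-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "freckle.id"
  dnsNames:
    - freckle.id
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/gateway/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization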
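# Namespace wrapper for the Gateway API objects and their TLS certificates.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: gateway
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./certificates.yaml
  - ./gateways.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/it-tools/it-tools.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# it-tools web app (stateless, no secrets, so no dependsOn).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app it-tools
  namespace: &namespace it-tools
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/apps/it-tools
  interval: 2m
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/it-tools/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: it-tools
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./it-tools.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/kube-system/cilium-gw-config.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Cilium Gateway API configuration (GatewayClass and friends), applied
# separately from the Cilium install so it can be reconciled on its own.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app cilium-gateway-config
  namespace: &namespace kube-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  targetNamespace: *namespace
  path: ./kubernetes/apps/networking/cilium/gateway-config
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  retryInterval: 2m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/kube-system/cilium.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Cilium CNI. Depends on the Prometheus Operator CRDs so the chart's
# ServiceMonitor resources can be applied.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app cilium
  namespace: &namespace kube-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: prometheus-operator-crds
      namespace: observability
  targetNamespace: *namespace
  path: ./kubernetes/apps/networking/cilium/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  # Cluster-specific override: turn on the BGP control plane here only.
  # NOTE(review): RFC 6902 `add` on a member that already exists REPLACES it.
  # If the base HelmRelease under ./kubernetes/apps/networking/cilium/app
  # carries inline spec.values, this patch wipes them and leaves only
  # bgpControlPlane; that is only safe if the base uses valuesFrom. Confirm,
  # or target `/spec/values/bgpControlPlane` with `value: {enabled: true}`.
  patches:
    - target:
        kind: HelmRelease
      patch: |-
        - op: add
          path: /spec/values
          value:
            bgpControlPlane:
              enabled: true
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/kube-system/descheduler.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app descheduler
  namespace: &namespace kube-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 1h
  path: ./kubernetes/apps/descheduler
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/kube-system/generic-device-plugin.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Generic device plugin: advertises host device nodes as schedulable
# resources. Workloads that consume them (the Tailscale operator depends on
# this Kustomization) get direct access to host devices, so the device list in
# the app path is security-relevant — keep it to what is actually needed.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app generic-device-plugin
  namespace: &namespace kube-system
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/apps/devices/generic-device-plugin
  interval: 30s
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/kube-system/kubelet-csr-approver.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# kubelet-csr-approver: automatically approves kubelet serving-certificate
# CSRs, which makes it part of the node trust path. The policy that decides
# which CSRs are accepted (allowed node-name pattern, IP/DNS checks, bypass
# options) is in the chart values under ./kubernetes/apps/kubelet-csr-approver,
# not here — review that file, not this one, before loosening anything.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app kubelet-csr-approver
  namespace: &namespace kube-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 1h
  path: ./kubernetes/apps/kubelet-csr-approver
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/kube-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Namespace wrapper for everything deployed into kube-system on this cluster.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./cilium.yaml
  - ./cilium-gw-config.yaml
  - ./descheduler.yaml
  - ./generic-device-plugin.yaml
  - ./intel-device-plugin.yaml
  - ./kubelet-csr-approver.yaml
  - ./metrics-server.yaml
  - ./multus.yaml
  - ./node-feature-discovery.yaml
  - ./reloader.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/kube-system/metrics-server.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# metrics-server; relies on kubelet serving certs being valid, which is why
# kubelet-csr-approver above matters for it.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app metrics-server
  namespace: &namespace kube-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 1h
  path: ./kubernetes/apps/observability/metrics-server
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/kube-system/multus.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Multus CNI (secondary pod networks). NetworkAttachmentDefinitions elsewhere
# can put pods straight onto host networks that bypass Cilium policy — treat
# them as privileged configuration.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app multus
  namespace: &namespace kube-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 1h
  path: ./kubernetes/apps/networking/multus
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/kube-system/reloader.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Reloader: restarts workloads when their ConfigMaps/Secrets change.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app reloader
  namespace: &namespace kube-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 1h
  path: ./kubernetes/apps/reloader
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/kustomization.yaml: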
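--------------------------------------------------------------------------------
# Top-level list of per-namespace app directories for cluster atlantis-k8s01.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./actions-runner-system
  - ./cert-manager
  - ./external-dns
  - ./external-secrets
  - ./flux-system
  - ./gateway
  - ./it-tools
  - ./kube-system
  - ./media
  - ./observability
  - ./rook-ceph
  - ./spegel
  - ./system-upgrade
  - ./tailscale
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/media/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: media
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./emby.yaml
  - ./prowlarr.yaml
  - ./radarr.yaml
  - ./recyclarr.yaml
  - ./sabnzbd.yaml
  - ./sonarr.yaml
  - ./sonarr-anime.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/media/prowlarr.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Prowlarr. Waits for the secret store (API keys), the Tailscale ProxyClass
# (presumably how it is exposed) and the Ceph cluster (its PVC).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app prowlarr
  namespace: &namespace media
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/apps/media/prowlarr
  dependsOn:
    - name: onepassword-store
      namespace: external-secrets
    - name: tailscale-proxyclass
      namespace: tailscale
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 2m
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/media/recyclarr.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Recyclarr. Points at the cluster-local overlay (which swaps in this
# cluster's recyclarr.yml) rather than the shared app path.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app recyclarr
  namespace: &namespace media
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/clusters/atlantis-k8s01/apps/media/recyclarr
  dependsOn:
    - name: onepassword-store
      namespace: external-secrets
  interval: 2m
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
  # This cluster also runs a second Sonarr ("sonarr-anime"); extend the shared
  # ExternalSecret with its API key. The 1Password item is keyed by cluster
  # name (${CLUSTER_NAME} comes from the post-build-variables component, hence
  # the label above), and every field of that item is exposed with a
  # `sonarr_anime_` prefix so it cannot collide with the base item's fields.
  patches:
    - target:
        kind: ExternalSecret
      patch: |-
        - op: add
          path: /spec/target/template/data/SONARR_ANIME_API_KEY
          value: "{{ .sonarr_anime_api_key }}"

        - op: add
          path: /spec/dataFrom/0
          value:
            extract:
              key: sonarr-anime-${CLUSTER_NAME}
              rewrite:
                - regexp:
                    source: "(.*)"
                    target: "sonarr_anime_$1"
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/media/recyclarr/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Cluster overlay for recyclarr: replaces the shared config ConfigMap with
# this cluster's recyclarr.yml. (The schema comment previously pointed at the
# Flux Kustomization schema, which does not match this kustomize.config.k8s.io
# resource; it is editor-only and has no runtime effect.)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

configMapGenerator:
  - name: recyclarr-configmap
    behavior: replace
    files:
      - recyclarr.yml=./config/recyclarr.yml
generatorOptions:
  disableNameSuffixHash: true

resources:
  - ../../../../../apps/media/recyclarr
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/observability/grafana-instance.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app grafana-instance
  namespace: &namespace observability
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: grafana-operator
  targetNamespace: *namespace
  path: ./kubernetes/apps/observability/grafana/instance
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30s
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/observability/grafana-operator.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app grafana-operator
  namespace: &namespace observability
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: prometheus-operator-crds
  targetNamespace: *namespace
  path: ./kubernetes/apps/observability/grafana/operator
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30s
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/observability/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: observability
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./grafana-operator.yaml
  - ./grafana-instance.yaml
  - ./prometheus-operator-crds.yaml
  - ./victoria-logs.yaml
  - ./vm-operator-crds.yaml
  - ./vm-k8s-stack.yaml
# Pod Security Admission: the whole namespace is exempted (enforce=privileged),
# presumably for node-level collectors that need hostPath/hostNetwork — but
# Grafana and the operators in here do not, so the exemption is wider than the
# need. audit/warn are set one level stricter so the API server reports which
# pods actually rely on the exemption without blocking anything; use that
# output to decide whether the privileged workloads can move to their own
# namespace. (`add` on /metadata/labels replaces any labels the common
# Namespace already carries — fine as long as it has none that matter.)
patches:
  - target:
      kind: Namespace
    patch: |-
      - op: add
        path: /metadata/labels
        value:
          pod-security.kubernetes.io/enforce: privileged
          pod-security.kubernetes.io/audit: baseline
          pod-security.kubernetes.io/warn: baseline
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/observability/prometheus-operator-crds.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Prometheus Operator CRDs only (ServiceMonitor etc.); many other
# Kustomizations in this cluster depend on this one.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app prometheus-operator-crds
  namespace: &namespace observability
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/observability/prometheus-operator-crds
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30s
  retryInterval: 1m
  timeout: 5m
  prune: true
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/observability/victoria-logs.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app victoria-logs
  namespace: &namespace observability
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: grafana-operator
    - name: vm-operator-crds
  targetNamespace: *namespace
  path: ./kubernetes/apps/observability/victoria-logs
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30s
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/observability/vm-k8s-stack.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app vm-k8s-stack
  namespace: &namespace observability
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: prometheus-operator-crds
    - name: vm-operator-crds
    - name: grafana-operator
  targetNamespace: *namespace
  path: ./kubernetes/apps/observability/victoria-metrics/k8s-stack
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30s
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/observability/vm-operator-crds.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app vm-operator-crds
  namespace: &namespace observability
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/observability/victoria-metrics/operator-crds
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30s
  retryInterval: 1m
  timeout: 5m
  prune: true
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/rook-ceph/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: rook-ceph
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./rook-ceph.yaml
  - ./rook-ceph-cluster.yaml
# Rook/Ceph OSDs and the CSI plugins genuinely need privileged pods (raw block
# devices, host mounts), so the namespace is fully exempted from PSA.
patches:
  - target:
      kind: Namespace
    patch: |-
      - op: add
        path: /metadata/labels
        value:
          pod-security.kubernetes.io/audit: privileged
          pod-security.kubernetes.io/enforce: privileged
          pod-security.kubernetes.io/warn: privileged
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/rook-ceph/rook-ceph-cluster.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# CephCluster for this cluster. prune is off on purpose: Flux must never
# garbage-collect the CephCluster (that would destroy the storage pool), and
# the 30m timeout covers OSD preparation.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app rook-ceph-cluster
  namespace: &namespace rook-ceph
spec:
  targetNamespace: *namespace
  dependsOn:
    - name: rook-ceph
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/storage/rook-ceph/cluster
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 2m
  retryInterval: 1m
  timeout: 30m
  prune: false
  wait: true
  # SECURITY NOTE: this drops the OSD at-rest encryption setting
  # (cephClusterSpec.storage.encryptedDevice) from the shared chart values, so
  # on this cluster OSD devices fall back to Rook's default and are NOT
  # dm-crypt encrypted. Data on the raw disks is therefore readable if a drive
  # leaves the node. Record the reason for the exception here (lab cluster,
  # self-encrypting drives, performance…) so it is not mistaken for an
  # oversight, and be aware that re-enabling it later requires re-creating
  # the OSDs — it cannot be toggled in place.
  patches:
    - target:
        kind: HelmRelease
        name: rook-ceph-cluster
      patch: |-
        - op: remove
          path: /spec/values/cephClusterSpec/storage/encryptedDevice
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/rook-ceph/rook-ceph.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Rook operator. prune is off for the same reason as the cluster: never let a
# reconcile remove the operator out from under running OSDs.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app rook-ceph
  namespace: &namespace rook-ceph
spec:
  targetNamespace: *namespace
  dependsOn:
    - name: prometheus-operator-crds
      namespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/storage/rook-ceph/operator
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 2m
  retryInterval: 1m
  timeout: 30m
  prune: false
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/spegel/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: spegel
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./spegel.yaml
# Spegel mounts the node's containerd socket/content store, hence privileged.
patches:
  - target:
      kind: Namespace
    patch: |-
      - op: add
        path: /metadata/labels
        value:
          pod-security.kubernetes.io/audit: privileged
          pod-security.kubernetes.io/enforce: privileged
          pod-security.kubernetes.io/warn: privileged
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/spegel/spegel.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Spegel: peer-to-peer image mirror between nodes. Images are served by
# digest, so the mirror does not weaken image provenance as long as
# pull-by-digest / signature checks happen at the registry-policy layer.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app spegel
  namespace: &namespace spegel
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 1h
  path: ./kubernetes/apps/spegel
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/system-upgrade/kustomization.yaml: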
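--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: system-upgrade
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./system-upgrade-controller.yaml
  - ./system-upgrade-controller-plans.yaml
# The upgrade jobs run with host access (they drive talosctl against the
# node), so the namespace has to be exempted from PSA. audit/warn are kept one
# level stricter than enforce so the API server still reports which pods use
# the exemption — that costs nothing and makes drift visible.
patches:
  - target:
      kind: Namespace
    patch: |-
      - op: add
        path: /metadata/labels
        value:
          pod-security.kubernetes.io/enforce: privileged
          pod-security.kubernetes.io/audit: baseline
          pod-security.kubernetes.io/warn: baseline
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/system-upgrade/system-upgrade-controller-plans.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Upgrade Plans for Talos and Kubernetes on this cluster. The two versions
# below are the only per-cluster inputs; Renovate bumps them. Anything that
# can push to this path can therefore roll the whole node fleet to a new OS
# and kubelet, which is why this Kustomization should stay behind the same
# review/branch protection as the rest of the repo. The images referenced by
# the plans are pinned by tag here; if the plans (not visible here) do not
# also pin a digest, a tag re-push at the registry would change what gets
# installed.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app system-upgrade-controller-plans
  namespace: &namespace system-upgrade
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: system-upgrade-controller
      namespace: system-upgrade
  interval: 1h
  path: ./kubernetes/apps/system-upgrade-controller/plans
  postBuild:
    substitute:
      # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
      KUBERNETES_VERSION: v1.33.1
      # renovate: datasource=docker depName=ghcr.io/siderolabs/installer
      TALOS_VERSION: v1.10.3
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------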
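/kubernetes/clusters/atlantis-k8s01/apps/system-upgrade/system-upgrade-controller.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# system-upgrade-controller itself; the Plans above depend on it.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app system-upgrade-controller
  namespace: &namespace system-upgrade
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 1h
  path: ./kubernetes/apps/system-upgrade-controller/app
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/tailscale/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: tailscale
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./tailscale-operator.yaml
  - ./tailscale-proxyclass.yaml
  - ./tailscale-routers.yaml
# Tailscale proxies need NET_ADMIN and a TUN device (see the ProxyClass and
# the generic-device-plugin dependency below), hence the PSA exemption.
patches:
  - target:
      kind: Namespace
    patch: |-
      - op: add
        path: /metadata/labels
        value:
          pod-security.kubernetes.io/audit: privileged
          pod-security.kubernetes.io/enforce: privileged
          pod-security.kubernetes.io/warn: privileged
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/tailscale/routers/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./router.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/tailscale/routers/router.yaml:
--------------------------------------------------------------------------------
---
# Tailscale Connector for this cluster: acts as an exit node AND as a subnet
# router for the three /20s below.
#
# SECURITY NOTE: this is the widest network exposure in the repo. Every
# tailnet device the ACL allows can (a) egress to the internet with this
# cluster's public IP and (b) reach the advertised subnets — including
# anything on them that trusts "local" traffic. Advertising is not enough on
# its own: the routes and exit-node capability still have to be approved in
# the tailnet (admin console or an autoApprovers rule for this node's tag),
# and the ACL should scope both to the users/groups that actually need them
# rather than `*`. The subnets are also reachable from inside the cluster via
# the proxy pod, so cluster-side NetworkPolicy around the tailscale namespace
# matters too.
apiVersion: tailscale.com/v1alpha1
kind: Connector
metadata:
  name: atlantis-ts-rtr
  namespace: tailscale
spec:
  proxyClass: tailscale-tun
  hostname: atlantis-ts-rtr
  exitNode: true
  subnetRouter:
    advertiseRoutes:
      - "172.20.0.0/20"
      - "172.25.0.0/20"
      - "172.26.0.0/20"
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/tailscale/tailscale-operator.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Tailscale Kubernetes operator. Depends on the generic device plugin
# (presumably to hand /dev/net/tun to proxy pods) and on the secret store
# (its OAuth client credentials arrive via ExternalSecret).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app tailscale-operator
  namespace: &namespace tailscale
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  targetNamespace: *namespace
  dependsOn:
    - name: generic-device-plugin
      namespace: kube-system
    - name: onepassword-store
      namespace: external-secrets
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/apps/networking/tailscale-operator/operator
  interval: 30s
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
--------------------------------------------------------------------------------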
/kubernetes/clusters/atlantis-k8s01/apps/tailscale/tailscale-proxyclass.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app tailscale-proxyclass
  namespace: &namespace tailscale
spec:
  targetNamespace: *namespace
  # ProxyClass CRD is installed by the operator chart, so wait for it first.
  dependsOn:
    - name: tailscale-operator
      namespace: tailscale
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/apps/networking/tailscale-operator/proxyclass
  interval: 30s
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/apps/tailscale/tailscale-routers.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app tailscale-routers
  namespace: &namespace tailscale
spec:
  targetNamespace: *namespace
  # No namespace given: Flux resolves the dependency in this Kustomization's
  # namespace (tailscale), where tailscale-proxyclass lives.
  dependsOn:
    - name: tailscale-proxyclass
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  # Cluster-specific path (routes/exit node are per cluster), not the shared
  # kubernetes/apps tree used by the other Kustomizations here.
  path: ./kubernetes/clusters/atlantis-k8s01/apps/tailscale/routers
  interval: 30s
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/atlantis-k8s01/flux/apps.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Root Kustomization for the atlantis-k8s01 cluster: reconciles every
# per-namespace directory under clusters/atlantis-k8s01/apps.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cluster-apps
  namespace: flux-system
spec:
  interval: 15m
  path: ./kubernetes/clusters/atlantis-k8s01/apps
  # prune at the root: removing a directory from the path above garbage-collects
  # the Flux Kustomizations it defined, and through their own prune, their workloads.
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  timeout: 5m
  wait: false
  postBuild:
    substitute:
      # Cluster identity consumed by the child Kustomizations (e.g. ${CLUSTER_DOMAIN}
      # in hostnames); these are plain variables, no secret material.
      CLUSTER_NAME: "atlantis-k8s01"
      CLUSTER_DOMAIN: "atlantis.freckle.systems"
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/actions-runner-system/actions-infra-runner.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app actions-infra-runner
  namespace: &namespace actions-runner-system
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Controller must be Ready (its HelmRelease health check) before the runner
  # scale set is applied.
  dependsOn:
    - name: actions-runner-controller
      namespace: *namespace
  interval: 1h
  # TODO: this should be made generic so we can create different runners via patches
  path: ./kubernetes/apps/actions-runner-controller/runners/infra
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/actions-runner-system/actions-runner-controller.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app actions-runner-controller
  namespace: &namespace actions-runner-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Readiness is gated on the chart's HelmRelease instead of `wait`; this is what
  # actions-infra-runner's dependsOn waits for.
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *app
      namespace: *namespace
  interval: 1h
  path: ./kubernetes/apps/actions-runner-controller/app
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/actions-runner-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: actions-runner-system
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./actions-runner-controller.yaml
  - ./actions-infra-runner.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/cert-manager/cert-manager.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app cert-manager
  namespace: &namespace cert-manager
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Needed so the chart's ServiceMonitor/PrometheusRule objects have their CRDs
  # (presumably; the dependency is on the CRDs Kustomization only).
  dependsOn:
    - name: prometheus-operator-crds
      namespace: observability
  targetNamespace: *namespace
  path: ./kubernetes/apps/cert-manager/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  retryInterval: 2m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/cert-manager/issuers.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app cert-issuers
  namespace: &namespace cert-manager
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # NOTE(review): no dependsOn cert-manager. Issuer objects applied before the
  # cert-manager CRDs exist fail and are retried every retryInterval (2m) until
  # they do; a dependsOn on cert-manager would make the ordering explicit.
  targetNamespace: *namespace
  path: ./kubernetes/apps/cert-manager/issuers
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  retryInterval: 2m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/cert-manager/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-manager
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./cert-manager.yaml
  - ./issuers.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/cloudflare-tunnel/cloudflare-tunnel.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app cloudflare-tunnel
  namespace: &namespace cloudflare-tunnel
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: external-secrets
      namespace: external-secrets
    - name: prometheus-operator-crds
      namespace: observability
  targetNamespace: *namespace
  path: ./kubernetes/apps/networking/cloudflare-tunnel
  postBuild:
    # Variables come from cluster objects rather than git: the tunnel id is the
    # Secret produced by externalsecret.yaml in this directory (key
    # CLOUDFLARE_TUNNEL_ID); infra-info-cluster is not defined here —
    # presumably created by components/flux-post-build-variables, confirm.
    substituteFrom:
      - kind: Secret
        name: cloudflare-tunnel-id
      - kind: ConfigMap
        name: infra-info-cluster
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/cloudflare-tunnel/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
# NOTE(review): the $schema comment above pins externalsecret_v1beta1 while the
# apiVersion below is external-secrets.io/v1; point the schema at the v1 document.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  # Namespace comes from kustomization.yaml (cloudflare-tunnel).
  name: cloudflare-tunnel-id
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  # Only the tunnel's id is pulled (property: id), not the tunnel token; the
  # resulting Secret is read via substituteFrom in cloudflare-tunnel.yaml.
  data:
    - secretKey: CLOUDFLARE_TUNNEL_ID
      remoteRef:
        key: cloudflare-tunnel-fairy-k8s01
        property: id
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/cloudflare-tunnel/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cloudflare-tunnel
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  # The ExternalSecret is applied alongside (not before) the Flux Kustomization
  # that reads it via substituteFrom; Flux retries until the Secret exists.
  - ./externalsecret.yaml
  - ./cloudflare-tunnel.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/external-dns/cloudflare-tunnel.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app external-dns-cloudflare-tunnel
  namespace: &namespace external-dns
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: external-secrets
      namespace: external-secrets
    - name: prometheus-operator-crds
      namespace: observability
  targetNamespace: *namespace
  # Second external-dns instance, publishing records that point at the tunnel
  # (see the gateway.freckle.systems/dns label patch in gateway/gateways.yaml).
  path: ./kubernetes/apps/networking/external-dns/cloudflare-tunnel
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/external-dns/cloudflare.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app external-dns-cloudflare
  namespace: &namespace external-dns
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: external-secrets
      namespace: external-secrets
    - name: prometheus-operator-crds
      namespace: observability
  targetNamespace: *namespace
  path: ./kubernetes/apps/networking/external-dns/cloudflare
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/external-dns/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: external-dns
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./cloudflare.yaml
  - ./cloudflare-tunnel.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/external-secrets/external-secrets.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app external-secrets
  namespace: &namespace external-secrets
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Bootstrap chain for secrets: onepassword-connect -> external-secrets ->
  # onepassword-store (the ClusterSecretStore everything else reads from).
  dependsOn:
    - name: onepassword-connect
  targetNamespace: *namespace
  path: ./kubernetes/apps/secrets/external-secrets
  prune: true
  # The store Kustomization depends on this one, so hold until the operator is up.
  wait: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/external-secrets/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: external-secrets
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./external-secrets.yaml
  - ./onepassword-connect.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/external-secrets/onepassword-connect.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Two Kustomizations in one file: the 1Password Connect server (first document)
# and the ClusterSecretStore that points at it (second document).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app onepassword-connect
  namespace: &namespace external-secrets
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  targetNamespace: *namespace
  # Root of the secrets chain: has no dependsOn, so its own credentials cannot
  # come from an ExternalSecret — presumably a bootstrap Secret; confirm.
  path: ./kubernetes/apps/secrets/onepassword/connect
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  timeout: 5m

---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app onepassword-store
  namespace: &namespace external-secrets
spec:
# (continuation of onepassword-connect.yaml, second document: onepassword-store spec)
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # The ClusterSecretStore CRD comes from the external-secrets operator, hence
  # the dependency; every ExternalSecret in the cluster referencing `onepassword`
  # resolves through this store.
  dependsOn:
    - name: external-secrets
  targetNamespace: *namespace
  path: ./kubernetes/apps/secrets/onepassword/store
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/flux-system/flux-instance.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app flux-instance
  namespace: &namespace flux-system
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: flux-operator
  targetNamespace: *namespace
  path: ./kubernetes/apps/flux/instance
  # Deliberately not pruned: this path manages the Flux controllers themselves,
  # so a path/resource removal must not garbage-collect the reconciler.
  prune: false
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 5m
  retryInterval: 2m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/flux-system/flux-operator.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app flux-operator
  namespace: &namespace flux-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  targetNamespace: *namespace
  path: ./kubernetes/apps/flux/operator
  prune: true
# (continuation of flux-operator.yaml spec)
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  retryInterval: 2m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/flux-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./flux-instance.yaml
  - ./flux-operator.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/gateway/gateways.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app gateway
  namespace: &namespace gateway
  labels:
    # Required here: the patch below uses ${CLUSTER_DOMAIN}.
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  targetNamespace: *namespace
  path: ./kubernetes/apps/networking/gateway
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  # Cluster-specific overrides for the shared `external` Gateway: publish it via
  # Cloudflare-proxied DNS pointing at external-gw.<cluster domain> and route its
  # records through the tunnel-backed external-dns instance.
  # NOTE(review): JSON6902 `add` under /metadata/annotations/... requires the
  # annotations map to already exist on the base Gateway, and `replace` fails if
  # the gateway.freckle.systems/dns label is absent — confirm against the base.
  patches:
    - target:
        kind: Gateway
        name: external
      patch: |-
        - op: add
          path: /metadata/annotations/external-dns.alpha.kubernetes.io~1cloudflare-proxied
          value: "true"
        - op: add
          path: /metadata/annotations/external-dns.alpha.kubernetes.io~1target
          value: "external-gw.${CLUSTER_DOMAIN}"
        - op: replace
          path: /metadata/labels/gateway.freckle.systems~1dns
          value: cloudflare-tunnel
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/gateway/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: gateway
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./gateways.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/golink/golink.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app golink
  namespace: &namespace golink
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Waits for the ClusterSecretStore, so the app's secrets presumably arrive via
  # an ExternalSecret in the path below — confirm.
  dependsOn:
    - name: onepassword-store
      namespace: external-secrets
  path: ./kubernetes/apps/golink
  targetNamespace: *namespace
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 2m
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/golink/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: golink
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./golink.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/home-automation/esphome.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app esphome
  namespace: &namespace home-automation
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/apps/home-automation/esphome
  # Persistent storage comes from Ceph; wait for the cluster before the PVC.
  dependsOn:
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 2m
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
  # Attaches the pod to the multus-iot network with a fixed IP and MAC so IoT
  # devices can reach it directly. Both values must stay unique on that segment;
  # pinning them here means this file is the source of truth for the address.
  # NOTE(review): `add` at this path needs the parent `annotations` map to exist
  # in the base HelmRelease values — confirm.
  patches:
    - target:
        kind: HelmRelease
      patch: |-
        - op: add
          path: /spec/values/controllers/esphome/pod/annotations/k8s.v1.cni.cncf.io~1networks
          value: |
            [{
              "name":"multus-iot",
              "namespace": "networking",
              "ips": ["192.168.227.43/24"],
              "mac": "ae:98:3e:1d:eb:99"
            }]
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/home-automation/homeassistant.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Currently commented out of home-automation/kustomization.yaml ("disabled for
# now"), so this Kustomization is not reconciled.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app homeassistant
  namespace: &namespace home-automation
spec:
# (continuation of homeassistant.yaml spec)
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  # Cluster-local overlay (homeassistant/kustomization.yaml below) over the
  # shared apps/home-automation/homeassistant base.
  path: ./kubernetes/clusters/fairy-k8s01/apps/home-automation/homeassistant
  dependsOn:
    - name: mosquitto
  interval: 2m
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/home-automation/homeassistant/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# (schema above fixed: this is a kustomize Kustomization, not a Flux one —
# matches the sibling kustomization.yaml files.)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

# includeSelectors: true also puts the label into selectors; Deployment selectors
# are immutable, so changing this value later needs a recreate.
labels:
  - includeSelectors: true
    pairs:
      app.kubernetes.io/part-of: fairy-home-automation

# Mounted key is mqtt.conf although the source file is YAML.
configMapGenerator:
  - name: homeassistant-config
    files:
      - mqtt.conf=files/mqtt.yaml

resources:
  - ../../../../../apps/home-automation/homeassistant
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/home-automation/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: home-automation
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
# Entries here have no ./ prefix unlike the other namespace kustomizations;
# kustomize accepts both.
resources:
  - esphome.yaml
  # disabled for now
  # - homeassistant.yaml
  - mosquitto.yaml
  - rtl-autodiscovery.yaml
  - rtl915.yaml
  - scrypted.yaml
  - zigbee.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/home-automation/rtl915.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app rtl915
  namespace: &namespace home-automation
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: mosquitto
  targetNamespace: *namespace
  # Top-level apps/ tree (not kubernetes/apps/) — intentional, the rtl_433
  # overlays live there.
  path: ./apps/home-automation/rtl_433/rtl915
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 2m
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
  # Re-points both remoteRef keys of the base ExternalSecret at this receiver's
  # MQTT credentials. Index-based paths: this only stays correct while the base
  # ExternalSecret has exactly these two data entries in this order.
  patches:
    - target:
        kind: ExternalSecret
      patch: |-
        - op: replace
          path: /spec/data/0/remoteRef/key
          value: mqtt-fairy-house-rtl915
        - op: replace
          path: /spec/data/1/remoteRef/key
          value: mqtt-fairy-house-rtl915
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/kube-system/cilium-gw-config.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app cilium-gateway-config
  namespace: &namespace kube-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  targetNamespace: *namespace
  # No dependsOn cilium: objects needing Cilium CRDs are retried until they exist.
  path: ./kubernetes/apps/networking/cilium/gateway-config
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  retryInterval: 2m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/kube-system/cilium.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app cilium
  namespace: &namespace kube-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: prometheus-operator-crds
      namespace: observability
  targetNamespace: *namespace
  path: ./kubernetes/apps/networking/cilium/app
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  # Node-specific override: Cilium attaches to the br0 bridge on this cluster.
  # NOTE(review): JSON6902 `add` on an existing member replaces it, so if the
  # base HelmRelease already sets spec.values this patch drops every other value
  # and leaves only `devices: br0`. If that is not intended, target
  # /spec/values/devices instead — confirm against kubernetes/apps/networking/cilium/app.
  patches:
    - target:
        kind: HelmRelease
      patch: |-
        - op: add
          path: /spec/values
          value:
            devices: br0
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/kube-system/descheduler.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app descheduler
  namespace: &namespace kube-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 1h
  path: ./kubernetes/apps/descheduler
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/kube-system/generic-device-plugin.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app generic-device-plugin 7 | namespace: &namespace kube-system 8 | spec: 9 | targetNamespace: *namespace 10 | commonMetadata: 11 | labels: 12 | app.kubernetes.io/name: *app 13 | sourceRef: 14 | kind: GitRepository 15 | name: flux-system 16 | namespace: flux-system 17 | path: ./kubernetes/apps/devices/generic-device-plugin 18 | interval: 30s 19 | retryInterval: 1m 20 | timeout: 5m 21 | prune: true 22 | wait: true 23 | -------------------------------------------------------------------------------- /kubernetes/clusters/fairy-k8s01/apps/kube-system/kubelet-csr-approver.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json 3 | apiVersion: kustomize.toolkit.fluxcd.io/v1 4 | kind: Kustomization 5 | metadata: 6 | name: &app kubelet-csr-approver 7 | namespace: &namespace kube-system 8 | spec: 9 | commonMetadata: 10 | labels: 11 | app.kubernetes.io/name: *app 12 | interval: 1h 13 | path: ./kubernetes/apps/kubelet-csr-approver 14 | prune: true 15 | retryInterval: 2m 16 | sourceRef: 17 | kind: GitRepository 18 | name: flux-system 19 | namespace: flux-system 20 | targetNamespace: *namespace 21 | timeout: 5m 22 | wait: false 23 | -------------------------------------------------------------------------------- /kubernetes/clusters/fairy-k8s01/apps/kube-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
# kustomize entry point for the kube-system namespace: pulls in the shared
# components and every Flux Kustomization listed under resources.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: kube-system
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./cilium.yaml
  - ./cilium-gw-config.yaml
  - ./descheduler.yaml
  - ./generic-device-plugin.yaml
  - ./intel-device-plugin.yaml
  - ./kubelet-csr-approver.yaml
  - ./metrics-server.yaml
  - ./multus.yaml
  - ./node-feature-discovery.yaml
  - ./reloader.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/kube-system/metrics-server.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for metrics-server, reconciled into kube-system.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app metrics-server
  namespace: &namespace kube-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 1h
  path: ./kubernetes/apps/observability/metrics-server
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/kube-system/multus.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for Multus, reconciled into kube-system.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app multus
  namespace: &namespace kube-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 1h
  path: ./kubernetes/apps/networking/multus
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/kube-system/reloader.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for Reloader, reconciled into kube-system.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app reloader
  namespace: &namespace kube-system
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 1h
  path: ./kubernetes/apps/reloader
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/kustomization.yaml:
--------------------------------------------------------------------------------
# Top-level kustomize build for this cluster: one directory per namespace.
# This is what the cluster-apps Flux Kustomization (flux/apps.yaml) points at.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./actions-runner-system
  - ./cert-manager
  - ./cloudflare-tunnel
  - ./external-dns
  - ./external-secrets
  - ./flux-system
  - ./gateway
  - ./golink
  - ./home-automation
  - ./kube-system
  - ./media
  - ./observability
  - ./rook-ceph
  - ./spegel
  - ./system-upgrade
  - ./tailscale
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/media/emby.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for Emby in the media namespace.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app emby
  namespace: &namespace media
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/apps/media/emby
  interval: 2m
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
  # Points the chart's `media` persistence entry at the shared NFS claim
  # defined in vault01-store01.yaml.
  # NOTE(review): that claim is bound to an NFS volume with readOnly: false and
  # ReadWriteMany, so this container gets write access to the whole share. If
  # the player only reads media, a read-only mount here would limit what a
  # compromised container could alter — confirm against the app's needs.
  patches:
    - target:
        kind: HelmRelease
      patch: |-
        - op: replace
          path: /spec/values/persistence/media
          value:
            existingClaim: store01-vault01-media
            globalMounts:
              - path: /store01/vault01
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/media/jellyfin.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for Jellyfin in the media namespace.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app jellyfin
  namespace: &namespace media
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/apps/media/jellyfin
  interval: 2m
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
  # Same shared-NFS mount as emby.yaml; the same read-only consideration applies.
  patches:
    - target:
        kind: HelmRelease
      patch: |-
        - op: replace
          path: /spec/values/persistence/media
          value:
            existingClaim: store01-vault01-media
            globalMounts:
              - path: /store01/vault01
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/media/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# kustomize entry point for the media namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: media
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - emby.yaml
  - jellyfin.yaml
  - prowlarr.yaml
  - radarr.yaml
  - recyclarr.yaml
  - sabnzbd.yaml
  - sonarr.yaml
  - vault01-store01.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/media/prowlarr.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for Prowlarr in the media namespace.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app prowlarr
  namespace: &namespace media
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/apps/media/prowlarr
  # Secrets come from the 1Password store, exposure goes through the Tailscale
  # ProxyClass and config storage through Rook-Ceph, so all three must exist.
  dependsOn:
    - name: onepassword-store
      namespace: external-secrets
    - name: tailscale-proxyclass
      namespace: tailscale
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 2m
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/media/radarr.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for Radarr in the media namespace.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app radarr
  namespace: &namespace media
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/apps/media/radarr
  dependsOn:
    - name: onepassword-store
      namespace: external-secrets
    - name: tailscale-proxyclass
      namespace: tailscale
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 2m
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
  # Mounts the shared NFS media claim (vault01-store01.yaml) read-write, which
  # this app needs since it moves downloads into the library.
  patches:
    - target:
        kind: HelmRelease
      patch: |-
        - op: replace
          path: /spec/values/persistence/media
          value:
            existingClaim: store01-vault01-media
            globalMounts:
              - path: /store01/vault01
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/media/recyclarr.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for Recyclarr in the media namespace.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app recyclarr
  namespace: &namespace media
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/apps/media/recyclarr
  # Only the secret store is required here; no Tailscale or Ceph dependency.
  dependsOn:
    - name: onepassword-store
      namespace: external-secrets
  interval: 2m
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/media/sonarr.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for Sonarr in the media namespace.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app sonarr
  namespace: &namespace media
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/apps/media/sonarr
  dependsOn:
    - name: onepassword-store
      namespace: external-secrets
    - name: tailscale-proxyclass
      namespace: tailscale
    - name: rook-ceph-cluster
      namespace: rook-ceph
  interval: 2m
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
  # Same shared-NFS mount as radarr.yaml.
  patches:
    - target:
        kind: HelmRelease
      patch: |-
        - op: replace
          path: /spec/values/persistence/media
          value:
            existingClaim: store01-vault01-media
            globalMounts:
              - path: /store01/vault01
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/media/vault01-store01.yaml:
--------------------------------------------------------------------------------
# Static NFS PersistentVolume for the media library plus the claim that pins
# it. Every media app that patches persistence.media mounts this claim.
# NOTE(review): an in-tree nfs volume carries no credentials — access control is
# the export's host allow-list on the NFS server (not visible here), and any
# pod that can bind this claim gets the same read-write access to the share.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: store01-vault01-media
spec:
  capacity:
    storage: 1Ti
  accessModes:
    - ReadWriteMany
  # Retain: deleting the claim never wipes the export.
  persistentVolumeReclaimPolicy: Retain
  # claimRef + volumeName below form a two-way pin so no other PVC can bind it.
  claimRef:
    name: store01-vault01-media
    namespace: media
  nfs:
    path: /mnt/vault01/media/
    server: 192.168.227.10
    readOnly: false

---
# NOTE(review): neither object sets storageClassName. If the cluster has a
# default StorageClass, admission will stamp it onto this PVC and the binding to
# a class-less PV then fails; `storageClassName: ""` on the claim avoids that.
# Presumably works today — confirm.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: store01-vault01-media
  namespace: media
spec:
  volumeName: store01-vault01-media
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Ti
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/observability/grafana-instance.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the Grafana instance (CRs consumed by grafana-operator).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app grafana-instance
  namespace: &namespace observability
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  # Same namespace, so no `namespace:` on the dependency.
  dependsOn:
    - name: grafana-operator
  targetNamespace: *namespace
  path: ./kubernetes/apps/observability/grafana/instance
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30s
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/observability/grafana-operator.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the Grafana operator in observability.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app grafana-operator
  namespace: &namespace observability
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: prometheus-operator-crds
  targetNamespace: *namespace
  path: ./kubernetes/apps/observability/grafana/operator
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30s
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/observability/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# kustomize entry point for the observability namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: observability
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./grafana-operator.yaml
  - ./grafana-instance.yaml
  - ./prometheus-operator-crds.yaml
  - ./victoria-logs.yaml
  - ./vm-operator-crds.yaml
  - ./vm-k8s-stack.yaml
# NOTE(review): this relaxes Pod Security Admission to `privileged` for the
# whole namespace, so every app listed above inherits it, not just whichever
# workload needs host access. Only `enforce` is set; rook-ceph, spegel and
# tailscale also set `audit` and `warn`, so this file is the odd one out.
# `op: add` on /metadata/labels replaces any labels map already present.
patches:
  - target:
      kind: Namespace
    patch: |-
      - op: add
        path: /metadata/labels
        value:
          pod-security.kubernetes.io/enforce: privileged
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/observability/prometheus-operator-crds.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization installing the prometheus-operator CRDs; several other
# Kustomizations (cilium, rook-ceph, grafana-operator, vm-k8s-stack) depend on it.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app prometheus-operator-crds
  namespace: &namespace observability
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/observability/prometheus-operator-crds
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30s
  retryInterval: 1m
  timeout: 5m
  prune: true
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/observability/victoria-logs.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for VictoriaLogs in observability.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app victoria-logs
  namespace: &namespace observability
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: grafana-operator
    - name: vm-operator-crds
  targetNamespace: *namespace
  path: ./kubernetes/apps/observability/victoria-logs
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30s
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/observability/vm-k8s-stack.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the VictoriaMetrics k8s stack in observability.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app vm-k8s-stack
  namespace: &namespace observability
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: prometheus-operator-crds
    - name: vm-operator-crds
    - name: grafana-operator
  targetNamespace: *namespace
  path: ./kubernetes/apps/observability/victoria-metrics/k8s-stack
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30s
  retryInterval: 1m
  timeout: 5m
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/observability/vm-operator-crds.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization installing the VictoriaMetrics operator CRDs.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app vm-operator-crds
  namespace: &namespace observability
spec:
  targetNamespace: *namespace
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/observability/victoria-metrics/operator-crds
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 30s
  retryInterval: 1m
  timeout: 5m
  prune: true
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/rook-ceph/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# kustomize entry point for the rook-ceph namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: rook-ceph
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./rook-ceph.yaml
  - ./rook-ceph-cluster.yaml
# Pod Security Admission set to privileged on all three modes; Ceph daemons need
# host devices, so the relaxation is expected here but applies namespace-wide.
patches:
  - target:
      kind: Namespace
    patch: |-
      - op: add
        path: /metadata/labels
        value:
          pod-security.kubernetes.io/audit: privileged
          pod-security.kubernetes.io/enforce: privileged
          pod-security.kubernetes.io/warn: privileged
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/rook-ceph/rook-ceph-cluster.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the CephCluster and related CRs; the operator must be
# up first (dependsOn rook-ceph).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app rook-ceph-cluster
  namespace: &namespace rook-ceph
spec:
  targetNamespace: *namespace
  dependsOn:
    - name: rook-ceph
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/storage/rook-ceph/cluster
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 2m
  retryInterval: 1m
  # Cluster bring-up is slow, hence the 30m timeout.
  timeout: 30m
  # prune: false — presumably so a path change or removed manifest can never
  # garbage-collect the storage cluster itself; confirm this is intentional.
  prune: false
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/rook-ceph/rook-ceph.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the Rook-Ceph operator.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app rook-ceph
  namespace: &namespace rook-ceph
spec:
  targetNamespace: *namespace
  dependsOn:
    - name: prometheus-operator-crds
      namespace: observability
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  path: ./kubernetes/apps/storage/rook-ceph/operator
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  interval: 2m
  retryInterval: 1m
  timeout: 30m
  # Same prune: false as rook-ceph-cluster.yaml.
  prune: false
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/spegel/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# kustomize entry point for the spegel namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: spegel
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./spegel.yaml
# Privileged PSA on all three modes (Spegel talks to the node's containerd).
patches:
  - target:
      kind: Namespace
    patch: |-
      - op: add
        path: /metadata/labels
        value:
          pod-security.kubernetes.io/audit: privileged
          pod-security.kubernetes.io/enforce: privileged
          pod-security.kubernetes.io/warn: privileged
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/spegel/spegel.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for Spegel (in-cluster image mirror).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app spegel
  namespace: &namespace spegel
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 1h
  path: ./kubernetes/apps/spegel
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/system-upgrade/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# kustomize entry point for the system-upgrade namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: system-upgrade
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./system-upgrade-controller.yaml
  - ./system-upgrade-controller-plans.yaml
# NOTE(review): as in observability/kustomization.yaml, only `enforce` is set
# to privileged here while rook-ceph, spegel and tailscale also set `audit` and
# `warn`; the relaxation covers the whole namespace.
patches:
  - target:
      kind: Namespace
    patch: |-
      - op: add
        path: /metadata/labels
        value:
          pod-security.kubernetes.io/enforce: privileged
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/system-upgrade/system-upgrade-controller-plans.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the upgrade Plans. The Talos and Kubernetes versions
# the plans roll out are pinned here and substituted into the manifests via
# postBuild; Renovate bumps them from the referenced container images.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app system-upgrade-controller-plans
  namespace: &namespace system-upgrade
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  dependsOn:
    - name: system-upgrade-controller
      namespace: system-upgrade
  interval: 1h
  path: ./kubernetes/apps/system-upgrade-controller/plans
  postBuild:
    substitute:
      # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
      KUBERNETES_VERSION: v1.33.1
      # renovate: datasource=docker depName=ghcr.io/siderolabs/installer
      TALOS_VERSION: v1.10.3
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  wait: false
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/system-upgrade/system-upgrade-controller.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the system-upgrade-controller itself.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app system-upgrade-controller
  namespace: &namespace system-upgrade
spec:
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  interval: 1h
  path: ./kubernetes/apps/system-upgrade-controller/app
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  targetNamespace: *namespace
  timeout: 5m
  # wait: true so the plans Kustomization (which depends on this one) only
  # reconciles once the controller is healthy.
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/tailscale/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# kustomize entry point for the tailscale namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: tailscale
components:
  - ../../../../components/common
  - ../../../../components/flux-post-build-variables
resources:
  - ./tailscale-operator.yaml
  - ./tailscale-proxyclass.yaml
  - ./tailscale-routers.yaml
# Privileged PSA on all three modes, namespace-wide (presumably for the
# tun-based proxies; the ProxyClass itself is not in this file).
patches:
  - target:
      kind: Namespace
    patch: |-
      - op: add
        path: /metadata/labels
        value:
          pod-security.kubernetes.io/audit: privileged
          pod-security.kubernetes.io/enforce: privileged
          pod-security.kubernetes.io/warn: privileged
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/tailscale/routers/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
# Plain kustomize directory reconciled by tailscale-routers.yaml.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./router.yaml
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/tailscale/routers/router.yaml:
--------------------------------------------------------------------------------
# Tailscale Connector that joins this cluster to the tailnet as an exit node.
# NOTE(review): exitNode: true advertises the pod as a route for all Internet
# traffic from tailnet devices; which devices may select it is decided by the
# tailnet ACL policy, not by anything in this repository. The proxyClass
# referenced here is defined elsewhere and is what grants the pod its
# network privileges.
apiVersion: tailscale.com/v1alpha1
kind: Connector
metadata:
  name: fairy-ts-rtr
  namespace: tailscale
spec:
  proxyClass: tailscale-tun
  hostname: fairy-ts-rtr
  exitNode: true
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/tailscale/tailscale-operator.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the Tailscale Kubernetes operator.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app tailscale-operator
  namespace: &namespace tailscale
  labels:
    infra.freckle.systems/post-build-variables: enabled
spec:
  targetNamespace: *namespace
  # The operator's OAuth credentials come from the 1Password store; the
  # generic-device-plugin dependency is presumably for a host device the
  # proxies need — confirm against the plugin's config.
  dependsOn:
    - name: generic-device-plugin
      namespace: kube-system
    - name: onepassword-store
      namespace: external-secrets
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/apps/networking/tailscale-operator/operator
  interval: 30s
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/tailscale/tailscale-proxyclass.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the Tailscale ProxyClass objects; several app
# Kustomizations (prowlarr, radarr, sonarr, tailscale-routers) depend on it.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app tailscale-proxyclass
  namespace: &namespace tailscale
spec:
  targetNamespace: *namespace
  dependsOn:
    - name: tailscale-operator
      namespace: tailscale
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  path: ./kubernetes/apps/networking/tailscale-operator/proxyclass
  interval: 30s
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/apps/tailscale/tailscale-routers.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Flux Kustomization for the cluster-specific routers directory (router.yaml).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: &app tailscale-routers
  namespace: &namespace tailscale
spec:
  targetNamespace: *namespace
  dependsOn:
    - name: tailscale-proxyclass
  commonMetadata:
    labels:
      app.kubernetes.io/name: *app
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  # Unlike the other Kustomizations this one points into the cluster tree,
  # not the shared apps tree.
  path: ./kubernetes/clusters/fairy-k8s01/apps/tailscale/routers
  interval: 30s
  retryInterval: 1m
  timeout: 5m
  prune: true
  wait: true
--------------------------------------------------------------------------------
/kubernetes/clusters/fairy-k8s01/flux/apps.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
# Root Flux Kustomization for this cluster: reconciles the apps tree and
# defines the CLUSTER_NAME / CLUSTER_DOMAIN variables the components use.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cluster-apps
  namespace: flux-system
spec:
  interval: 15m
  path: ./kubernetes/clusters/fairy-k8s01/apps
  prune: true
  retryInterval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: flux-system
  timeout: 5m
  wait: false
  # These two values are referenced as ${CLUSTER_NAME} / ${CLUSTER_DOMAIN} in
  # the common component (github-status alert, ExternalSecret key, ConfigMap).
  postBuild:
    substitute:
      CLUSTER_NAME: "fairy-k8s01"
      CLUSTER_DOMAIN: "fairy.freckle.systems"
--------------------------------------------------------------------------------
/kubernetes/components/common/github-status/alert.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
# Forwards every Kustomization event in the namespace to the github-status
# Provider; because this is a component, one Alert exists per namespace.
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
  name: github-status
spec:
  providerRef:
    name: github-status
  eventMetadata:
    cluster: ${CLUSTER_NAME}
  eventSources:
    - kind: Kustomization
      name: "*"
--------------------------------------------------------------------------------
/kubernetes/components/common/github-status/externalsecret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
# NOTE(review): the schema hint above is for the v1beta1 ExternalSecret while
# apiVersion is external-secrets.io/v1; point the hint at the v1 schema so
# editor validation matches what the API server accepts.
# Pulls the GitHub token the Provider uses out of the per-cluster 1Password
# item (flux-<cluster>), into a Secret named github-status-token.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: github-status-token
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword
  data:
    - secretKey: token
      remoteRef:
        key: flux-${CLUSTER_NAME}
        property: github_status_token
--------------------------------------------------------------------------------
/kubernetes/components/common/github-status/kustomization.yaml:
--------------------------------------------------------------------------------
| --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./alert.yaml 7 | - ./externalsecret.yaml 8 | - ./provider.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/components/common/github-status/provider.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json 3 | apiVersion: notification.toolkit.fluxcd.io/v1beta3 4 | kind: Provider 5 | metadata: 6 | name: github-status 7 | spec: 8 | type: github 9 | address: https://github.com/nicolerenee/infra 10 | secretRef: 11 | name: github-status-token 12 | -------------------------------------------------------------------------------- /kubernetes/components/common/infra-info-cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: infra-info-cluster 5 | data: 6 | CLUSTER_NAME: "${CLUSTER_NAME}" 7 | CLUSTER_DOMAIN: "${CLUSTER_DOMAIN}" 8 | -------------------------------------------------------------------------------- /kubernetes/components/common/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1alpha1 4 | kind: Component 5 | resources: 6 | - ./namespace.yaml 7 | - ./infra-info-cluster.yaml 8 | - ./github-status 9 | - ./repos 10 | -------------------------------------------------------------------------------- /kubernetes/components/common/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: not-used 6 
| annotations: 7 | kustomize.toolkit.fluxcd.io/prune: disabled 8 | -------------------------------------------------------------------------------- /kubernetes/components/common/repos/app-template.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: OCIRepository 5 | metadata: 6 | name: app-template 7 | spec: 8 | interval: 5m 9 | layerSelector: 10 | mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip 11 | operation: copy 12 | ref: 13 | tag: 4.0.1 14 | url: oci://ghcr.io/bjw-s-labs/helm/app-template 15 | verify: 16 | provider: cosign 17 | matchOIDCIdentity: 18 | - issuer: ^https://token.actions.githubusercontent.com$ 19 | subject: ^https://github.com/bjw-s-labs/helm-charts.*$ 20 | -------------------------------------------------------------------------------- /kubernetes/components/common/repos/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ./app-template.yaml 7 | -------------------------------------------------------------------------------- /kubernetes/components/flux-post-build-variables/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1alpha1 2 | kind: Component 3 | patches: 4 | - target: 5 | kind: Kustomization 6 | labelSelector: infra.freckle.systems/post-build-variables=enabled 7 | patch: | 8 | apiVersion: kustomize.toolkit.fluxcd.io/v1 9 | kind: Kustomization 10 | metadata: 11 | name: all 12 | spec: 13 | postBuild: 14 | substituteFrom: 15 | - kind: ConfigMap 16 | name: infra-info-cluster 17 | 
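# ---- /monitoring/speedtest-den.yaml ----
# NOTE(review): legacy Flux v1 manifest (flux.weave.works annotations) while
# the rest of this repository is on Flux v2; confirm whether it is still applied.
# apiVersion was `extensions/v1beta1`, which current API servers no longer
# serve for Deployment. apps/v1 matches the sibling speedtest-tx-att.yaml, and
# the manifest already carries the selector.matchLabels that apps/v1 requires.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: speedtest-den
  namespace: monitoring
  annotations:
    # Flux v1 image automation: follows any tag matching master-*, so the
    # running image can change without a commit to this file.
    flux.weave.works/tag.fluxcloud: glob:master-*
    flux.weave.works/automated: 'true'
  labels:
    app: speedtest
    server: denver-centurylink
spec:
  replicas: 1
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: speedtest
      server: denver-centurylink
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
      labels:
        app: speedtest
        server: denver-centurylink
    spec:
      containers:
        # Mutable tag with no digest: the image identity is not pinned.
        - image: quay.io/nicolerenee/speedtest-exporter:master-7863961
          imagePullPolicy: IfNotPresent
          name: speedtest
          ports:
            - containerPort: 9104
              protocol: TCP
          env:
            # Exporter configuration; assumed to be a speedtest server id and
            # a run interval in seconds — confirm against the image.
            - name: SERVERS
              value: "8862"
            - name: DURATION
              value: "120"

# ---- /monitoring/speedtest-tx-att.yaml ----
apiVersion: apps/v1
kind: Deployment
metadata:
  name: speedtest-tx-att
  namespace: monitoring
  annotations:
    # Same Flux v1 tag-glob automation as speedtest-den.
    flux.weave.works/tag.fluxcloud: glob:master-*
    flux.weave.works/automated: 'true'
  labels:
    app: speedtest
    server: texas-att
spec:
  # Scaled to zero: the Deployment exists but runs no pods.
  replicas: 0
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: speedtest
      server: texas-att
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
      labels:
        app: speedtest
        server: texas-att
    spec:
      containers:
        - image: quay.io/nicolerenee/speedtest-exporter:master-7863961
          imagePullPolicy: IfNotPresent
          name: speedtest
          ports:
            - containerPort: 9104
              protocol: TCP
          env:
            - name: SERVERS
              value: "5023"
            - name: DURATION
              value: "300"

# ---- /scripts/install-gateway-api-crds.sh ----
#!/bin/bash
# Installs the Gateway API CRDs: the standard channel from the v1.3.0 release
# asset, plus the experimental TLSRoute CRD from the same tag.
#
# Both manifests are fetched over HTTPS and applied straight from GitHub. The
# version is pinned, but no checksum or signature is checked, so TLS to
# github.com is the only integrity control on what reaches the cluster.
#
# Fail fast: without this a failed first apply was ignored and the script's
# exit status only reflected the last command.
set -euo pipefail

# The `# renovate:` comments must stay directly above the line they version.
# renovate: datasource=github-releases depName=kubernetes-sigs/gateway-api
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml
# renovate: datasource=github-releases depName=kubernetes-sigs/gateway-api
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.3.0/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml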