├── .github ├── renovate.json5 ├── renovate │ ├── autoMerge.json5 │ ├── commitMessage.json5 │ ├── labels.json5 │ └── semanticCommits.json5 └── workflows │ └── diff-helm-releases.yaml ├── .gitignore ├── LICENSE ├── README.md ├── archive ├── apps │ ├── ladder │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── overseerr │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── pvc.yaml │ ├── plex │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── secrets.yaml │ ├── tautulli │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── pvc.yaml │ └── wizarr │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml └── core │ ├── namespaces │ ├── ladder.yaml │ ├── overseerr.yaml │ ├── plex.yaml │ ├── tautulli.yaml │ └── wizarr.yaml │ └── netpol │ ├── ladder.yaml │ ├── overseerr.yaml │ ├── plex.yaml │ ├── tautulli.yaml │ └── wizarr.yaml ├── cluster ├── apps │ ├── adguard │ │ ├── cm.yaml │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── pvc.yaml │ ├── autoscan │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ ├── pvc.yaml │ │ └── secrets.yaml │ ├── aws-ddns │ │ ├── files │ │ │ ├── aws-ddns.sh │ │ │ └── main.tf │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── secrets.yaml │ ├── bazarr │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── galera │ │ ├── README.md │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── secrets.yaml │ ├── hajimari │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── pvc.yaml │ ├── home-automation │ │ ├── README.md │ │ ├── emqx │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── secrets.yaml │ │ ├── esphome │ │ │ ├── README.md │ │ │ ├── docs │ │ │ │ ├── esp32_pentair_controller_wiring.png │ │ │ │ ├── shelly1_pinout.jpeg │ │ │ │ ├── shelly1_plus_pinout.jpg │ │ │ │ ├── shelly1pm_3way_wiring.jpeg │ │ │ │ ├── shelly1pm_outlet_wiring.jpg │ │ │ │ └── shelly25_pinout.jpeg │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ │ ├── fireboard2mqtt │ │ │ ├── 
README.md │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── secret.yaml │ │ ├── home-assistant │ │ │ ├── cm.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── pvc.yaml │ │ │ └── secrets.yaml │ │ ├── kustomization.yaml │ │ ├── mosquitto │ │ │ ├── certificate.yaml │ │ │ ├── cm.yaml │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── pvc.yaml │ │ │ └── secrets.yaml │ │ ├── node-red │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ │ ├── piper │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ │ └── whisper │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── pvc.yaml │ ├── jellyfin │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ ├── post-process-wrapper.sh │ │ ├── post-process.sh │ │ └── pvc.yaml │ ├── jellyseerr │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── metrics-server │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── nginx │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── ntpd │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── prowlarr │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── secrets.yaml │ ├── radarr │ │ ├── README.md │ │ ├── kustomization.yaml │ │ ├── radarr-anime │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── radarr-remux │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── radarr-trailers │ │ │ ├── get_trailers.sh │ │ │ ├── helmrelease.yaml │ │ │ ├── kustomization.yaml │ │ │ └── secrets.yaml │ │ └── radarr │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ ├── rclone │ │ ├── kustomization.yaml │ │ ├── rclone-cronjob.yaml │ │ └── rclone-secrets.yaml │ ├── recyclarr │ │ ├── config │ │ │ └── recyclarr.yml │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── secrets.yaml │ ├── sabnzbd │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── secrets.yaml │ ├── sonarr │ │ ├── kustomization.yaml │ │ ├── sonarr-anime │ │ │ 
├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ ├── sonarr-remux │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ │ └── sonarr │ │ │ ├── helmrelease.yaml │ │ │ └── kustomization.yaml │ ├── speedtest │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── traefik-forward-auth │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ ├── middleware.yaml │ │ └── secrets.yaml │ ├── traefik │ │ ├── helmrelease.yaml │ │ ├── ingressroute.yaml │ │ ├── kustomization.yaml │ │ ├── middlewares.yaml │ │ └── tlsoptions.yaml │ ├── unmanic │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── pvc.yaml │ ├── uptime │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── pvc.yaml │ └── ytdl-sub │ │ ├── cm.yaml │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml ├── base │ ├── apps.yaml │ ├── cluster-settings.yaml │ ├── core.yaml │ ├── crds.yaml │ └── flux-system │ │ ├── README.md │ │ ├── gotk-components.yaml │ │ ├── gotk-sources.yaml │ │ ├── gotk-sync.yaml │ │ ├── helm-repositories │ │ ├── authentik-charts.yaml │ │ ├── bitnami-charts.yaml │ │ ├── bitnami-labs-charts.yaml │ │ ├── bjw-s-charts.yaml │ │ ├── emqx-charts.yaml │ │ ├── hajimari-charts.yaml │ │ ├── jetstack-charts.yaml │ │ ├── k8s-at-home-charts.yaml │ │ ├── kubernetes-charts.yaml │ │ ├── kubernetes-sigs-metrics-server.yaml │ │ ├── longhorn-charts.yaml │ │ ├── node-feature-discovery.yaml │ │ ├── stakater-charts.yaml │ │ └── traefik-charts.yaml │ │ └── kustomization.yaml ├── core │ ├── cert-manager │ │ ├── certificates.yaml │ │ ├── cronjob │ │ │ ├── cronjob-cm.yaml │ │ │ ├── cronjob-email-secrets.yaml │ │ │ ├── cronjob-rbac.yaml │ │ │ ├── cronjob-ssh-secrets.yaml │ │ │ ├── cronjob.yaml │ │ │ └── kustomization.yaml │ │ ├── helmrelease.yaml │ │ ├── issuers.yaml │ │ ├── kustomization.yaml │ │ ├── reflector │ │ │ ├── kustomization.yaml │ │ │ ├── reflector-rbac.yaml │ │ │ └── reflector.yaml │ │ └── secrets.yaml │ ├── flux │ │ ├── kustomization.yaml │ │ └── notifications │ │ │ ├── kustomization.yaml │ │ │ 
└── slack │ │ │ ├── alerts.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── provider.yaml │ │ │ └── slack-url-secret.yaml │ ├── intel-gpu-plugin │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── longhorn-system │ │ ├── README.md │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── metallb │ │ ├── config-advertisement.yaml │ │ ├── config-pool.yaml │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ ├── namespaces │ │ ├── adguard.yaml │ │ ├── autoscan.yaml │ │ ├── aws-ddns.yaml │ │ ├── bazarr.yaml │ │ ├── cert-manager.yaml │ │ ├── galera.yaml │ │ ├── hajimari.yaml │ │ ├── home-automation.yaml │ │ ├── jellyfin.yaml │ │ ├── jellyseerr.yaml │ │ ├── kustomization.yaml │ │ ├── longhorn-system.yaml │ │ ├── metallb.yaml │ │ ├── nginx.yaml │ │ ├── ntpd.yaml │ │ ├── prowlarr.yaml │ │ ├── radarr.yaml │ │ ├── rclone.yaml │ │ ├── recyclarr.yaml │ │ ├── sabnzbd.yaml │ │ ├── sonarr.yaml │ │ ├── speedtest.yaml │ │ ├── traefik.yaml │ │ ├── unmanic.yaml │ │ ├── uptime.yaml │ │ └── ytdl-sub.yaml │ ├── netpol │ │ ├── adguard.yaml │ │ ├── autoscan.yaml │ │ ├── aws-ddns.yaml │ │ ├── bazarr.yaml │ │ ├── emqx.yaml │ │ ├── esphome.yaml │ │ ├── fireboard2mqtt.yaml │ │ ├── galera.yaml │ │ ├── hajimari.yaml │ │ ├── home-assistant.yaml │ │ ├── home-automation.yaml │ │ ├── jellyfin.yaml │ │ ├── jellyseerr.yaml │ │ ├── kustomization.yaml │ │ ├── mosquitto.yaml │ │ ├── nginx.yaml │ │ ├── node-red.yaml │ │ ├── ntpd.yaml │ │ ├── piper.yaml │ │ ├── prowlarr.yaml │ │ ├── radarr-anime.yaml │ │ ├── radarr-remux.yaml │ │ ├── radarr-trailers.yaml │ │ ├── radarr.yaml │ │ ├── rclone.yaml │ │ ├── recyclarr.yaml │ │ ├── sabnzbd.yaml │ │ ├── sonarr-anime.yaml │ │ ├── sonarr-remux.yaml │ │ ├── sonarr.yaml │ │ ├── speedtest.yaml │ │ ├── traefik-forward-auth.yaml │ │ ├── traefik.yaml │ │ ├── uptime.yaml │ │ ├── whisper.yaml │ │ └── ytdl-sub.yaml │ ├── node-feature-discovery │ │ ├── README.md │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── rules │ │ │ ├── 
amd-igpu.yaml │ │ │ ├── broadcom-ble.yaml │ │ │ ├── intel-arc.yaml │ │ │ ├── intel-igpu.yaml │ │ │ └── kustomization.yaml │ ├── reloader │ │ ├── helmrelease.yaml │ │ └── kustomization.yaml │ └── sealed-secrets │ │ ├── helmrelease.yaml │ │ ├── kustomization.yaml │ │ └── sealed-secrets-key.yaml └── crds │ ├── cert-manager │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── sealed-secrets │ ├── crds.yaml │ └── kustomization.yaml │ └── traefik │ ├── crds.yaml │ └── kustomization.yaml ├── hack └── create-helmrelease-annotations.sh ├── kubectl └── kubectl-amd64 /.github/renovate.json5: -------------------------------------------------------------------------------- 1 | { 2 | "extends": [ 3 | "config:base", 4 | "docker:enableMajor", 5 | ":disableRateLimiting", 6 | ":dependencyDashboard", 7 | ":semanticCommits", 8 | // ":automergeDisabled", 9 | ":automergeDigest", 10 | ":automergeBranch", 11 | ":separatePatchReleases", 12 | "github>npawelek/k8s-gitops//.github/renovate/autoMerge.json5", 13 | "github>npawelek/k8s-gitops//.github/renovate/commitMessage.json5", 14 | "github>npawelek/k8s-gitops//.github/renovate/labels.json5", 15 | "github>npawelek/k8s-gitops//.github/renovate/semanticCommits.json5" 16 | ], 17 | "timezone": "America/Chicago", 18 | "dependencyDashboardTitle": "Renovate Dashboard", 19 | "suppressNotifications": ["prIgnoreNotification"], 20 | "rebaseWhen": "conflicted", 21 | "assignees": ["@npawelek"], 22 | "repositories": ["npawelek/k8s-gitops"], 23 | // Standard manifest files (https://docs.renovatebot.com/modules/manager/kubernetes/) 24 | "flux": { 25 | "fileMatch": ["cluster/.+\\.ya?ml$"] 26 | }, 27 | "kubernetes": { 28 | "fileMatch": ["cluster/.+\\.ya?ml$"], 29 | "ignorePaths": ["cluster/base/"] 30 | }, 31 | "helm-values": { 32 | "fileMatch": ["cluster/.+\\.ya?ml$"] 33 | }, 34 | "packageRules": [ 35 | { 36 | "description": "Loose versioning for one-off packages", 37 | "matchDatasources": ["docker"], 38 | "versioning": "loose", 39 | 
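"matchPackagePatterns": [
40 |         "autoscan",
41 |         "plex",
42 |         "ytdl-sub"
43 |       ]
44 |     }
45 |   ]
46 | }
47 |
--------------------------------------------------------------------------------
/.github/renovate/autoMerge.json5:
--------------------------------------------------------------------------------
1 | {
2 |   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
3 |   "packageRules": [
4 |     {
5 |       "description": "Auto merge container digests",
6 |       "matchDatasources": ["docker"],
7 |       "automerge": true,
8 |       "automergeType": "branch",
9 |       "ignoreTests": true, // no status check gates the merge, so the package list below is the only control on what lands unattended (the Actions rule further down is gated the same way)
10 |       "matchUpdateTypes": ["digest"],
11 |       "matchPackagePatterns": [ // was "matchPackagePattern" (singular), which is not a Renovate option (renovate.json5 already uses the plural form); an unrecognised matcher is either rejected or dropped, and without it this rule would automerge every docker digest bump
12 |         "ghcr.io/onedr0p",
13 |         "ghcr.io/recyclarr/recyclarr",
14 |         "ghcr.io/jmbannon/ytdl-sub",
15 |         "ghcr.io/wizarrrr/wizarr",
16 |         "docker.io/qmcgaw/gluetun",
17 |         "jauderho/yt-dlp",
18 |         "cloudb0x/autoscan"
19 |       ]
20 |     },
21 |     {
22 |       "description": "Auto merge GitHub Actions",
23 |       "matchManagers": ["github-actions"],
24 |       "matchDatasources": ["github-tags"],
25 |       "automerge": true,
26 |       "ignoreTests": true,
27 |       "automergeType": "branch",
28 |       "matchUpdateTypes": [
29 |         "minor",
30 |         "patch"
31 |       ]
32 |     }
33 |   ]
34 | }
35 |
--------------------------------------------------------------------------------
/.github/renovate/commitMessage.json5:
--------------------------------------------------------------------------------
1 | {
2 |   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
3 |   "commitMessageTopic": "{{depName}}",
4 |   "commitMessageExtra": "to {{newVersion}}",
5 |   "commitMessageSuffix": "",
6 |   "packageRules": [
7 |     {
8 |       "matchDatasources": ["helm"],
9 |       "commitMessageTopic": "chart {{depName}}"
10 |     },
11 |     {
12 |       "matchDatasources": ["docker"],
13 |       "commitMessageTopic": "image {{depName}}"
14 |     }
15 |   ]
16 | }
17 |
--------------------------------------------------------------------------------
/.github/renovate/labels.json5:
--------------------------------------------------------------------------------
1 | {
2 |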
"$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "packageRules": [ 4 | { 5 | "matchUpdateTypes": ["major"], 6 | "labels": ["type/major"] 7 | }, 8 | { 9 | "matchUpdateTypes": ["minor"], 10 | "labels": ["type/minor"] 11 | }, 12 | { 13 | "matchUpdateTypes": ["patch"], 14 | "labels": ["type/patch"] 15 | }, 16 | { 17 | "matchUpdateTypes": ["digest"], 18 | "labels": ["type/digest"] 19 | }, 20 | { 21 | "matchDatasources": ["docker"], 22 | "addLabels": ["renovate/container"] 23 | }, 24 | { 25 | "matchDatasources": ["helm"], 26 | "addLabels": ["renovate/helm"] 27 | }, 28 | { 29 | "matchDatasources": ["galaxy", "galaxy-collection"], 30 | "addLabels": ["renovate/ansible"] 31 | }, 32 | { 33 | "matchDatasources": ["terraform-provider"], 34 | "addLabels": ["renovate/terraform"] 35 | }, 36 | { 37 | "matchDatasources": ["github-releases", "github-tags"], 38 | "addLabels": ["renovate/github-release"] 39 | }, 40 | { 41 | "matchManagers": ["github-actions"], 42 | "addLabels": ["renovate/github-action"] 43 | }, 44 | { 45 | "matchDatasources": ["pypi"], 46 | "addLabels": ["renovate/pip"] 47 | } 48 | ] 49 | } 50 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .vscode/ 2 | stage/ 3 | .DS_Store 4 | *.retry 5 | Thumbs.db 6 | bin/ 7 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Nathan Pawelek 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the 
Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /archive/apps/ladder/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: ladder 6 | namespace: ladder 7 | spec: 8 | dependsOn: 9 | - name: longhorn 10 | namespace: longhorn-system 11 | interval: 1h 12 | chart: 13 | spec: 14 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 15 | chart: app-template 16 | version: 1.5.1 17 | sourceRef: 18 | kind: HelmRepository 19 | name: bjw-s-charts 20 | namespace: flux-system 21 | 22 | values: 23 | image: 24 | repository: ghcr.io/everywall/ladder 25 | tag: v0.0.21@sha256:780c8a611fd5a1cfdebe2ad385dea4af36a158475424fa91aca90f9f96bd545d 26 | 27 | controller: 28 | type: statefulset 29 | annotations: 30 | reloader.stakater.com/auto: "true" 31 | 32 | env: 33 | TZ: ${TIMEZONE} 34 | http_proxy: ${HTTP_PROXY} 35 | https_proxy: ${HTTP_PROXY} 36 | no_proxy: ${NO_PROXY} 37 | RULESET: https://raw.githubusercontent.com/everywall/ladder-rules/main/ruleset.yaml 38 | 39 | service: 40 | main: 41 | ports: 42 | http: 43 | port: 8080 44 | protocol: TCP 45 | 46 | ingress: 47 | main: 48 | enabled: true 49 | 
ingressClassName: traefik 50 | annotations: 51 | traefik.ingress.kubernetes.io/router.entrypoints: websecure 52 | traefik.ingress.kubernetes.io/router.middlewares: traefik-default-middlewares-chain@kubernetescrd 53 | traefik.ingress.kubernetes.io/router.tls.options: traefik-secure-tlsoptions@kubernetescrd 54 | hajimari.io/enable: "true" 55 | hajimari.io/icon: mdi:access-point-network 56 | hajimari.io/group: network 57 | hosts: 58 | - host: &host ladder.${DOMAIN} 59 | paths: 60 | - path: / 61 | pathType: Prefix 62 | tls: 63 | - hosts: 64 | - *host 65 | - secretName: nathanpawelek-com-tls 66 | 67 | resources: 68 | requests: 69 | cpu: 100m 70 | memory: 128M 71 | limits: 72 | memory: 256M 73 | -------------------------------------------------------------------------------- /archive/apps/ladder/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: ladder 5 | resources: 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /archive/apps/overseerr/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: overseerr 6 | namespace: overseerr 7 | spec: 8 | interval: 1h 9 | maxHistory: 3 10 | 11 | dependsOn: 12 | - name: longhorn 13 | namespace: longhorn-system 14 | - name: traefik 15 | namespace: traefik 16 | - name: sonarr 17 | namespace: sonarr 18 | - name: radarr 19 | namespace: radarr 20 | 21 | install: 22 | createNamespace: true 23 | remediation: 24 | retries: 3 25 | 26 | upgrade: 27 | cleanupOnFail: true 28 | remediation: 29 | retries: 3 30 | 31 | uninstall: 32 | keepHistory: false 33 | 34 | chart: 35 | spec: 36 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 37 | chart: app-template 38 | version: 1.5.1 39 | sourceRef: 40 
| kind: HelmRepository 41 | name: bjw-s-charts 42 | namespace: flux-system 43 | 44 | values: 45 | image: 46 | repository: ghcr.io/sct/overseerr 47 | tag: 1.33.2 48 | 49 | controller: 50 | type: deployment 51 | annotations: 52 | reloader.stakater.com/auto: "true" 53 | 54 | env: 55 | TZ: ${TIMEZONE} 56 | LOG_LEVEL: info 57 | 58 | service: 59 | main: 60 | enabled: true 61 | type: ClusterIP 62 | ports: 63 | http: 64 | port: 5055 65 | protocol: TCP 66 | 67 | ingress: 68 | main: 69 | enabled: true 70 | ingressClassName: traefik 71 | annotations: 72 | traefik.ingress.kubernetes.io/router.entrypoints: websecure 73 | traefik.ingress.kubernetes.io/router.middlewares: traefik-external-middlewares-chain@kubernetescrd 74 | traefik.ingress.kubernetes.io/router.tls.options: traefik-secure-tlsoptions@kubernetescrd 75 | hajimari.io/enable: "true" 76 | hajimari.io/icon: eye-circle 77 | hajimari.io/group: downloads 78 | hosts: 79 | - host: &int requests.${DOMAIN} 80 | paths: 81 | - path: / 82 | pathType: Prefix 83 | tls: 84 | - hosts: 85 | - *int 86 | - secretName: nathanpawelek-com-tls 87 | external: 88 | enabled: true 89 | ingressClassName: traefik 90 | annotations: 91 | traefik.ingress.kubernetes.io/router.entrypoints: websecure 92 | traefik.ingress.kubernetes.io/router.middlewares: traefik-external-middlewares-chain@kubernetescrd 93 | traefik.ingress.kubernetes.io/router.tls.options: traefik-secure-tlsoptions@kubernetescrd 94 | hosts: 95 | - host: &ext req.${DOMAIN} 96 | paths: 97 | - path: / 98 | pathType: Prefix 99 | tls: 100 | - hosts: 101 | - *ext 102 | - secretName: nathanpawelek-com-tls 103 | 104 | persistence: 105 | config: 106 | enabled: true 107 | existingClaim: overseerr-config 108 | mountPath: /app/config 109 | 110 | resources: 111 | requests: 112 | memory: 250Mi 113 | cpu: 100m 114 | limits: 115 | memory: 750Mi 116 | -------------------------------------------------------------------------------- /archive/apps/overseerr/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./pvc.yaml 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /archive/apps/overseerr/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: overseerr-config 6 | namespace: overseerr 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: longhorn 14 | -------------------------------------------------------------------------------- /archive/apps/plex/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./secrets.yaml 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /archive/apps/tautulli/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: tautulli 6 | namespace: tautulli 7 | spec: 8 | interval: 1h 9 | maxHistory: 3 10 | 11 | dependsOn: 12 | - name: longhorn 13 | namespace: longhorn-system 14 | - name: traefik 15 | namespace: traefik 16 | 17 | install: 18 | createNamespace: true 19 | remediation: 20 | retries: 3 21 | 22 | upgrade: 23 | cleanupOnFail: true 24 | remediation: 25 | retries: 3 26 | 27 | uninstall: 28 | keepHistory: false 29 | 30 | chart: 31 | spec: 32 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 33 | chart: app-template 34 | version: 1.5.1 35 | sourceRef: 36 | kind: HelmRepository 37 | name: bjw-s-charts 38 | namespace: flux-system 39 | 40 | values: 41 | image: 42 | 
repository: ghcr.io/onedr0p/tautulli
43 |       tag: 2.13.2@sha256:960fef79051c992dcbb077dcf196f81afad9c5753cb04462910b59dbac3f21f6
44 |
45 |     controller:
46 |       type: statefulset
47 |       annotations:
48 |         reloader.stakater.com/auto: "true"
49 |
50 |     env:
51 |       TZ: ${TIMEZONE}
52 |
53 |     podSecurityContext:
54 |       runAsUser: 1000
55 |       runAsGroup: 1000
56 |       fsGroup: 1000
57 |       fsGroupChangePolicy: "OnRootMismatch"
58 |
59 |     service:
60 |       main:
61 |         enabled: true
62 |         type: ClusterIP
63 |         ports:
64 |           http:
65 |             port: 8181
66 |             protocol: TCP
67 |
68 |     ingress:
69 |       main:
70 |         enabled: true
71 |         ingressClassName: traefik
72 |         annotations:
73 |           traefik.ingress.kubernetes.io/router.entrypoints: websecure
74 |           traefik.ingress.kubernetes.io/router.middlewares: traefik-default-middlewares-chain@kubernetescrd
75 |           traefik.ingress.kubernetes.io/router.tls.options: traefik-secure-tlsoptions@kubernetescrd
76 |           hajimari.io/enable: "true"
77 |           hajimari.io/icon: graph-outline
78 |           hajimari.io/group: media
79 |         hosts:
80 |           - host: &host tautulli.${DOMAIN}
81 |             paths:
82 |               - path: /
83 |                 pathType: Prefix
84 |         tls:
85 |           - hosts:
86 |               - *host
87 |           - secretName: nathanpawelek-com-tls
88 |
89 |     persistence:
90 |       config:
91 |         enabled: true
92 |         existingClaim: tautulli-config
93 |       shared:
94 |         enabled: true
95 |         type: emptyDir
96 |         mountPath: /opt/plex-scripts  # emptyDir shared with the init container below; the script it drops here is what Tautulli runs
97 |
98 |     resources:
99 |       requests:
100 |         memory: 250Mi
101 |         cpu: 100m
102 |       limits:
103 |         memory: 750Mi
104 |     # NOTE(review): the init container below downloads kill_stream.py from the JBOPS *master* branch on every pod start, with no pinned commit and no checksum, and the main container then executes it. The alpine image itself is digest-pinned; the script should be pinned the same way (fetch a fixed commit and verify a digest, or bake it into the image) so a change to that upstream repo cannot silently change what runs here.
105 |     initContainers:
106 |       jbops:
107 |         name: jbops
108 |         image: ghcr.io/onedr0p/alpine:3.18.4@sha256:b0b6f6f42bf9649ccaf0e98cd74d5e123471e2c4a4db4a5ee417b18dde9973a9
109 |         command:
110 |           - ash
111 |           - -c
112 |           - wget -q https://raw.githubusercontent.com/blacktwin/JBOPS/master/killstream/kill_stream.py
113 |         workingDir: /opt/plex-scripts
114 |         volumeMounts:
115 |           - name: shared
116 |             mountPath: /opt/plex-scripts
117 |
--------------------------------------------------------------------------------
/archive/apps/tautulli/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./pvc.yaml 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /archive/apps/tautulli/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: tautulli-config 6 | namespace: tautulli 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 10Gi 13 | storageClassName: longhorn 14 | -------------------------------------------------------------------------------- /archive/apps/wizarr/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 4 | kind: HelmRelease 5 | metadata: 6 | name: wizarr 7 | namespace: wizarr 8 | spec: 9 | interval: 1h 10 | maxHistory: 3 11 | chart: 12 | spec: 13 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 14 | chart: app-template 15 | version: 1.5.1 16 | sourceRef: 17 | kind: HelmRepository 18 | name: bjw-s-charts 19 | namespace: flux-system 20 | 21 | install: 22 | createNamespace: true 23 | remediation: 24 | retries: 3 25 | 26 | upgrade: 27 | cleanupOnFail: true 28 | remediation: 29 | retries: 3 30 | 31 | uninstall: 32 | keepHistory: false 33 | 34 | values: 35 | image: 36 | repository: ghcr.io/wizarrrr/wizarr 37 | tag: 3.5.1@sha256:660b309f8a8c298910cb8f0e1ba13b980d8b30df6d836e78c5e0f3d0713cc352 38 | 39 | controller: 40 | type: statefulset 41 | 42 | podSecurityContext: 43 | runAsUser: 568 44 | runAsGroup: 568 45 | fsGroup: 568 46 | fsGroupChangePolicy: "OnRootMismatch" 47 | 48 | env: 49 | TZ: ${TIMEZONE} 50 | 
APP_URL: https://wizarr.${DOMAIN}
51 |       DISABLE_BUILTIN_AUTH: "true"  # NOTE(review): Wizarr's own login is switched off, so the ingress middleware chain named below is the only thing authenticating the admin UI; confirm traefik-default-middlewares-chain actually enforces auth (e.g. forward-auth), otherwise anyone who can reach the ingress reaches the admin UI unauthenticated
52 |
53 |     service:
54 |       main:
55 |         ports:
56 |           http:
57 |             port: 5690
58 |
59 |     ingress:
60 |       main:
61 |         enabled: true
62 |         ingressClassName: traefik
63 |         annotations:
64 |           traefik.ingress.kubernetes.io/router.entrypoints: websecure
65 |           traefik.ingress.kubernetes.io/router.middlewares: traefik-default-middlewares-chain@kubernetescrd
66 |           traefik.ingress.kubernetes.io/router.tls.options: traefik-secure-tlsoptions@kubernetescrd
67 |           hajimari.io/enable: "true"
68 |           hajimari.io/icon: mdi:account-question
69 |           hajimari.io/group: media
70 |         hosts:
71 |           - host: &host wizarr.${DOMAIN}
72 |             paths:
73 |               - path: /
74 |                 pathType: Prefix
75 |         tls:
76 |           - hosts:
77 |               - *host
78 |           - secretName: nathanpawelek-com-tls
79 |
80 |     volumeClaimTemplates:
81 |       - name: config
82 |         mountPath: /data/database
83 |         accessMode: ReadWriteOnce
84 |         size: 1Gi
85 |         storageClass: longhorn
86 |
87 |     resources:
88 |       requests:
89 |         cpu: 100m
90 |         memory: 128Mi
91 |       limits:
92 |         memory: 512Mi
93 |
--------------------------------------------------------------------------------
/archive/apps/wizarr/kustomization.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: kustomize.config.k8s.io/v1beta1
3 | kind: Kustomization
4 | resources:
5 |   - ./helmrelease.yaml
6 |
--------------------------------------------------------------------------------
/archive/core/namespaces/ladder.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: ladder
6 |   labels:
7 |     ns: ladder
8 |
--------------------------------------------------------------------------------
/archive/core/namespaces/overseerr.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: v1
3 | kind: Namespace
4 | metadata:
5 |   name: overseerr
6 |   labels:
7 |     ns: overseerr
8 |
-------------------------------------------------------------------------------- /archive/core/namespaces/plex.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: plex 6 | labels: 7 | ns: plex 8 | -------------------------------------------------------------------------------- /archive/core/namespaces/tautulli.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: tautulli 6 | labels: 7 | ns: tautulli 8 | -------------------------------------------------------------------------------- /archive/core/namespaces/wizarr.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: wizarr 6 | labels: 7 | ns: wizarr 8 | -------------------------------------------------------------------------------- /archive/core/netpol/ladder.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: default-deny-all 6 | namespace: ladder 7 | spec: 8 | podSelector: {} 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | --- 13 | apiVersion: networking.k8s.io/v1 14 | kind: NetworkPolicy 15 | metadata: 16 | name: allow-ladder-ingress 17 | namespace: ladder 18 | spec: 19 | podSelector: 20 | matchLabels: 21 | app.kubernetes.io/name: ladder 22 | policyTypes: 23 | - Ingress 24 | ingress: 25 | - from: 26 | - namespaceSelector: 27 | matchLabels: 28 | ns: traefik 29 | podSelector: 30 | matchLabels: 31 | app.kubernetes.io/name: traefik 32 | ports: 33 | - protocol: TCP 34 | port: 8080 35 | --- 36 | apiVersion: networking.k8s.io/v1 37 | kind: NetworkPolicy 38 | metadata: 39 | name: allow-ladder-egress 40 | namespace: ladder 41 | spec: 42 | policyTypes: 43 | - Egress 44 | 
podSelector:
45 |     matchLabels:
46 |       app.kubernetes.io/name: ladder
47 |   egress:
48 |     - to:
49 |         - namespaceSelector:
50 |             matchLabels:
51 |               kubernetes.io/metadata.name: kube-system
52 |           podSelector:
53 |             matchLabels:
54 |               k8s-app: kube-dns
55 |       ports:
56 |         - port: 53
57 |           protocol: UDP
58 |         - port: 53
59 |           protocol: TCP
60 |     - to:
61 |         - namespaceSelector:
62 |             matchLabels:
63 |               ns: adguard
64 |           podSelector:
65 |             matchLabels:
66 |               app.kubernetes.io/name: adguard-home
67 |       ports:
68 |         - port: 53
69 |           protocol: UDP
70 |         - port: 53
71 |           protocol: TCP
72 |     - to:
73 |         - ipBlock:
74 |             cidr: 192.168.0.10/32
75 |       ports:
76 |         - port: 53
77 |           protocol: UDP
78 |         - port: 53
79 |           protocol: TCP
80 |     - to:
81 |         - namespaceSelector:
82 |             matchLabels:
83 |               ns: sabnzbd
84 |           podSelector:
85 |             matchLabels:
86 |               app.kubernetes.io/name: sabnzbd
87 |       ports:
88 |         - port: 8888  # presumably the HTTP proxy that ladder's HTTP_PROXY env points at, running alongside sabnzbd — confirm
89 |           protocol: TCP
90 |     - to:
91 |         - ipBlock:
92 |             cidr: 0.0.0.0/0  # public internet only: the RFC1918 ranges are carved out below, so this does not reach other LAN hosts
93 |             except:
94 |               - 10.0.0.0/8
95 |               - 172.16.0.0/12
96 |               - 192.168.0.0/16
97 |       ports:
98 |         - port: 443
99 |           protocol: TCP
100 |         - port: 80
101 |           protocol: TCP
102 |
--------------------------------------------------------------------------------
/archive/core/netpol/plex.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: networking.k8s.io/v1
3 | kind: NetworkPolicy
4 | metadata:
5 |   name: default-deny-all
6 |   namespace: plex
7 | spec:
8 |   podSelector: {}
9 |   policyTypes:
10 |     - Ingress
11 |     - Egress
12 | ---
13 | apiVersion: networking.k8s.io/v1
14 | kind: NetworkPolicy
15 | metadata:
16 |   name: allow-plex-ingress
17 |   namespace: plex
18 | spec:
19 |   podSelector:
20 |     matchLabels:
21 |       app.kubernetes.io/name: plex
22 |   policyTypes:
23 |     - Ingress
24 |   ingress:
25 |     - ports:  # NOTE(review): no `from` clause, so 32400 is accepted from every source — every pod in every namespace plus whatever the Service exposes it to. Plausibly intended for Plex remote access, but the default-deny-all above is meaningless for this port; confirm it is deliberate
26 |         - protocol: TCP
27 |           port: 32400
28 | ---
29 | apiVersion: networking.k8s.io/v1
30 | kind: NetworkPolicy
31 | metadata:
32 |   name: allow-plex-egress
33 |   namespace: plex
34 | spec:
35 |   policyTypes:
36 |     - Egress
37 |
podSelector:
38 |     matchLabels:
39 |       app.kubernetes.io/name: plex
40 |   egress:
41 |     - to:
42 |         - namespaceSelector:
43 |             matchLabels:
44 |               kubernetes.io/metadata.name: kube-system
45 |           podSelector:
46 |             matchLabels:
47 |               k8s-app: kube-dns
48 |       ports:
49 |         - port: 53
50 |           protocol: UDP
51 |         - port: 53
52 |           protocol: TCP
53 |     - to:
54 |         - namespaceSelector:
55 |             matchLabels:
56 |               ns: adguard
57 |           podSelector:
58 |             matchLabels:
59 |               app.kubernetes.io/name: adguard-home
60 |       ports:
61 |         - port: 53
62 |           protocol: UDP
63 |         - port: 53
64 |           protocol: TCP
65 |     - to:
66 |         - ipBlock:
67 |             cidr: 192.168.0.10/32
68 |       ports:
69 |         - port: 53
70 |           protocol: UDP
71 |         - port: 53
72 |           protocol: TCP
73 |     - to:
74 |         - ipBlock:
75 |             cidr: 0.0.0.0/0
76 |             except:
77 |               - 10.0.0.0/8
78 |               - 172.16.0.0/12
79 |               - 192.168.0.0/16
80 |       ports:
81 |         - port: 443
82 |           protocol: TCP
83 |         - port: 80
84 |           protocol: TCP
85 |     - to:
86 |         - ipBlock:
87 |             cidr: 192.168.20.98/32  # NOTE(review): no `ports` list, so every port and protocol to this host is allowed; record what the host is and narrow to the port actually needed so the default-deny keeps its value
88 |
--------------------------------------------------------------------------------
/archive/core/netpol/tautulli.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | apiVersion: networking.k8s.io/v1
3 | kind: NetworkPolicy
4 | metadata:
5 |   name: default-deny-all
6 |   namespace: tautulli
7 | spec:
8 |   podSelector: {}
9 |   policyTypes:
10 |     - Ingress
11 |     - Egress
12 | ---
13 | apiVersion: networking.k8s.io/v1
14 | kind: NetworkPolicy
15 | metadata:
16 |   name: allow-tautulli-ingress
17 |   namespace: tautulli
18 | spec:
19 |   podSelector:
20 |     matchLabels:
21 |       app.kubernetes.io/name: tautulli
22 |   policyTypes:
23 |     - Ingress
24 |   ingress:
25 |     - from:
26 |         - namespaceSelector:
27 |             matchLabels:
28 |               ns: traefik
29 |           podSelector:  # nested under the same `from` entry as the namespaceSelector: both must match (traefik pods in the traefik namespace)
30 |             matchLabels:
31 |               app.kubernetes.io/name: traefik
32 |       ports:
33 |         - protocol: TCP
34 |           port: 8181
35 |     - from:
36 |         - namespaceSelector:
37 |             matchLabels:
38 |               ns: uptime
39 |         - podSelector:  # NOTE(review): separate list item, so this is OR-ed with the namespaceSelector above: ANY pod in namespace uptime, or any pod in *this* namespace labelled uptime. The traefik rule above uses the nested (AND) form, which is probably what was meant here and in the overseerr rule that follows
40 |             matchLabels:
41 |               app.kubernetes.io/name: uptime
42 |       ports:
43 |
- protocol: TCP 44 | port: 8181 45 | - from: 46 | - namespaceSelector: 47 | matchLabels: 48 | ns: overseerr 49 | - podSelector: 50 | matchLabels: 51 | app.kubernetes.io/name: overseerr 52 | ports: 53 | - protocol: TCP 54 | port: 8181 55 | --- 56 | apiVersion: networking.k8s.io/v1 57 | kind: NetworkPolicy 58 | metadata: 59 | name: allow-tautulli-egress 60 | namespace: tautulli 61 | spec: 62 | policyTypes: 63 | - Egress 64 | podSelector: 65 | matchLabels: 66 | app.kubernetes.io/name: tautulli 67 | egress: 68 | - to: 69 | - namespaceSelector: 70 | matchLabels: 71 | kubernetes.io/metadata.name: kube-system 72 | podSelector: 73 | matchLabels: 74 | k8s-app: kube-dns 75 | ports: 76 | - port: 53 77 | protocol: UDP 78 | - port: 53 79 | protocol: TCP 80 | - to: 81 | - namespaceSelector: 82 | matchLabels: 83 | ns: adguard 84 | podSelector: 85 | matchLabels: 86 | app.kubernetes.io/name: adguard-home 87 | ports: 88 | - port: 53 89 | protocol: UDP 90 | - port: 53 91 | protocol: TCP 92 | - to: 93 | - ipBlock: 94 | cidr: 192.168.0.10/32 95 | ports: 96 | - port: 53 97 | protocol: UDP 98 | - port: 53 99 | protocol: TCP 100 | - to: 101 | - namespaceSelector: 102 | matchLabels: 103 | ns: plex 104 | podSelector: 105 | matchLabels: 106 | app.kubernetes.io/name: plex 107 | ports: 108 | - port: 32400 109 | protocol: TCP 110 | - to: 111 | - ipBlock: 112 | cidr: 0.0.0.0/0 113 | except: 114 | - 10.0.0.0/8 115 | - 172.16.0.0/12 116 | - 192.168.0.0/16 117 | ports: 118 | - port: 587 119 | protocol: TCP 120 | - port: 443 121 | protocol: TCP 122 | - port: 80 123 | protocol: TCP 124 | -------------------------------------------------------------------------------- /archive/core/netpol/wizarr.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: default-deny-all 6 | namespace: wizarr 7 | spec: 8 | podSelector: {} 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | --- 13 | 
apiVersion: networking.k8s.io/v1 14 | kind: NetworkPolicy 15 | metadata: 16 | name: allow-wizarr-ingress 17 | namespace: wizarr 18 | spec: 19 | podSelector: 20 | matchLabels: 21 | app.kubernetes.io/name: wizarr 22 | policyTypes: 23 | - Ingress 24 | ingress: 25 | - from: 26 | - namespaceSelector: 27 | matchLabels: 28 | ns: traefik 29 | - podSelector: 30 | matchLabels: 31 | app.kubernetes.io/name: traefik 32 | ports: 33 | - protocol: TCP 34 | port: 5690 35 | - from: 36 | - namespaceSelector: 37 | matchLabels: 38 | ns: uptime 39 | - podSelector: 40 | matchLabels: 41 | app.kubernetes.io/name: uptime 42 | ports: 43 | - protocol: TCP 44 | port: 5690 45 | --- 46 | apiVersion: networking.k8s.io/v1 47 | kind: NetworkPolicy 48 | metadata: 49 | name: allow-wizarr-egress 50 | namespace: wizarr 51 | spec: 52 | policyTypes: 53 | - Egress 54 | podSelector: 55 | matchLabels: 56 | app.kubernetes.io/name: wizarr 57 | egress: 58 | - to: 59 | - namespaceSelector: 60 | matchLabels: 61 | kubernetes.io/metadata.name: kube-system 62 | podSelector: 63 | matchLabels: 64 | k8s-app: kube-dns 65 | ports: 66 | - port: 53 67 | protocol: UDP 68 | - port: 53 69 | protocol: TCP 70 | - to: 71 | - namespaceSelector: 72 | matchLabels: 73 | ns: adguard 74 | podSelector: 75 | matchLabels: 76 | app.kubernetes.io/name: adguard-home 77 | ports: 78 | - port: 53 79 | protocol: UDP 80 | - port: 53 81 | protocol: TCP 82 | - to: 83 | - ipBlock: 84 | cidr: 192.168.0.10/32 85 | ports: 86 | - port: 53 87 | protocol: UDP 88 | - port: 53 89 | protocol: TCP 90 | - to: 91 | - namespaceSelector: 92 | matchLabels: 93 | ns: jellyfin 94 | podSelector: 95 | matchLabels: 96 | app.kubernetes.io/name: jellyfin 97 | ports: 98 | - port: 8096 99 | protocol: TCP 100 | -------------------------------------------------------------------------------- /cluster/apps/adguard/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | 
kind: Kustomization 4 | resources: 5 | - ./cm.yaml 6 | - ./pvc.yaml 7 | - ./helmrelease.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/adguard/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: adguard-home-data 6 | namespace: adguard 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | storageClassName: longhorn 14 | -------------------------------------------------------------------------------- /cluster/apps/autoscan/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: autoscan 6 | namespace: autoscan 7 | spec: 8 | dependsOn: 9 | - name: longhorn 10 | namespace: longhorn-system 11 | interval: 1h 12 | chart: 13 | spec: 14 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 15 | chart: app-template 16 | version: 1.5.1 17 | sourceRef: 18 | kind: HelmRepository 19 | name: bjw-s-charts 20 | namespace: flux-system 21 | 22 | values: 23 | image: 24 | repository: cloudb0x/autoscan 25 | tag: master@sha256:3df536844063c3bdc73fb36793e24a7cb116032af97dcc74fc03c478deded831 26 | 27 | controller: 28 | type: statefulset 29 | annotations: 30 | reloader.stakater.com/auto: "true" 31 | 32 | env: 33 | TZ: ${TIMEZONE} 34 | PUID: "1024" 35 | PGID: "100" 36 | AUTOSCAN_VERBOSITY: 1 37 | 38 | service: 39 | main: 40 | ports: 41 | http: 42 | port: 3030 43 | protocol: TCP 44 | 45 | ingress: 46 | main: 47 | enabled: false 48 | 49 | persistence: 50 | config: 51 | enabled: true 52 | existingClaim: config-autoscan-0 53 | config-secret: 54 | enabled: true 55 | type: secret 56 | name: autoscan-secrets 57 | subPath: config.yml 58 | mountPath: /config/config.yml 59 | readOnly: true 60 | library: 61 | enabled: true 62 | 
mountPath: /library 63 | path: /volume1/media 64 | server: ${RACKNAS_ADDR} 65 | type: nfs 66 | readOnly: true 67 | 68 | resources: 69 | requests: 70 | cpu: 100m 71 | memory: 128M 72 | limits: 73 | memory: 512M 74 | -------------------------------------------------------------------------------- /cluster/apps/autoscan/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: autoscan 5 | resources: 6 | - ./pvc.yaml 7 | - ./helmrelease.yaml 8 | - ./secrets.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/autoscan/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: config-autoscan-0 6 | namespace: autoscan 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: longhorn 14 | -------------------------------------------------------------------------------- /cluster/apps/autoscan/secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: bitnami.com/v1alpha1 3 | kind: SealedSecret 4 | metadata: 5 | creationTimestamp: null 6 | name: autoscan-secrets 7 | namespace: autoscan 8 | spec: 9 | encryptedData: 10 | config.yml: 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 11 | template: 12 | metadata: 13 | creationTimestamp: null 14 | name: autoscan-secrets 15 | namespace: autoscan 16 | -------------------------------------------------------------------------------- /cluster/apps/aws-ddns/files/aws-ddns.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | set -o nounset 4 | set -o errexit 5 | 6 | cd /app 7 | terraform init -upgrade 8 | terraform plan -out terraform.plan 9 | 
terraform apply -auto-approve terraform.plan 10 | -------------------------------------------------------------------------------- /cluster/apps/aws-ddns/files/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = "5.96.0" 7 | } 8 | http = { 9 | source = "hashicorp/http" 10 | version = "3.5.0" 11 | } 12 | } 13 | } 14 | 15 | variable "AWS_DOMAIN" { 16 | type = string 17 | description = "Use the defined domain within TF_VAR_AWS_DOMAIN environment variable" 18 | } 19 | 20 | provider "aws" {} 21 | 22 | data "aws_route53_zone" "domain" { 23 | name = var.AWS_DOMAIN 24 | } 25 | 26 | data "http" "ipv4" { 27 | url = "http://checkip.amazonaws.com" 28 | } 29 | 30 | resource "aws_route53_record" "ext-speed" { 31 | zone_id = data.aws_route53_zone.domain.zone_id 32 | name = "ext-speed" 33 | type = "A" 34 | ttl = 300 35 | records = [chomp(data.http.ipv4.response_body)] 36 | } 37 | 38 | resource "aws_route53_record" "vpn" { 39 | zone_id = data.aws_route53_zone.domain.zone_id 40 | name = "vpn" 41 | type = "A" 42 | ttl = 300 43 | records = [chomp(data.http.ipv4.response_body)] 44 | } 45 | 46 | resource "aws_route53_record" "video" { 47 | zone_id = data.aws_route53_zone.domain.zone_id 48 | name = "video" 49 | type = "A" 50 | ttl = 300 51 | records = [chomp(data.http.ipv4.response_body)] 52 | } 53 | 54 | resource "aws_route53_record" "req" { 55 | zone_id = data.aws_route53_zone.domain.zone_id 56 | name = "req" 57 | type = "A" 58 | ttl = 300 59 | records = [chomp(data.http.ipv4.response_body)] 60 | } 61 | -------------------------------------------------------------------------------- /cluster/apps/aws-ddns/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: aws-ddns 6 | namespace: aws-ddns 7 | spec: 8 | 
interval: 1h 9 | maxHistory: 3 10 | 11 | install: 12 | createNamespace: true 13 | remediation: 14 | retries: 3 15 | 16 | upgrade: 17 | cleanupOnFail: true 18 | remediation: 19 | retries: 3 20 | 21 | uninstall: 22 | keepHistory: false 23 | 24 | chart: 25 | spec: 26 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 27 | chart: app-template 28 | version: 1.5.1 29 | sourceRef: 30 | kind: HelmRepository 31 | name: bjw-s-charts 32 | namespace: flux-system 33 | 34 | values: 35 | restartPolicy: OnFailure 36 | 37 | controller: 38 | type: cronjob 39 | cronjob: 40 | concurrencyPolicy: Forbid 41 | schedule: "*/15 * * * *" 42 | successfulJobsHistory: 8 43 | 44 | image: 45 | repository: public.ecr.aws/hashicorp/terraform 46 | tag: 1.12.1@sha256:e5ce21d082d804f7e590847f91fd5c0357b45f480a73b71dd19ee6aa2c23500a 47 | 48 | command: 49 | - /bin/sh 50 | - /app/aws-ddns.sh 51 | 52 | envFrom: 53 | - secretRef: 54 | name: aws-ddns-secrets 55 | 56 | service: 57 | main: 58 | enabled: false 59 | 60 | persistence: 61 | config: 62 | enabled: true 63 | type: configMap 64 | name: aws-ddns-configmap 65 | subPath: aws-ddns.sh 66 | mountPath: /app/aws-ddns.sh 67 | defaultMode: 0775 68 | readOnly: true 69 | terraform: 70 | enabled: true 71 | type: configMap 72 | name: tf-configmap 73 | subPath: main.tf 74 | mountPath: /app/main.tf 75 | defaultMode: 0644 76 | readOnly: true 77 | backend: 78 | enabled: true 79 | type: secret 80 | name: aws-ddns-tf-backend 81 | subPath: backend.tf 82 | mountPath: /app/backend.tf 83 | readOnly: true 84 | -------------------------------------------------------------------------------- /cluster/apps/aws-ddns/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: aws-ddns 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./secrets.yaml 8 | configMapGenerator: 9 | - name: aws-ddns-configmap 10 | files: 11 | - 
./files/aws-ddns.sh 12 | - name: tf-configmap 13 | files: 14 | - ./files/main.tf 15 | generatorOptions: 16 | disableNameSuffixHash: true 17 | annotations: 18 | kustomize.toolkit.fluxcd.io/substitute: disabled 19 | -------------------------------------------------------------------------------- /cluster/apps/bazarr/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: bazarr 6 | namespace: bazarr 7 | spec: 8 | interval: 1h 9 | maxHistory: 3 10 | dependsOn: 11 | - name: longhorn 12 | namespace: longhorn-system 13 | - name: traefik 14 | namespace: traefik 15 | - name: sabnzbd 16 | namespace: sabnzbd 17 | 18 | install: 19 | createNamespace: true 20 | remediation: 21 | retries: 3 22 | 23 | upgrade: 24 | cleanupOnFail: true 25 | remediation: 26 | retries: 3 27 | 28 | uninstall: 29 | keepHistory: false 30 | 31 | chart: 32 | spec: 33 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 34 | chart: app-template 35 | version: 1.5.1 36 | sourceRef: 37 | kind: HelmRepository 38 | name: bjw-s-charts 39 | namespace: flux-system 40 | 41 | values: 42 | image: 43 | repository: ghcr.io/home-operations/bazarr 44 | tag: 1.5.2@sha256:dbc87e5ce9e199709188e152e82b3ff5d33e6521a1b3d61e465aa75b4b739e7f 45 | 46 | controller: 47 | type: statefulset 48 | annotations: 49 | reloader.stakater.com/auto: "true" 50 | 51 | podSecurityContext: 52 | runAsUser: 568 53 | runAsGroup: 568 54 | fsGroup: 568 55 | fsGroupChangePolicy: "OnRootMismatch" 56 | 57 | env: 58 | TZ: ${TIMEZONE} 59 | http_proxy: ${HTTP_PROXY} 60 | https_proxy: ${HTTP_PROXY} 61 | no_proxy: ${NO_PROXY} 62 | 63 | service: 64 | main: 65 | ports: 66 | http: 67 | port: 6767 68 | protocol: TCP 69 | 70 | ingress: 71 | main: 72 | enabled: true 73 | ingressClassName: traefik 74 | annotations: 75 | traefik.ingress.kubernetes.io/router.entrypoints: websecure 76 | 
traefik.ingress.kubernetes.io/router.middlewares: traefik-default-middlewares-chain@kubernetescrd 77 | traefik.ingress.kubernetes.io/router.tls.options: traefik-secure-tlsoptions@kubernetescrd 78 | hajimari.io/enable: "true" 79 | hajimari.io/icon: mdi:filmstrip 80 | hajimari.io/group: downloads 81 | hosts: 82 | - host: &host bazarr.${DOMAIN} 83 | paths: 84 | - path: / 85 | pathType: Prefix 86 | tls: 87 | - hosts: 88 | - *host 89 | - secretName: nathanpawelek-com-tls 90 | 91 | volumeClaimTemplates: 92 | - name: config 93 | mountPath: /config 94 | accessMode: ReadWriteOnce 95 | size: 15Gi 96 | storageClass: longhorn 97 | 98 | persistence: 99 | library: 100 | enabled: true 101 | mountPath: /library 102 | path: /volume1/media 103 | server: ${RACKNAS_ADDR} 104 | type: nfs 105 | 106 | resources: 107 | requests: 108 | cpu: 10m 109 | memory: 128Mi 110 | limits: 111 | memory: 1024Mi 112 | -------------------------------------------------------------------------------- /cluster/apps/bazarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: bazarr 5 | resources: 6 | - ./helmrelease.yaml 7 | # configMapGenerator: 8 | # - name: bazarr-scripts 9 | # files: 10 | # - ./scripts/post-process.sh 11 | # generatorOptions: 12 | # disableNameSuffixHash: true -------------------------------------------------------------------------------- /cluster/apps/galera/README.md: -------------------------------------------------------------------------------- 1 | # Galera Notes 2 | 3 | ## Safely bootstrap a specific node 4 | 5 | 1. Scale galera nodes to 0 6 | 7 | ``` 8 | k scale -n galera sts mariadb-galera --replicas 0 9 | ``` 10 | 11 | 2. Determine each node's grastate.dat 12 | 13 | ``` 14 | k apply -f galera_recovery.yaml 15 | k exec -it -n galera recovery- -- bash 16 | cat /data[012]/data/grastate.dat 17 | ``` 18 | 19 | 3. 
Update galera-helm-secrets with the bootstrap section, choosing bootstrapFromNode from the grastate.dat output gathered in the previous step 20 | 21 | ``` 22 | galera: 23 | name: galera 24 | # Use node numbering based on the sts node: 0, 1, or 2 25 | # Must also set helmrelease podManagementPolicy to Parallel 26 | bootstrap: 27 | bootstrapFromNode: 0 28 | forceSafeToBootstrap: true 29 | ``` 30 | 31 | 4. Set HelmRelease podManagementPolicy to Parallel 32 | 33 | ``` 34 | podManagementPolicy: Parallel 35 | ``` 36 | 37 | 5. Commit 38 | 6. Push 39 | 7. Delete sts, hr, and helm secret 40 | 41 | ``` 42 | k delete -n galera secret galera-helm-values 43 | k delete -n galera sealedsecrets.bitnami.com galera-helm-values 44 | k delete -n galera sts mariadb-galera 45 | k delete -n galera hr mariadb-galera 46 | ``` 47 | 48 | 8. Reconcile 49 | 50 | ``` 51 | fr 52 | flux reconcile kustomization cluster-apps 53 | ``` 54 | 55 | 9. Scale galera nodes down to 0 one replica at a time (this ensures proper state before reverting configs) 56 | 57 | ``` 58 | k scale -n galera sts mariadb-galera --replicas 2 59 | # wait 60 | k scale -n galera sts mariadb-galera --replicas 1 61 | # wait 62 | k scale -n galera sts mariadb-galera --replicas 0 63 | ``` 64 | 65 | 10. Suspend Flux 66 | 67 | ``` 68 | flux suspend kustomization --all 69 | ``` 70 | 71 | 11. Delete sts, hr, and helm secret 72 | 73 | ``` 74 | k delete -n galera secret galera-helm-values 75 | k delete -n galera sealedsecrets.bitnami.com galera-helm-values 76 | k delete -n galera sts mariadb-galera 77 | k delete -n galera hr mariadb-galera 78 | ``` 79 | 80 | 12. Revert configs 81 | 13. Commit 82 | 14. Push 83 | 15. Resume Flux 84 | 85 | ``` 86 | flux resume source git flux-system 87 | flux resume kustomization --all 88 | ``` 89 | 90 | 16. 
Reconcile -------------------------------------------------------------------------------- /cluster/apps/galera/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./secrets.yaml 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/galera/secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: bitnami.com/v1alpha1 3 | kind: SealedSecret 4 | metadata: 5 | creationTimestamp: null 6 | name: galera-helm-values 7 | namespace: galera 8 | spec: 9 | encryptedData: 10 | values.yaml: 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 11 | template: 12 | data: null 13 | metadata: 14 | creationTimestamp: null 15 | name: galera-helm-values 16 | namespace: galera 17 | type: Opaque 18 | -------------------------------------------------------------------------------- /cluster/apps/hajimari/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./pvc.yaml 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/hajimari/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: hajimari-config 6 | namespace: hajimari 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: longhorn 14 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/emqx/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 
apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./secrets.yaml 7 | # - ./certificate.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/emqx/secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: bitnami.com/v1alpha1 3 | kind: SealedSecret 4 | metadata: 5 | creationTimestamp: null 6 | name: emqx-secrets 7 | namespace: home-automation 8 | spec: 9 | encryptedData: 10 | admin_password: AgAqchSJaPFUc34TqQbPqwIdYL0VnoRzxKGPMOcsKOkjTzzoqRtRY4RbfSdob5pksMRpxIbuo9koXX9OD+TGlAmwyshx7EUb0ssgo2q6d4hKtP37kT4QQY+IWHdaOXNEO7iUn5lLHxg4I53AeI68hjRdRwvQsDTRgKDJZkx0+ml3Ugq5MHnKniiAMEjOugSO+FEYgI4rsKF1BIb/YGryVo4fgkVHnPJfmqzkZLjhAj8gxUVjSrXX0vcZ+1LnqIrPBzl65JqqbWgLfUlVMPf4tz12iKQ9ajxpskXT8AcqTsnqVlRZY+4INmen7yxJ7OuOyCX5E87WDOFJ3kU2UrXMmjUBBCKjQPnQ4Etsvv0XQ8NFOpEKw9/z4VfM1sYmjhpknu8Bnfmlnm/Sg97Z2NWR31FqaA/zT7w4+Bb5PcybQI6p4OG1EX+i9AhzdSpehdfOlUZpBIc221PCMgY26086cP62SD4+1llE9XqXg3b9jo4NgczfjoGrIaRm5DBULZf5qQeQ2Oui/bCSicNlVjSD/ZzztW5e0DkOdsPoSqKn98/n3yq+4OPlBhCWPJ8bEOujrmM0xNU7rz+glsPKgh4TTeZtKtKAGds19EPoPrmBmqTsl4n4yNMq/wXREUfUWt81osPSzy3PqFtlvlg/dsrFjtDGSqLgRAgxoQaYQBP/78NAeG6IHQR9jLntUlDHE9+71IE7+N+bCPoHJL/Fldaqj7pGL4PUqYRSIhUZifPISq22N2Y= 11 | user_1_password: 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 12 | user_1_username: 
AgCTwgs0mvyb883zJ/6YmsfOELdZ5mivxN+tmbeJsd3GW2MWTk++XO1yi7Xu2Jex3EhJdQke5yf6Av0plcewcYCkdKictKEcc0+34ce4L6wn5Ui+scBOqjFKp5rSsDuVKxvyIm0ts76e4btVRUmy1wooibGw2CtcM28gajZJQhViFhkXXzDOq8gqL3T9EwN2vsahX1Xe98U3QF0YRTTILx/qqLlDWJX+wgDLE7l4uXDddiTAgp8SobhapDY2YcQt3dFFTyksMbj42UwIPe8tWjwlNds70SMJci2teuadiFSzSIqbZZdfrfVpzuY1lwKCCPwVB3zsQjQdWhVHUhdoqQuv2DaXpuFzM2OUMRR+8ViQjhuOBOTua7YCZD6aNylwlFBn/bhn1zdTnoGvub1l2a+WHsXSQJFvnwKU83Brzz5DL8IuC4enMOURCd0pa2jrc5LOESjw7y7gELtYOIlnGZfKurwZWDaY9CaSc4Kp9qfQCXOESDjjOaispZ2IiyF8Em94VV/NoK6hTL3y4bzH+668WsaSS3u1LwPOSkXx2oF66d1UInPRszX3Qci2atJ6Ca/+Jl+sr2TjfVuKJ9TG1z2CMn6PoByuni4RbWhvup5bh06XL5bZmlLfTkZnbOFUoVPShRidmgriB6tHuBMXSMwvHl1r9v8W8lSLrTSHsF07a0z48O+wfbl3LYrORbQiqxpeje4= 13 | template: 14 | data: null 15 | metadata: 16 | creationTimestamp: null 17 | name: emqx-secrets 18 | namespace: home-automation 19 | type: Opaque 20 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/esphome/README.md: -------------------------------------------------------------------------------- 1 | # ESPHome-related devices 2 | 3 | ## Shelly 4 | 5 | ### Shelly Plus 1 6 | 7 | ![shelly1plus pinout](docs/shelly1_plus_pinout.jpg) 8 | 9 | ### Shelly 1 10 | 11 | ![shelly1 pinout](docs/shelly1_pinout.jpeg) 12 | 13 | ### Shelly 1PM 14 | 15 | In the current implmentation of Shelly 1PM, it wasn't feasible to bridge the GPIO pins to obtain these readings ([Amp/Voltage Thread](https://github.com/arendst/Tasmota/issues/5716)). Shelly mentioned they planned to get in the future, but that has yet to happen. 16 | 17 | ### Shelly 2.5 18 | 19 | ![shelly25 pinout](docs/shelly25_pinout.jpeg) 20 | 21 | ## Sensors 22 | 23 | ### Xiaomi LYWSD03MMC (Temp and Humidity) 24 | 25 | Flashed with the custom [pvvx firmware](https://github.com/pvvx/ATC_MiThermometer). 
26 | 27 | [Firmware flashing page](https://pvvx.github.io/ATC_MiThermometer/TelinkMiFlasher.html) 28 | 29 | Settings configured as follows: 30 | - Temperature: `F` 31 | - Comfort 32 | - Show battery 33 | - Advertising type: `Custom` (default intervals) 34 | - RF TX Power: `VANT +3.01 dbm` 35 | - Minimum LCD refresh rate: `12.75`s (longest configurable) 36 | - Comfort parameters: 37 | - Temp low: `20.00` 38 | - Temp high: `22.77` 39 | 40 | ### Xiaomi HHCCJCY01 (MiFlora, Huahuacaocao) 41 | 42 | Use the [Flower Care app](https://apps.apple.com/us/app/flower-care/id1095274672) to update the firmware. It's confirmed that battery levels are not reported as of firmware version 3.2.1. Use the standard [ATC tool](https://atc1441.github.io/TelinkFlasher.html) to pair with the device, then use bluetooth settings under MacOS to determine the underlying BLE address. 43 | 44 | Link to previously purchased devices that seem to work: [AliExpress (Smart Version)](https://www.aliexpress.com/item/4001264603672.html). I received a green one which seems to indicate a CN version, and it seems to work fine in ESPHome. 
45 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/esphome/docs/esp32_pentair_controller_wiring.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/npawelek/k8s-gitops/d9ecea09800f7d292acb9c251d79dbaf1c1e80ae/cluster/apps/home-automation/esphome/docs/esp32_pentair_controller_wiring.png -------------------------------------------------------------------------------- /cluster/apps/home-automation/esphome/docs/shelly1_pinout.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/npawelek/k8s-gitops/d9ecea09800f7d292acb9c251d79dbaf1c1e80ae/cluster/apps/home-automation/esphome/docs/shelly1_pinout.jpeg -------------------------------------------------------------------------------- /cluster/apps/home-automation/esphome/docs/shelly1_plus_pinout.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/npawelek/k8s-gitops/d9ecea09800f7d292acb9c251d79dbaf1c1e80ae/cluster/apps/home-automation/esphome/docs/shelly1_plus_pinout.jpg -------------------------------------------------------------------------------- /cluster/apps/home-automation/esphome/docs/shelly1pm_3way_wiring.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/npawelek/k8s-gitops/d9ecea09800f7d292acb9c251d79dbaf1c1e80ae/cluster/apps/home-automation/esphome/docs/shelly1pm_3way_wiring.jpeg -------------------------------------------------------------------------------- /cluster/apps/home-automation/esphome/docs/shelly1pm_outlet_wiring.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/npawelek/k8s-gitops/d9ecea09800f7d292acb9c251d79dbaf1c1e80ae/cluster/apps/home-automation/esphome/docs/shelly1pm_outlet_wiring.jpg 
-------------------------------------------------------------------------------- /cluster/apps/home-automation/esphome/docs/shelly25_pinout.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/npawelek/k8s-gitops/d9ecea09800f7d292acb9c251d79dbaf1c1e80ae/cluster/apps/home-automation/esphome/docs/shelly25_pinout.jpeg -------------------------------------------------------------------------------- /cluster/apps/home-automation/esphome/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./pvc.yaml 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/esphome/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: esphome-config 6 | namespace: home-automation 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 10Gi 13 | storageClassName: longhorn 14 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/fireboard2mqtt/README.md: -------------------------------------------------------------------------------- 1 | # [fireboard2mqtt](https://github.com/gordlea/fireboard2mqtt/) 2 | 3 | A simple service to bring your Fireboard wireless thermometer into home assistant via mqtt auto discovery. 
4 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/fireboard2mqtt/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: fireboard2mqtt 6 | namespace: home-automation 7 | spec: 8 | interval: 1h 9 | maxHistory: 3 10 | 11 | dependsOn: 12 | - name: mosquitto 13 | namespace: home-automation 14 | 15 | install: 16 | createNamespace: true 17 | remediation: 18 | retries: 3 19 | 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | retries: 3 24 | 25 | uninstall: 26 | keepHistory: false 27 | 28 | chart: 29 | spec: 30 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 31 | chart: app-template 32 | version: 1.5.1 33 | sourceRef: 34 | kind: HelmRepository 35 | name: bjw-s-charts 36 | namespace: flux-system 37 | 38 | values: 39 | image: 40 | repository: gordlea/fireboard2mqtt 41 | tag: latest@sha256:b826af466b354ff54b8056f40732c367a629c01a02c0e12d84ac27b1de4e8ab0 42 | 43 | controller: 44 | type: deployment 45 | annotations: 46 | reloader.stakater.com/auto: "true" 47 | 48 | podSecurityContext: 49 | runAsUser: 568 50 | runAsGroup: 568 51 | fsGroup: 568 52 | fsGroupChangePolicy: "OnRootMismatch" 53 | 54 | env: 55 | TZ: ${TIMEZONE} 56 | RUST_LOG: "fireboard2mqtt=debug" 57 | FB2MQTT_FIREBOARD_ENABLE_DRIVE: "true" 58 | FB2MQTT_MQTT_BASE_TOPIC: "homeassistant/fireboard2mqtt" 59 | 60 | envFrom: 61 | - secretRef: 62 | name: fireboard2mqtt-secrets 63 | 64 | ingress: 65 | main: 66 | enabled: false 67 | 68 | service: 69 | main: 70 | enabled: false 71 | 72 | resources: 73 | requests: 74 | memory: 64Mi 75 | cpu: 10m 76 | limits: 77 | memory: 128Mi 78 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/fireboard2mqtt/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./secret.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/home-assistant/cm.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: ssh-config 6 | namespace: home-automation 7 | data: 8 | config: |- 9 | Host github.com 10 | StrictHostKeyChecking no 11 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/home-assistant/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./pvc.yaml 6 | - ./cm.yaml 7 | - ./secrets.yaml 8 | - ./helmrelease.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/home-assistant/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: home-assistant-config 6 | namespace: home-automation 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | storageClassName: longhorn 14 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - emqx 6 | - fireboard2mqtt 7 | - mosquitto 8 | - home-assistant 9 | - esphome 10 | - node-red 11 | - piper 12 | - whisper 13 | 
-------------------------------------------------------------------------------- /cluster/apps/home-automation/mosquitto/certificate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: Certificate 4 | metadata: 5 | name: mqtt-nathanpawelek-com 6 | namespace: home-automation 7 | spec: 8 | secretName: mqtt-nathanpawelek-com-tls 9 | duration: 2160h 10 | renewBefore: 576h 11 | privateKey: 12 | rotationPolicy: Always 13 | size: 4096 14 | algorithm: RSA 15 | issuerRef: 16 | name: letsencrypt-prod 17 | kind: ClusterIssuer 18 | dnsNames: 19 | - mqtt.nathanpawelek.com 20 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/mosquitto/cm.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: mosquitto-conf 6 | namespace: home-automation 7 | data: 8 | mqtt.conf: |- 9 | listener 8883 0.0.0.0 10 | cafile /etc/ssl/mosquitto/tls.crt 11 | certfile /etc/ssl/mosquitto/tls.crt 12 | keyfile /etc/ssl/mosquitto/tls.key 13 | acl_file /mosquitto/configinc/auth/acl 14 | password_file /mosquitto/configinc/auth/passwd 15 | autosave_interval 60 16 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/mosquitto/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: mosquitto 6 | namespace: home-automation 7 | spec: 8 | dependsOn: 9 | - name: metallb 10 | namespace: metallb-system 11 | - name: longhorn 12 | namespace: longhorn-system 13 | interval: 1h 14 | chart: 15 | spec: 16 | # renovate: registryUrl=https://k8s-at-home.com/charts/ 17 | chart: mosquitto 18 | version: 4.8.2 19 | sourceRef: 20 | kind: HelmRepository 21 | name: k8s-at-home-charts 22 
| namespace: flux-system 23 | values: 24 | podAnnotations: 25 | secret.reloader.stakater.com/reload: mqtt-nathanpawelek-com-tls,mosquitto-secrets 26 | image: 27 | repository: public.ecr.aws/docker/library/eclipse-mosquitto 28 | tag: 2.0.18 29 | controller: 30 | type: statefulset 31 | replicas: 1 32 | env: 33 | TZ: ${TIMEZONE} 34 | auth: 35 | enabled: true 36 | service: 37 | main: 38 | type: LoadBalancer 39 | annotations: 40 | metallb.universe.tf/loadBalancerIPs: ${MOSQUITTO_LB} 41 | externalTrafficPolicy: Local 42 | ports: 43 | http: 44 | enabled: false 45 | mqtt: 46 | enabled: true 47 | port: 1883 48 | mqtts: 49 | enabled: true 50 | port: 8883 51 | persistence: 52 | data: 53 | enabled: true 54 | existingClaim: mosquitto-data 55 | mountPath: /mosquitto/data 56 | configinc: 57 | enabled: true 58 | type: configMap 59 | mountPath: /mosquitto/configinc 60 | name: mosquitto-conf 61 | mosquitto-auth: 62 | enabled: true 63 | type: custom 64 | volumeSpec: 65 | secret: 66 | secretName: mosquitto-secrets 67 | mountPath: /mosquitto/configinc/auth 68 | readOnly: true 69 | mosquitto-tls: 70 | enabled: true 71 | type: custom 72 | volumeSpec: 73 | secret: 74 | secretName: mqtt-nathanpawelek-com-tls 75 | mountPath: /etc/ssl/mosquitto 76 | readOnly: true 77 | resources: 78 | requests: 79 | memory: 128Mi 80 | cpu: 15m 81 | limits: 82 | memory: 256Mi 83 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/mosquitto/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./pvc.yaml 7 | - ./cm.yaml 8 | - ./secrets.yaml 9 | - ./certificate.yaml 10 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/mosquitto/pvc.yaml: -------------------------------------------------------------------------------- 1 
| --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: mosquitto-data 6 | namespace: home-automation 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | storageClassName: longhorn 14 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/mosquitto/secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: bitnami.com/v1alpha1 3 | kind: SealedSecret 4 | metadata: 5 | creationTimestamp: null 6 | name: mosquitto-secrets 7 | namespace: home-automation 8 | spec: 9 | encryptedData: 10 | acl: 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 11 | passwd: 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 12 | template: 13 | metadata: 14 | creationTimestamp: null 15 | name: mosquitto-secrets 16 | namespace: home-automation 17 | type: Opaque 18 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/node-red/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: node-red 6 | namespace: home-automation 7 | spec: 8 | interval: 1h 9 | maxHistory: 3 10 | 11 | dependsOn: 12 | - name: longhorn 13 | namespace: longhorn-system 14 | - name: home-assistant 15 | namespace: home-automation 16 | 17 | install: 18 | createNamespace: true 19 | remediation: 20 | retries: 3 21 | 22 | upgrade: 23 | cleanupOnFail: true 24 | remediation: 25 | retries: 3 26 | 27 | uninstall: 28 | keepHistory: false 29 | 30 | chart: 31 | spec: 32 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 33 | chart: app-template 34 | version: 1.5.1 35 | sourceRef: 36 | kind: HelmRepository 37 | name: bjw-s-charts 38 | namespace: flux-system 39 | 40 | values: 41 | image: 42 | repository: nodered/node-red 43 | tag: 
4.0.9-18-minimal@sha256:8a23dc0c2ae19a9cc09df25196cc789af08e3b6d6620b25e78cc0304a138d9ab 44 | 45 | controller: 46 | type: deployment 47 | annotations: 48 | reloader.stakater.com/auto: "true" 49 | 50 | podSecurityContext: 51 | runAsUser: 1000 52 | runAsGroup: 1000 53 | fsGroup: 1000 54 | fsGroupChangePolicy: "OnRootMismatch" 55 | 56 | env: 57 | TZ: ${TIMEZONE} 58 | FLOWS: flows.json 59 | NODE_RED_ENABLE_PROJECTS: "true" 60 | NODE_RED_ENABLE_SAFE_MODE: "false" 61 | 62 | service: 63 | main: 64 | ports: 65 | http: 66 | port: 1880 67 | protocol: TCP 68 | 69 | ingress: 70 | main: 71 | enabled: true 72 | ingressClassName: traefik 73 | annotations: 74 | traefik.ingress.kubernetes.io/router.entrypoints: websecure 75 | traefik.ingress.kubernetes.io/router.middlewares: traefik-default-middlewares-chain@kubernetescrd 76 | traefik.ingress.kubernetes.io/router.tls.options: traefik-secure-tlsoptions@kubernetescrd 77 | hajimari.io/enable: "true" 78 | hajimari.io/icon: simple-icons:nodered 79 | hajimari.io/group: "home automation" 80 | hajimari.io/appName: "node red" 81 | hosts: 82 | - host: &host nodered.${DOMAIN} 83 | paths: 84 | - path: / 85 | pathType: Prefix 86 | tls: 87 | - hosts: 88 | - *host 89 | - secretName: nathanpawelek-com-tls 90 | 91 | persistence: 92 | data: 93 | enabled: true 94 | existingClaim: node-red-data 95 | 96 | resources: 97 | limits: 98 | memory: 1000Mi 99 | requests: 100 | cpu: 100m 101 | memory: 500Mi 102 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/node-red/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./pvc.yaml 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/node-red/pvc.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: node-red-data 6 | namespace: home-automation 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | storageClassName: longhorn 14 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/piper/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: piper 6 | namespace: home-automation 7 | spec: 8 | interval: 1h 9 | maxHistory: 3 10 | 11 | dependsOn: 12 | - name: longhorn 13 | namespace: longhorn-system 14 | 15 | install: 16 | createNamespace: true 17 | remediation: 18 | retries: 3 19 | 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | retries: 3 24 | 25 | uninstall: 26 | keepHistory: false 27 | 28 | chart: 29 | spec: 30 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 31 | chart: app-template 32 | version: 1.5.1 33 | sourceRef: 34 | kind: HelmRepository 35 | name: bjw-s-charts 36 | namespace: flux-system 37 | 38 | values: 39 | image: 40 | repository: rhasspy/wyoming-piper 41 | tag: latest@sha256:35938df89d0204661e5fc7c3a986e8d8b1ac5afe61969656cdaee0fa7ada8e20 42 | 43 | controller: 44 | type: statefulset 45 | annotations: 46 | reloader.stakater.com/auto: "true" 47 | 48 | args: 49 | - --voice 50 | - en-us-libritts-high 51 | 52 | podSecurityContext: 53 | runAsUser: 568 54 | runAsGroup: 568 55 | fsGroup: 568 56 | fsGroupChangePolicy: "OnRootMismatch" 57 | 58 | env: 59 | TZ: ${TIMEZONE} 60 | 61 | ingress: 62 | main: 63 | enabled: false 64 | primary: false 65 | 66 | service: 67 | main: 68 | ports: 69 | http: 70 | port: 10200 71 | protocol: TCP 72 | 73 | volumeClaimTemplates: 74 | - name: data 75 | mountPath: /data 76 | accessMode: ReadWriteOnce 
77 | size: 5Gi 78 | storageClass: longhorn 79 | 80 | resources: 81 | requests: 82 | memory: 250Mi 83 | cpu: 500m 84 | limits: 85 | memory: 500Mi 86 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/piper/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./pvc.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/piper/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: data-piper-0 6 | namespace: home-automation 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | storageClassName: longhorn 14 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/whisper/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: whisper 6 | namespace: home-automation 7 | spec: 8 | interval: 1h 9 | maxHistory: 3 10 | 11 | dependsOn: 12 | - name: longhorn 13 | namespace: longhorn-system 14 | 15 | install: 16 | createNamespace: true 17 | remediation: 18 | retries: 3 19 | 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | retries: 3 24 | 25 | uninstall: 26 | keepHistory: false 27 | 28 | chart: 29 | spec: 30 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 31 | chart: app-template 32 | version: 1.5.1 33 | sourceRef: 34 | kind: HelmRepository 35 | name: bjw-s-charts 36 | namespace: flux-system 37 | 38 | values: 39 | image: 40 | repository: rhasspy/wyoming-whisper 41 | tag: 
latest@sha256:f03456914affe8076fc7688c0890f4c708d93ebfac7340b0b2467f721412012d 42 | 43 | controller: 44 | type: statefulset 45 | annotations: 46 | reloader.stakater.com/auto: "true" 47 | 48 | args: 49 | - --model 50 | - small 51 | - --language 52 | - en 53 | 54 | podSecurityContext: 55 | runAsUser: 568 56 | runAsGroup: 568 57 | fsGroup: 568 58 | fsGroupChangePolicy: "OnRootMismatch" 59 | 60 | env: 61 | TZ: ${TIMEZONE} 62 | 63 | ingress: 64 | main: 65 | enabled: false 66 | primary: false 67 | 68 | service: 69 | main: 70 | ports: 71 | http: 72 | port: 10300 73 | protocol: TCP 74 | 75 | volumeClaimTemplates: 76 | - name: data 77 | mountPath: /data 78 | accessMode: ReadWriteOnce 79 | size: 5Gi 80 | storageClass: longhorn 81 | 82 | resources: 83 | requests: 84 | memory: 250Mi 85 | cpu: 500m 86 | limits: 87 | memory: 2500Mi 88 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/whisper/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./pvc.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/home-automation/whisper/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: data-whisper-0 6 | namespace: home-automation 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | storageClassName: longhorn 14 | -------------------------------------------------------------------------------- /cluster/apps/jellyfin/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: jellyfin 5 | resources: 6 | - 
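./pvc.yaml
- ./helmrelease.yaml
configMapGenerator:
  - name: scripts
    files:
      - post-process-wrapper.sh
      - post-process.sh
generatorOptions:
  disableNameSuffixHash: true
  annotations:
    # Flux post-build variable substitution is disabled for the generated
    # ConfigMap so the shell variable expansions inside the scripts reach the
    # container untouched.
    kustomize.toolkit.fluxcd.io/substitute: disabled
--------------------------------------------------------------------------------
/cluster/apps/jellyfin/post-process-wrapper.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Thin wrapper that Jellyfin invokes with the recording {path}. It captures all
# output of the real post-processing script into a timestamped log under
# /config/log and forwards the path unchanged.
#
# NOTE(review): the log name carries only a one-second timestamp, so two
# recordings finishing in the same second would overwrite each other's log.
exec > "/config/log/$(date +"%Y-%m-%d_%H-%M-%S")-post-process-wrapper-sh.log" 2>&1
if [ -z "${1:-}" ]; then
  echo "No {path} value was passed in by Jellyfin"
  exit 1
fi
/usr/bin/bash /config/scripts/post-process.sh "${1}"
--------------------------------------------------------------------------------
/cluster/apps/jellyfin/post-process.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# Jellyfin DVR post-processing hook. Given the absolute path of a finished
# recording under
#   /data/Jellyfin Recordings/incomplete/<show structure>/<file>
# it moves the file to
#   /data/Jellyfin Recordings/complete/<show structure>/<file>
# and then removes stray metadata files (._*, *-thumb.bin, *.nfo) anywhere in
# the DVR tree.
#
# Usage:  post-process.sh <recording path>
# Exit:   0 on success; 1 when the path is missing, not a file, or not inside
#         the incomplete/ tree (via die); non-zero if any later command fails
#         (errexit).

set -o errexit
set -o pipefail
set -o nounset
# set -o xtrace

# Print the arguments to stderr and abort with status 1.
die () {
  echo >&2 "$@"
  exit 1
}

__path="${1:-}"

# verify a path was provided
[ -n "$__path" ] || die "path is required"
# verify the path exists
[ -f "$__path" ] || die "path ($__path) is not a file"

__dir="$(dirname "${__path}")"
__file="$(basename "${__path}")"
__dvr_dir="/data/Jellyfin Recordings"
__incomplete_dir="${__dvr_dir}/incomplete"

# The recording has to live inside the incomplete/ tree. Without this check the
# prefix strip below is a no-op for any other location and the file would be
# moved to complete/<its own absolute path>.
case "${__dir}/" in
  "${__incomplete_dir}/"*) ;;
  *) die "path ($__path) is not under ${__incomplete_dir}" ;;
esac

# Show structure relative to incomplete/, e.g. "Show Name/Season 01" (empty when
# the file sits directly in incomplete/). The pattern is quoted so that glob
# characters in the prefix are matched literally.
__show_structure="${__dir}/"
__show_structure="${__show_structure#"${__incomplete_dir}/"}"
__show_structure="${__show_structure%/}"

# A ".." component would let the destination escape complete/; refuse it.
case "/${__show_structure}/" in
  */../*) die "path ($__path) contains a parent-directory component" ;;
esac

__dest_path="complete/${__show_structure}"

# Debugging path variables. Values are passed as %s arguments so that a '%' in
# a file name is never interpreted as a printf format directive.
printf '[post-process.sh] Debugging variables...\n'
printf 'path: %s\n' "${__path}"
printf 'dir: %s\n' "${__dir}"
printf 'dvr_dir: %s\n' "${__dvr_dir}"
printf 'show_structure: %s\n' "${__show_structure}"
printf 'dest_path: %s\n' "${__dest_path}"

# Create destination show path
printf '\n[post-process.sh] Create destination show path...\n'
mkdir -v -p "${__dvr_dir}/${__dest_path}"

# Move recording to complete directory. As before, mv silently replaces an
# existing file of the same name at the destination.
printf '\n[post-process.sh] Moving recording to complete directory...\n'
mv -v "${__path}" "${__dvr_dir}/${__dest_path}/${__file}"

# Cleanup miscellaneous metadata files in dvr directory. Restricted to regular
# files; as before, a failing rm prints its own error and does not abort the run.
printf '\n[post-process.sh] Deleting miscellaneous metadata files...\n'
find "${__dvr_dir}" -type f -name '._*' -exec rm -vf {} \;
find "${__dvr_dir}" -type f -name '*-thumb.bin' -exec rm -vf {} \;
find "${__dvr_dir}" -type f -name '*.nfo' -exec rm -vf {} \;
--------------------------------------------------------------------------------
/cluster/apps/jellyfin/pvc.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: config-jellyfin-0
  namespace: jellyfin
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 30Gi
  storageClassName: longhorn
--------------------------------------------------------------------------------
/cluster/apps/jellyseerr/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/cluster/apps/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - adguard
  # - authentik
  - aws-ddns
  - autoscan
  - bazarr
  - galera
  - hajimari
  - home-automation
  - jellyfin
  - jellyseerr
  - metrics-server
  - nginx
  - ntpd
  - prowlarr
  - radarr
  - rclone
  - recyclarr
  - sabnzbd
  - sonarr
  - speedtest
  - traefik
  - traefik-forward-auth
  - unmanic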
- uptime
- ytdl-sub
--------------------------------------------------------------------------------
/cluster/apps/metrics-server/helmrelease.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: metrics-server
  namespace: kube-system
spec:
  interval: 1h
  chart:
    spec:
      chart: metrics-server
      version: 3.12.2
      sourceRef:
        kind: HelmRepository
        name: kubernetes-sigs-metrics-server
        namespace: flux-system
  values:
    metrics:
      enabled: true
    args:
      # NOTE(review): --kubelet-insecure-tls turns off verification of each
      # kubelet's serving certificate, so the resource metrics API accepts
      # data from anything answering on the kubelet port. The usual cause is
      # kubelets with self-signed serving certs; the durable fix is to let the
      # kubelet request a CA-signed serving cert (KubeletConfiguration
      # serverTLSBootstrap) and drop this flag -- confirm which applies here.
      - --kubelet-insecure-tls
--------------------------------------------------------------------------------
/cluster/apps/metrics-server/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/cluster/apps/nginx/helmrelease.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: nginx
  namespace: nginx
spec:
  dependsOn:
    - name: traefik
      namespace: traefik
  maxHistory: 3
  interval: 1h
  suspend: false
  releaseName: nginx
  chart:
    spec:
      # renovate: registryUrl=https://charts.bitnami.com/bitnami
      chart: nginx
      version: 15.12.2
      sourceRef:
        kind: HelmRepository
        name: bitnami-charts
        namespace: flux-system
  values:
    image:
      registry: public.ecr.aws
      repository: bitnami/nginx
      # NOTE(review): tag-only pin. The app-template releases elsewhere in this
      # repo pin `tag@sha256:...`, which keeps the rollout reproducible and
      # immune to a re-pushed tag -- consider doing the same here.
      tag: 1.25.4
    replicaCount: 1
    service:
      type: ClusterIP
      port: 8080
    ingress:
      enabled: true
      annotations:
        # Served on the plain-HTTP `web` entrypoint (the other ingresses in
        # this repo use `websecure`) behind the `int` middleware chain;
        # presumably that chain limits access to internal clients -- confirm,
        # because the content is an auto-indexed directory listing.
        traefik.ingress.kubernetes.io/router.entrypoints: web
        traefik.ingress.kubernetes.io/router.middlewares: traefik-int-middlewares-chain@kubernetescrd
      hostname: int.${DOMAIN}
      path: /
      pathType: Prefix
    serviceAccount:
      # No dedicated ServiceAccount is created by the chart; the pod runs under
      # whatever account the chart falls back to -- verify against the chart.
      create: false
    networkPolicy:
      # The chart-managed NetworkPolicy is switched off.
      enabled: false
    # The site content is a clone of the `main` branch of that repository,
    # refreshed by the sidecar loop below every 60 s. No commit is pinned and no
    # credentials are configured here (so presumably a public repo), which
    # makes the branch's own protection rules the only integrity control on
    # what gets served. `safe.directory` is git's opt-in for a checkout owned
    # by a different uid than the one running git.
    cloneStaticSiteFromGit:
      enabled: true
      repository: https://github.com/npawelek/firmware.git
      branch: main
      extraEnvVars:
        - name: HOME
          value: "/tmp"
      gitSync:
        command:
          - /bin/bash
        args:
          - -ec
          - |
            [[ -f "/opt/bitnami/scripts/git/entrypoint.sh" ]] && source "/opt/bitnami/scripts/git/entrypoint.sh"
            cd /app && git config --global --add safe.directory $(pwd)
            while true; do
              cd /app && git pull origin main
              sleep 60
            done
    # `index no_index` presumably names a file that never exists, so directory
    # requests fall through to the autoindex listing -- confirm. The three
    # regex locations are unanchored and therefore match "/.git", "/README.md"
    # or "/LICENSE" anywhere in the URI (e.g. /.github, /.gitignore); the first
    # keeps the clone's .git metadata (history, remotes) off the listing.
    serverBlock: |-
      server {
        server_name int.${DOMAIN};
        listen 8080;
        root /opt/bitnami/nginx/html/;
        index no_index;

        location / {
          autoindex on;
        }

        location ~ /\.git {
          deny all;
        }

        location ~ /README.md {
          deny all;
        }

        location ~ /LICENSE {
          deny all;
        }
      }
    extraEnvVars:
      - name: TZ
        value: America/Chicago
    resources:
      requests:
        memory: 100Mi
        cpu: 100m
      limits:
        memory: 300Mi
--------------------------------------------------------------------------------
/cluster/apps/nginx/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
--------------------------------------------------------------------------------
/cluster/apps/ntpd/helmrelease.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: ntpd
  namespace: ntpd
spec:
interval: 1h 9 | maxHistory: 3 10 | 11 | dependsOn: 12 | - name: metallb 13 | namespace: metallb-system 14 | 15 | install: 16 | createNamespace: true 17 | remediation: 18 | retries: 3 19 | 20 | upgrade: 21 | cleanupOnFail: true 22 | remediation: 23 | retries: 3 24 | 25 | uninstall: 26 | keepHistory: false 27 | 28 | chart: 29 | spec: 30 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 31 | chart: app-template 32 | version: 1.5.1 33 | sourceRef: 34 | kind: HelmRepository 35 | name: bjw-s-charts 36 | namespace: flux-system 37 | 38 | values: 39 | image: 40 | repository: cturra/ntp 41 | tag: latest@sha256:8ee0cfcabfa3d0d77dde02cb2930da02da8c33a2b7393bb429010cbae0b9d509 42 | pullPolicy: Always 43 | 44 | controller: 45 | type: deployment 46 | annotations: 47 | reloader.stakater.com/auto: "true" 48 | 49 | env: 50 | TZ: ${TIMEZONE} 51 | 52 | service: 53 | main: 54 | enabled: false 55 | ntp: 56 | enabled: true 57 | type: LoadBalancer 58 | externalTrafficPolicy: Local 59 | annotations: 60 | metallb.universe.tf/loadBalancerIPs: ${NTPD_LB} 61 | ports: 62 | ntpd: 63 | enabled: true 64 | port: &ntp-port 123 65 | protocol: UDP 66 | targetPort: *ntp-port 67 | 68 | probes: 69 | liveness: &probes 70 | enabled: false 71 | readiness: *probes 72 | startup: *probes 73 | 74 | ingress: 75 | main: 76 | enabled: false 77 | 78 | resources: 79 | requests: 80 | cpu: 100m 81 | memory: 128M 82 | limits: 83 | memory: 256M 84 | -------------------------------------------------------------------------------- /cluster/apps/ntpd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/prowlarr/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: prowlarr 6 | namespace: prowlarr 7 | spec: 8 | interval: 1h 9 | maxHistory: 3 10 | dependsOn: 11 | - name: longhorn 12 | namespace: longhorn-system 13 | - name: traefik 14 | namespace: traefik 15 | 16 | install: 17 | createNamespace: true 18 | remediation: 19 | retries: 3 20 | 21 | upgrade: 22 | cleanupOnFail: true 23 | remediation: 24 | retries: 3 25 | 26 | uninstall: 27 | keepHistory: false 28 | 29 | chart: 30 | spec: 31 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 32 | chart: app-template 33 | version: 1.5.1 34 | sourceRef: 35 | kind: HelmRepository 36 | name: bjw-s-charts 37 | namespace: flux-system 38 | 39 | values: 40 | image: 41 | repository: ghcr.io/home-operations/prowlarr 42 | tag: 1.37.0.5076@sha256:aab0bfd4e96bdca19cca280a2bbf8ac60b9251dcae13459856b724a2dd3ae020 43 | 44 | controller: 45 | type: statefulset 46 | annotations: 47 | reloader.stakater.com/auto: "true" 48 | 49 | podSecurityContext: 50 | runAsUser: 568 51 | runAsGroup: 568 52 | fsGroup: 568 53 | fsGroupChangePolicy: "OnRootMismatch" 54 | 55 | env: 56 | TZ: ${TIMEZONE} 57 | http_proxy: ${HTTP_PROXY} 58 | https_proxy: ${HTTP_PROXY} 59 | no_proxy: ${NO_PROXY} 60 | 61 | service: 62 | main: 63 | ports: 64 | http: 65 | port: &port 9696 66 | protocol: TCP 67 | 68 | probes: 69 | liveness: &probes 70 | enabled: true 71 | custom: true 72 | spec: 73 | httpGet: 74 | path: /ping 75 | port: *port 76 | initialDelaySeconds: 0 77 | periodSeconds: 10 78 | timeoutSeconds: 1 79 | failureThreshold: 3 80 | readiness: *probes 81 | startup: 82 | enabled: false 83 | 84 | ingress: 85 | main: 86 | enabled: true 87 | ingressClassName: traefik 88 | annotations: 89 | traefik.ingress.kubernetes.io/router.entrypoints: websecure 90 | traefik.ingress.kubernetes.io/router.middlewares: traefik-default-middlewares-chain@kubernetescrd 91 | traefik.ingress.kubernetes.io/router.tls.options: traefik-secure-tlsoptions@kubernetescrd 92 | 
hajimari.io/enable: "true" 93 | hajimari.io/icon: play-network 94 | hajimari.io/group: downloads 95 | hosts: 96 | - host: &host prowlarr.${DOMAIN} 97 | paths: 98 | - path: / 99 | pathType: Prefix 100 | tls: 101 | - hosts: 102 | - *host 103 | - secretName: nathanpawelek-com-tls 104 | 105 | volumeClaimTemplates: 106 | - name: config 107 | mountPath: /config 108 | accessMode: ReadWriteOnce 109 | size: 1Gi 110 | storageClass: longhorn 111 | 112 | resources: 113 | requests: 114 | cpu: 100m 115 | memory: 128Mi 116 | limits: 117 | memory: 1024Mi 118 | -------------------------------------------------------------------------------- /cluster/apps/prowlarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./secrets.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/radarr/README.md: -------------------------------------------------------------------------------- 1 | # Radarr 2 | 3 | ## radarr-trailers 4 | 5 | ### Overview 6 | 7 | A cronjob that runs at a defined interval to download trailers for your movie collection using [yt-dlp](https://github.com/yt-dlp/yt-dlp). This process assumes a standardized movie collection exists with the same remote file mapping as Radarr, because the absolute path of each movie will be assumed from the Radarr API. Each movie directory is checked for an existing trailer file before attempting to download. Any missing trailer(s) will be downloaded alongside existing movie files, utilizing the [standardized Jellyfin trailer file suffix](https://jellyfin.org/docs/general/server/media/movies/#file-suffix). The presence of a trailer matching the file suffix will automatically enable the trailer button in the Jellyfin client UI. 8 | 9 | This leverages an updated version of yt-dlp. 
The configuration of the yt-dlp command will concurrently download files into memory, then use ffmpeg to combine and output the trailer in an mkv container. 10 | 11 | If you experience any issues with missing or unavailable trailers, look at [TMDb](https://www.themoviedb.org/) and edit details accordingly. This will ensure that Radarr is populating the correct trailer URL from TMDb metadata. 12 | 13 | ### Manual Testing 14 | 15 | The cronjob can be manually executed for testing purposes using the below examples: 16 | 17 | Create: 18 | ``` 19 | kubectl create job -n radarr --from=cronjob/radarr-trailers manualrun 20 | ``` 21 | 22 | Logs: 23 | ``` 24 | kubectl logs -n radarr manualrun- -f 25 | ``` 26 | 27 | Delete: 28 | ``` 29 | k delete job -n radarr manualrun 30 | ``` 31 | -------------------------------------------------------------------------------- /cluster/apps/radarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - radarr 6 | - radarr-remux 7 | - radarr-anime 8 | - radarr-trailers 9 | -------------------------------------------------------------------------------- /cluster/apps/radarr/radarr-anime/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/radarr/radarr-remux/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/radarr/radarr-trailers/helmrelease.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: radarr-trailers 6 | namespace: radarr 7 | spec: 8 | dependsOn: 9 | - name: radarr 10 | namespace: radarr 11 | interval: 1h 12 | chart: 13 | spec: 14 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 15 | chart: app-template 16 | version: 1.5.1 17 | sourceRef: 18 | kind: HelmRepository 19 | name: bjw-s-charts 20 | namespace: flux-system 21 | 22 | values: 23 | controller: 24 | type: cronjob 25 | cronjob: 26 | schedule: "10 0,8,16 * * *" 27 | ttlSecondsAfterFinished: 86400 28 | 29 | restartPolicy: OnFailure 30 | 31 | image: 32 | repository: jauderho/yt-dlp 33 | tag: 2025.05.22@sha256:d1921b85efedc7b6149622ea5deaf89f60a21a76dfe8cd1984bedc002b719ffa 34 | 35 | command: 36 | - /bin/sh 37 | - /scripts/get_trailers.sh 38 | 39 | envFrom: 40 | - secretRef: 41 | name: radarr-trailers-secrets 42 | 43 | env: 44 | TZ: ${TIMEZONE} 45 | http_proxy: ${HTTP_PROXY} 46 | https_proxy: ${HTTP_PROXY} 47 | no_proxy: ${NO_PROXY} 48 | 49 | service: 50 | main: 51 | enabled: false 52 | 53 | persistence: 54 | cache: 55 | enabled: true 56 | type: emptyDir 57 | medium: Memory 58 | mountPath: /cache 59 | sizeLimit: 4G 60 | config: 61 | enabled: false 62 | movies: 63 | enabled: true 64 | path: /volume1/media/Movies 65 | mountPath: /library/Movies 66 | server: ${RACKNAS_ADDR} 67 | type: nfs 68 | movies-anime: 69 | enabled: true 70 | path: /volume1/media/Movies-Anime 71 | mountPath: /library/Movies-Anime 72 | server: ${RACKNAS_ADDR} 73 | type: nfs 74 | movies-remux: 75 | enabled: true 76 | path: /volume1/media/Movies-Remux 77 | mountPath: /library/Movies-Remux 78 | server: ${RACKNAS_ADDR} 79 | type: nfs 80 | scripts: 81 | enabled: true 82 | type: configMap 83 | name: trailers-configmap 84 | subPath: get_trailers.sh 85 | mountPath: /scripts/get_trailers.sh 86 | defaultMode: 0775 87 | readOnly: true 88 | 89 | 
resources: 90 | requests: 91 | cpu: 100m 92 | memory: 128Mi 93 | limits: 94 | memory: 1024Mi 95 | -------------------------------------------------------------------------------- /cluster/apps/radarr/radarr-trailers/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: radarr 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./secrets.yaml 8 | configMapGenerator: 9 | - name: trailers-configmap 10 | files: 11 | - ./get_trailers.sh 12 | generatorOptions: 13 | disableNameSuffixHash: true 14 | annotations: 15 | kustomize.toolkit.fluxcd.io/substitute: disabled 16 | -------------------------------------------------------------------------------- /cluster/apps/radarr/radarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/rclone/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./rclone-secrets.yaml 6 | - ./rclone-cronjob.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/rclone/rclone-cronjob.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: batch/v1 3 | kind: CronJob 4 | metadata: 5 | name: rclone-backup 6 | namespace: rclone 7 | labels: 8 | app.kubernetes.io/name: rclone-backup 9 | app.kubernetes.io/instance: rclone-backup 10 | spec: 11 | schedule: "30 7 * * *" 12 | concurrencyPolicy: Forbid 13 | failedJobsHistoryLimit: 7 14 | successfulJobsHistoryLimit: 7 15 | jobTemplate: 16 | spec: 17 | 
activeDeadlineSeconds: 3600 18 | backoffLimit: 2 19 | template: 20 | metadata: 21 | labels: 22 | app.kubernetes.io/name: rclone-backup 23 | app.kubernetes.io/instance: rclone-backup 24 | spec: 25 | containers: 26 | - name: rclone 27 | image: rclone/rclone:1.69.0 28 | workingDir: /data 29 | command: 30 | - rclone 31 | args: 32 | - sync 33 | - /data 34 | - s3:npawelek-s3-backup-rclone 35 | - --transfers 36 | - "4" 37 | - --ignore-checksum 38 | - --fast-list 39 | - --update 40 | - --use-server-modtime 41 | - --progress 42 | - --exclude 43 | - /#recycle/** 44 | - --exclude 45 | - /Camera/.pending-* 46 | - --exclude 47 | - /Camera/.trashed-* 48 | - --delete-excluded 49 | volumeMounts: 50 | - mountPath: /data 51 | name: nfs-backup 52 | readOnly: true 53 | - name: rclone-config 54 | mountPath: /config/rclone/rclone.conf 55 | subPath: rclone.conf 56 | readOnly: true 57 | volumes: 58 | - name: nfs-backup 59 | nfs: 60 | path: /volume1/Backup 61 | server: ${DERPNAS_ADDR} 62 | - name: rclone-config 63 | secret: 64 | secretName: rclone-config 65 | restartPolicy: Never 66 | -------------------------------------------------------------------------------- /cluster/apps/rclone/rclone-secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: bitnami.com/v1alpha1 3 | kind: SealedSecret 4 | metadata: 5 | creationTimestamp: null 6 | name: rclone-config 7 | namespace: rclone 8 | spec: 9 | encryptedData: 10 | rclone.conf: 
AgBWW0714PpfDMQPbMNMxsBdrU3OewvLkrQP/Vwyx833gYVP1hccGSKZiksY6XD31lz9wl4ZOzqZsBlbcyGDGytGtIRQhKwCO24BARHDZXtUaDMyWRTpaZXw0WgH8bd7pFXFUgYTnDRkewsP7PYCqsUP5cpEngGqV2ZLlqbRXdyeGHsjtpq9dQYUuryPJ0xzGUBHqFiYo7nQRONF0sfCqidmhNipYEQSUHktoMlcMPownMTDuaJgVUbLhHjeJZ1nPTZxynJHk8mtPqTfaxTIpkMWYfz51CD3OOfNLtdV5Sahq429yWNnYbIJXFQ9cFNtghFkzjCbASIabWPvQEU+c9R/K3GEnn5JqA7kJ+A60WGehlLZxzPaG749pKNExbUQYfSElcPwAq9xPTosVqpezQTuaqvjbUccKWjN6yTBetxqpEOiFE8+OXBRoe4rBURyVfeHVWQlU4FzRvxk1gOdrknS4JanPLFO8zxMM2jxMv5k4vIkSb/Zu8RHA+TDv9Q2mz/sHvvbbS4YEk/YYYAfHV1id4N9sAg6bAPYYC/uTavfMLT4uNew6CJEHIuqSIuNHJlFXLQSEK0MnpVLu5cI1EMC6wfoVmzzZyHxfshWkRnEgIKHKdjVjDiU4w5WPOUp0OUwz2vDGav/wYDBdq8heca62d17pAsoFFm/MG0ufSDSHfP+N3v5tKG9ih/Fg2albR8h6XVD5qtulkMCGw5PmtdIfqbKZsMo9lCc9PZW7PY99fIHxki4AEr9ELum6yMYQsEkIg5Jv0wpob0ql1XUd2x/aOOPAjxXCb/m4m5kPvwoFy23K8zHE04tCUFIQl2NzZHW0NqR9eQbVRxJrfZNqrDRW9sWnfGr45G6+8B90bxPuRGXUxyKkUUL5oPmm/h6NHzmdpvS/pIeHxjihwZEPYZ4SVqXyzlzdEgHb8xZ97Sd9dVW4LHMLzeiG1tgsNP+1+sHr1IhSDXhaZ7kdw== 11 | template: 12 | data: null 13 | metadata: 14 | creationTimestamp: null 15 | name: rclone-config 16 | namespace: rclone 17 | -------------------------------------------------------------------------------- /cluster/apps/recyclarr/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: recyclarr 6 | namespace: recyclarr 7 | spec: 8 | interval: 1h 9 | maxHistory: 3 10 | dependsOn: 11 | - name: sonarr 12 | namespace: sonarr 13 | - name: radarr 14 | namespace: radarr 15 | 16 | install: 17 | createNamespace: true 18 | remediation: 19 | retries: 3 20 | 21 | upgrade: 22 | cleanupOnFail: true 23 | remediation: 24 | retries: 3 25 | 26 | uninstall: 27 | keepHistory: false 28 | 29 | chart: 30 | spec: 31 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 32 | chart: app-template 33 | version: 1.5.1 34 | sourceRef: 35 | kind: HelmRepository 36 | name: 
bjw-s-charts 37 | namespace: flux-system 38 | 39 | values: 40 | image: 41 | repository: ghcr.io/recyclarr/recyclarr 42 | tag: 7.4.1@sha256:759540877f95453eca8a26c1a93593e783a7a824c324fbd57523deffb67f48e1 43 | 44 | controller: 45 | type: statefulset 46 | annotations: 47 | reloader.stakater.com/auto: "true" 48 | 49 | initContainers: 50 | 01-init-config: 51 | image: docker.io/library/alpine:3.22.0@sha256:8a1f59ffb675680d47db6337b49d22281a139e9d709335b492be023728e11715 52 | imagePullPolicy: IfNotPresent 53 | command: 54 | - /bin/sh 55 | - -c 56 | - cp /tmp/config/recyclarr.yml /config/recyclarr.yml 57 | volumeMounts: 58 | - name: config-file 59 | mountPath: /tmp/config 60 | - name: config 61 | mountPath: /config 62 | 63 | podSecurityContext: 64 | runAsUser: 568 65 | runAsGroup: 568 66 | fsGroup: 568 67 | fsGroupChangePolicy: "OnRootMismatch" 68 | 69 | env: 70 | TZ: ${TIMEZONE} 71 | http_proxy: ${HTTP_PROXY} 72 | https_proxy: ${HTTP_PROXY} 73 | no_proxy: ${NO_PROXY} 74 | 75 | envFrom: 76 | - secretRef: 77 | name: recyclarr-secrets 78 | 79 | service: 80 | main: 81 | enabled: false 82 | 83 | ingress: 84 | main: 85 | enabled: false 86 | 87 | persistence: 88 | config-file: 89 | enabled: true 90 | type: configMap 91 | name: recyclarr-configmap 92 | mountPath: "-" 93 | 94 | resources: 95 | requests: 96 | cpu: 100m 97 | memory: 128M 98 | limits: 99 | memory: 256M 100 | 101 | volumeClaimTemplates: 102 | - name: config 103 | mountPath: /config 104 | accessMode: ReadWriteOnce 105 | size: 1Gi 106 | storageClass: longhorn 107 | -------------------------------------------------------------------------------- /cluster/apps/recyclarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | namespace: recyclarr 5 | resources: 6 | - ./helmrelease.yaml 7 | - ./secrets.yaml 8 | configMapGenerator: 9 | - name: recyclarr-configmap 10 | files: 11 | - 
config/recyclarr.yml 12 | generatorOptions: 13 | disableNameSuffixHash: true 14 | annotations: 15 | kustomize.toolkit.fluxcd.io/substitute: disabled 16 | -------------------------------------------------------------------------------- /cluster/apps/sabnzbd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./secrets.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/sonarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - sonarr 6 | - sonarr-anime 7 | - sonarr-remux 8 | -------------------------------------------------------------------------------- /cluster/apps/sonarr/sonarr-anime/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/sonarr/sonarr-remux/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/sonarr/sonarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/speedtest/helmrelease.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: openspeedtest 6 | namespace: speedtest 7 | spec: 8 | interval: 1h 9 | maxHistory: 3 10 | dependsOn: 11 | - name: traefik 12 | namespace: traefik 13 | 14 | install: 15 | createNamespace: true 16 | remediation: 17 | retries: 3 18 | 19 | upgrade: 20 | cleanupOnFail: true 21 | remediation: 22 | retries: 3 23 | 24 | uninstall: 25 | keepHistory: false 26 | 27 | chart: 28 | spec: 29 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 30 | chart: app-template 31 | version: 1.5.1 32 | sourceRef: 33 | kind: HelmRepository 34 | name: bjw-s-charts 35 | namespace: flux-system 36 | 37 | values: 38 | image: 39 | repository: openspeedtest/latest 40 | tag: v2.0.6@sha256:a6a7e3b3e9e93cfe7b9b2eb49c60b2a93644149a0a600845d4df57148b193ff6 41 | 42 | ingress: 43 | main: 44 | enabled: true 45 | ingressClassName: traefik 46 | annotations: 47 | traefik.ingress.kubernetes.io/router.entrypoints: websecure 48 | traefik.ingress.kubernetes.io/router.middlewares: traefik-ext-speedtest-middlewares-chain@kubernetescrd 49 | traefik.ingress.kubernetes.io/router.tls.options: traefik-secure-tlsoptions@kubernetescrd 50 | hajimari.io/enable: "true" 51 | hajimari.io/icon: mdi:speedometer 52 | hajimari.io/group: network 53 | hosts: 54 | - host: &host speed.${DOMAIN} 55 | paths: 56 | - path: / 57 | pathType: Prefix 58 | tls: 59 | - hosts: 60 | - *host 61 | - secretName: nathanpawelek-com-tls 62 | ext: 63 | enabled: true 64 | ingressClassName: traefik 65 | annotations: 66 | traefik.ingress.kubernetes.io/router.entrypoints: websecure 67 | traefik.ingress.kubernetes.io/router.middlewares: traefik-ext-speedtest-middlewares-chain@kubernetescrd 68 | traefik.ingress.kubernetes.io/router.tls.options: traefik-secure-tlsoptions@kubernetescrd 69 | hajimari.io/enable: "false" 70 | hosts: 71 | - host: &host ext-speed.${DOMAIN} 72 | 
paths: 73 | - path: / 74 | pathType: Prefix 75 | tls: 76 | - hosts: 77 | - *host 78 | - secretName: nathanpawelek-com-tls 79 | 80 | service: 81 | main: 82 | ports: 83 | http: 84 | port: 3000 85 | protocol: TCP 86 | -------------------------------------------------------------------------------- /cluster/apps/speedtest/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /cluster/apps/traefik-forward-auth/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: traefik-forward-auth 6 | namespace: traefik 7 | spec: 8 | dependsOn: 9 | - name: traefik 10 | maxHistory: 3 11 | interval: 1h 12 | suspend: false 13 | releaseName: traefik-forward-auth 14 | chart: 15 | spec: 16 | # renovate: registryUrl=https://k8s-at-home.com/charts/ 17 | chart: traefik-forward-auth 18 | version: 2.2.2 19 | sourceRef: 20 | kind: HelmRepository 21 | name: k8s-at-home-charts 22 | namespace: flux-system 23 | values: 24 | fullnameOverride: traefik-forward-auth 25 | controller: 26 | enabled: true 27 | typ: deployment 28 | replicas: 3 29 | image: 30 | repository: thomseddon/traefik-forward-auth 31 | tag: 2.2.0 32 | pullPolicy: IfNotPresent 33 | podAnnotations: 34 | secret.reloader.stakater.com/reload: traefik-forward-auth-secrets 35 | middleware: 36 | enabled: false 37 | service: 38 | main: 39 | ports: 40 | http: 41 | port: 4181 42 | env: 43 | TZ: ${TIMEZONE} 44 | LOG_LEVEL: debug 45 | LOG_FORMAT: text 46 | DEFAULT_PROVIDER: google 47 | SECRET: 48 | valueFrom: 49 | secretKeyRef: 50 | name: traefik-forward-auth-secrets 51 | key: SECRET 52 | PROVIDERS_GOOGLE_CLIENT_ID: 53 | valueFrom: 54 | secretKeyRef: 55 | 
name: traefik-forward-auth-secrets 56 | key: CLIENT_ID 57 | PROVIDERS_GOOGLE_CLIENT_SECRET: 58 | valueFrom: 59 | secretKeyRef: 60 | name: traefik-forward-auth-secrets 61 | key: CLIENT_SECRET 62 | AUTH_HOST: 63 | valueFrom: 64 | secretKeyRef: 65 | name: traefik-forward-auth-secrets 66 | key: AUTH_HOST 67 | URL_PATH: 68 | valueFrom: 69 | secretKeyRef: 70 | name: traefik-forward-auth-secrets 71 | key: URL_PATH 72 | COOKIE_DOMAIN: 73 | valueFrom: 74 | secretKeyRef: 75 | name: traefik-forward-auth-secrets 76 | key: COOKIE_DOMAIN 77 | DOMAIN: 78 | valueFrom: 79 | secretKeyRef: 80 | name: traefik-forward-auth-secrets 81 | key: DOMAIN 82 | WHITELIST: 83 | valueFrom: 84 | secretKeyRef: 85 | name: traefik-forward-auth-secrets 86 | key: EMAIL 87 | affinity: 88 | podAntiAffinity: 89 | requiredDuringSchedulingIgnoredDuringExecution: 90 | - labelSelector: 91 | matchExpressions: 92 | - key: app.kubernetes.io/name 93 | operator: In 94 | values: 95 | - traefik-forward-auth 96 | topologyKey: kubernetes.io/hostname 97 | -------------------------------------------------------------------------------- /cluster/apps/traefik-forward-auth/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./secrets.yaml 6 | - ./helmrelease.yaml 7 | - ./middleware.yaml 8 | -------------------------------------------------------------------------------- /cluster/apps/traefik-forward-auth/middleware.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.io/v1alpha1 3 | kind: Middleware 4 | metadata: 5 | name: traefik-sso 6 | namespace: traefik 7 | spec: 8 | forwardAuth: 9 | address: http://traefik-forward-auth:4181 10 | authResponseHeaders: 11 | - X-Forwarded-User 12 | -------------------------------------------------------------------------------- /cluster/apps/traefik/helmrelease.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: traefik 6 | namespace: traefik 7 | spec: 8 | dependsOn: 9 | - name: cert-manager 10 | namespace: cert-manager 11 | maxHistory: 3 12 | interval: 1h 13 | suspend: false 14 | releaseName: traefik 15 | chart: 16 | spec: 17 | # renovate: registryUrl=https://traefik.github.io/charts 18 | chart: traefik 19 | version: 26.1.0 20 | sourceRef: 21 | kind: HelmRepository 22 | name: traefik-charts 23 | namespace: flux-system 24 | values: 25 | image: 26 | registry: public.ecr.aws 27 | repository: docker/library/traefik 28 | tag: 2.11.0 29 | deployment: 30 | kind: Deployment 31 | replicas: 2 32 | env: 33 | - name: TZ 34 | value: America/Chicago 35 | ingressClass: 36 | enabled: true 37 | isDefaultClass: true 38 | fallbackApiVersion: v1 39 | ingressRoute: 40 | dashboard: 41 | enabled: false 42 | globalArguments: 43 | - --global.checknewversion=false 44 | - --global.sendanonymoususage=false 45 | additionalArguments: 46 | - --metrics.prometheus.entrypoint=web 47 | # - --experimental.plugins.fail2ban.modulename=github.com/tomMoulard/fail2ban 48 | # - --experimental.plugins.fail2ban.version=v0.6.6 49 | ports: 50 | traefik: 51 | expose: false 52 | port: 9000 53 | protocol: TCP 54 | web: 55 | expose: true 56 | exposedPort: 80 57 | port: 8000 58 | protocol: TCP 59 | websecure: 60 | expose: true 61 | exposedPort: 443 62 | port: 8443 63 | protocol: TCP 64 | service: 65 | enabled: true 66 | type: LoadBalancer 67 | spec: 68 | loadBalancerIP: "${TRAEFIK_LB}" 69 | externalTrafficPolicy: Local 70 | dnsPolicy: ClusterFirst 71 | logs: 72 | general: 73 | level: WARN 74 | access: 75 | enabled: true 76 | pilot: 77 | enabled: false 78 | affinity: 79 | podAntiAffinity: 80 | requiredDuringSchedulingIgnoredDuringExecution: 81 | - labelSelector: 82 | matchExpressions: 83 | - key: app.kubernetes.io/name 84 | operator: In 85 | 
values: 86 | - traefik 87 | topologyKey: kubernetes.io/hostname 88 | -------------------------------------------------------------------------------- /cluster/apps/traefik/ingressroute.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.io/v1alpha1 3 | kind: IngressRoute 4 | metadata: 5 | name: web 6 | namespace: traefik 7 | spec: 8 | entryPoints: 9 | - web 10 | routes: 11 | - kind: Rule 12 | match: HostRegexp(`{any:.+}`) 13 | priority: 10 14 | services: 15 | - kind: TraefikService 16 | name: noop@internal 17 | middlewares: 18 | - name: redirect-https 19 | --- 20 | apiVersion: traefik.io/v1alpha1 21 | kind: IngressRoute 22 | metadata: 23 | name: websecure 24 | namespace: traefik 25 | spec: 26 | entryPoints: 27 | - websecure 28 | routes: 29 | - kind: Rule 30 | match: Host(`in.${DOMAIN}`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)) 31 | services: 32 | - kind: TraefikService 33 | name: api@internal 34 | middlewares: 35 | - name: default-middlewares-chain 36 | - match: Host(`in.${DOMAIN}`) && PathPrefix(`/ping`) 37 | kind: Rule 38 | services: 39 | - name: ping@internal 40 | kind: TraefikService 41 | middlewares: 42 | - name: default-middlewares-chain 43 | tls: 44 | secretName: nathanpawelek-com-tls 45 | options: 46 | name: secure-tlsoptions 47 | --- 48 | apiVersion: traefik.io/v1alpha1 49 | kind: IngressRoute 50 | metadata: 51 | name: traefik-forward-auth 52 | namespace: traefik 53 | spec: 54 | entryPoints: 55 | - websecure 56 | routes: 57 | - match: Host(`auth.${DOMAIN}`) 58 | kind: Rule 59 | services: 60 | - name: traefik-forward-auth 61 | namespace: traefik 62 | port: 4181 63 | middlewares: 64 | - name: traefik-sso 65 | tls: 66 | secretName: auth-nathanpawelek-com-tls 67 | options: 68 | name: secure-tlsoptions 69 | -------------------------------------------------------------------------------- /cluster/apps/traefik/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./ingressroute.yaml 7 | - ./middlewares.yaml 8 | - ./tlsoptions.yaml 9 | -------------------------------------------------------------------------------- /cluster/apps/traefik/tlsoptions.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: traefik.io/v1alpha1 3 | kind: TLSOption 4 | metadata: 5 | name: secure-tlsoptions 6 | namespace: traefik 7 | spec: 8 | sniStrict: true 9 | minVersion: VersionTLS12 10 | curvePreferences: 11 | - CurveP521 12 | - CurveP384 13 | -------------------------------------------------------------------------------- /cluster/apps/unmanic/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: unmanic 6 | namespace: unmanic 7 | spec: 8 | dependsOn: 9 | - name: longhorn 10 | namespace: longhorn-system 11 | - name: traefik 12 | namespace: traefik 13 | - name: intel-gpu-plugin 14 | namespace: kube-system 15 | chart: 16 | spec: 17 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 18 | chart: app-template 19 | version: 1.5.1 20 | sourceRef: 21 | kind: HelmRepository 22 | name: bjw-s-charts 23 | namespace: flux-system 24 | interval: 1h 25 | values: 26 | image: 27 | repository: josh5/unmanic 28 | tag: latest@sha256:d24fa03c1155e78c76ed5b24c46ec120aa1a58bde1c3f2a4a835c24ebd15a07d 29 | 30 | podSecurityContext: 31 | # Required for passthrough of /dev/dri devices from NFD 32 | # https://dgpu-docs.intel.com/installation-guides/ubuntu/ubuntu-jammy-legacy.html 33 | supplementalGroups: 34 | - 44 35 | - 104 36 | - 109 37 | 38 | env: 39 | TZ: ${TIMEZONE} 40 | PUID: 568 41 | PGID: 568 42 | 43 | service: 44 | main: 45 | ports: 46 | http: 47 | 
port: 8888 48 | protocol: TCP 49 | 50 | ingress: 51 | main: 52 | enabled: true 53 | ingressClassName: traefik 54 | annotations: 55 | traefik.ingress.kubernetes.io/router.entrypoints: websecure 56 | traefik.ingress.kubernetes.io/router.middlewares: traefik-default-middlewares-chain@kubernetescrd 57 | traefik.ingress.kubernetes.io/router.tls.options: traefik-secure-tlsoptions@kubernetescrd 58 | hajimari.io/enable: "true" 59 | hajimari.io/icon: alpha-u-circle 60 | hajimari.io/group: media 61 | hosts: 62 | - host: &host unmanic.nathanpawelek.com 63 | paths: 64 | - path: / 65 | pathType: Prefix 66 | tls: 67 | - hosts: 68 | - *host 69 | - secretName: nathanpawelek-com-tls 70 | 71 | persistence: 72 | config: 73 | enabled: true 74 | existingClaim: unmanic-config 75 | library: 76 | enabled: true 77 | path: /volume1/media 78 | server: ${RACKNAS_ADDR} 79 | type: nfs 80 | cache: 81 | enabled: true 82 | type: emptyDir 83 | medium: Memory 84 | mountPath: /tmp/unmanic 85 | 86 | resources: 87 | requests: 88 | cpu: 100m 89 | gpu.intel.com/i915: 1 90 | memory: 2048M 91 | limits: 92 | cpu: 4 93 | gpu.intel.com/i915: 1 94 | memory: 16G 95 | 96 | affinity: 97 | nodeAffinity: 98 | requiredDuringSchedulingIgnoredDuringExecution: 99 | nodeSelectorTerms: 100 | - matchExpressions: 101 | - key: intel.feature.node.kubernetes.io/igpu 102 | operator: In 103 | values: 104 | - "true" 105 | - key: kubernetes.io/hostname 106 | operator: In 107 | values: 108 | - donnager 109 | - hammurabi 110 | -------------------------------------------------------------------------------- /cluster/apps/unmanic/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./pvc.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/unmanic/pvc.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: unmanic-config 6 | namespace: unmanic 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | storageClassName: longhorn 14 | -------------------------------------------------------------------------------- /cluster/apps/uptime/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: uptime 6 | namespace: uptime 7 | spec: 8 | interval: 1h 9 | maxHistory: 3 10 | 11 | dependsOn: 12 | - name: longhorn 13 | namespace: longhorn-system 14 | - name: traefik 15 | namespace: traefik 16 | 17 | install: 18 | createNamespace: true 19 | remediation: 20 | retries: 3 21 | 22 | upgrade: 23 | cleanupOnFail: true 24 | remediation: 25 | retries: 3 26 | 27 | uninstall: 28 | keepHistory: false 29 | 30 | chart: 31 | spec: 32 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 33 | chart: app-template 34 | version: 1.5.1 35 | sourceRef: 36 | kind: HelmRepository 37 | name: bjw-s-charts 38 | namespace: flux-system 39 | 40 | values: 41 | fullnameOverride: uptime 42 | 43 | image: 44 | repository: louislam/uptime-kuma 45 | tag: 1.23.16-alpine 46 | 47 | controller: 48 | type: deployment 49 | annotations: 50 | reloader.stakater.com/auto: "true" 51 | 52 | env: 53 | TZ: ${TIMEZONE} 54 | UPTIME_KUMA_DISABLE_FRAME_SAMEORIGIN: 0 55 | 56 | service: 57 | main: 58 | ports: 59 | http: 60 | port: 3001 61 | protocol: TCP 62 | 63 | ingress: 64 | main: 65 | enabled: true 66 | ingressClassName: traefik 67 | annotations: 68 | traefik.ingress.kubernetes.io/router.entrypoints: websecure 69 | traefik.ingress.kubernetes.io/router.middlewares: traefik-default-middlewares-chain@kubernetescrd 70 | traefik.ingress.kubernetes.io/router.tls.options: 
traefik-secure-tlsoptions@kubernetescrd 71 | hajimari.io/enable: "true" 72 | hajimari.io/icon: robot 73 | hajimari.io/group: services 74 | hosts: 75 | - host: &host uptime.${DOMAIN} 76 | paths: 77 | - path: / 78 | pathType: Prefix 79 | tls: 80 | - hosts: 81 | - *host 82 | - secretName: nathanpawelek-com-tls 83 | 84 | persistence: 85 | data: 86 | enabled: true 87 | existingClaim: uptime-data 88 | mountPath: /app/data 89 | 90 | resources: 91 | requests: 92 | memory: 100Mi 93 | cpu: 100m 94 | limits: 95 | memory: 250Mi 96 | -------------------------------------------------------------------------------- /cluster/apps/uptime/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./pvc.yaml 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /cluster/apps/uptime/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: uptime-data 6 | namespace: uptime 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 10Gi 13 | storageClassName: longhorn 14 | -------------------------------------------------------------------------------- /cluster/apps/ytdl-sub/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: ytdl-sub 6 | namespace: ytdl-sub 7 | spec: 8 | interval: 1h 9 | chart: 10 | spec: 11 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 12 | chart: app-template 13 | version: 1.5.1 14 | sourceRef: 15 | kind: HelmRepository 16 | name: bjw-s-charts 17 | namespace: flux-system 18 | values: 19 | controller: 20 | type: cronjob 21 | cronjob: 22 | schedule: "22 18 * * *" 23 
| # schedule: "@daily" # enable for testing 24 | ttlSecondsAfterFinished: 86400 25 | 26 | restartPolicy: OnFailure 27 | 28 | image: 29 | repository: ghcr.io/jmbannon/ytdl-sub 30 | tag: 2025.06.01@sha256:6cf97da47f4a87a83f28c19f9e16e70007629acc087311b2090452a2ca2aa37f 31 | 32 | command: 33 | - ytdl-sub 34 | - --log-level 35 | - debug 36 | - -c 37 | - /config/config.yaml 38 | - sub 39 | - /config/subscriptions.yaml 40 | 41 | env: 42 | # http_proxy: ${HTTP_PROXY} 43 | # https_proxy: ${HTTP_PROXY} 44 | TZ: ${TIMEZONE} 45 | PUID: 1024 46 | PGID: 100 47 | 48 | service: 49 | main: 50 | enabled: false 51 | 52 | ingress: 53 | main: 54 | enabled: false 55 | 56 | persistence: 57 | config: 58 | enabled: true 59 | type: configMap 60 | name: config 61 | mountPath: /config 62 | readOnly: true 63 | defaultMode: 0755 64 | library: 65 | enabled: true 66 | mountPath: /library/YouTube 67 | path: /volume1/media/YouTube 68 | server: ${RACKNAS_ADDR} 69 | type: nfs 70 | tmp: 71 | enabled: true 72 | type: emptyDir 73 | medium: Memory 74 | mountPath: /tmp/ytdl-sub 75 | 76 | resources: 77 | requests: 78 | cpu: 100m 79 | memory: 128M 80 | limits: 81 | memory: 32G 82 | -------------------------------------------------------------------------------- /cluster/apps/ytdl-sub/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./cm.yaml 6 | - ./helmrelease.yaml 7 | -------------------------------------------------------------------------------- /cluster/base/apps.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 3 | kind: Kustomization 4 | metadata: 5 | name: cluster-apps 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | dependsOn: 10 | - name: cluster-core 11 | path: ./cluster/apps 12 | prune: true 13 | sourceRef: 14 | kind: GitRepository 15 | 
name: flux-system 16 | postBuild: 17 | substitute: {} 18 | substituteFrom: 19 | - kind: ConfigMap 20 | name: cluster-settings 21 | -------------------------------------------------------------------------------- /cluster/base/cluster-settings.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | namespace: flux-system 6 | name: cluster-settings 7 | data: 8 | DOMAIN: nathanpawelek.com 9 | AWS_REGION: us-east-1 10 | METALLB_ADDR_RANGE: 192.168.0.10-192.168.0.19 11 | ADGUARD_LB: 192.168.0.10 12 | NTPD_LB: 192.168.0.12 13 | HOME_ASSISTANT_LB: 192.168.0.13 14 | MOSQUITTO_LB: 192.168.0.14 15 | TRAEFIK_LB: 192.168.0.15 16 | EMQX_LB: 192.168.0.16 17 | PROXY_LB: 192.168.0.17 18 | DERPNAS_ADDR: 192.168.0.150 19 | RACKNAS_ADDR: 192.168.0.151 20 | TIMEZONE: America/Chicago 21 | HTTP_PROXY: http://sabnzbd-proxy.sabnzbd.svc.cluster.local:8888 22 | NO_PROXY: localhost,127.0.0.1,.cluster.local,.nathanpawelek.com 23 | -------------------------------------------------------------------------------- /cluster/base/core.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 3 | kind: Kustomization 4 | metadata: 5 | name: cluster-core 6 | namespace: flux-system 7 | spec: 8 | dependsOn: 9 | - name: cluster-crds 10 | interval: 10m0s 11 | path: ./cluster/core 12 | prune: false 13 | sourceRef: 14 | kind: GitRepository 15 | name: flux-system 16 | postBuild: 17 | substitute: {} 18 | substituteFrom: 19 | - kind: ConfigMap 20 | name: cluster-settings 21 | -------------------------------------------------------------------------------- /cluster/base/crds.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 3 | kind: Kustomization 4 | metadata: 5 | name: cluster-crds 6 | namespace: flux-system 7 | spec: 8 | dependsOn: 
9 | - name: flux-system-helm-repositories 10 | interval: 10m0s 11 | path: ./cluster/crds 12 | prune: true 13 | sourceRef: 14 | kind: GitRepository 15 | name: flux-system 16 | postBuild: 17 | substitute: {} 18 | substituteFrom: 19 | - kind: ConfigMap 20 | name: cluster-settings 21 | -------------------------------------------------------------------------------- /cluster/base/flux-system/gotk-sources.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 3 | kind: Kustomization 4 | metadata: 5 | name: flux-system-helm-repositories 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | path: ./cluster/base/flux-system/helm-repositories 10 | prune: true 11 | sourceRef: 12 | kind: GitRepository 13 | name: flux-system 14 | -------------------------------------------------------------------------------- /cluster/base/flux-system/gotk-sync.yaml: -------------------------------------------------------------------------------- 1 | # This manifest was generated by flux. DO NOT EDIT. 
2 | --- 3 | apiVersion: source.toolkit.fluxcd.io/v1beta2 4 | kind: GitRepository 5 | metadata: 6 | name: flux-system 7 | namespace: flux-system 8 | spec: 9 | interval: 1m0s 10 | ref: 11 | branch: master 12 | secretRef: 13 | name: flux-system 14 | url: ssh://git@github.com/npawelek/k8s-gitops 15 | --- 16 | apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 17 | kind: Kustomization 18 | metadata: 19 | name: flux-system 20 | namespace: flux-system 21 | spec: 22 | interval: 10m0s 23 | path: ./cluster/base 24 | prune: true 25 | sourceRef: 26 | kind: GitRepository 27 | name: flux-system 28 | -------------------------------------------------------------------------------- /cluster/base/flux-system/helm-repositories/authentik-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: authentik-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | url: https://charts.goauthentik.io 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/base/flux-system/helm-repositories/bitnami-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: bitnami-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | url: https://charts.bitnami.com/bitnami 10 | -------------------------------------------------------------------------------- /cluster/base/flux-system/helm-repositories/bitnami-labs-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: bitnami-labs-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m 9 | url: https://bitnami-labs.github.io/sealed-secrets 10 | timeout: 3m 11 
| -------------------------------------------------------------------------------- /cluster/base/flux-system/helm-repositories/bjw-s-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: bjw-s-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://bjw-s.github.io/helm-charts/ 10 | -------------------------------------------------------------------------------- /cluster/base/flux-system/helm-repositories/emqx-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: emqx-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 1h 9 | url: https://repos.emqx.io/charts 10 | -------------------------------------------------------------------------------- /cluster/base/flux-system/helm-repositories/hajimari-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: hajimari-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | url: https://hajimari.io 10 | -------------------------------------------------------------------------------- /cluster/base/flux-system/helm-repositories/jetstack-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: jetstack-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | url: https://charts.jetstack.io 10 | -------------------------------------------------------------------------------- /cluster/base/flux-system/helm-repositories/k8s-at-home-charts.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: k8s-at-home-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | url: https://k8s-at-home.com/charts/ 10 | timeout: 3m0s 11 | -------------------------------------------------------------------------------- /cluster/base/flux-system/helm-repositories/kubernetes-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: kubernetes-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | url: https://charts.helm.sh/stable 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/base/flux-system/helm-repositories/kubernetes-sigs-metrics-server.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: kubernetes-sigs-metrics-server 6 | namespace: flux-system 7 | spec: 8 | interval: 30m 9 | url: https://kubernetes-sigs.github.io/metrics-server/ 10 | timeout: 3m 11 | -------------------------------------------------------------------------------- /cluster/base/flux-system/helm-repositories/longhorn-charts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: HelmRepository 4 | metadata: 5 | name: longhorn-charts 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | url: https://charts.longhorn.io 10 | timeout: 3m0s 11 | -------------------------------------------------------------------------------- /cluster/base/flux-system/helm-repositories/node-feature-discovery.yaml: 
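--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: node-feature-discovery
  namespace: flux-system
spec:
  interval: 2h
  url: https://kubernetes-sigs.github.io/node-feature-discovery/charts
--------------------------------------------------------------------------------
/cluster/base/flux-system/helm-repositories/stakater-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: stakater-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://stakater.github.io/stakater-charts
  timeout: 3m
--------------------------------------------------------------------------------
/cluster/base/flux-system/helm-repositories/traefik-charts.yaml:
--------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: traefik-charts
  namespace: flux-system
spec:
  interval: 10m0s
  url: https://traefik.github.io/charts
--------------------------------------------------------------------------------
/cluster/base/flux-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./gotk-components.yaml
  - ./gotk-sync.yaml
  - ./gotk-sources.yaml
patches:
  # Raise the source-controller memory limit; the bootstrap manifests keep their
  # default otherwise.
  - patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: source-controller
        namespace: flux-system
      spec:
        template:
          spec:
            containers:
              - name: manager
                resources:
                  limits:
                    memory: 2Gi
--------------------------------------------------------------------------------
/cluster/core/cert-manager/certificates.yaml:
--------------------------------------------------------------------------------
---
# Wildcard certificate for the whole domain. Its secret is fanned out to most
# namespaces by the reflector Deployment below, so any workload that can read
# secrets in one of those namespaces can read the wildcard private key.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nathanpawelek-com
  namespace: cert-manager
spec:
  secretName: nathanpawelek-com-tls
  duration: 2160h
  renewBefore: 576h
  privateKey:
    # A fresh key on every renewal limits the window in which a leaked copy is useful.
    rotationPolicy: Always
    size: 4096
    algorithm: RSA
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - "*.${DOMAIN}"
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: auth-nathanpawelek-com
  namespace: traefik
spec:
  secretName: auth-nathanpawelek-com-tls
  duration: 2160h
  renewBefore: 576h
  privateKey:
    rotationPolicy: Always
    size: 384
    algorithm: ECDSA
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - "auth.${DOMAIN}"
--------------------------------------------------------------------------------
/cluster/core/cert-manager/cronjob/cronjob-cm.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ssh-config
  namespace: cert-manager
data:
  # The clone-repo init container of the CronJob below fetches, over SSH, the
  # Ansible playbook that the job then runs with access to cert-manager
  # secrets. The pod's ~/.ssh is not persisted between runs, so "trust on first
  # use" would accept any key on every run; the GitHub host key is therefore
  # pinned and verification for that host is strict. The catch-all entry keeps
  # the previous policy for the playbook's own SSH targets; pin those here too
  # once their keys are known.
  config: |-
    Host github.com
      StrictHostKeyChecking yes
      UserKnownHostsFile /root/.ssh/known_hosts
    Host *
      StrictHostKeyChecking no
  # Fill in from GitHub's published SSH host key fingerprints, verified out of
  # band. Until it is populated, the clone fails closed with
  # "Host key verification failed" rather than connecting unverified.
  known_hosts: |-
    github.com ssh-ed25519 <GITHUB_ED25519_HOST_KEY_PLACEHOLDER>
--------------------------------------------------------------------------------
/cluster/core/cert-manager/cronjob/cronjob-rbac.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: letsencrypt-ansible
  namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: letsencrypt-secret-role
  namespace: cert-manager
# Read access to every secret in the cert-manager namespace, which includes
# the wildcard TLS key and the AWS credentials. If the playbook only needs the
# issued certificate secret(s), narrowing this with resourceNames would shrink
# what a compromised job run can read (verify against the playbook first).
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: letsencrypt-secret-binding
  namespace: cert-manager
subjects:
  - kind: ServiceAccount
    name: letsencrypt-ansible
    apiGroup: ""
    namespace: cert-manager
roleRef:
  kind: Role
  name: letsencrypt-secret-role
  apiGroup: rbac.authorization.k8s.io
--------------------------------------------------------------------------------
/cluster/core/cert-manager/cronjob/cronjob.yaml:
--------------------------------------------------------------------------------
---
# Weekly job: clone the distribution playbook, then run it so the Let's Encrypt
# certificate reaches hosts outside the cluster.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: distribute-letsencrypt-certs
  namespace: cert-manager
spec:
  schedule: "0 0 * * 1"
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 3
  successfulJobsHistoryLimit: 3
  jobTemplate:
    spec:
      activeDeadlineSeconds: 600
      backoffLimit: 2
      template:
        spec:
          initContainers:
            - name: clone-repo
              image: docker.io/library/alpine:3.22.0@sha256:8a1f59ffb675680d47db6337b49d22281a139e9d709335b492be023728e11715
              command:
                - sh
                - -c
                - |
                  set -e
                  apk add --update git openssh-client
                  # The clone follows the repository's default branch; whatever
                  # is at its head is executed by the ansible container below.
                  git clone git@github.com:npawelek/letsencrypt-distribute.git /repo
              volumeMounts:
                - name: repo-dir
                  mountPath: /repo
                - name: ssh-key
                  mountPath: /root/.ssh/id_rsa
                  subPath: id_rsa
                  readOnly: true
                - name: ssh-config
                  mountPath: /root/.ssh/config
                  subPath: config
                  readOnly: true
                # Pinned GitHub host key; referenced by UserKnownHostsFile in the config above.
                - name: ssh-config
                  mountPath: /root/.ssh/known_hosts
                  subPath: known_hosts
                  readOnly: true
          containers:
            - name: ansible
              # TODO(security): pin this to an immutable tag@sha256 digest like the
              # init container image; ":latest" is re-resolved on every run.
              image: npawelek/ansible-docker:latest
              workingDir: /repo/ansible
              command:
                - ansible-playbook
              args:
                - main.yml
              volumeMounts:
                - name: repo-dir
                  mountPath: /repo
                - name: ssh-key
                  mountPath: /root/.ssh/id_rsa
                  subPath: id_rsa
                  readOnly: true
                - name: ssh-config
                  mountPath: /root/.ssh/config
                  subPath: config
                  readOnly: true
                - name: ssh-config
                  mountPath: /root/.ssh/known_hosts
                  subPath: known_hosts
                  readOnly: true
          volumes:
            - name: ssh-key
              secret:
                secretName: cronjob-ssh-secrets
                # Private key is readable by the owner only.
                defaultMode: 0400
            - name: repo-dir
              emptyDir: {}
            - name: ssh-config
              configMap:
                name: ssh-config
          serviceAccountName: letsencrypt-ansible
          restartPolicy: OnFailure
--------------------------------------------------------------------------------
/cluster/core/cert-manager/cronjob/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./cronjob-email-secrets.yaml
  - ./cronjob-ssh-secrets.yaml
  - ./cronjob-cm.yaml
  - ./cronjob-rbac.yaml
  - ./cronjob.yaml
--------------------------------------------------------------------------------
/cluster/core/cert-manager/helmrelease.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  dependsOn:
    - name: sealed-secrets
      namespace: kube-system
  maxHistory: 3
  interval: 1h
  suspend: false
  releaseName: cert-manager
  chart:
    spec:
      # renovate: registryUrl=https://charts.jetstack.io
      chart: cert-manager
      version: v1.15.4
      sourceRef:
        kind: HelmRepository
        name: jetstack-charts
        namespace: flux-system
  values:
    installCRDs: false
    replicaCount: 3
    webhook:
      replicaCount: 3
      enabled: true
    cainjector:
      replicaCount: 3
    extraArgs:
      # DNS-01 self-checks go to public resolvers only, so a split-horizon
      # internal DNS view cannot make a challenge look ready before it is.
      - --dns01-recursive-nameservers-only
      - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
      # This option will delete tls secrets upon deletion of certificate object
      # - --enable-certificate-owner-ref
    volumeMounts:
      - mountPath: /.aws
        name: creds
        readOnly: true
    volumes:
      - name: creds
        secret:
          # Route53 credentials for the DNS-01 solver (see issuers.yaml).
          secretName: aws-credentials
    # prometheus:
    #   enabled: true
    #   servicemonitor:
    #     enabled: true
    #     prometheusInstance: monitoring
--------------------------------------------------------------------------------
/cluster/core/cert-manager/issuers.yaml:
--------------------------------------------------------------------------------
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: "domainadmin@${DOMAIN}"
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - selector:
          dnsZones:
            - "${DOMAIN}"
        dns01:
          route53:
            region: "${AWS_REGION}"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: "domainadmin@${DOMAIN}"
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - selector:
          dnsZones:
            - "${DOMAIN}"
        dns01:
          route53:
            region: "${AWS_REGION}"
--------------------------------------------------------------------------------
/cluster/core/cert-manager/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./secrets.yaml
  - ./certificates.yaml
  - ./helmrelease.yaml
  - ./issuers.yaml
  - cronjob
  - reflector
--------------------------------------------------------------------------------
/cluster/core/cert-manager/reflector/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./reflector-rbac.yaml
  - ./reflector.yaml
--------------------------------------------------------------------------------
/cluster/core/cert-manager/reflector/reflector-rbac.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-reflector
  namespace: cert-manager
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cert-reflector
rules:
  # "create" cannot be limited by resourceNames (the name is not known at
  # authorization time), and the copy lands in every non-excluded namespace,
  # so this rule is necessarily cluster-wide. It is the widest grant here.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - watch
  # Reading and updating are limited to the one secret being mirrored.
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - nathanpawelek-com-tls
    verbs:
      - get
      - patch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cert-reflector
subjects:
  - kind: ServiceAccount
    name: cert-reflector
    namespace: cert-manager
roleRef:
  kind: ClusterRole
  name: cert-reflector
  apiGroup: rbac.authorization.k8s.io
--------------------------------------------------------------------------------
/cluster/core/cert-manager/reflector/reflector.yaml:
--------------------------------------------------------------------------------
---
# Mirrors the wildcard TLS secret from cert-manager into every Active namespace
# not listed in EXCLUDED_NS: ns-watch copies it into namespaces as they appear,
# secret-watch re-copies it into all of them whenever the source secret changes
# (e.g. on renewal). Each copy carries the private key, so EXCLUDED_NS is the
# control over where that key ends up.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-reflector
  namespace: cert-manager
spec:
  replicas: 1
  revisionHistoryLimit: 0
  selector:
    matchLabels:
      app: cert-reflector
  template:
    metadata:
      labels:
        app: cert-reflector
    spec:
      serviceAccountName: cert-reflector
      nodeSelector:
        kubernetes.io/arch: amd64
      containers:
        - name: ns-watch
          image: public.ecr.aws/bitnami/kubectl:1.25.9
          command:
            - sh
            - -c
            - |
              set -e
              while true; do
                echo "$(date '+%Y-%m-%d %H:%M:%S') starting watch loop"
                kubectl get ns -w --field-selector=status.phase==Active --no-headers -o custom-columns=:metadata.name | \
                while read NS; do
                  # Exact whole-token match against the space-separated list. The
                  # previous `grep -vw` treated "-" as a word boundary, so a namespace
                  # such as "system" or "gpu" was wrongly excluded by "kube-system" /
                  # "intel-gpu".
                  case " $EXCLUDED_NS " in
                    *" $NS "*) continue ;;
                  esac
                  echo "$(date '+%Y-%m-%d %H:%M:%S') namespace - $NS"
                  # Strip the fields that tie the object to its source namespace before re-applying.
                  kubectl -n cert-manager get secret nathanpawelek-com-tls -o json | \
                  jq 'del(.metadata.namespace, .metadata.managedFields, .metadata.uid, .metadata.selfLink, .metadata.resourceVersion, .metadata.creationTimestamp)' | kubectl -n "$NS" apply -f -
                done
              done
          env:
            - name: EXCLUDED_NS
              value: "cert-manager kube-system kube-node-lease kube-public default rclone metallb-system intel-gpu flux-system"
          resources:
            limits:
              memory: 128Mi
              cpu: 128m
        - name: secret-watch
          image: public.ecr.aws/bitnami/kubectl:1.25.9
          command:
            - sh
            - -c
            - |
              set -e
              # Short delay before the first pass; presumably to let ns-watch start first.
              sleep 10
              while true; do
                echo "$(date '+%Y-%m-%d %H:%M:%S') starting watch loop"
                kubectl -n cert-manager get secret nathanpawelek-com-tls -w --no-headers -o custom-columns=:metadata.name | \
                while read SECRET; do
                  EXPORT=$(kubectl -n cert-manager get secret "$SECRET" -o json | jq 'del(.metadata.namespace, .metadata.managedFields, .metadata.uid, .metadata.selfLink, .metadata.resourceVersion, .metadata.creationTimestamp)')
                  for NS in $(kubectl get ns --field-selector=status.phase==Active --no-headers -o custom-columns=:metadata.name); do
                    # Same exact-token exclusion as in ns-watch.
                    case " $EXCLUDED_NS " in
                      *" $NS "*) continue ;;
                    esac
                    echo "$(date '+%Y-%m-%d %H:%M:%S') namespace - $NS"
                    echo "$EXPORT" | kubectl -n "$NS" apply -f -
                  done
                done
              done
          env:
            - name: EXCLUDED_NS
              value: "cert-manager kube-system kube-node-lease kube-public default rclone metallb-system intel-gpu flux-system"
          resources:
            limits:
              memory: 128Mi
              cpu: 128m
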
-------------------------------------------------------------------------------- /cluster/core/cert-manager/secrets.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: bitnami.com/v1alpha1 3 | kind: SealedSecret 4 | metadata: 5 | creationTimestamp: null 6 | name: aws-credentials 7 | namespace: cert-manager 8 | spec: 9 | encryptedData: 10 | config: 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 11 | credentials: AgAwpqIpUbLc37IpUsf84tGAAabWCwuNHfvEQtLBRphcuH/cKajXm2LtgNDUCD6ra8Ga7cxJ0mUckKXthwpDNJA1VSGQN5LCVHej77bt4NLqKePh2R2xOMdaW2BIQSV0NRP1QE+xtCj9au0qzjzF2g3ayEAuU0Nmp1PErpq9Q8alehtx0ojuKYeKmXddJT4Ws1Rl4ScgrciU0R003IZXzpjh708UFs4wqq5owSdHmdavraFJtRIDRazg5GRghcajJ0YIFcxdpatEyov5JIcubwnizCUlRs3fHR2X0o3+rbhxdivpsJwThWEDpuQ89xvu9mNhjRPaGjhxivWij2WVim2DwC7ipok4vNQ8pgVfln4VwVotr38LLlrS4XwuAiQHbygJ/Wyx8r5lqtDBi7STwEWL/WOM8geK18kGhAs233dsjzQH7bJ5CsEADdHodoXSo9/1dvNn1lXAZN9VDGTMLesBTZuZkL63uTb1Dt5KTQMB7/WDxgjnqZA7mQtPf4qyT1gNyWS4trS38h5eKexoBZyUj1K3EC9WU3WfGY8uReAmCQDmox61vULVlrg5C03I+x46SVH8rsfxmnpsEynosKC3BX00uhBPYjtMENDICAb7q/lcnDS74Jme7hHm7RMlr8q9PPrqBIpIeCSwk8auAAHaawQn2nGtQkJwircfxSfiamv9eAcdvgSoRqGlzQn1S4/2jeGIPwc1jrkZ5E3CWo8nMPP3sXn2JAjvMjkID5qoZnzFrwrTOJYt6VboCxWcAVlOUPoFByye5M1XGkjWSE2+Ph2pmdFYEtQhjrhgYQ7HM2sNfGUC2jDN1evK5nAl0+TzEJ5kI0PfWExyQdfKDh6AUXaXZg== 12 | template: 13 | data: null 14 | metadata: 15 | creationTimestamp: null 16 | name: aws-credentials 17 | namespace: cert-manager 18 | -------------------------------------------------------------------------------- /cluster/core/flux/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - notifications 6 | -------------------------------------------------------------------------------- /cluster/core/flux/notifications/kustomization.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - slack 6 | -------------------------------------------------------------------------------- /cluster/core/flux/notifications/slack/alerts.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: notification.toolkit.fluxcd.io/v1beta2 3 | kind: Alert 4 | metadata: 5 | name: homelab-slack-git 6 | namespace: flux-system 7 | spec: 8 | providerRef: 9 | name: slack 10 | eventSeverity: info 11 | eventSources: 12 | - kind: GitRepository 13 | name: '*' 14 | suspend: false 15 | --- 16 | apiVersion: notification.toolkit.fluxcd.io/v1beta2 17 | kind: Alert 18 | metadata: 19 | name: homelab-slack-kustomization 20 | namespace: flux-system 21 | spec: 22 | providerRef: 23 | name: slack 24 | eventSeverity: error 25 | eventSources: 26 | - kind: Kustomization 27 | name: '*' 28 | suspend: false 29 | --- 30 | apiVersion: notification.toolkit.fluxcd.io/v1beta2 31 | kind: Alert 32 | metadata: 33 | name: homelab-slack-helmreleases 34 | namespace: flux-system 35 | spec: 36 | providerRef: 37 | name: slack 38 | eventSeverity: info 39 | eventSources: 40 | - kind: HelmRelease 41 | namespace: '*' 42 | name: '*' 43 | suspend: false 44 | -------------------------------------------------------------------------------- /cluster/core/flux/notifications/slack/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./alerts.yaml 6 | - ./provider.yaml 7 | - ./slack-url-secret.yaml 8 | -------------------------------------------------------------------------------- /cluster/core/flux/notifications/slack/provider.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
notification.toolkit.fluxcd.io/v1beta2 3 | kind: Provider 4 | metadata: 5 | name: slack 6 | namespace: flux-system 7 | spec: 8 | type: slack 9 | channel: notifications 10 | secretRef: 11 | name: slack-url-secret 12 | -------------------------------------------------------------------------------- /cluster/core/flux/notifications/slack/slack-url-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: bitnami.com/v1alpha1 3 | kind: SealedSecret 4 | metadata: 5 | creationTimestamp: null 6 | name: slack-url-secret 7 | namespace: flux-system 8 | spec: 9 | encryptedData: 10 | address: 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 11 | template: 12 | data: null 13 | metadata: 14 | creationTimestamp: null 15 | name: slack-url-secret 16 | namespace: flux-system 17 | -------------------------------------------------------------------------------- /cluster/core/intel-gpu-plugin/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: intel-gpu-plugin 6 | namespace: kube-system 7 | spec: 8 | interval: 1h 9 | maxHistory: 3 10 | dependsOn: 11 | - name: node-feature-discovery 12 | namespace: kube-system 13 | 14 | install: 15 | createNamespace: true 16 | remediation: 17 | retries: 3 18 | 19 | upgrade: 20 | cleanupOnFail: true 21 | remediation: 22 | retries: 3 23 | 24 | uninstall: 25 | keepHistory: false 26 | 27 | chart: 28 | spec: 29 | # renovate: registryUrl=https://bjw-s.github.io/helm-charts 30 | chart: app-template 31 | version: 1.5.1 32 | sourceRef: 33 | kind: HelmRepository 34 | name: bjw-s-charts 35 | namespace: flux-system 36 | 37 | values: 38 | image: 39 | repository: docker.io/intel/intel-gpu-plugin 40 | tag: 0.28.0@sha256:a5f4bd2ebd62a57d59907ef3fb8bf56066f3ee27f20d9f03f0dd060090ff90b1 41 | pullPolicy: IfNotPresent 42 | 43 | controller: 44 | type: daemonset 45 
| strategy: RollingUpdate 46 | 47 | args: 48 | - -shared-dev-num 49 | - "2" 50 | 51 | affinity: 52 | nodeAffinity: 53 | requiredDuringSchedulingIgnoredDuringExecution: 54 | nodeSelectorTerms: 55 | - matchExpressions: 56 | - key: intel.feature.node.kubernetes.io/igpu 57 | operator: In 58 | values: 59 | - "true" 60 | - matchExpressions: 61 | - key: intel.feature.node.kubernetes.io/arc 62 | operator: In 63 | values: 64 | - "true" 65 | 66 | service: 67 | main: 68 | enabled: false 69 | 70 | ingress: 71 | main: 72 | enabled: false 73 | 74 | persistence: 75 | devfs: 76 | enabled: true 77 | type: hostPath 78 | hostPath: /dev/dri 79 | hostPathType: Directory 80 | readOnly: true 81 | sysfs: 82 | enabled: true 83 | type: hostPath 84 | hostPath: /sys/class/drm 85 | hostPathType: Directory 86 | readOnly: true 87 | kubeletsockets: 88 | enabled: true 89 | type: hostPath 90 | hostPathType: Directory 91 | hostPath: /var/lib/kubelet/device-plugins 92 | 93 | # TODO(intel-gpu-plugin): Add probes 94 | probes: 95 | liveness: 96 | enabled: false 97 | readiness: 98 | enabled: false 99 | startup: 100 | enabled: false 101 | 102 | resources: 103 | requests: 104 | cpu: 15m 105 | memory: 64M 106 | limits: 107 | memory: 64M 108 | -------------------------------------------------------------------------------- /cluster/core/intel-gpu-plugin/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /cluster/core/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespaces 6 | - sealed-secrets 7 | - flux 8 | - cert-manager 9 | - metallb 10 | - netpol 11 | - node-feature-discovery 12 | - reloader 13 | - 
intel-gpu-plugin 14 | - longhorn-system 15 | -------------------------------------------------------------------------------- /cluster/core/longhorn-system/README.md: -------------------------------------------------------------------------------- 1 | # Longhorn 2 | 3 | ## Node Labeling 4 | 5 | Ansible playbooks to deploy nodes will setup all the necessary aspects of 6 | Longhorn particular to the nodes, except for the Longhorn label: 7 | 8 | ``` 9 | k label node node.longhorn.io/create-default-disk=true 10 | ``` 11 | 12 | ## Reclaiming a `Released` volume 13 | 14 | Released volumes by default won't allow attaching to the existing PV. In order to resolve this, you can delete the PVC and patch the PV to ensure it's `Available`. 15 | 16 | ``` 17 | k delete pvc -n 18 | k patch pv -p '{"spec":{"claimRef": null}}' 19 | ``` 20 | -------------------------------------------------------------------------------- /cluster/core/longhorn-system/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: longhorn 6 | namespace: longhorn-system 7 | spec: 8 | releaseName: longhorn 9 | interval: 1h 10 | chart: 11 | spec: 12 | # renovate: registryUrl=https://charts.longhorn.io 13 | chart: longhorn 14 | version: 1.6.0 15 | sourceRef: 16 | kind: HelmRepository 17 | name: longhorn-charts 18 | namespace: flux-system 19 | values: 20 | persistence: 21 | defaultClass: true 22 | defaultClassReplicaCount: 3 23 | reclaimPolicy: Retain 24 | defaultSettings: 25 | backupstorePollInterval: 300 26 | backupTarget: nfs://${RACKNAS_ADDR}:/volume1/LonghornBackupstore 27 | createDefaultDiskLabeledNodes: true 28 | defaultDataLocality: best-effort 29 | guaranteedInstanceManagerCPU: 6 30 | nodeDownPodDeletionPolicy: delete-both-statefulset-and-deployment-pod 31 | concurrentAutomaticEngineUpgradePerNodeLimit: 1 32 | defaultDataPath: /var/lib/longhorn 33 | 
defaultReplicaCount: 3 34 | replicaSoftAntiAffinity: false 35 | storageMinimalAvailablePercentage: 10 36 | longhornConversionWebhook: 37 | replicas: 0 38 | longhornAdmissionWebhook: 39 | replicas: 0 40 | longhornRecoveryBackend: 41 | replicas: 0 42 | ingress: 43 | enabled: true 44 | host: longhorn.nathanpawelek.com 45 | path: / 46 | tls: true 47 | tlsSecret: nathanpawelek-com-tls 48 | annotations: 49 | traefik.ingress.kubernetes.io/router.entrypoints: websecure 50 | traefik.ingress.kubernetes.io/router.middlewares: traefik-default-middlewares-chain@kubernetescrd 51 | traefik.ingress.kubernetes.io/router.tls.options: traefik-secure-tlsoptions@kubernetescrd 52 | hajimari.io/enable: "true" 53 | hajimari.io/icon: cow 54 | hajimari.io/group: services 55 | hajimari.io/appName: longhorn 56 | -------------------------------------------------------------------------------- /cluster/core/longhorn-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | -------------------------------------------------------------------------------- /cluster/core/metallb/config-advertisement.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: metallb.io/v1beta1 3 | kind: L2Advertisement 4 | metadata: 5 | name: default 6 | namespace: metallb-system 7 | spec: 8 | ipAddressPools: 9 | - default 10 | -------------------------------------------------------------------------------- /cluster/core/metallb/config-pool.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: metallb.io/v1beta1 3 | kind: IPAddressPool 4 | metadata: 5 | name: default 6 | namespace: metallb-system 7 | spec: 8 | addresses: 9 | - 192.168.0.10-192.168.0.19 10 | -------------------------------------------------------------------------------- 
/cluster/core/metallb/helmrelease.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2beta1 3 | kind: HelmRelease 4 | metadata: 5 | name: metallb 6 | namespace: metallb-system 7 | spec: 8 | maxHistory: 3 9 | interval: 1h 10 | suspend: false 11 | releaseName: metallb 12 | chart: 13 | spec: 14 | # renovate: registryUrl=https://charts.bitnami.com/bitnami 15 | chart: metallb 16 | version: 4.14.2 17 | sourceRef: 18 | kind: HelmRepository 19 | name: bitnami-charts 20 | namespace: flux-system 21 | -------------------------------------------------------------------------------- /cluster/core/metallb/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - ./helmrelease.yaml 6 | - ./config-advertisement.yaml 7 | - ./config-pool.yaml 8 | -------------------------------------------------------------------------------- /cluster/core/namespaces/adguard.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: adguard 6 | labels: 7 | ns: adguard 8 | -------------------------------------------------------------------------------- /cluster/core/namespaces/autoscan.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: autoscan 6 | labels: 7 | ns: autoscan 8 | -------------------------------------------------------------------------------- /cluster/core/namespaces/aws-ddns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: aws-ddns 6 | labels: 7 | ns: aws-ddns 8 | -------------------------------------------------------------------------------- 
# Namespace manifests under cluster/core/namespaces, one Namespace per file,
# plus the Kustomization that lists them. Every namespace carries a custom
# `ns: <name>` label; the NetworkPolicies under cluster/core/netpol select
# peer namespaces with `namespaceSelector: matchLabels: ns: <name>`, so the
# label value must always equal the namespace name.
# NOTE(review): `ns:` is a user-managed label. The kube-system peers in the
# netpol files select on `kubernetes.io/metadata.name`, which the API server
# sets and keeps immutable; selecting on that label everywhere would remove
# one thing to keep in sync. Every netpol in the listing references `ns:`,
# so this is a coordinated change — confirm before doing it.
# ---- /cluster/core/namespaces/bazarr.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: bazarr
  labels:
    ns: bazarr
# ---- /cluster/core/namespaces/cert-manager.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
  labels:
    ns: cert-manager
# ---- /cluster/core/namespaces/galera.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: galera
  labels:
    ns: galera
# ---- /cluster/core/namespaces/hajimari.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: hajimari
  labels:
    ns: hajimari
# ---- /cluster/core/namespaces/home-automation.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: home-automation
  labels:
    ns: home-automation
# ---- /cluster/core/namespaces/jellyfin.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: jellyfin
  labels:
    ns: jellyfin
# ---- /cluster/core/namespaces/jellyseerr.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: jellyseerr
  labels:
    ns: jellyseerr
# ---- /cluster/core/namespaces/kustomization.yaml ----
# Order here is the apply order for the namespace set; cert-manager, traefik,
# metallb and longhorn-system come first. `./authentik.yaml` is commented out,
# so no authentik namespace is created by this Kustomization.
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # - ./authentik.yaml
  - ./cert-manager.yaml
  - ./traefik.yaml
  - ./metallb.yaml
  - ./longhorn-system.yaml
  - ./adguard.yaml
  - ./hajimari.yaml
  - ./galera.yaml
  - ./sonarr.yaml
  - ./radarr.yaml
  - ./home-automation.yaml
  - ./rclone.yaml
  - ./nginx.yaml
  - ./uptime.yaml
  - ./jellyfin.yaml
  - ./jellyseerr.yaml
  - ./unmanic.yaml
  - ./autoscan.yaml
  - ./ytdl-sub.yaml
  - ./prowlarr.yaml
  - ./recyclarr.yaml
  - ./sabnzbd.yaml
  - ./ntpd.yaml
  - ./aws-ddns.yaml
  - ./speedtest.yaml
  - ./bazarr.yaml
# ---- /cluster/core/namespaces/longhorn-system.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: longhorn-system
  labels:
    ns: longhorn-system
# ---- /cluster/core/namespaces/metallb.yaml ----
# File is metallb.yaml but the namespace it creates is metallb-system.
---
apiVersion: v1
kind: Namespace
metadata:
  name: metallb-system
  labels:
    ns: metallb-system
# ---- /cluster/core/namespaces/nginx.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: nginx
  labels:
    ns: nginx
# ---- /cluster/core/namespaces/ntpd.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: ntpd
  labels:
    ns: ntpd
# ---- /cluster/core/namespaces/prowlarr.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: prowlarr
  labels:
    ns: prowlarr
# ---- /cluster/core/namespaces/radarr.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: radarr
  labels:
    ns: radarr
# ---- /cluster/core/namespaces/rclone.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: rclone
  labels:
    ns: rclone
# ---- /cluster/core/namespaces/recyclarr.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: recyclarr
  labels:
    ns: recyclarr
# ---- /cluster/core/namespaces/sabnzbd.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: sabnzbd
  labels:
    ns: sabnzbd
# ---- /cluster/core/namespaces/sonarr.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: sonarr
  labels:
    ns: sonarr
# ---- /cluster/core/namespaces/speedtest.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: speedtest
  labels:
    ns: speedtest
# ---- /cluster/core/namespaces/traefik.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: traefik
  labels:
    ns: traefik
# ---- /cluster/core/namespaces/unmanic.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: unmanic
  labels:
    ns: unmanic
# ---- /cluster/core/namespaces/uptime.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: uptime
  labels:
    ns: uptime
# ---- /cluster/core/namespaces/ytdl-sub.yaml ----
---
apiVersion: v1
kind: Namespace
metadata:
  name: ytdl-sub
  labels:
    ns: ytdl-sub
# next file: /cluster/core/netpol/adguard.yaml
# ---- /cluster/core/netpol/adguard.yaml ----
# NOTE(review) on peer semantics, relevant to several files below: inside a
# `from:`/`to:` list every `-` item is an independent peer (OR). A
# `namespaceSelector` and a `podSelector` written in the SAME item are ANDed
# (matching pods in a matching namespace); written as two `-` items they are
# ORed, so `- namespaceSelector: {ns: X}` on its own admits every pod in
# namespace X, and `- podSelector: {...}` on its own admits matching pods in
# this policy's OWN namespace. The traefik peer in allow-adguard-ingress uses
# the one-item (AND) form; the uptime peer right after it, and a number of
# rules in the other files, use the two-item form. Rules where this widens
# access noticeably are flagged inline — confirm intent before tightening.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all # empty podSelector: every pod in the namespace; the policies below are allow-lists on top of this
  namespace: adguard
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-adguard-ingress
  namespace: adguard
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: adguard-home
  policyTypes:
    - Ingress
  ingress:
    # Web UI (3000/TCP) from the traefik pods only — one-item (AND) form.
    - from:
        - namespaceSelector:
            matchLabels:
              ns: traefik
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 3000
          protocol: TCP
    # Web UI from uptime — two-item (OR) form: any pod in the uptime namespace,
    # or a pod labelled uptime inside the adguard namespace.
    - from:
        - namespaceSelector:
            matchLabels:
              ns: uptime
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: uptime
      ports:
        - protocol: TCP
          port: 3000
    # DNS (53/UDP+TCP) from three IP ranges. NOTE(review): presumably the pod
    # CIDR, the service CIDR and the LAN — confirm; ipBlock peers match on
    # source IP, so nothing here is tied to a namespace or pod label.
    - from:
        - ipBlock:
            cidr: 10.32.0.0/12
        - ipBlock:
            cidr: 10.96.0.0/12
        - ipBlock:
            cidr: 192.168.0.0/16
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Web UI/API from home-assistant only — one-item (AND) form.
    - from:
        - namespaceSelector:
            matchLabels:
              ns: home-automation
          podSelector:
            matchLabels:
              app.kubernetes.io/name: home-assistant
      ports:
        - port: 3000
          protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-adguard-egress
  namespace: adguard
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: adguard-home
  egress:
    # Cluster DNS. `kubernetes.io/metadata.name` is the API-server-managed
    # namespace label, unlike the custom `ns:` label used elsewhere.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Internet only (RFC 1918 ranges carved out): HTTP/HTTPS for lists and
    # updates, and 853/TCP, the registered DNS-over-TLS port — presumably the
    # upstream resolvers, confirm.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - port: 443
          protocol: TCP
        - port: 80
          protocol: TCP
        - port: 853
          protocol: TCP
# ---- /cluster/core/netpol/aws-ddns.yaml ----
# Egress-only workload: deny-all plus an egress allow-list, no ingress policy,
# so with default-deny-all nothing can reach the aws-ddns pods.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: aws-ddns
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-aws-ddns-egress
  namespace: aws-ddns
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: aws-ddns
  egress:
    # DNS: kube-dns, the in-cluster AdGuard pods (AND form), and 192.168.0.10
    # (presumably a LAN resolver — confirm). The same three-peer DNS block is
    # repeated in most files below.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              ns: adguard
          podSelector:
            matchLabels:
              app.kubernetes.io/name: adguard-home
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - ipBlock:
            cidr: 192.168.0.10/32
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Internet HTTP/HTTPS only; private ranges excluded.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - port: 443
          protocol: TCP
        - port: 80
          protocol: TCP
# ---- /cluster/core/netpol/esphome.yaml ----
# No deny-all here: the home-automation namespace gets its default-deny-all
# from home-automation.yaml below, which selects every pod in the namespace.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-esphome-ingress
  namespace: home-automation
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: esphome
  policyTypes:
    - Ingress
  ingress:
    # Dashboard (6052/TCP). Both peers below are in the two-item (OR) form:
    # every pod in the traefik / uptime namespace is admitted, plus any pod in
    # home-automation carrying the traefik / uptime label.
    - from:
        - namespaceSelector:
            matchLabels:
              ns: traefik
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - protocol: TCP
          port: 6052
    - from:
        - namespaceSelector:
            matchLabels:
              ns: uptime
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: uptime
      ports:
        - protocol: TCP
          port: 6052
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-esphome-egress
  namespace: home-automation
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: esphome
  egress:
    # DNS: kube-dns, AdGuard pods (AND form), 192.168.0.10.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              ns: adguard
          podSelector:
            matchLabels:
              app.kubernetes.io/name: adguard-home
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - ipBlock:
            cidr: 192.168.0.10/32
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Device subnet (presumably the IoT VLAN — confirm) on 8266 and 6052/TCP.
    # No internet egress is granted to esphome; compile/OTA traffic stays
    # on this subnet.
    - to:
        - ipBlock:
            cidr: 192.168.10.0/24
      ports:
        - port: 8266
          protocol: TCP
        - port: 6052
          protocol: TCP
# ---- /cluster/core/netpol/fireboard2mqtt.yaml ----
# Egress-only bridge: no ingress policy, so the namespace deny-all blocks all
# inbound traffic to these pods.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-fireboard2mqtt-egress
  namespace: home-automation
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: fireboard2mqtt
  egress:
    # DNS: kube-dns, AdGuard pods (AND form), 192.168.0.10.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              ns: adguard
          podSelector:
            matchLabels:
              app.kubernetes.io/name: adguard-home
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - ipBlock:
            cidr: 192.168.0.10/32
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # MQTT (1883 plain, 8883 TLS). Two-item (OR) form: the first peer admits
    # every pod in home-automation on these ports, not only mosquitto. Since
    # this policy already lives in home-automation, `- podSelector` alone
    # would be enough to reach the mosquitto pods — NOTE(review): confirm.
    - to:
        - namespaceSelector:
            matchLabels:
              ns: home-automation
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: mosquitto
      ports:
        - port: 1883
          protocol: TCP
        - port: 8883
          protocol: TCP
    # A LAN broker at 192.168.0.14 (presumably — confirm), same two ports.
    - to:
        - ipBlock:
            cidr: 192.168.0.14/32
      ports:
        - port: 1883
          protocol: TCP
        - port: 8883
          protocol: TCP
    # Internet HTTPS only (the Fireboard cloud API, presumably).
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - port: 443
          protocol: TCP
# ---- /cluster/core/netpol/galera.yaml ----
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: galera
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-galera-ingress
  namespace: galera
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: mariadb-galera
  policyTypes:
    - Ingress
  ingress:
    # Cluster replication between galera members: 3306 (SQL), 4567 (group
    # communication), 4568 (IST), 4444 (SST). Two-item (OR) form: every pod
    # in the galera namespace is admitted, not only mariadb-galera pods.
    - from:
        - namespaceSelector:
            matchLabels:
              ns: galera
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: mariadb-galera
      ports:
        - protocol: TCP
          port: 3306
        - protocol: TCP
          port: 4567
        - protocol: TCP
          port: 4568
        - protocol: TCP
          port: 4444
    # NOTE(review): two-item (OR) form — EVERY pod in home-automation (esphome,
    # mosquitto, node-red, piper, whisper, …), not only home-assistant, may open
    # 3306 to the database. If only home-assistant should reach it, drop the
    # `-` before `podSelector` so both selectors apply to one peer (AND),
    # as done for the adguard peers in the egress policies.
    - from:
        - namespaceSelector:
            matchLabels:
              ns: home-automation
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: home-assistant
      ports:
        - protocol: TCP
          port: 3306
    # Health probe from uptime — same two-item (OR) form.
    - from:
        - namespaceSelector:
            matchLabels:
              ns: uptime
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: uptime
      ports:
        - protocol: TCP
          port: 3306
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-galera-egress
  namespace: galera
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: mariadb-galera
  egress:
    # DNS: kube-dns, AdGuard pods (AND form), 192.168.0.10.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              ns: adguard
          podSelector:
            matchLabels:
              app.kubernetes.io/name: adguard-home
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - ipBlock:
            cidr: 192.168.0.10/32
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Replication to the other members (mirror of the ingress rule, same
    # two-item form). No internet egress for the database.
    - to:
        - namespaceSelector:
            matchLabels:
              ns: galera
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: mariadb-galera
      ports:
        - protocol: TCP
          port: 3306
        - protocol: TCP
          port: 4567
        - protocol: TCP
          port: 4568
        - protocol: TCP
          port: 4444
# ---- /cluster/core/netpol/hajimari.yaml ----
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: hajimari
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-hajimari-ingress
  namespace: hajimari
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: hajimari
  policyTypes:
    - Ingress
  ingress:
    # 3000/TCP from traefik and from uptime, both in the two-item (OR) form.
    - from:
        - namespaceSelector:
            matchLabels:
              ns: traefik
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - protocol: TCP
          port: 3000
    - from:
        - namespaceSelector:
            matchLabels:
              ns: uptime
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: uptime
      ports:
        - protocol: TCP
          port: 3000
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-hajimari-egress
  namespace: hajimari
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: hajimari
  egress:
    # DNS: kube-dns, AdGuard pods (AND form), 192.168.0.10.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              ns: adguard
          podSelector:
            matchLabels:
              app.kubernetes.io/name: adguard-home
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - ipBlock:
            cidr: 192.168.0.10/32
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # 6443/TCP to three host addresses — presumably the control-plane nodes'
    # API-server endpoints (hajimari reads Ingress objects) — confirm. Pod
    # egress to the API server goes to the node IP, which is why this is an
    # ipBlock and not a namespace/pod peer.
    - to:
        - ipBlock:
            cidr: 192.168.0.21/32
        - ipBlock:
            cidr: 192.168.0.22/32
        - ipBlock:
            cidr: 192.168.0.23/32
      ports:
        - port: 6443
          protocol: TCP
# ---- /cluster/core/netpol/home-automation.yaml ----
# Namespace-wide deny-all for home-automation; the per-app files (esphome,
# fireboard2mqtt, piper, whisper, …) only add allow rules on top of it.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: home-automation
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
# ---- /cluster/core/netpol/kustomization.yaml ----
# NOTE(review): several entries here (traefik, traefik-forward-auth is shown;
# bazarr, emqx, home-assistant, jellyfin, jellyseerr, mosquitto, node-red,
# prowlarr, radarr, radarr-anime, radarr-remux, sabnzbd, sonarr*, traefik,
# ytdl-sub) do not appear in this excerpt of the listing. The deny-all
# policies for namespaces such as radarr and traefik are presumably in those
# files — confirm they exist, since kustomize fails on a missing resource.
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # - ./authentik.yaml
  - ./traefik.yaml
  - ./traefik-forward-auth.yaml
  - ./adguard.yaml
  - ./hajimari.yaml
  - ./galera.yaml
  - ./sonarr.yaml
  - ./sonarr-anime.yaml
  - ./sonarr-remux.yaml
  - ./radarr.yaml
  - ./radarr-anime.yaml
  - ./radarr-remux.yaml
  - ./radarr-trailers.yaml
  - ./home-automation.yaml
  - ./mosquitto.yaml
  - ./home-assistant.yaml
  - ./esphome.yaml
  - ./node-red.yaml
  - ./rclone.yaml
  - ./nginx.yaml
  - ./uptime.yaml
  - ./emqx.yaml
  - ./jellyfin.yaml
  - ./jellyseerr.yaml
  - ./autoscan.yaml
  - ./ytdl-sub.yaml
  - ./prowlarr.yaml
  - ./recyclarr.yaml
  - ./sabnzbd.yaml
  - ./ntpd.yaml
  - ./aws-ddns.yaml
  - ./piper.yaml
  - ./whisper.yaml
  - ./speedtest.yaml
  - ./bazarr.yaml
  - ./fireboard2mqtt.yaml
# ---- /cluster/core/netpol/nginx.yaml ----
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: nginx
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-nginx-ingress
  namespace: nginx
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: nginx
  policyTypes:
    - Ingress
  ingress:
    # 8080/TCP from traefik and from uptime, two-item (OR) form.
    - from:
        - namespaceSelector:
            matchLabels:
              ns: traefik
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - protocol: TCP
          port: 8080
    - from:
        - namespaceSelector:
            matchLabels:
              ns: uptime
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: uptime
      ports:
        - protocol: TCP
          port: 8080
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-nginx-egress
  namespace: nginx
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: nginx
  egress:
    # DNS: kube-dns, AdGuard pods (AND form), 192.168.0.10.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              ns: adguard
          podSelector:
            matchLabels:
              app.kubernetes.io/name: adguard-home
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - ipBlock:
            cidr: 192.168.0.10/32
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # NOTE(review): three LAN subnets with no `ports:` — every port and
    # protocol on those hosts is reachable from nginx (a reverse proxy for
    # LAN services, presumably). Listing the upstream ports would make this
    # rule as narrow as the rest of the file; confirm which upstreams exist.
    - to:
        - ipBlock:
            cidr: 192.168.0.0/24
        - ipBlock:
            cidr: 192.168.10.0/24
        - ipBlock:
            cidr: 192.168.20.0/24
    # Internet HTTPS only.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - port: 443
          protocol: TCP
/cluster/core/netpol/ntpd.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: default-deny-all 6 | namespace: ntpd 7 | spec: 8 | podSelector: {} 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | --- 13 | apiVersion: networking.k8s.io/v1 14 | kind: NetworkPolicy 15 | metadata: 16 | name: allow-ntpd-ingress 17 | namespace: ntpd 18 | spec: 19 | podSelector: 20 | matchLabels: 21 | app.kubernetes.io/name: ntpd 22 | policyTypes: 23 | - Ingress 24 | ingress: 25 | - ports: 26 | - protocol: UDP 27 | port: 123 28 | --- 29 | apiVersion: networking.k8s.io/v1 30 | kind: NetworkPolicy 31 | metadata: 32 | name: allow-ntpd-egress 33 | namespace: ntpd 34 | spec: 35 | policyTypes: 36 | - Egress 37 | podSelector: 38 | matchLabels: 39 | app.kubernetes.io/name: ntpd 40 | egress: 41 | - to: 42 | - namespaceSelector: 43 | matchLabels: 44 | kubernetes.io/metadata.name: kube-system 45 | podSelector: 46 | matchLabels: 47 | k8s-app: kube-dns 48 | ports: 49 | - port: 53 50 | protocol: UDP 51 | - port: 53 52 | protocol: TCP 53 | - to: 54 | - namespaceSelector: 55 | matchLabels: 56 | ns: adguard 57 | podSelector: 58 | matchLabels: 59 | app.kubernetes.io/name: adguard-home 60 | ports: 61 | - port: 53 62 | protocol: UDP 63 | - port: 53 64 | protocol: TCP 65 | - to: 66 | - ipBlock: 67 | cidr: 192.168.0.10/32 68 | ports: 69 | - port: 53 70 | protocol: UDP 71 | - port: 53 72 | protocol: TCP 73 | - to: 74 | - ipBlock: 75 | cidr: 0.0.0.0/0 76 | except: 77 | - 10.0.0.0/8 78 | - 172.16.0.0/12 79 | - 192.168.0.0/16 80 | ports: 81 | - port: 123 82 | protocol: UDP 83 | -------------------------------------------------------------------------------- /cluster/core/netpol/piper.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: allow-piper-ingress 6 | 
namespace: home-automation 7 | spec: 8 | podSelector: 9 | matchLabels: 10 | app.kubernetes.io/name: piper 11 | policyTypes: 12 | - Ingress 13 | ingress: 14 | - from: 15 | - namespaceSelector: 16 | matchLabels: 17 | ns: home-automation 18 | - podSelector: 19 | matchLabels: 20 | app.kubernetes.io/name: home-assistant 21 | ports: 22 | - protocol: TCP 23 | port: 10200 24 | - from: 25 | - namespaceSelector: 26 | matchLabels: 27 | ns: uptime 28 | - podSelector: 29 | matchLabels: 30 | app.kubernetes.io/name: uptime 31 | ports: 32 | - protocol: TCP 33 | port: 10200 34 | --- 35 | apiVersion: networking.k8s.io/v1 36 | kind: NetworkPolicy 37 | metadata: 38 | name: allow-piper-egress 39 | namespace: home-automation 40 | spec: 41 | policyTypes: 42 | - Egress 43 | podSelector: 44 | matchLabels: 45 | app.kubernetes.io/name: piper 46 | egress: 47 | - to: 48 | - namespaceSelector: 49 | matchLabels: 50 | kubernetes.io/metadata.name: kube-system 51 | podSelector: 52 | matchLabels: 53 | k8s-app: kube-dns 54 | ports: 55 | - port: 53 56 | protocol: UDP 57 | - port: 53 58 | protocol: TCP 59 | - to: 60 | - namespaceSelector: 61 | matchLabels: 62 | ns: adguard 63 | podSelector: 64 | matchLabels: 65 | app.kubernetes.io/name: adguard-home 66 | ports: 67 | - port: 53 68 | protocol: UDP 69 | - port: 53 70 | protocol: TCP 71 | - to: 72 | - ipBlock: 73 | cidr: 192.168.0.10/32 74 | ports: 75 | - port: 53 76 | protocol: UDP 77 | - port: 53 78 | protocol: TCP 79 | - to: 80 | - ipBlock: 81 | cidr: 192.168.10.0/24 82 | ports: 83 | - port: 8266 84 | protocol: TCP 85 | - port: 6052 86 | protocol: TCP 87 | - to: 88 | - ipBlock: 89 | cidr: 0.0.0.0/0 90 | except: 91 | - 10.0.0.0/8 92 | - 172.16.0.0/12 93 | - 192.168.0.0/16 94 | ports: 95 | - port: 443 96 | protocol: TCP 97 | -------------------------------------------------------------------------------- /cluster/core/netpol/radarr-trailers.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: allow-radarr-trailers-egress 6 | namespace: radarr 7 | spec: 8 | policyTypes: 9 | - Egress 10 | podSelector: 11 | matchLabels: 12 | app.kubernetes.io/name: radarr-trailers 13 | egress: 14 | - to: 15 | - namespaceSelector: 16 | matchLabels: 17 | kubernetes.io/metadata.name: kube-system 18 | podSelector: 19 | matchLabels: 20 | k8s-app: kube-dns 21 | ports: 22 | - port: 53 23 | protocol: UDP 24 | - port: 53 25 | protocol: TCP 26 | - to: 27 | - namespaceSelector: 28 | matchLabels: 29 | ns: adguard 30 | podSelector: 31 | matchLabels: 32 | app.kubernetes.io/name: adguard-home 33 | ports: 34 | - port: 53 35 | protocol: UDP 36 | - port: 53 37 | protocol: TCP 38 | - to: 39 | - ipBlock: 40 | cidr: 192.168.0.10/32 41 | ports: 42 | - port: 53 43 | protocol: UDP 44 | - port: 53 45 | protocol: TCP 46 | - to: 47 | - namespaceSelector: 48 | matchLabels: 49 | ns: radarr 50 | podSelector: 51 | matchLabels: 52 | app.kubernetes.io/name: radarr 53 | - namespaceSelector: 54 | matchLabels: 55 | ns: radarr 56 | podSelector: 57 | matchLabels: 58 | app.kubernetes.io/name: radarr-anime 59 | - namespaceSelector: 60 | matchLabels: 61 | ns: radarr 62 | podSelector: 63 | matchLabels: 64 | app.kubernetes.io/name: radarr-remux 65 | ports: 66 | - port: 7878 67 | protocol: TCP 68 | - to: 69 | - namespaceSelector: 70 | matchLabels: 71 | ns: sabnzbd 72 | podSelector: 73 | matchLabels: 74 | app.kubernetes.io/name: sabnzbd 75 | ports: 76 | - port: 8888 77 | protocol: TCP 78 | - to: 79 | - ipBlock: 80 | cidr: 0.0.0.0/0 81 | except: 82 | - 10.0.0.0/8 83 | - 172.16.0.0/12 84 | - 192.168.0.0/16 85 | ports: 86 | - port: 443 87 | protocol: TCP 88 | -------------------------------------------------------------------------------- /cluster/core/netpol/rclone.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: 
default-deny-all 6 | namespace: rclone 7 | spec: 8 | podSelector: {} 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | --- 13 | apiVersion: networking.k8s.io/v1 14 | kind: NetworkPolicy 15 | metadata: 16 | name: allow-rclone-egress 17 | namespace: rclone 18 | spec: 19 | policyTypes: 20 | - Egress 21 | podSelector: 22 | matchLabels: 23 | app.kubernetes.io/name: rclone-backup 24 | egress: 25 | - to: 26 | - namespaceSelector: 27 | matchLabels: 28 | kubernetes.io/metadata.name: kube-system 29 | podSelector: 30 | matchLabels: 31 | k8s-app: kube-dns 32 | ports: 33 | - port: 53 34 | protocol: UDP 35 | - port: 53 36 | protocol: TCP 37 | - to: 38 | - namespaceSelector: 39 | matchLabels: 40 | ns: adguard 41 | podSelector: 42 | matchLabels: 43 | app.kubernetes.io/name: adguard-home 44 | ports: 45 | - port: 53 46 | protocol: UDP 47 | - port: 53 48 | protocol: TCP 49 | - to: 50 | - ipBlock: 51 | cidr: 192.168.0.10/32 52 | ports: 53 | - port: 53 54 | protocol: UDP 55 | - port: 53 56 | protocol: TCP 57 | - to: 58 | - ipBlock: 59 | cidr: 0.0.0.0/0 60 | except: 61 | - 10.0.0.0/8 62 | - 172.16.0.0/12 63 | - 192.168.0.0/16 64 | ports: 65 | - port: 443 66 | protocol: TCP 67 | -------------------------------------------------------------------------------- /cluster/core/netpol/recyclarr.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: default-deny-all 6 | namespace: recyclarr 7 | spec: 8 | podSelector: {} 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | --- 13 | apiVersion: networking.k8s.io/v1 14 | kind: NetworkPolicy 15 | metadata: 16 | name: allow-recyclarr-egress 17 | namespace: recyclarr 18 | spec: 19 | policyTypes: 20 | - Egress 21 | podSelector: 22 | matchLabels: 23 | app.kubernetes.io/name: recyclarr 24 | egress: 25 | - to: 26 | - namespaceSelector: 27 | matchLabels: 28 | kubernetes.io/metadata.name: kube-system 29 | podSelector: 30 | 
matchLabels: 31 | k8s-app: kube-dns 32 | ports: 33 | - port: 53 34 | protocol: UDP 35 | - port: 53 36 | protocol: TCP 37 | - to: 38 | - namespaceSelector: 39 | matchLabels: 40 | ns: adguard 41 | podSelector: 42 | matchLabels: 43 | app.kubernetes.io/name: adguard-home 44 | ports: 45 | - port: 53 46 | protocol: UDP 47 | - port: 53 48 | protocol: TCP 49 | - to: 50 | - ipBlock: 51 | cidr: 192.168.0.10/32 52 | ports: 53 | - port: 53 54 | protocol: UDP 55 | - port: 53 56 | protocol: TCP 57 | - to: 58 | - namespaceSelector: 59 | matchLabels: 60 | ns: sabnzbd 61 | podSelector: 62 | matchLabels: 63 | app.kubernetes.io/name: sabnzbd 64 | ports: 65 | - port: 8888 66 | protocol: TCP 67 | - to: 68 | - namespaceSelector: 69 | matchLabels: 70 | ns: sonarr 71 | podSelector: 72 | matchLabels: 73 | app.kubernetes.io/name: sonarr 74 | - namespaceSelector: 75 | matchLabels: 76 | ns: sonarr 77 | podSelector: 78 | matchLabels: 79 | app.kubernetes.io/name: sonarr-anime 80 | - namespaceSelector: 81 | matchLabels: 82 | ns: sonarr 83 | podSelector: 84 | matchLabels: 85 | app.kubernetes.io/name: sonarr-remux 86 | ports: 87 | - port: 8989 88 | protocol: TCP 89 | - to: 90 | - namespaceSelector: 91 | matchLabels: 92 | ns: radarr 93 | podSelector: 94 | matchLabels: 95 | app.kubernetes.io/name: radarr 96 | - namespaceSelector: 97 | matchLabels: 98 | ns: radarr 99 | podSelector: 100 | matchLabels: 101 | app.kubernetes.io/name: radarr-anime 102 | - namespaceSelector: 103 | matchLabels: 104 | ns: radarr 105 | podSelector: 106 | matchLabels: 107 | app.kubernetes.io/name: radarr-remux 108 | ports: 109 | - port: 7878 110 | protocol: TCP 111 | -------------------------------------------------------------------------------- /cluster/core/netpol/speedtest.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: default-deny-all 6 | namespace: speedtest 7 | spec: 8 | podSelector: {} 9 
| policyTypes: 10 | - Ingress 11 | - Egress 12 | --- 13 | apiVersion: networking.k8s.io/v1 14 | kind: NetworkPolicy 15 | metadata: 16 | name: allow-speedtest-ingress 17 | namespace: speedtest 18 | spec: 19 | podSelector: 20 | matchLabels: 21 | app.kubernetes.io/name: openspeedtest 22 | policyTypes: 23 | - Ingress 24 | ingress: 25 | - from: 26 | - namespaceSelector: 27 | matchLabels: 28 | ns: traefik 29 | podSelector: 30 | matchLabels: 31 | app.kubernetes.io/name: traefik 32 | ports: 33 | - protocol: TCP 34 | port: 3000 35 | --- 36 | apiVersion: networking.k8s.io/v1 37 | kind: NetworkPolicy 38 | metadata: 39 | name: allow-speedtest-egress 40 | namespace: speedtest 41 | spec: 42 | policyTypes: 43 | - Egress 44 | podSelector: 45 | matchLabels: 46 | app.kubernetes.io/name: openspeedtest 47 | egress: 48 | - to: 49 | - namespaceSelector: 50 | matchLabels: 51 | kubernetes.io/metadata.name: kube-system 52 | podSelector: 53 | matchLabels: 54 | k8s-app: kube-dns 55 | ports: 56 | - port: 53 57 | protocol: UDP 58 | - port: 53 59 | protocol: TCP 60 | - to: 61 | - namespaceSelector: 62 | matchLabels: 63 | ns: adguard 64 | podSelector: 65 | matchLabels: 66 | app.kubernetes.io/name: adguard-home 67 | ports: 68 | - port: 53 69 | protocol: UDP 70 | - port: 53 71 | protocol: TCP 72 | - to: 73 | - ipBlock: 74 | cidr: 192.168.0.10/32 75 | ports: 76 | - port: 53 77 | protocol: UDP 78 | - port: 53 79 | protocol: TCP 80 | -------------------------------------------------------------------------------- /cluster/core/netpol/traefik-forward-auth.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: allow-traefik-forward-auth-ingress 6 | namespace: traefik 7 | spec: 8 | podSelector: 9 | matchLabels: 10 | app.kubernetes.io/name: traefik-forward-auth 11 | policyTypes: 12 | - Ingress 13 | ingress: 14 | - from: 15 | - podSelector: 16 | matchLabels: 17 | 
app.kubernetes.io/name: traefik 18 | ports: 19 | - protocol: TCP 20 | port: 4181 21 | - from: 22 | - namespaceSelector: 23 | matchLabels: 24 | ns: uptime 25 | - podSelector: 26 | matchLabels: 27 | app.kubernetes.io/name: uptime 28 | ports: 29 | - protocol: TCP 30 | port: 4181 31 | --- 32 | apiVersion: networking.k8s.io/v1 33 | kind: NetworkPolicy 34 | metadata: 35 | name: allow-traefik-forward-auth-egress 36 | namespace: traefik 37 | spec: 38 | policyTypes: 39 | - Egress 40 | podSelector: 41 | matchLabels: 42 | app.kubernetes.io/name: traefik-forward-auth 43 | egress: 44 | - to: 45 | - namespaceSelector: 46 | matchLabels: 47 | kubernetes.io/metadata.name: kube-system 48 | podSelector: 49 | matchLabels: 50 | k8s-app: kube-dns 51 | ports: 52 | - port: 53 53 | protocol: UDP 54 | - port: 53 55 | protocol: TCP 56 | - to: 57 | - namespaceSelector: 58 | matchLabels: 59 | ns: adguard 60 | podSelector: 61 | matchLabels: 62 | app.kubernetes.io/name: adguard-home 63 | ports: 64 | - port: 53 65 | protocol: UDP 66 | - port: 53 67 | protocol: TCP 68 | - to: 69 | - ipBlock: 70 | cidr: 192.168.0.10/32 71 | ports: 72 | - port: 53 73 | protocol: UDP 74 | - to: 75 | - ipBlock: 76 | cidr: 0.0.0.0/0 77 | except: 78 | - 10.0.0.0/8 79 | - 172.16.0.0/12 80 | - 192.168.0.0/16 81 | ports: 82 | - port: 443 83 | protocol: TCP 84 | -------------------------------------------------------------------------------- /cluster/core/netpol/uptime.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: default-deny-all 6 | namespace: uptime 7 | spec: 8 | podSelector: {} 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | --- 13 | apiVersion: networking.k8s.io/v1 14 | kind: NetworkPolicy 15 | metadata: 16 | name: allow-uptime-ingress 17 | namespace: uptime 18 | spec: 19 | podSelector: 20 | matchLabels: 21 | app.kubernetes.io/name: uptime 22 | policyTypes: 23 | - Ingress 24 | 
# (continued from the previous chunk: /cluster/core/netpol/uptime.yaml,
#  spec of allow-uptime-ingress)
  ingress:
    # NOTE(review): namespaceSelector and podSelector are SEPARATE peer
    # entries (OR): any pod in a namespace labelled ns=traefik is admitted,
    # and so is any pod in the uptime namespace labelled
    # app.kubernetes.io/name=traefik. For "the traefik pod in the traefik
    # namespace" nest podSelector under the namespaceSelector entry.
    - from:
        - namespaceSelector:
            matchLabels:
              ns: traefik
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - protocol: TCP
          port: 3001
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-uptime-egress
  namespace: uptime
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: uptime
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              ns: adguard
          podSelector:
            matchLabels:
              app.kubernetes.io/name: adguard-home
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - ipBlock:
            cidr: 192.168.0.10/32
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # NOTE(review): this rule has no `except` and no `ports`, so it permits
    # every protocol and port to every IPv4 address, including the RFC1918
    # ranges the other policies in this directory exclude. It also makes the
    # three DNS rules above redundant. A monitor may legitimately need to
    # probe LAN services, but if so, list the probed ranges/ports explicitly
    # (or at least exclude what it must never reach) so the default-deny in
    # this namespace still constrains the pod's egress.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
# ==== file: /cluster/core/netpol/whisper.yaml ====
# No default-deny in this file; the home-automation namespace's deny-all is
# presumably defined alongside its other apps - confirm.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-whisper-ingress
  namespace: home-automation
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: whisper
  policyTypes:
    - Ingress
  ingress:
    # NOTE(review): separate peer entries = OR. Because this policy is itself
    # in home-automation, the namespaceSelector alone already admits EVERY pod
    # in the namespace, and the home-assistant podSelector is subsumed by it.
    # If only Home Assistant should reach the STT port, put the podSelector in
    # the same entry as the namespaceSelector (AND), or drop the
    # namespaceSelector and keep the bare podSelector.
    - from:
        - namespaceSelector:
            matchLabels:
              ns: home-automation
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: home-assistant
      ports:
        - protocol: TCP
          port: 10300
    # NOTE(review): same OR pattern - any pod in a namespace labelled
    # ns=uptime, or any home-automation pod labelled uptime.
    - from:
        - namespaceSelector:
            matchLabels:
              ns: uptime
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: uptime
      ports:
        - protocol: TCP
          port: 10300
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-whisper-egress
  namespace: home-automation
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: whisper
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              ns: adguard
          podSelector:
            matchLabels:
              app.kubernetes.io/name: adguard-home
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - ipBlock:
            cidr: 192.168.0.10/32
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # NOTE(review): 8266/6052 to the 192.168.10.0/24 LAN are ESPHome's default
    # OTA/dashboard ports; this looks copied from an ESPHome-style policy.
    # Confirm the whisper pod really needs LAN egress here, otherwise remove
    # the rule (least privilege).
    - to:
        - ipBlock:
            cidr: 192.168.10.0/24
      ports:
        - port: 8266
          protocol: TCP
        - port: 6052
          protocol: TCP
    # Public HTTPS only (RFC1918 excluded), presumably for model downloads.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - port: 443
          protocol: TCP
# ==== file: /cluster/core/netpol/ytdl-sub.yaml ====
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ytdl-sub
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Egress-only workload: no ingress policy is defined, so the default-deny
# above keeps every inbound connection blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ytdl-sub-egress
  namespace: ytdl-sub
spec:
  policyTypes:
    - Egress
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ytdl-sub
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              ns: adguard
          podSelector:
            matchLabels:
              app.kubernetes.io/name: adguard-home
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - ipBlock:
            cidr: 192.168.0.10/32
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Single in-cluster peer: the sabnzbd pod in the sabnzbd namespace (AND
    # form). TODO confirm 8888 is the port that pod actually listens on.
    - to:
        - namespaceSelector:
            matchLabels:
              ns: sabnzbd
          podSelector:
            matchLabels:
              app.kubernetes.io/name: sabnzbd
      ports:
        - port: 8888
          protocol: TCP
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
      ports:
        - port: 443
          protocol: TCP
# ==== file: /cluster/core/node-feature-discovery/README.md ====
# Gathering pciId values

```shell
lspci -vmnn
# ... snippet ...
Device: 00:02.0
Class: VGA compatible controller [0300]
Vendor: Intel Corporation [8086]
Device: Iris Graphics 540 [1926]
SVendor: Intel Corporation [8086]
SDevice: Iris Graphics 540 [2063]
Rev: 0a
# ... snippet ...
```

```shell
lspci -nn |grep -Ei 'VGA|DISPLAY'
00:02.0 VGA compatible controller [0300]: Intel Corporation TigerLake-LP GT2 [Iris Xe Graphics] [8086:9a49] (rev 01)
31:00.0 VGA compatible controller [0300]: Intel Corporation Device [8086:56a2] (rev 08)
```
# ==== file: /cluster/core/node-feature-discovery/helmrelease.yaml ====
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: node-feature-discovery
  namespace: kube-system
spec:
  maxHistory: 3
  interval: 1h
  suspend: false

  install:
    crds: CreateReplace
    remediation:
      retries: 3

  upgrade:
    cleanupOnFail: true
    crds: CreateReplace
    remediation:
      retries: 3

  uninstall:
    keepHistory: false

  chart:
    spec:
      # NOTE(review): this annotation is regenerated by
      # hack/create-helmrelease-annotations.sh from the HelmRepository's
      # spec.url. The k8s-at-home chart repository has been archived upstream,
      # so if the HelmRepository named below now points elsewhere, rerun the
      # script so Renovate queries the right index for version bumps.
      # renovate: registryUrl=https://k8s-at-home.com/charts/
      chart: node-feature-discovery
      version: 0.15.0
      sourceRef:
        kind: HelmRepository
        name: node-feature-discovery
        namespace: flux-system

  values:
    worker:
      config:
        core:
          # Only these feature sources run on each node; the custom source is
          # what the NodeFeatureRule files under rules/ feed.
          sources: ["custom", "pci", "usb"]
        sources:
          usb:
            # USB class codes that may be turned into node labels; vendor and
            # device ids of matching devices become label values, so they are
            # readable by anyone who can list nodes.
            deviceClassWhitelist: ["02", "03", "0e", "ef", "fe", "ff"]
            deviceLabelFields: ["class", "vendor", "device"]
    master:
      replicaCount: 1
# ==== file: /cluster/core/node-feature-discovery/kustomization.yaml ====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
  - rules
# ==== file: /cluster/core/node-feature-discovery/rules/amd-igpu.yaml ====
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/nfd.k8s-sigs.io/nodefeaturerule_v1alpha1.json
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
  name: amd-igpu
spec:
  rules:
    # Labels a node when a PCI display controller (class 0300) from AMD
    # (vendor 1002) with device id 1636 is present; presumably the Renoir
    # integrated GPU - confirm against lspci output.
    - name: amd.igpu
      labels:
        amd.feature.node.kubernetes.io/igpu: "true"
      matchFeatures:
        - feature: pci.device
          matchExpressions:
            class: {op: In, value: ["0300"]}
            vendor: {op: In, value: ["1002"]}
            device: {op: In, value: ["1636"]}
# ==== file: /cluster/core/node-feature-discovery/rules/broadcom-ble.yaml ====
---
# NOTE(review): the only rule file without the yaml-language-server schema
# line, and the only one whose label is not vendor-prefixed
# (feature.node.kubernetes.io/broadcom-ble vs amd./intel.feature.node...).
# Harmless, but worth aligning so label selectors in HelmReleases stay uniform.
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
  name: broadcom-ble
spec:
  rules:
    # USB device match (no class constraint): vendor 0a5c / device 21e8 -
    # presumably a Broadcom Bluetooth adapter - confirm with lsusb.
    - name: broadcom.ble
      labels:
        feature.node.kubernetes.io/broadcom-ble: "true"
      matchFeatures:
        - feature: usb.device
          matchExpressions:
            vendor: {op: In, value: ["0a5c"]}
            device: {op: In, value: ["21e8"]}
# ==== file: /cluster/core/node-feature-discovery/rules/intel-arc.yaml ====
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/nfd.k8s-sigs.io/nodefeaturerule_v1alpha1.json
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
  name: intel-arc
spec:
  rules:
    # Matches the [8086:56a2] display controller shown in the README's lspci
    # output.
    - name: intel.arc
      labels:
        intel.feature.node.kubernetes.io/arc: "true"
      matchFeatures:
        - feature: pci.device
          matchExpressions:
            class: {op: In, value: ["0300"]}
            vendor: {op: In, value: ["8086"]}
            device: {op: In, value: ["56a2"]}
# ==== file: /cluster/core/node-feature-discovery/rules/intel-igpu.yaml ====
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/nfd.k8s-sigs.io/nodefeaturerule_v1alpha1.json
apiVersion: nfd.k8s-sigs.io/v1alpha1
kind: NodeFeatureRule
metadata:
  name: intel-igpu
spec:
  rules:
    # Matches the [8086:9a49] TigerLake-LP iGPU shown in the README's lspci
    # output.
    - name: intel.igpu
      labels:
        intel.feature.node.kubernetes.io/igpu: "true"
      matchFeatures:
        - feature: pci.device
          matchExpressions:
            class: {op: In, value: ["0300"]}
            vendor: {op: In, value: ["8086"]}
            device: {op: In, value: ["9a49"]}
# ==== file: /cluster/core/node-feature-discovery/rules/kustomization.yaml ====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./amd-igpu.yaml
  - ./intel-arc.yaml
  - ./intel-igpu.yaml
  - ./broadcom-ble.yaml
# ==== file: /cluster/core/reloader/helmrelease.yaml ====
---
# NOTE(review): unlike the other HelmReleases in this tree this one sets no
# maxHistory, install/upgrade remediation or uninstall.keepHistory; Flux
# defaults apply. Probably fine for reloader, but align if the omission is
# not deliberate.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: reloader
  namespace: kube-system
spec:
  interval: 1h
  chart:
    spec:
      # renovate: registryUrl=https://stakater.github.io/stakater-charts
      chart: reloader
      version: 1.0.121
      sourceRef:
        kind: HelmRepository
        name: stakater-charts
        namespace: flux-system
# ==== file: /cluster/core/reloader/kustomization.yaml ====
---
# (continued: /cluster/core/reloader/kustomization.yaml, after its leading ---)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
# ==== file: /cluster/core/sealed-secrets/helmrelease.yaml ====
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: sealed-secrets
  namespace: kube-system
spec:
  maxHistory: 3
  interval: 1h
  suspend: false
  releaseName: sealed-secrets
  chart:
    spec:
      # renovate: registryUrl=https://bitnami-labs.github.io/sealed-secrets
      chart: sealed-secrets
      version: 2.16.2
      sourceRef:
        kind: HelmRepository
        name: bitnami-labs-charts
        namespace: flux-system
  values:
    commandArgs:
      # NOTE(review): a renew period of 0 switches off the controller's
      # periodic sealing-key renewal, so every SealedSecret in the repo keeps
      # being decryptable by the same private key indefinitely. That avoids
      # re-sealing churn but concentrates risk in one key: make sure the key
      # Secret is backed up and that rotation/re-encryption is handled by a
      # deliberate manual process if this is intended.
      - --key-renew-period=0
# ==== file: /cluster/core/sealed-secrets/kustomization.yaml ====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
# ==== file: /cluster/crds/cert-manager/kustomization.yaml ====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # NOTE(review): the CRD manifest is fetched from a GitHub release asset at
  # every reconcile. The version is pinned, but release assets are not
  # immutable and there is no checksum here, unlike the sealed-secrets CRDs
  # which are vendored as a local crds.yaml. Consider vendoring this file too
  # (Renovate can still bump the version comment) so the applied CRDs are
  # what was reviewed in git.
  # renovate: registryUrl=https://charts.jetstack.io chart=cert-manager
  - https://github.com/jetstack/cert-manager/releases/download/v1.11.1/cert-manager.crds.yaml
# ==== file: /cluster/crds/kustomization.yaml ====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - sealed-secrets
# (continued: /cluster/crds/kustomization.yaml resources list)
  - cert-manager
  - traefik
# ==== file: /cluster/crds/sealed-secrets/kustomization.yaml ====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # Vendored CRD manifest, applied from git rather than fetched at runtime.
  - crds.yaml
# ==== file: /cluster/crds/traefik/crds.yaml ====
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
  name: traefik-crd-source
  namespace: flux-system
spec:
  interval: 1h
  url: https://github.com/traefik/traefik-helm-chart.git
  ref:
    # NOTE(review): a git tag can be moved upstream; if you want the applied
    # CRDs fixed to exactly what was reviewed, pin `commit:` alongside (or
    # instead of) the tag. Renovate keeps the tag current via the annotation.
    # renovate: registryUrl=https://helm.traefik.io/traefik chart=traefik
    tag: v26.1.0
  # Sparse checkout: everything is excluded except the chart's crds directory,
  # so nothing else from the chart repo can be applied by this source.
  ignore: |
    # exclude all
    /*
    # path to crds
    !/traefik/crds/
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: traefik-crds
  namespace: flux-system
spec:
  interval: 15m
  # prune: false means Flux never garbage-collects these CRDs even if they
  # disappear from the source - deleting a CRD would delete every custom
  # resource of that kind, so this is the safe setting for CRDs.
  prune: false
  sourceRef:
    kind: GitRepository
    name: traefik-crd-source
  # NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes
  # 1.22; on a current cluster these health checks reference an API version
  # that does not exist and will not report healthy. Use
  # apiextensions.k8s.io/v1 for every entry below (the same applies to the
  # entries that continue on the next chunk line).
  healthChecks:
    - apiVersion: apiextensions.k8s.io/v1beta1
      kind: CustomResourceDefinition
      name: ingressroutes.traefik.io
    - apiVersion: apiextensions.k8s.io/v1beta1
      kind: CustomResourceDefinition
      name: ingressroutetcps.traefik.io
    - apiVersion: apiextensions.k8s.io/v1beta1
      kind: CustomResourceDefinition
      name: ingressrouteudps.traefik.io
    - apiVersion: apiextensions.k8s.io/v1beta1
      kind: CustomResourceDefinition
      name: middlewares.traefik.io
    - apiVersion: apiextensions.k8s.io/v1beta1
      kind: CustomResourceDefinition
      name: middlewaretcps.traefik.io
    - apiVersion: apiextensions.k8s.io/v1beta1
      kind: CustomResourceDefinition
      name: serverstransports.traefik.io
# (continued: /cluster/crds/traefik/crds.yaml, remaining healthChecks of the
#  traefik-crds Flux Kustomization; see the v1beta1 note on the earlier entries)
    - apiVersion: apiextensions.k8s.io/v1beta1
      kind: CustomResourceDefinition
      name: tlsoptions.traefik.io
    - apiVersion: apiextensions.k8s.io/v1beta1
      kind: CustomResourceDefinition
      name: tlsstores.traefik.io
    - apiVersion: apiextensions.k8s.io/v1beta1
      kind: CustomResourceDefinition
      name: traefikservices.traefik.io
# ==== file: /cluster/crds/traefik/kustomization.yaml ====
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./crds.yaml
# ==== file: /hack/create-helmrelease-annotations.sh ====
#!/usr/bin/env bash
# Rewrites every HelmRelease under cluster/ in place so that the line before
# `chart: <name>` carries a `# renovate: registryUrl=<url>` annotation taken
# from the HelmRepository the release's sourceRef points at. Run from inside
# the repo; requires git and yq.
#
# NOTE(review): the script has no `set -euo pipefail`. If `git rev-parse`
# fails (run outside a checkout) REPO_ROOT is empty, CLUSTER_ROOT becomes
# /cluster and the glob below is evaluated there; adding the strict-mode line
# after the shebang would make that a clean abort instead.
shopt -s globstar

# shellcheck disable=SC2155
REPO_ROOT=$(git rev-parse --show-toplevel)
CLUSTER_ROOT="${REPO_ROOT}/cluster"
# Directory of HelmRepository manifests (one per file) that the release
# sourceRef names are matched against.
HELM_REPOSITORIES="${CLUSTER_ROOT}/base/flux-system/helm-repositories"

# Ensure yq exist
command -v yq >/dev/null 2>&1 || {
    echo >&2 "yq is not installed. Aborting."
    exit 1
}

# globstar makes ** recurse; every YAML file under cluster/ is a candidate.
for helm_release in "${CLUSTER_ROOT}"/**/*.yaml; do
    # ignore flux-system namespace
    # ignore wrong apiVersion
    # ignore non HelmReleases
    # The quoted right-hand side of =~ is a literal substring match on the
    # path, not a regex. The two yq calls read only the first YAML document
    # of a multi-document file.
    if [[ "${helm_release}" =~ "flux-system"
        || $(yq eval '.apiVersion' "${helm_release}") != "helm.toolkit.fluxcd.io/v2beta1"
        || $(yq eval '.kind' "${helm_release}") != "HelmRelease" ]]; then
        continue
    fi

    for helm_repository in "${HELM_REPOSITORIES}"/*.yaml; do
        chart_name=$(yq eval '.metadata.name' "${helm_repository}")
        chart_url=$(yq eval '.spec.url' "${helm_repository}")

        # only helmreleases where helm_release is related to chart_url
        if [[ $(yq eval '.spec.chart.spec.sourceRef.name' "${helm_release}") == "${chart_name}" ]]; then
            # delete "renovate: registryUrl=" line
            # Removes every matching line in the file, wherever it is.
            sed -i "/renovate: registryUrl=/d" "${helm_release}"
            # insert "renovate: registryUrl=" line
            # NOTE(review): `sed -i` without a suffix is GNU syntax (BSD/macOS
            # sed needs `-i ''`). The address matches every line containing
            # "chart: " followed by text - one line in the HelmReleases on
            # this page, but a file with several such lines would get the
            # annotation inserted before each. The indent is hard-coded to six
            # spaces, and chart_url is spliced into the sed script unescaped;
            # acceptable for repo-controlled HelmRepository URLs, but a URL
            # containing a backslash would be mangled.
            sed -i "/.*chart: .*/i \ \ \ \ \ \ # renovate: registryUrl=${chart_url}" "${helm_release}"
            echo "Annotated $(basename "${helm_release%.*}") with ${chart_name} for renovatebot..."
            break
        fi
    done
done
# ==== file: /kubectl ====
# NOTE(review): the dump shows a raw-content link instead of file contents,
# which indicates a binary committed at the repo root. A vendored kubectl
# binary carries no provenance or checksum in this tree; prefer installing it
# from a pinned, signed release (or record the expected sha256 next to it) so
# a tampered binary cannot be introduced silently through git history.
https://raw.githubusercontent.com/npawelek/k8s-gitops/d9ecea09800f7d292acb9c251d79dbaf1c1e80ae/kubectl
# ==== file: /kubectl-amd64 ====
# (same remark as /kubectl)
https://raw.githubusercontent.com/npawelek/k8s-gitops/d9ecea09800f7d292acb9c251d79dbaf1c1e80ae/kubectl-amd64