├── apps ├── .argocd-allow-concurrency ├── Chart.yaml ├── values.yaml └── templates │ └── app.yaml ├── argocd ├── .argocd-allow-concurrency ├── Chart.yaml └── templates │ ├── argocd-notifications-secret.yml │ └── argocd-oidc-secret.yaml ├── main ├── .argocd-allow-concurrency ├── homelab │ ├── .argocd-allow-concurrency │ ├── emqx │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ ├── secret-helm-values.yaml │ │ └── templates │ │ │ └── configmap.yaml │ ├── actual │ │ ├── .argocd-allow-concurrency │ │ └── Chart.yaml │ ├── airprint │ │ ├── .argocd-allow-concurrency │ │ ├── .helmignore │ │ └── Chart.yaml │ ├── cyberchef │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── values.yaml │ ├── frigate │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ ├── secret-helm-values.yaml │ │ └── templates │ │ │ └── noauth-ingress.yaml │ ├── kanboard │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── templates │ │ │ └── kanboard-secret.yaml │ ├── mealie │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── templates │ │ │ └── mealie-secret.yaml │ ├── minio │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ ├── secret-helm-values.yaml │ │ └── templates │ │ │ └── minio-secret.yaml │ ├── node-red │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── values.yaml │ ├── openttd │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── values.yaml │ ├── oscar │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ ├── templates │ │ │ └── cronjob.yaml │ │ └── values.yaml │ ├── planka │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── templates │ │ │ └── planka-secret.yaml │ ├── teslamate │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── templates │ │ │ └── teslamate-secret.yaml │ ├── webtrees │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── templates │ │ │ └── webtrees-secret.yaml │ ├── external-route │ │ ├── .argocd-allow-concurrency │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ └── templates │ │ │ └── 
external-route.yaml │ ├── gethomepage │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── templates │ │ │ └── http-route.yaml │ ├── home-assistant │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ ├── secret-helm-values.yaml │ │ └── templates │ │ │ ├── home-assistant-gcp-secret.yaml │ │ │ └── home-assistant-secret.yaml │ ├── tesla-dashcam │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── values.yaml │ ├── wyze-bridge │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── templates │ │ │ └── wyze-bridge-secret.yaml │ ├── zigbee2mqtt │ │ ├── .argocd-allow-concurrency │ │ └── Chart.yaml │ ├── zwavejs2mqtt │ │ ├── .argocd-allow-concurrency │ │ └── Chart.yaml │ ├── cloudflare-ddns │ │ ├── .argocd-allow-concurrency │ │ ├── values.yaml │ │ ├── templates │ │ │ ├── configmap.yaml │ │ │ ├── cloudflare-ddns-secret.yaml │ │ │ └── cronjob.yaml │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ └── script │ │ │ └── cloudflare-ddns.sh │ ├── external-ingress │ │ ├── .argocd-allow-concurrency │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ └── templates │ │ │ └── external-ingress.yaml │ ├── Chart.yaml │ ├── echo-server │ │ └── Chart.yaml │ ├── nomie │ │ ├── Chart.yaml │ │ └── values.yaml │ ├── matter-server │ │ └── Chart.yaml │ └── templates │ │ ├── argo-helm-secrets.yaml │ │ └── app.yaml ├── logs │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ ├── fluent-bit │ │ └── Chart.yaml │ ├── victoria-logs │ │ ├── Chart.yaml │ │ └── values.yaml │ ├── values.yaml │ └── templates │ │ ├── argo-helm-secrets.yaml │ │ └── app.yaml ├── monitoring │ ├── .argocd-allow-concurrency │ ├── karma │ │ ├── .argocd-allow-concurrency │ │ └── Chart.yaml │ ├── trivy │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── values.yaml │ ├── grafana │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── templates │ │ │ └── grafana-secret.yaml │ ├── influxdb │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── values.yaml │ ├── pushgateway │ │ ├── .argocd-allow-concurrency 
│ │ ├── Chart.yaml │ │ └── values.yaml │ ├── uptime-kuma │ │ ├── .argocd-allow-concurrency │ │ └── Chart.yaml │ ├── unifi-poller │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ ├── templates │ │ │ ├── prometheusrules.yaml │ │ │ └── unifi-poller-secret.yaml │ │ └── values.yaml │ ├── victoria-metrics │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ ├── secret-helm-values.yaml │ │ └── templates │ │ │ ├── dockerhub.yaml │ │ │ ├── ingress-nginx.yaml │ │ │ ├── oom.yaml │ │ │ ├── kured.yaml │ │ │ ├── victoria-metrics-secret.yaml │ │ │ └── server-tracker.yaml │ ├── alertmanager-discord │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ ├── .helmignore │ │ ├── templates │ │ │ └── alertmanager-discord-secret.yaml │ │ └── values.yaml │ ├── blackbox-exporter │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── templates │ │ │ └── http-route.yaml │ ├── speedtest-exporter │ │ ├── .argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── values.yaml │ ├── Chart.yaml │ └── templates │ │ └── argo-helm-secrets.yaml ├── Chart.yaml ├── values.yaml └── templates │ └── app.yaml ├── archive ├── vpa │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ └── values.yaml ├── dashy │ ├── .argocd-allow-concurrency │ └── Chart.yaml ├── firefly │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ └── values.yaml ├── grocy │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ └── values.yaml ├── heimdall │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ └── values.yaml ├── mariadb │ ├── .argocd-allow-concurrency │ ├── mariadb-secret.txt │ ├── Chart.yaml │ ├── templates │ │ └── mariadb-secret.yaml │ └── values.yaml ├── scrypted │ ├── .argocd-allow-concurrency │ └── Chart.yaml ├── traccar │ ├── .argocd-allow-concurrency │ ├── traccar-helm-values.yaml │ ├── traccar-secret.txt │ ├── Chart.yaml │ ├── templates │ │ └── traccar-secret.yaml │ └── values.yaml ├── goldilocks │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ └── values.yaml ├── vault │ ├── vault │ │ ├── 
.argocd-allow-concurrency │ │ ├── Chart.yaml │ │ └── values.yaml │ └── cert-manager-vault.yaml ├── vault-secrets-operator │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ └── values.yaml ├── change-detection │ ├── Chart.yaml │ └── values.yaml ├── mariadb.yaml ├── firefly.yaml ├── vpa.yaml └── goldilocks.yaml ├── infrastructure ├── reloader │ ├── values.yaml │ ├── .argocd-allow-concurrency │ └── Chart.yaml ├── .argocd-allow-concurrency ├── argocd-patch │ ├── values.yaml │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ ├── secret-helm-values.yaml │ └── templates │ │ ├── webhook-httproute.yaml │ │ └── webhook-ingress.yaml ├── kured │ ├── .argocd-allow-concurrency │ ├── secret-helm-values.yaml │ ├── Chart.yaml │ └── values.yaml ├── metallb │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ ├── templates │ │ └── bgp-pool.yaml │ └── values.yaml ├── spegel │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ └── values.yaml ├── cert-manager │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ ├── templates │ │ ├── referencegrant.yaml │ │ ├── cert-manager-cloudflare-api-key.yaml │ │ └── cert-manager-letsencrypt.yaml │ └── values.yaml ├── descheduler │ ├── .argocd-allow-concurrency │ └── Chart.yaml ├── longhorn │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ ├── templates │ │ ├── nfs-storageclass.yaml │ │ ├── servicemonitor.yaml │ │ └── longhorn-backup-secret.yaml │ └── values.yaml ├── oauth2-proxy │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ ├── templates │ │ └── oauth2-proxy-secret.yaml │ └── values.yaml ├── cloudnative-pg │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ ├── templates │ │ ├── service.yaml │ │ ├── postgres-minio-secret.yaml │ │ ├── scheduled-backup.yaml │ │ ├── postgres-superuser-secret.yaml │ │ └── custom-backup-cron.yaml │ └── values.yaml ├── envoy-gateway │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ ├── templates │ │ ├── gateway-classes │ │ │ └── gateway-class-standard.yaml │ │ ├── monitoring │ │ │ ├── servicemonitor-envoy-gateway.yaml 
│ │ │ └── podmonitor-envoy-proxy.yaml │ │ ├── routes │ │ │ ├── https-redirect.yaml │ │ │ ├── wildcard-internal.yaml │ │ │ └── wildcard-public.yaml │ │ ├── policies │ │ │ ├── backend-traffic-policy.yaml │ │ │ └── client-traffic-policy.yaml │ │ ├── envoy-proxies │ │ │ └── envoy-proxy-standard.yaml │ │ └── gateways │ │ │ ├── gateway-public.yaml │ │ │ └── gateway-internal.yaml │ └── values.yaml ├── ingress-nginx │ ├── .argocd-allow-concurrency │ └── Chart.yaml ├── intel-gpu-plugins │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ └── values.yaml ├── kube-cleanup-operator │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ └── values.yaml ├── node-feature-discovery │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ ├── templates │ │ ├── coral-device.yaml │ │ ├── gpu-device.yaml │ │ ├── radeon-device.yaml │ │ ├── geforce-device.yaml │ │ ├── zwave-device.yaml │ │ └── zigbee-device.yaml │ └── values.yaml ├── node-problem-detector │ ├── .argocd-allow-concurrency │ ├── Chart.yaml │ └── values.yaml ├── Chart.yaml ├── couchdb │ ├── Chart.yaml │ └── templates │ │ ├── couchdb-secret.yaml │ │ └── configmap.yaml ├── tailscale-gateway │ ├── Chart.yaml │ ├── templates │ │ ├── external-secret.yaml │ │ └── roles.yaml │ └── values.yaml ├── onepassword │ ├── values.yaml │ ├── Chart.yaml │ └── templates │ │ └── clustersecretstore.yaml ├── registry-creds │ ├── dockerhub.yaml │ └── dockerhub-registrycreds.yaml ├── step-issuer │ ├── Chart.yaml │ ├── secret-helm-values.yaml │ ├── templates │ │ └── step-wildcard-cert.yaml │ └── values.yaml ├── external-secrets │ ├── Chart.yaml │ └── values.yaml ├── step-certificates │ ├── Chart.yaml │ ├── values.yaml │ └── templates │ │ └── external-secret.yaml └── templates │ ├── argo-helm-secrets.yaml │ └── app.yaml ├── .gitignore ├── system-upgrade ├── kustomization.yaml └── README.md ├── .github ├── renovate │ ├── disabledDatasources.json5 │ ├── automerge-github-actions.json │ ├── commit-message.json │ ├── allowedVersions.json5 │ ├── pr-labels.json │ ├── 
grafanaDashboards.json5 │ ├── semantic-commits.json │ ├── autoMerge.json5 │ ├── versioning.json5 │ ├── groups.json5 │ └── custom-managers.json5 ├── lint │ ├── .yamllint.yaml │ └── .markdownlint.yaml ├── workflows │ └── publish-docs.yaml └── renovate.json5 ├── .pre-commit-config.yaml ├── setup └── bootstrap-objects.sh ├── docs ├── _snippets │ └── links.jinja2 └── installation │ ├── installing-kubernetes.md │ └── preparing-nodes.md └── README.md /apps/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /argocd/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /archive/vpa/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/reloader/values.yaml: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/logs/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /archive/dashy/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | 
-------------------------------------------------------------------------------- /archive/firefly/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /archive/grocy/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /archive/heimdall/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /archive/mariadb/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /archive/scrypted/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /archive/traccar/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/emqx/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/monitoring/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/archive/goldilocks/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /archive/vault/vault/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/argocd-patch/values.yaml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /infrastructure/kured/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/metallb/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/spegel/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/actual/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/airprint/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/cyberchef/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/frigate/.argocd-allow-concurrency: 
-------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/kanboard/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/mealie/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/minio/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/node-red/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/openttd/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/oscar/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/planka/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/teslamate/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/webtrees/.argocd-allow-concurrency: 
-------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/monitoring/karma/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/monitoring/trivy/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/argocd-patch/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/cert-manager/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/descheduler/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/longhorn/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/oauth2-proxy/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/reloader/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/external-route/.argocd-allow-concurrency: 
-------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/gethomepage/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/home-assistant/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/tesla-dashcam/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/wyze-bridge/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/zigbee2mqtt/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/zwavejs2mqtt/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/monitoring/grafana/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/monitoring/influxdb/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/monitoring/pushgateway/.argocd-allow-concurrency: 
-------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/monitoring/uptime-kuma/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /archive/vault-secrets-operator/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/cloudnative-pg/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/envoy-gateway/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/ingress-nginx/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/intel-gpu-plugins/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/cloudflare-ddns/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/homelab/external-ingress/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/main/monitoring/unifi-poller/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/monitoring/victoria-metrics/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/kube-cleanup-operator/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/node-feature-discovery/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /infrastructure/node-problem-detector/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/monitoring/alertmanager-discord/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/monitoring/blackbox-exporter/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /main/monitoring/speedtest-exporter/.argocd-allow-concurrency: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /apps/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: root 3 | version: 1.0.0 4 | 
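--------------------------------------------------------------------------------
/main/Chart.yaml:
--------------------------------------------------------------------------------
# Parent (app-of-apps) chart for everything under main/. It declares no
# dependencies of its own; the Argo CD Applications for the sub-charts are
# generated from main/templates/app.yaml.
apiVersion: v2
name: main
version: 1.0.0

--------------------------------------------------------------------------------
/main/logs/Chart.yaml:
--------------------------------------------------------------------------------
# Parent chart for the logging stack (fluent-bit, victoria-logs).
apiVersion: v2
name: logs
version: 1.0.0

--------------------------------------------------------------------------------
/main/homelab/Chart.yaml:
--------------------------------------------------------------------------------
# Parent chart for the homelab workloads.
apiVersion: v2
name: homelab
version: 1.0.0

--------------------------------------------------------------------------------
/infrastructure/Chart.yaml:
--------------------------------------------------------------------------------
# Parent chart for cluster infrastructure (LB, storage, certificates, gateways,
# secrets operators, ...).
apiVersion: v2
name: infrastructure
version: 1.0.0

--------------------------------------------------------------------------------
/main/monitoring/Chart.yaml:
--------------------------------------------------------------------------------
# Parent chart for the monitoring stack.
apiVersion: v2
name: monitoring
version: 1.0.0

--------------------------------------------------------------------------------
/infrastructure/argocd-patch/Chart.yaml:
--------------------------------------------------------------------------------
# Local-only chart (no upstream dependency). Judging by its templates
# (webhook-httproute.yaml / webhook-ingress.yaml) it appears to publish the
# Argo CD webhook endpoint; the public hostname is injected from
# secret-helm-values.yaml. Anything reachable on that hostname should still be
# protected by Argo CD's webhook secret -- confirm in the templates.
name: argocd-patch
apiVersion: v2
version: 1.0.0

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Created by .ignore support plugin (hsz.mobi)
.idea
# NOTE(review): this pattern also ignores Chart.lock, so the resolved
# dependency versions/digests are never committed. Reproducibility then rests
# solely on the exact chart versions pinned in each Chart.yaml. Consider
# un-ignoring it (`!Chart.lock`) so the lock file is tracked and can be
# verified at render time.
*.lock
# Dependency charts are pulled into charts/ by `helm dependency build` at
# render time and must not be committed.
**/charts/
# Bootstrap environment for setup/bootstrap-objects.sh. Presumably the source
# of the $VAR values referenced by the archived *-secret.txt and
# *-helm-values.yaml templates -- confirm against the script. Real secrets live
# here and only here; never in the repo.
/setup/.env

--------------------------------------------------------------------------------
/archive/traccar/traccar-helm-values.yaml:
--------------------------------------------------------------------------------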
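traccar:
  database:
    # Shell-style placeholder, not a literal password: it is substituted from
    # the bootstrap environment before the file is applied (presumably envsubst
    # from setup/.env -- confirm). If the file is ever applied unrendered, the
    # literal string "$TRACCAR_POSTGRES_PASSWORD" becomes the DB password.
    password: "$TRACCAR_POSTGRES_PASSWORD"

--------------------------------------------------------------------------------
/infrastructure/argocd-patch/secret-helm-values.yaml:
--------------------------------------------------------------------------------
# Go-template placeholder resolved at render time by the secret-injection
# mechanism wired up in infrastructure/templates/argo-helm-secrets.yaml
# (confirm which plugin). Only the placeholder is committed. The hostname is
# not itself secret, but it fronts the Argo CD webhook, which must stay
# protected by the webhook secret.
externalHostName: '{{ .webhook_external_host }}'

--------------------------------------------------------------------------------
/archive/traccar/traccar-secret.txt:
--------------------------------------------------------------------------------
# env-file template for the (archived) traccar Secret. The $VAR placeholders
# are rendered outside the repo; never commit a rendered copy of this file.
DATABASE_PASSWORD="$TRACCAR_POSTGRES_PASSWORD"
LOCATION_ID_TOKEN="$LOCATION_ID_TOKEN"

--------------------------------------------------------------------------------
/infrastructure/kured/secret-helm-values.yaml:
--------------------------------------------------------------------------------
kured:
  configuration:
    # Discord webhook URL for reboot notifications. A webhook URL is a bearer
    # credential (anyone holding it can post to the channel), so it is injected
    # through the {{ .key }} secret template rather than committed.
    notifyUrl: "{{ .kured_discord_webhook }}"

--------------------------------------------------------------------------------
/archive/mariadb/mariadb-secret.txt:
--------------------------------------------------------------------------------
# env-file template for the (archived) bitnami/mariadb Secret; same $VAR
# placeholder convention as archive/traccar/traccar-secret.txt.
mariadb-root-password="$MARIADB_DB_PASSWORD"
mariadb-replication-password="$MARIADB_DB_REPLICATION_PASSWORD"

--------------------------------------------------------------------------------
/main/homelab/minio/Chart.yaml:
--------------------------------------------------------------------------------
name: minio
apiVersion: v2
version: 1.0.0
dependencies:
  # Upstream MinIO chart, pinned to an exact version. Renovate (configured
  # under .github/renovate) is what moves this pin.
  - name: minio
    version: 5.0.14
    repository: https://charts.min.io/

--------------------------------------------------------------------------------
/archive/vpa/Chart.yaml:
--------------------------------------------------------------------------------
# Archived (no longer deployed).
name: vpa
apiVersion: v2
version: 1.0.0
dependencies:
  - name: vpa
    version: 4.4.5
    repository: https://charts.fairwinds.com/stable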
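--------------------------------------------------------------------------------
/main/homelab/emqx/Chart.yaml:
--------------------------------------------------------------------------------
name: emqx
apiVersion: v2
version: 1.0.0
dependencies:
  # MQTT broker; listener auth/TLS come from secret-helm-values.yaml and
  # templates/configmap.yaml (not visible here).
  - name: emqx
    version: 5.8.7
    repository: https://repos.emqx.io/charts

--------------------------------------------------------------------------------
/archive/firefly/Chart.yaml:
--------------------------------------------------------------------------------
# Archived. NOTE(review): the k8s-at-home chart repository is no longer
# maintained, so this pin will never receive fixes. If the app is revived,
# source it from a maintained chart (e.g. app-template, as the other apps do).
name: firefly
apiVersion: v2
version: 1.0.0
dependencies:
  - name: firefly-iii
    version: 0.2.2
    repository: https://k8s-at-home.com/charts/

--------------------------------------------------------------------------------
/infrastructure/kured/Chart.yaml:
--------------------------------------------------------------------------------
name: kured
apiVersion: v2
version: 1.0.0
dependencies:
  # Node reboot daemon. It runs privileged on every node, so keep this pin
  # current; the Discord notify URL is injected via secret-helm-values.yaml.
  - name: kured
    version: 5.10.0
    repository: https://kubereboot.github.io/charts

--------------------------------------------------------------------------------
/main/homelab/actual/Chart.yaml:
--------------------------------------------------------------------------------
name: actual
apiVersion: v2
version: 1.0.0
dependencies:
  # Current app-template line, pulled from the OCI registry.
  - name: app-template
    version: 4.5.0
    repository: oci://ghcr.io/bjw-s-labs/helm

--------------------------------------------------------------------------------
/archive/dashy/Chart.yaml:
--------------------------------------------------------------------------------
# Archived; still points at the older app-template 2.x line on the legacy
# HTTPS index rather than the OCI registry used by the active apps.
name: dashy
apiVersion: v2
version: 1.0.0
dependencies:
  - name: app-template
    version: 2.5.0
    repository: https://bjw-s-labs.github.io/helm-charts/

--------------------------------------------------------------------------------
/archive/grocy/Chart.yaml:
--------------------------------------------------------------------------------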
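# Archived; app-template 1.x from the legacy HTTPS index.
name: grocy
apiVersion: v2
version: 1.0.0
dependencies:
  - name: app-template
    version: 1.5.1
    repository: https://bjw-s-labs.github.io/helm-charts/

--------------------------------------------------------------------------------
/archive/mariadb/Chart.yaml:
--------------------------------------------------------------------------------
# Archived. NOTE(review): Bitnami has been moving its freely published images
# to a legacy registry; before reviving this chart, verify that the image the
# pinned chart references is still resolvable and still receives updates.
name: mariadb
apiVersion: v2
version: 1.0.0
dependencies:
  - name: mariadb
    version: 18.0.2
    repository: https://charts.bitnami.com/bitnami

--------------------------------------------------------------------------------
/archive/traccar/Chart.yaml:
--------------------------------------------------------------------------------
# Archived; credentials were supplied via the $VAR templates next to it.
name: traccar
apiVersion: v2
version: 1.0.0
dependencies:
  - name: traccar
    version: 1.8.0
    repository: https://traccar.github.io/traccar-helm/

--------------------------------------------------------------------------------
/archive/vault/vault/Chart.yaml:
--------------------------------------------------------------------------------
# Archived. Secret management appears to have moved to external-secrets with the
# 1Password ClusterSecretStore (see infrastructure/onepassword and
# infrastructure/external-secrets).
name: vault
apiVersion: v2
version: 1.0.0
dependencies:
  - name: vault
    version: "0.28.0"
    repository: https://helm.releases.hashicorp.com

--------------------------------------------------------------------------------
/infrastructure/longhorn/Chart.yaml:
--------------------------------------------------------------------------------
name: longhorn
apiVersion: v2
version: 1.0.0
dependencies:
  # Cluster block storage. Backup target credentials are in
  # templates/longhorn-backup-secret.yaml (not visible here).
  - name: longhorn
    version: "1.10.0"
    repository: https://charts.longhorn.io

--------------------------------------------------------------------------------
/main/monitoring/influxdb/Chart.yaml:
--------------------------------------------------------------------------------
name: influxdb
apiVersion: v2
version: 1.0.0
dependencies:
  - name: influxdb
    version: 4.12.5
    repository: https://helm.influxdata.com/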
-------------------------------------------------------------------------------- /main/monitoring/karma/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: karma 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 4.5.0 7 | repository: oci://ghcr.io/bjw-s-labs/helm 8 | -------------------------------------------------------------------------------- /archive/goldilocks/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: goldilocks 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: goldilocks 6 | version: 8.0.1 7 | repository: https://charts.fairwinds.com/stable 8 | -------------------------------------------------------------------------------- /argocd/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: argocd 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: argo-cd 6 | version: 9.1.9 7 | repository: https://argoproj.github.io/argo-helm 8 | 9 | 10 | -------------------------------------------------------------------------------- /infrastructure/spegel/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: spegel 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: spegel 6 | version: "v0.0.30" 7 | repository: oci://ghcr.io/spegel-org/helm-charts 8 | -------------------------------------------------------------------------------- /main/homelab/cyberchef/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: cyberchef 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 4.5.0 7 | repository: oci://ghcr.io/bjw-s-labs/helm 8 | -------------------------------------------------------------------------------- /main/homelab/echo-server/Chart.yaml: 
-------------------------------------------------------------------------------- 1 | name: echo-server 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 4.5.0 7 | repository: oci://ghcr.io/bjw-s-labs/helm 8 | -------------------------------------------------------------------------------- /main/homelab/nomie/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: nomie 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 3.3.2 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /main/homelab/oscar/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: oscar 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 1.5.1 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /archive/heimdall/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: heimdall 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 1.5.1 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /archive/scrypted/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: scrypted 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 2.5.0 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /infrastructure/cert-manager/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: cert-manager 2 | apiVersion: v2 3 | 
version: 1.0.0 4 | dependencies: 5 | - name: cert-manager 6 | version: "v1.18.2" 7 | repository: https://charts.jetstack.io 8 | -------------------------------------------------------------------------------- /infrastructure/metallb/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: metallb 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: metallb 6 | version: "0.15.2" 7 | repository: https://metallb.github.io/metallb 8 | 9 | -------------------------------------------------------------------------------- /main/homelab/frigate/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: frigate 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 2.5.0 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /main/homelab/mealie/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: mealie 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 1.5.1 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /main/homelab/openttd/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: openttd 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 1.5.1 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /main/homelab/planka/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: planka 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 3.5.1 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | 
-------------------------------------------------------------------------------- /main/homelab/zwavejs2mqtt/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: zwavejs2mqtt 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 4.5.0 7 | repository: oci://ghcr.io/bjw-s-labs/helm 8 | -------------------------------------------------------------------------------- /main/monitoring/uptime-kuma/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: uptime-kuma 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 4.5.0 7 | repository: oci://ghcr.io/bjw-s-labs/helm 8 | -------------------------------------------------------------------------------- /infrastructure/couchdb/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: couchdb 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 3.3.2 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /infrastructure/reloader/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: reloader 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: reloader 6 | version: "2.2.7" 7 | repository: https://stakater.github.io/stakater-charts 8 | -------------------------------------------------------------------------------- /main/homelab/gethomepage/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: gethomepage 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: homepage 6 | version: 2.1.0 7 | repository: https://jameswynn.github.io/helm-charts 8 | -------------------------------------------------------------------------------- /main/homelab/kanboard/Chart.yaml: 
-------------------------------------------------------------------------------- 1 | name: kanboard 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 1.5.1 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /main/homelab/matter-server/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: matter-server 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 4.5.0 7 | repository: oci://ghcr.io/bjw-s-labs/helm 8 | 9 | -------------------------------------------------------------------------------- /main/homelab/node-red/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: node-red 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 1.5.1 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /main/homelab/teslamate/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: teslamate 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 1.5.1 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /main/homelab/webtrees/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: webtrees 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 1.5.1 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /main/monitoring/trivy/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: trivy 2 | 
apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: trivy-operator 6 | version: 0.31.0 7 | repository: https://aquasecurity.github.io/helm-charts 8 | -------------------------------------------------------------------------------- /infrastructure/tailscale-gateway/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: tailscale-gateway 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 4.5.0 7 | repository: oci://ghcr.io/bjw-s-labs/helm 8 | -------------------------------------------------------------------------------- /main/homelab/wyze-bridge/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: wyze-bridge 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 2.3.0 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /main/homelab/zigbee2mqtt/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: zigbee2mqtt 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 2.0.3 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /archive/change-detection/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: change-detection 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 1.5.1 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /infrastructure/descheduler/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: descheduler 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: 
descheduler 6 | version: "0.34.0" 7 | repository: https://kubernetes-sigs.github.io/descheduler 8 | -------------------------------------------------------------------------------- /infrastructure/oauth2-proxy/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: oauth2-proxy 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: oauth2-proxy 6 | version: 10.0.0 7 | repository: https://oauth2-proxy.github.io/manifests 8 | -------------------------------------------------------------------------------- /infrastructure/onepassword/values.yaml: -------------------------------------------------------------------------------- 1 | 2 | connect: 3 | connect: 4 | credentialsName: op-credentials 5 | credentialsKey: 1password-credentials.json 6 | operator: 7 | create: false 8 | serviceType: ClusterIP 9 | -------------------------------------------------------------------------------- /infrastructure/registry-creds/dockerhub.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: ops.alexellis.io/v1 2 | kind: ClusterPullSecret 3 | metadata: 4 | name: dockerhub 5 | spec: 6 | secretRef: 7 | name: registry-creds-secret 8 | namespace: kube-system -------------------------------------------------------------------------------- /infrastructure/step-issuer/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: step-issuer 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: step-issuer 6 | version: 1.9.11 7 | repository: https://smallstep.github.io/helm-charts 8 | 9 | -------------------------------------------------------------------------------- /main/homelab/home-assistant/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: home-assistant 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 1.5.1 7 | repository: 
https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /main/homelab/tesla-dashcam/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: tesla-dashcam 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 3.5.1 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /main/monitoring/grafana/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: grafana 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: grafana 6 | version: 9.4.5 7 | repository: https://grafana.github.io/helm-charts 8 | 9 | 10 | -------------------------------------------------------------------------------- /main/monitoring/speedtest-exporter/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: speedtest-exporter 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 4.5.0 7 | repository: oci://ghcr.io/bjw-s-labs/helm 8 | -------------------------------------------------------------------------------- /main/monitoring/unifi-poller/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: unifi-poller 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 1.5.1 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /system-upgrade/kustomization.yaml: -------------------------------------------------------------------------------- 1 | #namePrefix: kustomize- 2 | 3 | resources: 4 | - system-upgrade-controller.yaml 5 | - k3s-plan.yaml 6 | 7 | #apiVersion: kustomize.config.k8s.io/v1beta1 8 | 9 | #kind: Kustomization 10 | 
-------------------------------------------------------------------------------- /infrastructure/cloudnative-pg/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: cloudnative-pg 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: cloudnative-pg 6 | version: 0.27.0 7 | repository: https://cloudnative-pg.github.io/charts 8 | -------------------------------------------------------------------------------- /infrastructure/ingress-nginx/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: ingress-nginx 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: ingress-nginx 6 | version: "4.14.0" 7 | repository: https://kubernetes.github.io/ingress-nginx 8 | -------------------------------------------------------------------------------- /infrastructure/onepassword/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: onepassword 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: connect 6 | version: 2.1.1 7 | repository: https://1password.github.io/connect-helm-charts 8 | 9 | -------------------------------------------------------------------------------- /main/logs/fluent-bit/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: fluent-bit 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: fluent-bit 6 | version: 0.54.0 7 | repository: https://fluent.github.io/helm-charts/ 8 | 9 | 10 | -------------------------------------------------------------------------------- /infrastructure/external-secrets/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: external-secrets 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: external-secrets 6 | version: 0.19.2 7 | repository: https://charts.external-secrets.io 8 | 9 | 
-------------------------------------------------------------------------------- /infrastructure/kube-cleanup-operator/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: kube-cleanup-operator 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: kube-cleanup-operator 6 | version: 1.0.4 7 | repository: https://charts.lwolf.org 8 | -------------------------------------------------------------------------------- /infrastructure/longhorn/templates/nfs-storageclass.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: storage.k8s.io/v1 3 | kind: StorageClass 4 | metadata: 5 | name: nfs 6 | provisioner: kubernetes.io/no-provisioner 7 | volumeBindingMode: WaitForFirstConsumer 8 | -------------------------------------------------------------------------------- /infrastructure/node-problem-detector/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: node-problem-detector 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: node-problem-detector 6 | version: 2.3.14 7 | repository: https://charts.deliveryhero.io/ 8 | -------------------------------------------------------------------------------- /infrastructure/step-certificates/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: step-certificates 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: step-certificates 6 | version: 1.29.0 7 | repository: https://smallstep.github.io/helm-charts 8 | 9 | -------------------------------------------------------------------------------- /main/monitoring/alertmanager-discord/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: alertmanager-discord 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 1.5.1 7 | repository: 
https://bjw-s-labs.github.io/helm-charts/ 8 | -------------------------------------------------------------------------------- /main/monitoring/pushgateway/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: pushgateway 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: prometheus-pushgateway 6 | version: 3.6.0 7 | repository: https://prometheus-community.github.io/helm-charts 8 | -------------------------------------------------------------------------------- /archive/vault-secrets-operator/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: vault-secrets-operator 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: vault-secrets-operator 6 | version: 2.5.6 7 | repository: https://ricoberger.github.io/helm-charts 8 | -------------------------------------------------------------------------------- /main/monitoring/victoria-metrics/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: victoria-metrics 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: victoria-metrics-k8s-stack 6 | version: 0.66.0 7 | repository: oci://ghcr.io/victoriametrics/helm-charts 8 | -------------------------------------------------------------------------------- /archive/traccar/templates/traccar-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: ricoberger.de/v1alpha1 2 | kind: VaultSecret 3 | metadata: 4 | name: traccar-secret 5 | namespace: default 6 | spec: 7 | path: secrets/main/homelab/traccar/traccar-secret 8 | type: Opaque 9 | -------------------------------------------------------------------------------- /main/logs/victoria-logs/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: victoria-logs 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: 
victoria-logs-single 6 | version: 0.11.20 7 | repository: oci://ghcr.io/victoriametrics/helm-charts 8 | 9 | 10 | -------------------------------------------------------------------------------- /archive/mariadb/templates/mariadb-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: ricoberger.de/v1alpha1 2 | kind: VaultSecret 3 | metadata: 4 | name: mariadb-secret 5 | namespace: kube-system 6 | spec: 7 | path: secrets/infrastructure/mariadb/mariadb-secret 8 | type: Opaque 9 | -------------------------------------------------------------------------------- /infrastructure/registry-creds/dockerhub-registrycreds.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: ops.alexellis.io/v1 2 | kind: ClusterPullSecret 3 | metadata: 4 | name: dockerhub-registrycreds 5 | spec: 6 | secretRef: 7 | name: registry-creds-secret 8 | namespace: kube-system 9 | -------------------------------------------------------------------------------- /main/monitoring/blackbox-exporter/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: blackbox-exporter 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: prometheus-blackbox-exporter 6 | version: 11.6.1 7 | repository: https://prometheus-community.github.io/helm-charts 8 | -------------------------------------------------------------------------------- /.github/renovate/disabledDatasources.json5: -------------------------------------------------------------------------------- 1 | { 2 | packageRules: [ 3 | { 4 | description: "Disable kubernetes-api", 5 | matchManagers: ["kubernetes"], 6 | matchDatasources: ["kubernetes-api"], 7 | enabled: false, 8 | }, 9 | ], 10 | } -------------------------------------------------------------------------------- /archive/vpa/values.yaml: -------------------------------------------------------------------------------- 1 | vpa: 2 | recommender: 
3 | extraArgs: 4 | prometheus-address: | 5 | http://thanos-query:9090/ 6 | storage: prometheus 7 | updater: 8 | enabled: false 9 | admissionController: 10 | enabled: false 11 | -------------------------------------------------------------------------------- /main/monitoring/victoria-metrics/secret-helm-values.yaml: -------------------------------------------------------------------------------- 1 | victoria-metrics-k8s-stack: 2 | alertmanager: 3 | templateFiles: 4 | pagerduty-custom-keys.tmpl: |- 5 | {{ `{{- define "pagerduty.custom.routing.key" -}}` }}{{ .pagerduty_key }}{{ `{{- end -}}` }} 6 | -------------------------------------------------------------------------------- /infrastructure/node-feature-discovery/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: node-feature-discovery 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: node-feature-discovery 6 | version: "0.18.3" 7 | repository: https://kubernetes-sigs.github.io/node-feature-discovery/charts 8 | -------------------------------------------------------------------------------- /infrastructure/external-secrets/values.yaml: -------------------------------------------------------------------------------- 1 | 2 | external-secrets: 3 | installCRDs: true 4 | replicaCount: 1 5 | serviceMonitor: 6 | enabled: true 7 | webhook: 8 | serviceMonitor: 9 | enabled: true 10 | certController: 11 | serviceMonitor: 12 | enabled: true 13 | -------------------------------------------------------------------------------- /infrastructure/node-problem-detector/values.yaml: -------------------------------------------------------------------------------- 1 | node-problem-detector: 2 | metrics: 3 | enabled: true 4 | serviceMonitor: 5 | enabled: true 6 | prometheusRule: 7 | enabled: true 8 | 9 | # tolerations: 10 | # - key: arm 11 | # operator: Exists 12 | # - key: arm64 13 | # operator: Exists 14 | 
-------------------------------------------------------------------------------- /main/homelab/cloudflare-ddns/values.yaml: -------------------------------------------------------------------------------- 1 | namespace: default 2 | 3 | schedule: "*/5 * * * *" 4 | concurrencyPolicy: "Forbid" 5 | successfulJobsHistoryLimit: 3 6 | failedJobsHistoryLimit: 5 7 | 8 | restartPolicy: Never 9 | 10 | image: 11 | repository: ghcr.io/k8s-at-home/kubectl 12 | tag: v1.25.4 13 | pullPolicy: IfNotPresent 14 | -------------------------------------------------------------------------------- /archive/vault-secrets-operator/values.yaml: -------------------------------------------------------------------------------- 1 | vault-secrets-operator: 2 | replicaCount: 1 3 | deploymentStrategy: 4 | type: Recreate 5 | vault: 6 | address: "http://vault:8200" 7 | authMethod: kubernetes 8 | kubernetesPath: auth/kubernetes 9 | kubernetesRole: vault-secrets-operator 10 | reconciliationTime: "300" 11 | -------------------------------------------------------------------------------- /infrastructure/envoy-gateway/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: envoy-gateway 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: gateway-helm 6 | version: v1.6.1 7 | repository: oci://docker.io/envoyproxy 8 | - name: app-template 9 | version: 4.5.0 10 | repository: oci://ghcr.io/bjw-s-labs/helm 11 | alias: error-pages 12 | -------------------------------------------------------------------------------- /main/homelab/cloudflare-ddns/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ include "cloudflare-ddns.fullname" . }}-config 5 | namespace: {{ .Values.namespace }} 6 | labels: 7 | {{- include "cloudflare-ddns.labels" . 
| nindent 4 }} 8 | data: 9 | {{ (.Files.Glob "script/*").AsConfig | indent 2 }} 10 | -------------------------------------------------------------------------------- /infrastructure/kube-cleanup-operator/values.yaml: -------------------------------------------------------------------------------- 1 | kube-cleanup-operator: 2 | rbac: 3 | create: true 4 | global: true 5 | args: 6 | - --delete-failed-after=60m 7 | - --delete-successful-after=60m 8 | - --delete-pending-pods-after=10m 9 | - --delete-evicted-pods-after=10m 10 | - --delete-orphaned-pods-after=10m 11 | - --legacy-mode=false 12 | -------------------------------------------------------------------------------- /.github/renovate/automerge-github-actions.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "packageRules": [ 4 | { 5 | "matchManagers": ["github-actions"], 6 | "automerge": true, 7 | "automergeType": "branch", 8 | "matchUpdateTypes": ["minor", "patch", "digest"], 9 | "ignoreTests": true 10 | } 11 | ] 12 | } -------------------------------------------------------------------------------- /infrastructure/step-issuer/secret-helm-values.yaml: -------------------------------------------------------------------------------- 1 | step-issuer: 2 | stepIssuer: 3 | create: true 4 | caBundle: {{ .caBundle | b64enc }} 5 | provisioner: 6 | name: {{ .provisioner }} 7 | kid: {{ .kid }} 8 | 9 | stepClusterIssuer: 10 | create: true 11 | caBundle: {{ .caBundle | b64enc }} 12 | provisioner: 13 | name: {{ .provisioner }} 14 | kid: {{ .kid }} 15 | -------------------------------------------------------------------------------- /archive/mariadb/values.yaml: -------------------------------------------------------------------------------- 1 | mariadb: 2 | #image: 3 | # repository: bitnami/mariadb 4 | # tag: 10.6.5-debian-10-r18 5 | 6 | auth: 7 | existingSecret: mariadb-secret 8 | 9 | architecture: replication 10 
| 11 | primary: 12 | persistence: 13 | storageClass: "longhorn" 14 | 15 | secondary: 16 | persistence: 17 | storageClass: "longhorn" 18 | 19 | diagnosticMode: 20 | enabled: true 21 | -------------------------------------------------------------------------------- /.github/lint/.yamllint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ignore: | 3 | .private/ 4 | .vscode/ 5 | *.enc.yaml 6 | *.sops.yml 7 | extends: default 8 | rules: 9 | truthy: 10 | allowed-values: ["true", "false", "on"] 11 | comments: 12 | min-spaces-from-content: 1 13 | line-length: disable 14 | braces: 15 | min-spaces-inside: 0 16 | max-spaces-inside: 1 17 | brackets: 18 | min-spaces-inside: 0 19 | max-spaces-inside: 0 20 | indentation: enable 21 | -------------------------------------------------------------------------------- /main/homelab/home-assistant/secret-helm-values.yaml: -------------------------------------------------------------------------------- 1 | app-template: 2 | 3 | ingress: 4 | main: 5 | hosts: 6 | - host: {{ .external_url }} 7 | paths: 8 | - path: / 9 | pathType: Prefix 10 | tls: 11 | - hosts: 12 | - "{{ .external_url }}" 13 | addons: 14 | codeserver: 15 | env: 16 | HASS_SERVER: http://localhost:8123 17 | HASS_TOKEN: {{ .hass_codeserver_token }} 18 | -------------------------------------------------------------------------------- /infrastructure/kured/values.yaml: -------------------------------------------------------------------------------- 1 | kured: 2 | configuration: 3 | startTime: "2:30" 4 | endTime: "6:30" 5 | timeZone: "America/Chicago" 6 | lockTtl: 30m 7 | drainTimeout: 90m 8 | tolerations: 9 | - key: "arm" 10 | operator: "Exists" 11 | - key: "arm64" 12 | operator: "Exists" 13 | - key: "node-role.kubernetes.io/master" 14 | operator: "Exists" 15 | metrics: 16 | create: true 17 | service: 18 | create: true 19 | 20 | -------------------------------------------------------------------------------- 
/infrastructure/longhorn/templates/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: longhorn-prometheus-servicemonitor 6 | namespace: longhorn-system 7 | labels: 8 | name: longhorn-prometheus-servicemonitor 9 | spec: 10 | selector: 11 | matchLabels: 12 | app: longhorn-manager 13 | namespaceSelector: 14 | matchNames: 15 | - longhorn-system 16 | endpoints: 17 | - port: manager 18 | -------------------------------------------------------------------------------- /infrastructure/step-certificates/values.yaml: -------------------------------------------------------------------------------- 1 | step-certificates: 2 | existingSecrets: 3 | enabled: true 4 | ca: true 5 | issuer: false 6 | configAsSecret: false 7 | sshHostCa: false 8 | sshUserCa: false 9 | 10 | bootstrap: 11 | secrets: false 12 | enabled: false 13 | configmaps: false 14 | 15 | inject: 16 | enabled: false 17 | 18 | service: 19 | targetPort: 9000 20 | 21 | ca: 22 | db: 23 | storageClass: "longhorn" 24 | -------------------------------------------------------------------------------- /main/homelab/airprint/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /infrastructure/cloudnative-pg/templates/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: postgres-lb 6 | annotations: 7 | metallb.universe.tf/loadBalancerIPs: 192.168.100.70 8 | spec: 9 | ports: 10 | - name: postgres 11 | port: 5432 12 | protocol: TCP 13 | targetPort: 5432 14 | selector: 15 | cnpg.io/cluster: {{ .Values.cluster.name }} 16 | role: primary 17 | type: LoadBalancer 18 | externalTrafficPolicy: Local 19 | -------------------------------------------------------------------------------- /main/homelab/cloudflare-ddns/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /main/homelab/external-ingress/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /main/homelab/external-route/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /main/monitoring/alertmanager-discord/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /infrastructure/node-feature-discovery/templates/coral-device.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: nfd.k8s-sigs.io/v1alpha1 3 | kind: NodeFeatureRule 4 | metadata: 5 | name: google-coral-device 6 | spec: 7 | rules: 8 | - # Google Coral USB Accelerator 9 | name: google.coral 10 | labels: 11 | google.feature.node.kubernetes.io/coral: "true" 12 | matchFeatures: 13 | - feature: usb.device 14 | matchExpressions: 15 | vendor: { op: In, value: ["1a6e", "18d1"] } 16 | -------------------------------------------------------------------------------- /infrastructure/step-issuer/templates/step-wildcard-cert.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: cert-manager.io/v1 3 | kind: Certificate 4 | metadata: 5 | name: rsr-crt 6 | namespace: cert-manager 7 | spec: 8 | secretName: rsr-crt-secret 9 | duration: 2160h # 90 days 10 | renewBefore: 720h # 30 days 11 | revisionHistoryLimit: 3 12 | issuerRef: 13 | name: step-issuer 14 | kind: StepClusterIssuer 15 | group: certmanager.step.sm 16 | dnsNames: 17 | - "*.rsr.net" 18 | - "rsr.net" 19 | -------------------------------------------------------------------------------- /infrastructure/intel-gpu-plugins/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: intel-gpu-plugins 2 | apiVersion: v2 3 | version: 1.0.0 4 | dependencies: 5 | - name: app-template 6 | version: 1.5.1 7 | repository: https://bjw-s-labs.github.io/helm-charts/ 8 | alias: intel-gpu-exporter 9 | - name: 
intel-device-plugins-gpu 10 | version: 0.34.1 11 | repository: https://intel.github.io/helm-charts 12 | - name: intel-device-plugins-operator 13 | version: 0.34.1 14 | repository: https://intel.github.io/helm-charts 15 | -------------------------------------------------------------------------------- /infrastructure/spegel/values.yaml: -------------------------------------------------------------------------------- 1 | spegel: 2 | spegel: 3 | containerdSock: /run/k3s/containerd/containerd.sock 4 | containerdRegistryConfigPath: /var/lib/rancher/k3s/agent/etc/containerd/certs.d 5 | containerdContentPath: /var/lib/rancher/k3s/agent/containerd/io.containerd.content.v1.content 6 | serviceMonitor: 7 | enabled: true 8 | grafanaDashboard: 9 | enabled: true 10 | resources: 11 | requests: 12 | cpu: 50m 13 | memory: 128Mi 14 | limits: 15 | memory: 1Gi 16 | -------------------------------------------------------------------------------- /infrastructure/cert-manager/templates/referencegrant.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/referencegrant_v1beta1.json 3 | apiVersion: gateway.networking.k8s.io/v1beta1 4 | kind: ReferenceGrant 5 | metadata: 6 | name: allow-gateway-cert-refs 7 | namespace: cert-manager 8 | spec: 9 | from: 10 | - group: gateway.networking.k8s.io 11 | kind: Gateway 12 | namespace: kube-system 13 | to: 14 | - group: "" 15 | kind: Secret 16 | -------------------------------------------------------------------------------- /.github/renovate/commit-message.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "commitMessageTopic": "{{depName}}", 4 | "commitMessageExtra": "to {{newVersion}}", 5 | "commitMessageSuffix": "", 6 | "packageRules": [ 7 | { 8 | "matchDatasources": ["helm"], 9 | 
"commitMessageTopic": "chart {{depName}}" 10 | }, 11 | { 12 | "matchDatasources": ["docker"], 13 | "commitMessageTopic": "image {{depName}}" 14 | } 15 | ] 16 | } -------------------------------------------------------------------------------- /infrastructure/node-feature-discovery/templates/gpu-device.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: nfd.k8s-sigs.io/v1alpha1 3 | kind: NodeFeatureRule 4 | metadata: 5 | name: intel-gpu-device 6 | spec: 7 | rules: 8 | - # intel-gpu 9 | name: intel.gpu 10 | labels: 11 | intel.feature.node.kubernetes.io/gpu: "true" 12 | matchFeatures: 13 | - feature: pci.device 14 | matchExpressions: 15 | class: { op: In, value: [ "0300" ] } 16 | vendor: { op: In, value: [ "8086" ] } 17 | -------------------------------------------------------------------------------- /main/homelab/gethomepage/templates/http-route.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kube-schemas.pages.dev/gateway.networking.k8s.io/httproute_v1.json 3 | apiVersion: gateway.networking.k8s.io/v1 4 | kind: HTTPRoute 5 | metadata: 6 | name: gethomepage 7 | spec: 8 | hostnames: 9 | - home.rsr.net 10 | parentRefs: 11 | - name: internal 12 | namespace: kube-system 13 | rules: 14 | - backendRefs: 15 | - name: gethomepage 16 | namespace: default 17 | port: 3000 18 | -------------------------------------------------------------------------------- /infrastructure/node-feature-discovery/templates/radeon-device.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: nfd.k8s-sigs.io/v1alpha1 3 | kind: NodeFeatureRule 4 | metadata: 5 | name: ati-radeon-device 6 | spec: 7 | rules: 8 | - # ATI Radeon 9 | name: ati.radeon 10 | labels: 11 | ati.feature.node.kubernetes.io/radeon: "true" 12 | matchFeatures: 13 | - feature: pci.device 14 | matchExpressions: 15 | class: { op: 
In, value: [ "0300" ] } 16 | vendor: { op: In, value: [ "1002" ] } 17 | -------------------------------------------------------------------------------- /infrastructure/step-issuer/values.yaml: -------------------------------------------------------------------------------- 1 | step-issuer: 2 | stepIssuer: 3 | caUrl: https://step-certificates.kube-system.svc.cluster.local 4 | provisioner: 5 | passwordRef: 6 | name: step-certificates-provisioner-password 7 | key: password 8 | 9 | stepClusterIssuer: 10 | caUrl: https://step-certificates.kube-system.svc.cluster.local 11 | provisioner: 12 | passwordRef: 13 | name: step-certificates-provisioner-password 14 | namespace: kube-system 15 | key: password 16 | -------------------------------------------------------------------------------- /infrastructure/envoy-gateway/templates/gateway-classes/gateway-class-standard.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/gatewayclass_v1.json 3 | apiVersion: gateway.networking.k8s.io/v1 4 | kind: GatewayClass 5 | metadata: 6 | name: eg-standard 7 | spec: 8 | controllerName: gateway.envoyproxy.io/gatewayclass-controller 9 | parametersRef: 10 | group: gateway.envoyproxy.io 11 | kind: EnvoyProxy 12 | name: standard-proxy-config 13 | namespace: kube-system 14 | -------------------------------------------------------------------------------- /infrastructure/onepassword/templates/clustersecretstore.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ClusterSecretStore 4 | metadata: 5 | name: onepassword-connect 6 | namespace: kube-system 7 | spec: 8 | provider: 9 | onepassword: 10 | connectHost: http://onepassword-connect:8080 11 | vaults: 12 | kubernetes: 1 13 | auth: 14 | secretRef: 15 | connectTokenSecretRef: 16 | name: onepassword-token 17 | key: token 
18 | namespace: kube-system 19 | -------------------------------------------------------------------------------- /infrastructure/tailscale-gateway/templates/external-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: tailscale-auth 5 | spec: 6 | secretStoreRef: 7 | kind: ClusterSecretStore 8 | name: onepassword-connect 9 | target: 10 | name: tailscale-auth 11 | creationPolicy: Owner 12 | template: 13 | engineVersion: v2 14 | data: 15 | TS_AUTH_KEY: '{{ printf "{{ .tailscale_auth }}" }}' 16 | dataFrom: 17 | - extract: 18 | key: tailscale-config 19 | -------------------------------------------------------------------------------- /infrastructure/node-feature-discovery/templates/geforce-device.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: nfd.k8s-sigs.io/v1alpha1 3 | kind: NodeFeatureRule 4 | metadata: 5 | name: nvidia-geforce-device 6 | spec: 7 | rules: 8 | - # nvidia-geforce 9 | name: nvidia.geforce 10 | labels: 11 | nvidia.feature.node.kubernetes.io/geforce: "true" 12 | matchFeatures: 13 | - feature: pci.device 14 | matchExpressions: 15 | class: { op: In, value: [ "0300" ] } 16 | vendor: { op: In, value: [ "10de" ] } 17 | -------------------------------------------------------------------------------- /main/homelab/minio/secret-helm-values.yaml: -------------------------------------------------------------------------------- 1 | minio: 2 | users: 3 | - accessKey: {{ .THANOS_ACCESS_KEY }} 4 | secretKey: {{ .THANOS_SECRET_KEY }} 5 | policy: readwrite 6 | - accessKey: {{ .LONGHORN_ACCESS_KEY }} 7 | secretKey: {{ .LONGHORN_SECRET_KEY }} 8 | policy: readwrite 9 | - accessKey: {{ .LOKI_ACCESS_KEY }} 10 | secretKey: {{ .LOKI_SECRET_KEY }} 11 | policy: readwrite 12 | - accessKey: {{ .POSTGRES_ACCESS_KEY }} 13 | secretKey: {{ .POSTGRES_SECRET_KEY }} 14 | policy: readwrite 15 | 
--------------------------------------------------------------------------------
/archive/goldilocks/values.yaml:
--------------------------------------------------------------------------------
# Archived values for the goldilocks chart (lives under /archive/, so it is not
# part of the live deployment). Exposes the dashboard through an nginx Ingress
# with a cert-manager issued TLS certificate.
goldilocks:
  dashboard:
    enabled: true
    replicaCount: 1
    ingress:
      enabled: true
      annotations:
        # Legacy ingress-class annotation (newer Kubernetes prefers spec.ingressClassName).
        kubernetes.io/ingress.class: nginx
        # NOTE(review): points at a `vault-issuer` ClusterIssuer, while the active
        # manifests in this repo issue through `step-issuer` (StepClusterIssuer) --
        # confirm the issuer still exists before reviving this chart.
        cert-manager.io/cluster-issuer: vault-issuer
        cert-manager.io/common-name: goldilocks.rsr.net
      hosts:
        - host: goldilocks.rsr.net
          paths:
            - /
      tls:
        - hosts:
            - goldilocks.rsr.net
          secretName: goldilocks-cert-tls
--------------------------------------------------------------------------------
/main/homelab/kanboard/templates/kanboard-secret.yaml:
--------------------------------------------------------------------------------
# ExternalSecret: materialises the kanboard database password from the
# 1Password Connect ClusterSecretStore into a Kubernetes Secret `kanboard-secret`.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: kanboard-secret
  namespace: default
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: kanboard-secret
    # Owner: the operator creates the Secret and it is removed together with
    # this ExternalSecret (presumed ESO semantics -- verify against the operator version).
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        # Wrapped in printf so Helm emits the literal "{{ .kanboard_password }}",
        # which the ESO template engine then resolves at sync time.
        DB_PASSWORD: '{{ printf "{{ .kanboard_password }}" }}'
  dataFrom:
    # Loads every field of the shared `postgres-config` item into template scope;
    # presumably only DB_PASSWORD lands in the Secret since the template defines
    # the output keys -- confirm the operator's default merge behaviour.
    - extract:
        key: postgres-config
--------------------------------------------------------------------------------
/main/homelab/mealie/templates/mealie-secret.yaml:
--------------------------------------------------------------------------------
# ExternalSecret: materialises the mealie database password from the
# 1Password Connect ClusterSecretStore into a Kubernetes Secret `mealie-secret`.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: mealie-secret
  namespace: default
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: mealie-secret
    # Owner: the operator creates the Secret and it is removed together with
    # this ExternalSecret (presumed ESO semantics -- verify against the operator version).
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        # Wrapped in printf so Helm emits the literal "{{ .mealie_password }}",
        # which the ESO template engine then resolves at sync time.
        POSTGRES_PASSWORD: '{{ printf "{{ .mealie_password }}" }}'
  dataFrom:
    # Same shared `postgres-config` item as the kanboard secret above; each app
    # only picks the field it needs out of it.
    - extract:
        key: postgres-config
-------------------------------------------------------------------------------- /system-upgrade/README.md: -------------------------------------------------------------------------------- 1 | # System Upgrade Controller 2 | 3 | This directory handles the automatic upgrade of the k3s Kubernetes cluster. See [system-upgrade-controller](https://github.com/rancher/system-upgrade-controller) for more details on the operation of this component. 4 | 5 | * [system-upgrade-controller.yaml](system-upgrade-controller.yaml) - The foundational YAML that deploys the controller and CRDs needed for this capability to work 6 | * [k3s-plan.yaml](k3s-plan.yaml) - This Plan automatically upgrades the cluster to the latest k3s Kubernetes version as new releases become available. 7 | -------------------------------------------------------------------------------- /main/homelab/emqx/secret-helm-values.yaml: -------------------------------------------------------------------------------- 1 | emqx: 2 | emqxConfig: 3 | EMQX_DASHBOARD__DEFAULT_PASSWORD: {{ .admin_password }} 4 | EMQX_AUTH__MNESIA__PASSWORD_HASH: plain 5 | EMQX_AUTH__USER__1__USERNAME: {{ .emqx_mqtt_user }} 6 | EMQX_AUTH__USER__1__PASSWORD: {{ .emqx_mqtt_password }} 7 | EMQX_AUTH__USER__2__USERNAME: {{ .emqx_nodered_user }} 8 | EMQX_AUTH__USER__2__PASSWORD: {{ .emqx_nodered_password }} 9 | EMQX_AUTH__USER__3__USERNAME: {{ .emqx_teslamate_user }} 10 | EMQX_AUTH__USER__3__PASSWORD: {{ .emqx_teslamate_password }} 11 | -------------------------------------------------------------------------------- /main/monitoring/victoria-metrics/templates/dockerhub.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | name: dockerhub-rules 6 | namespace: monitoring 7 | spec: 8 | groups: 9 | - name: dockerhub 10 | rules: 11 | - alert: DockerhubRateLimitRisk 12 | annotations: 13 | summary: Kubernetes cluster Dockerhub rate limit risk 14 | expr: 
count(time() - container_last_seen{image=~"(docker.io).*",container!=""} < 30) > 100 15 | labels: 16 | severity: warning 17 | -------------------------------------------------------------------------------- /argocd/templates/argocd-notifications-secret.yml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: argocd-notifications-secret 5 | namespace: argocd 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: argocd-notifications-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | discord-webhook: '{{ printf "{{ .argocd_discord_webhook }}" }}' 17 | dataFrom: 18 | - extract: 19 | key: discord-config 20 | -------------------------------------------------------------------------------- /main/homelab/home-assistant/templates/home-assistant-gcp-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: home-assistant-gcp-sa 6 | namespace: default 7 | spec: 8 | secretStoreRef: 9 | kind: ClusterSecretStore 10 | name: onepassword-connect 11 | target: 12 | name: home-assistant-gcp-sa-secret 13 | creationPolicy: Owner 14 | data: 15 | - secretKey: home-assistant-0ed67c5e16f3.json 16 | remoteRef: 17 | key: home-assistant-gcp-sa 18 | property: home-assistant-0ed67c5e16f3.json 19 | -------------------------------------------------------------------------------- /infrastructure/cert-manager/templates/cert-manager-cloudflare-api-key.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: cloudflare-api-key 5 | namespace: cert-manager 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | 
target: 11 | name: cloudflare-api-key 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | api-key: '{{ printf "{{ .cloudflare_api_key }}" }}' 17 | dataFrom: 18 | - extract: 19 | key: cloudflare-config 20 | -------------------------------------------------------------------------------- /infrastructure/node-feature-discovery/templates/zwave-device.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: nfd.k8s-sigs.io/v1alpha1 3 | kind: NodeFeatureRule 4 | metadata: 5 | name: nortek-zwave-device 6 | spec: 7 | rules: 8 | - # HUSBZB-1 USB Hub 9 | name: nortek.zwave 10 | labels: 11 | nortek.feature.node.kubernetes.io/zwave: "true" 12 | matchFeatures: 13 | - feature: usb.device 14 | matchExpressions: 15 | class: { op: In, value: ["ff"] } 16 | vendor: { op: In, value: ["10c4"] } 17 | device: { op: In, value: ["8a2a"] } 18 | -------------------------------------------------------------------------------- /main/homelab/airprint/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: 1.0.0 3 | description: CUPS instance that is meant as an AirPrint relay for printers 4 | name: airprint 5 | version: 0.0.1 6 | keywords: 7 | - airprint 8 | - print 9 | icon: https://raw.githubusercontent.com/rogerrum/icons/main/images/airprint.png 10 | sources: 11 | - https://github.com/quadportnick/docker-cups-airprint 12 | maintainers: 13 | - name: rogerrum 14 | email: rogerrum@gmail.com 15 | dependencies: 16 | - name: app-template 17 | version: 4.5.0 18 | repository: oci://ghcr.io/bjw-s-labs/helm 19 | -------------------------------------------------------------------------------- /main/homelab/minio/templates/minio-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: minio-secret 5 | namespace: default 6 | 
spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: minio-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | rootUser: '{{ printf "{{ .username }}" }}' 17 | rootPassword: '{{ printf "{{ .password }}" }}' 18 | dataFrom: 19 | - extract: 20 | key: minio-root 21 | -------------------------------------------------------------------------------- /main/monitoring/unifi-poller/templates/prometheusrules.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: monitoring.coreos.com/v1 2 | kind: PrometheusRule 3 | metadata: 4 | name: unifi-poller 5 | spec: 6 | groups: 7 | - name: unifi-poller 8 | rules: 9 | - alert: UnifiPollerAbsent 10 | annotations: 11 | description: Unifi Poller has disappeared from Prometheus service discovery. 12 | summary: Unifi Poller is down. 13 | expr: | 14 | absent(up{job=~".*unifi-poller.*"} == 1) 15 | for: 5m 16 | labels: 17 | severity: critical 18 | -------------------------------------------------------------------------------- /.github/lint/.markdownlint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | default: true 3 | 4 | # MD013/line-length - Line length 5 | MD013: 6 | # Number of characters 7 | line_length: 120 8 | # Number of characters for headings 9 | heading_line_length: 80 10 | # Number of characters for code blocks 11 | code_block_line_length: 80 12 | # Include code blocks 13 | code_blocks: true 14 | # Include tables 15 | tables: true 16 | # Include headings 17 | headings: true 18 | # Include headings (legacy name of the `headings` option above) 19 | headers: true 20 | # Strict length checking 21 | strict: false 22 | # Stern length checking 23 | stern: false 24 | -------------------------------------------------------------------------------- /infrastructure/couchdb/templates/couchdb-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: couchdb-secret 5 | namespace: kube-system 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: couchdb-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | couchdb-user: '{{ printf "{{ .username }}" }}' 17 | couchdb-password: '{{ printf "{{ .password }}" }}' 18 | dataFrom: 19 | - extract: 20 | key: couchdb-config 21 | -------------------------------------------------------------------------------- /main/monitoring/alertmanager-discord/templates/alertmanager-discord-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: alertmanager-discord-secret 5 | namespace: monitoring 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: alertmanager-discord-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | DISCORD_WEBHOOK: '{{ printf "{{ .alertmanager_discord_webhook }}" }}' 17 | dataFrom: 18 | - extract: 19 | key: discord-config 20 | -------------------------------------------------------------------------------- /main/homelab/home-assistant/templates/home-assistant-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: home-assistant-secret 5 | namespace: default 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: home-assistant-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | POSTGRES_PASSWORD: '{{ printf "{{ .ha_password }}" }}' 17 | POSTGRES_USERNAME: '{{ printf "{{ .ha_username }}" }}' 18 | dataFrom: 19 | - extract: 20 | key: postgres-config 21 | 
-------------------------------------------------------------------------------- /infrastructure/cloudnative-pg/templates/postgres-minio-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: postgres-minio-secret 5 | namespace: kube-system 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: postgres-minio-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | MINIO_ACCESS_KEY: '{{ printf "{{ .POSTGRES_ACCESS_KEY }}" }}' 17 | MINIO_SECRET_KEY: '{{ printf "{{ .POSTGRES_SECRET_KEY }}" }}' 18 | dataFrom: 19 | - extract: 20 | key: minio-config 21 | -------------------------------------------------------------------------------- /main/logs/values.yaml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | repo: 5 | url: https://github.com/rogerrum/k8s-gitops.git 6 | revision: main 7 | 8 | 9 | applications: 10 | 11 | - name: fluent-bit 12 | namespace: logs 13 | path: main/logs/fluent-bit 14 | manifest-paths: /main/logs/fluent-bit 15 | sync-wave: "0" 16 | helm: 17 | enabled: true 18 | syncOptions: 19 | - CreateNamespace=true 20 | 21 | - name: victoria-logs 22 | namespace: logs 23 | path: main/logs/victoria-logs 24 | manifest-paths: /main/logs/victoria-logs 25 | sync-wave: "0" 26 | helm: 27 | enabled: true 28 | syncOptions: 29 | - CreateNamespace=true 30 | -------------------------------------------------------------------------------- /main/monitoring/unifi-poller/templates/unifi-poller-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: unifi-poller-secret 5 | namespace: monitoring 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 
| name: unifi-poller-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | UNIFI_URL: '{{ printf "{{ .poller_url }}" }}' 17 | UNIFI_USER: '{{ printf "{{ .username }}" }}' 18 | UNIFI_PASSWORD: '{{ printf "{{ .password }}" }}' 19 | dataFrom: 20 | - extract: 21 | key: unifi-config 22 | -------------------------------------------------------------------------------- /infrastructure/envoy-gateway/templates/monitoring/servicemonitor-envoy-gateway.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/servicemonitor_v1.json 3 | # ServiceMonitor for Envoy Gateway control plane metrics 4 | apiVersion: monitoring.coreos.com/v1 5 | kind: ServiceMonitor 6 | metadata: 7 | name: envoy-gateway 8 | namespace: kube-system 9 | spec: 10 | endpoints: 11 | - port: metrics 12 | path: /metrics 13 | honorLabels: true 14 | jobLabel: envoy-gateway 15 | namespaceSelector: 16 | matchNames: 17 | - kube-system 18 | selector: 19 | matchLabels: 20 | control-plane: envoy-gateway 21 | -------------------------------------------------------------------------------- /infrastructure/envoy-gateway/templates/monitoring/podmonitor-envoy-proxy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/podmonitor_v1.json 3 | # PodMonitor for Envoy Proxy data plane metrics 4 | apiVersion: monitoring.coreos.com/v1 5 | kind: PodMonitor 6 | metadata: 7 | name: envoy-proxy 8 | namespace: kube-system 9 | spec: 10 | namespaceSelector: 11 | matchNames: 12 | - kube-system 13 | podMetricsEndpoints: 14 | - port: metrics 15 | path: /stats/prometheus 16 | honorLabels: true 17 | selector: 18 | matchLabels: 19 | app.kubernetes.io/component: proxy 20 | app.kubernetes.io/name: envoy 21 | 
--------------------------------------------------------------------------------
/infrastructure/oauth2-proxy/templates/oauth2-proxy-secret.yaml:
--------------------------------------------------------------------------------
# ExternalSecret: materialises the oauth2-proxy cookie/client credentials from the
# 1Password Connect item "auth0-config" into Secret kube-system/oauth2-proxy-secret.
# The printf wrapper is a Helm escape: Helm prints the inner reference literally and
# External Secrets' v2 template engine resolves it against the extracted item at sync time.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: oauth2-proxy-secret
  namespace: kube-system
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: oauth2-proxy-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        cookie-secret: '{{ printf "{{ .cookie_secret }}" }}'
        client-secret: '{{ printf "{{ .client_secret }}" }}'
        client-id: '{{ printf "{{ .client_id }}" }}'
  dataFrom:
    - extract:
        key: auth0-config
--------------------------------------------------------------------------------
/infrastructure/metallb/templates/bgp-pool.yaml:
--------------------------------------------------------------------------------
---
# MetalLB BGP mode: advertise the bgp-pool range to the single peer "gateway".
apiVersion: metallb.io/v1beta1
kind: BGPAdvertisement
metadata:
  name: bgp-lb
  namespace: kube-system
spec:
  ipAddressPools:
    - bgp-pool
  peers:
    - gateway
---
# NOTE(review): no BGP session authentication is configured here (BGPPeer supports
# password / passwordSecret). Acceptable on an isolated LAN segment where only the
# router can reach the speakers; worth adding if that is not guaranteed.
apiVersion: metallb.io/v1beta2
kind: BGPPeer
metadata:
  name: gateway
  namespace: kube-system
spec:
  peerAddress: 192.168.1.1
  peerASN: 64501
  myASN: 64500
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: bgp-pool
  namespace: kube-system
spec:
  addresses:
    - 192.168.100.2-192.168.100.254
  # skip .0 and .255 style addresses that some network gear mishandles
  avoidBuggyIPs: true
--------------------------------------------------------------------------------
/main/homelab/emqx/templates/configmap.yaml:
--------------------------------------------------------------------------------
---
# ConfigMap carrying the EMQX acl.conf (Erlang-term ACL rules) for the release.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "emqx.fullname" . }}-acl
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "emqx.name" . }}
    helm.sh/chart: {{ include "emqx.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
  # NOTE(review): EMQX matches acl.conf rules top-down, first match wins. The leading
  # "allow, all" rule matches every client on every topic, so the three rules below it
  # are never consulted and any authenticated client may publish/subscribe anywhere,
  # including $SYS/# and #. If topic-level restriction is intended, the catch-all
  # belongs last (or becomes a deny) and the specific rules go first.
  "acl.conf": |
    {allow, all}.
    {allow, {username, {re, "^dashboard$"}}, subscribe, ["$SYS/#"]}.
    {allow, {ipaddr, "127.0.0.1"}, all, ["$SYS/#", "#"]}.
    {allow, all, subscribe, ["$SYS/#", {eq, "#"}]}.
    {allow, all}.
--------------------------------------------------------------------------------
/infrastructure/metallb/values.yaml:
--------------------------------------------------------------------------------
# Values for the wrapped metallb chart: CRDs installed by the chart, metrics scraped by
# the kube-prometheus-stack instance in "monitoring", native (non-FRR) BGP speaker.
metallb:
  crds:
    enabled: true
  prometheus:
    namespace: monitoring
    serviceAccount: kube-prometheus-stack-prometheus
    podMonitor:
      enabled: true
    prometheusRule:
      enabled: true
  controller:
    tolerations:
      - key: "arm"
        operator: "Exists"
      - key: "arm64"
        operator: "Exists"
  speaker:
    frr:
      enabled: false
    # speaker must also run on control-plane nodes so their addresses get advertised
    tolerations:
      - key: "arm"
        operator: "Exists"
      - key: "arm64"
        operator: "Exists"
      - key: "node-role.kubernetes.io/master"
        operator: "Exists"


--------------------------------------------------------------------------------
/infrastructure/longhorn/templates/longhorn-backup-secret.yaml:
--------------------------------------------------------------------------------
# ExternalSecret: S3-style credentials for the Longhorn backup target, sourced from the
# 1Password item "minio-config". Helm renders the outer double-quoted scalar before
# YAML parsing, so the nested quotes are fine.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: longhorn-backup-secret
  namespace: longhorn-system
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: longhorn-backup-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        AWS_ACCESS_KEY_ID: "{{ printf "{{ .LONGHORN_ACCESS_KEY }}" }}"
        AWS_SECRET_ACCESS_KEY: "{{ printf "{{ .LONGHORN_SECRET_KEY }}" }}"
        # NOTE(review): plain http to the in-cluster MinIO service; the access key and
        # backup payloads cross the pod network unencrypted. Fine only while the cluster
        # network is trusted; TLS on MinIO would close it.
        AWS_ENDPOINTS: http://minio.default.svc:9000
  dataFrom:
    - extract:
        key: minio-config
--------------------------------------------------------------------------------
/main/monitoring/blackbox-exporter/templates/http-route.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kube-schemas.pages.dev/gateway.networking.k8s.io/httproute_v1.json
# HTTPRoute publishing the blackbox exporter on the *internal* gateway only; the
# gethomepage annotations register it on the dashboard. No authentication is applied
# at this layer, so reachability is bounded by the internal listener alone.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: blackbox-exporter
  annotations:
    gethomepage.dev/enabled: "true"
    gethomepage.dev/group: Monitoring
    gethomepage.dev/icon: prometheus
    gethomepage.dev/name: Blackbox
spec:
  hostnames:
    - blackbox.rsr.net
  parentRefs:
    - name: internal
      namespace: kube-system
  rules:
    - backendRefs:
        # no metadata.namespace above, so the route lands in the release namespace;
        # if that is not "monitoring", this cross-namespace backendRef needs a
        # ReferenceGrant in monitoring or the gateway will reject it
        - name: blackbox-exporter
          namespace: monitoring
          port: 9115
--------------------------------------------------------------------------------
/main/monitoring/victoria-metrics/templates/ingress-nginx.yaml:
--------------------------------------------------------------------------------
---
# PrometheusRule: p99 latency alert for ingress-nginx. The backtick wrapper is a Helm
# escape so that the $labels / $value references survive to the Prometheus templater.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: ingress-nginx-rules
  namespace: monitoring
spec:
  groups:
    - name: ingress-nginx.rules
      rules:
        - alert: NginxLatencyHigh
          # NOTE(review): the aggregation keeps only host and node, so the resulting
          # series carry no "instance" label and the summary's instance placeholder
          # will render empty; either add instance to the by() clause or reference
          # host/node in the summary.
          expr: histogram_quantile(0.99, sum(rate(nginx_http_request_duration_seconds_bucket[2m])) by (host, node)) > 3
          for: 2m
          labels:
            severity: warning
          annotations:
            summary: Nginx latency high (instance {{`{{$labels.instance}}`}} )
            description: "Nginx p99 latency is higher than 3 seconds\n VALUE = {{`{{$value}}`}}"
--------------------------------------------------------------------------------
/infrastructure/argocd-patch/templates/webhook-httproute.yaml:
--------------------------------------------------------------------------------
# HTTPRoute exposing only Argo CD's /api/webhook path on the *public* gateway so the
# git forge can push sync notifications. Authenticity of incoming webhooks is not
# enforced here; it relies on the webhook secret configured in Argo CD itself
# (not visible in this file) - confirm that is set before relying on this route.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: argocd-webhook-custom-httproute
  namespace: argocd
  labels:
    app.kubernetes.io/instance: argocd-patch
    app.kubernetes.io/name: argocd-patch
spec:
  parentRefs:
    - group: gateway.networking.k8s.io
      name: public
      namespace: kube-system
      sectionName: https
  hostnames:
    - {{ .Values.externalHostName }}
  rules:
    - matches:
        - path:
            # PathPrefix matches path elements, so /api/webhook and /api/webhook/...
            type: PathPrefix
            value: /api/webhook
      backendRefs:
        # plaintext hop to argocd-server inside the cluster (TLS terminates at the gateway)
        - name: argocd-server
          port: 80

--------------------------------------------------------------------------------
/infrastructure/envoy-gateway/templates/routes/https-redirect.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/httproute_v1.json
# HTTPRoute to redirect HTTP to HTTPS for all gateways
# No hostnames are listed, so this catches every host on both http listeners; the only
# rule is a redirect, so no backend is reachable over plaintext.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: https-redirect
  namespace: kube-system
spec:
  parentRefs:
    - name: public
      namespace: kube-system
      sectionName: http
    - name: internal
      namespace: kube-system
      sectionName: http
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
--------------------------------------------------------------------------------
/infrastructure/envoy-gateway/templates/routes/wildcard-internal.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/httproute_v1.json
# Catch-all for *.rsr.net on the internal https listener: any host without a more
# specific route is sent to the error-pages service instead of leaking a default
# backend. Gateway API gives exact hostnames precedence over this wildcard.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: wildcard-internal
  namespace: kube-system
spec:
  parentRefs:
    - name: internal
      namespace: kube-system
      sectionName: https
  hostnames:
    - "*.rsr.net"
  rules:
    - backendRefs:
        - name: envoy-gateway-error-pages
          port: 8080
          kind: Service
          group: ""
      matches:
        - path:
            type: PathPrefix
            value: /
--------------------------------------------------------------------------------
/infrastructure/envoy-gateway/templates/policies/backend-traffic-policy.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.envoyproxy.io/backendtrafficpolicy_v1alpha1.json
# BackendTrafficPolicy for backend connection settings - applies to all Gateways
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: default
  namespace: kube-system
spec:
  targetSelectors:
    - group: gateway.networking.k8s.io
      kind: Gateway
  # NOTE(review): response compression over TLS is the BREACH precondition for any
  # backend that reflects attacker-controlled input next to a secret (CSRF tokens
  # etc.) in the same response body. Presumably acceptable for these apps; worth
  # keeping in mind when adding new backends.
  compression:
    - type: Zstd
    - type: Brotli
    - type: Gzip
  connection:
    bufferLimit: 16Mi
    tcpKeepalive: {}
  timeout:
    http:
      # 0s disables the upstream request timeout (long-lived streams/downloads);
      # slow backends therefore hold gateway resources indefinitely
      requestTimeout: 0s
--------------------------------------------------------------------------------
/infrastructure/envoy-gateway/templates/routes/wildcard-public.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/httproute_v1.json
# Catch-all for *.techbuzzworld.com on the public https listener: unknown hosts get
# the error-pages service rather than any real backend.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: wildcard-public
  namespace: kube-system
spec:
  parentRefs:
    - name: public
      namespace: kube-system
      sectionName: https
  hostnames:
    - "*.techbuzzworld.com"
  rules:
    - backendRefs:
        - name: envoy-gateway-error-pages
          port: 8080
          kind: Service
          group: ""
      matches:
        - path:
            type: PathPrefix
            value: /
--------------------------------------------------------------------------------
/argocd/templates/argocd-oidc-secret.yaml:
--------------------------------------------------------------------------------
# ExternalSecret: OIDC client credentials for Argo CD from the 1Password item
# "argocd-config". The part-of label is copied onto the generated Secret via
# template.metadata because Argo CD only resolves secret references from Secrets
# carrying that label.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: argocd-oidc-secret
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: argocd-oidc-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      metadata:
        labels:
          app.kubernetes.io/part-of: argocd
      data:
        client-secret: '{{ printf "{{ .oidc_client_secret }}" }}'
        client-id: '{{ printf "{{ .oidc_client_id }}" }}'
  dataFrom:
    - extract:
        key: argocd-config
--------------------------------------------------------------------------------
/infrastructure/cert-manager/values.yaml:
--------------------------------------------------------------------------------
# Values for the wrapped cert-manager chart.
cert-manager:
  crds:
    enabled: true
  webhook:
    tolerations:
      - key: "arm"
        operator: "Exists"
      - key: "arm64"
        operator: "Exists"
  # DNS-01 self-checks go to a public resolver only, so split-horizon / internal DNS
  # cannot make cert-manager believe a challenge record is visible before it really is
  extraArgs:
    - --dns01-recursive-nameservers=1.1.1.1:53
    - --dns01-recursive-nameservers-only
  tolerations:
    - key: "arm"
      operator: "Exists"
    - key: "arm64"
      operator: "Exists"
  cainjector:
    replicaCount: 1
    tolerations:
      - key: "arm"
        operator: "Exists"
      - key: "arm64"
        operator: "Exists"
  prometheus:
    enabled: true
    servicemonitor:
      enabled: true
      prometheusInstance: monitoring
--------------------------------------------------------------------------------
/main/monitoring/victoria-metrics/templates/oom.yaml:
--------------------------------------------------------------------------------
---
# PrometheusRule: fire when a container restarted in the last 10 minutes and its last
# termination reason was OOMKilled. Backtick wrappers are Helm escapes for the
# Prometheus template references.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: oom-rules
  namespace: monitoring
spec:
  groups:
    - name: oom
      rules:
        - alert: OomKilled
          annotations:
            summary: Container {{`{{$labels.container}}`}} in pod {{`{{$labels.namespace}}`}}/{{`{{$labels.pod}}`}} has been OOMKilled {{ `{{ $value }} `}} times in the last 10 minutes.
          expr: (kube_pod_container_status_restarts_total - kube_pod_container_status_restarts_total offset 10m >= 1) and ignoring (reason) min_over_time(kube_pod_container_status_last_terminated_reason{reason="OOMKilled"}[10m]) == 1
          labels:
            severity: warning
--------------------------------------------------------------------------------
/infrastructure/tailscale-gateway/templates/roles.yaml:
--------------------------------------------------------------------------------
---
# RBAC for the tailscale container's state secret. No metadata.namespace, so both
# objects land in the release namespace and the ServiceAccount subject below resolves
# there as well.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tailscale
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["secrets"]
    # Create can not be restricted to a resource name.
    # NOTE(review): this therefore allows creating *any* Secret in the namespace; the
    # blast radius is bounded by keeping tailscale in its own namespace. No list/watch
    # is granted, so existing secrets cannot be enumerated.
    verbs: ["create"]
  - apiGroups: [""] # "" indicates the core API group
    resourceNames: ["tailscale-auth"]
    resources: ["secrets"]
    verbs: ["get", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tailscale
subjects:
  - kind: ServiceAccount
    name: "tailscale"
roleRef:
  kind: Role
  name: tailscale
  apiGroup: rbac.authorization.k8s.io
--------------------------------------------------------------------------------
/archive/mariadb.yaml:
--------------------------------------------------------------------------------
# Archived Argo CD Application (kept for reference, not part of the rendered charts).
# Uses the unrestricted "default" AppProject and auto-sync with prune + selfHeal.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: mariadb
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
    argocd.argoproj.io/manifest-generate-paths: /infrastructure/mariadb
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: kube-system
    server: https://kubernetes.default.svc
  project: default
  source:
    path: infrastructure/mariadb
    repoURL: {{ .Values.repo.url }}
    targetRevision: {{ .Values.repo.revision }}
    helm:
      valueFiles:
        - values.yaml
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - ApplyOutOfSyncOnly=true
--------------------------------------------------------------------------------
/main/homelab/webtrees/templates/webtrees-secret.yaml:
--------------------------------------------------------------------------------
# ExternalSecret: webtrees DB and admin credentials. Two 1Password items are
# extracted; as I understand External Secrets, later dataFrom entries override
# earlier ones on key collision, so generic keys such as "password" resolve from
# webtree-config if both items define them - confirm the item layouts match that.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: webtrees-secret
  namespace: default
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: webtrees-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        WEBTREE_MARIADB_PASS: '{{ printf "{{ .webtree_password }}" }}'
        WEBTREE_ADMIN_PASS: '{{ printf "{{ .password }}" }}'
        WEBTREE_ADMIN_USER: '{{ printf "{{ .admin }}" }}'
        WEBTREE_ADMIN_EMAIL: '{{ printf "{{ .email }}" }}'
  dataFrom:
    - extract:
        key: postgres-config
    - extract:
        key: webtree-config
--------------------------------------------------------------------------------
/main/monitoring/alertmanager-discord/values.yaml:
--------------------------------------------------------------------------------
# Values for the app-template wrapper running the Alertmanager->Discord relay.
app-template:
  image:
    repository: ghcr.io/rogerrum/alertmanager-discord
    #tag: "1.0.6"
    # NOTE(review): "main" is a mutable tag and pullPolicy IfNotPresent means nodes
    # may run different builds; pin to a version plus digest the way
    # speedtest-exporter's values do so deployments are reproducible and auditable.
    tag: "main"
    pullPolicy: IfNotPresent

  service:
    main:
      enabled: true
      ports:
        http:
          # anchor is declared but not referenced anywhere in this file
          port: &port 9094

  env:
    DISCORD_AVATAR_URL: "https://avatars3.githubusercontent.com/u/3380462"
    # verbose logging may echo alert payloads into pod logs
    VERBOSE: "ON"
    DISCORD_USERNAME: Alertmanager
    # webhook URL is a bearer credential; kept in a Secret, never in values
    DISCORD_WEBHOOK:
      valueFrom:
        secretKeyRef:
          name: alertmanager-discord-secret
          key: DISCORD_WEBHOOK

  probes:
    liveness:
      enabled: false
    readiness:
      enabled: false
    startup:
      enabled: false
--------------------------------------------------------------------------------
/infrastructure/argocd-patch/templates/webhook-ingress.yaml:
--------------------------------------------------------------------------------
# ingress-nginx counterpart of webhook-httproute.yaml: exposes only /api/webhook.
# The tls entry has no secretName, so ingress-nginx serves its default certificate
# for this host. If envoy-gateway has replaced ingress-nginx this is legacy - confirm.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
  labels:
    app.kubernetes.io/instance: argocd-patch
    app.kubernetes.io/name: argocd-patch
  name: argocd-webhook-custom-ingress
  namespace: argocd
spec:
  rules:
    - host: {{ .Values.externalHostName }}
      http:
        paths:
          - path: /api/webhook
            pathType: Prefix
            backend:
              service:
                name: argocd-server
                port:
                  number: 80
  tls:
    - hosts:
        - {{ .Values.externalHostName }}

--------------------------------------------------------------------------------
/archive/firefly.yaml:
--------------------------------------------------------------------------------
# Archived Argo CD Application (reference only). Same shape as archive/mariadb.yaml
# plus CreateNamespace; auto-sync with prune + selfHeal under the "default" project.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: firefly
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
    argocd.argoproj.io/manifest-generate-paths: /main/homelab/firefly
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: default
    server: https://kubernetes.default.svc
  project: default
  source:
    path: main/homelab/firefly
    repoURL: {{ .Values.repo.url }}
    targetRevision: {{ .Values.repo.revision }}
    helm:
      valueFiles:
        - values.yaml
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
--------------------------------------------------------------------------------
/.github/renovate/allowedVersions.json5:
--------------------------------------------------------------------------------
// Renovate version constraints. These only limit which updates Renovate proposes;
// they are not an integrity control - digest pinning in the image tags is.
{
  packageRules: [
    // pin package versions
    // {
    //   "matchDatasources": ["docker"],
    //   "allowedVersions": "<13",
    //   "matchPackageNames": [
    //     "postgres",
    //     "docker.io/library/postgres"
    //   ]
    // },
    {
      "matchDatasources": ["docker"],
      "allowedVersions": "<2",
      "matchPackageNames": [
        "influxdb"
      ]
    },
    {
      "matchDatasources": ["docker"],
      "allowedVersions": "!/2021.11.28$/",
      "matchPackageNames": [
        "heimdall"
      ]
    },
    {
      // NOTE(review): looks stale - speedtest-exporter's values already reference the
      // app-template 4.5.0 schema, so this "<2" cap either no longer matches the
      // charts in use or silently blocks their updates; verify and drop if so.
      "matchDatasources": ["helm"],
      "allowedVersions": "<2",
      "matchPackageNames": ["app-template"]
    },
  ],
}
--------------------------------------------------------------------------------
/infrastructure/cloudnative-pg/templates/scheduled-backup.yaml:
--------------------------------------------------------------------------------
# CloudNativePG ScheduledBackup for the active cluster and, optionally, the previous
# one during a migration. CNPG schedules use 6-field cron (seconds first).
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
  name: {{ .Values.cluster.name }}
  namespace: kube-system
spec:
  #schedule: "@weekly"
  # daily, 2am UTC
  schedule: "0 0 2 * * *"
  # take a backup as soon as the object is created, not only at the next tick
  immediate: true
  # backups are garbage-collected with this ScheduledBackup object
  backupOwnerReference: self
  cluster:
    name: {{ .Values.cluster.name }}
---
{{- if .Values.previousCluster.enabled }}
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
  name: {{ .Values.previousCluster.name }}
  namespace: kube-system
spec:
  #schedule: "@weekly"
  # daily, 2am UTC
  schedule: "0 0 2 * * *"
  immediate: true
  backupOwnerReference: self
  cluster:
    name: {{ .Values.previousCluster.name }}
{{- end }}
--------------------------------------------------------------------------------
/infrastructure/couchdb/templates/configmap.yaml:
--------------------------------------------------------------------------------
# CouchDB local.ini overrides. require_valid_user in both sections closes anonymous
# access (no "admin party"); the auth scheme is HTTP Basic, so the service must only
# be reachable through the TLS-terminating gateway. CORS uses an explicit origin
# allowlist together with credentials=true, which is the correct pairing (a "*"
# origin would not be).
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Release.Name }}-configmap
data:
  config.ini: |
    [couchdb]
    single_node = true
    max_document_size = 50000000

    [chttpd]
    require_valid_user = true
    bind_address = any
    max_http_request_size = 4294967296

    [chttpd_auth]
    require_valid_user = true
    authentication_redirect = /_utils/session.html

    [httpd]
    WWW-Authenticate = Basic realm="couchdb"
    enable_cors = true

    [cors]
    origins = app://obsidian.md,capacitor://localhost,http://localhost,https://nomie.rsr.net
    credentials = true
    headers = accept, authorization, content-type, origin, referer
    methods = GET, PUT, POST, HEAD, DELETE
    max_age = 3600
--------------------------------------------------------------------------------
/main/homelab/cloudflare-ddns/templates/cloudflare-ddns-secret.yaml:
--------------------------------------------------------------------------------
# ExternalSecret: credentials and record names for the cloudflare-ddns CronJob.
# NOTE(review): an email + APIKEY pair is the shape of Cloudflare's account-wide
# Global API Key. If that is what the script uses, a scoped API token limited to
# DNS edits on this zone would cut the blast radius of a leaked secret - confirm.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: cloudflare-ddns-secret
  namespace: default
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: cloudflare-ddns-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        CLOUDFLARE_EMAIL: '{{ printf "{{ .email }}" }}'
        CLOUDFLARE_APIKEY: '{{ printf "{{ .cloudflare_api_key }}" }}'
        CLOUDFLARE_ZONEID: '{{ printf "{{ .zone_id }}" }}'
        CLOUDFLARE_RECORD_NAME_1: '{{ printf "{{ .record1 }}" }}'
        CLOUDFLARE_RECORD_NAME_2: '{{ printf "{{ .record2 }}" }}'
        CLOUDFLARE_RECORD_NAME_3: '{{ printf "{{ .record3 }}" }}'
  dataFrom:
    - extract:
        key: cloudflare-config
--------------------------------------------------------------------------------
/infrastructure/envoy-gateway/templates/envoy-proxies/envoy-proxy-standard.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.envoyproxy.io/envoyproxy_v1alpha1.json
# EnvoyProxy data-plane settings shared by the gateways: two replicas, bounded
# resources, and externalTrafficPolicy Local so the real client source IP reaches
# Envoy (needed for any IP-based policy or useful access logs).
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: standard-proxy-config
  namespace: kube-system
spec:
  logging:
    level:
      default: info
  provider:
    type: Kubernetes
    kubernetes:
      envoyDeployment:
        replicas: 2
        container:
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              memory: 1Gi
      envoyService:
        externalTrafficPolicy: Local
  shutdown:
    # allow in-flight connections up to 3 minutes to finish on rollout
    drainTimeout: 180s
  telemetry:
    metrics:
      prometheus:
        compression:
          type: Gzip
--------------------------------------------------------------------------------
/main/monitoring/victoria-metrics/templates/kured.yaml:
--------------------------------------------------------------------------------
---
# PrometheusRule for kured: warn when a node has carried the reboot-required flag for
# 5m (scheduled) and escalate to a separate alert after 24h (reboot never happened).
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  labels:
    prometheus: k8s
    role: alert-rules
  name: kured-rules
  namespace: monitoring
spec:
  groups:
    - name: kured.rules
      rules:
        - alert: RebootRequired
          annotations:
            description: Node require a manual reboot
            summary: Reboot daemon has failed to do reboot node {{`{{$labels.node}}`}} for 24 hours
          expr: kured_reboot_required > 0
          for: 24h
          labels:
            severity: warning
        - alert: RebootScheduled
          annotations:
            description: Node Reboot Scheduled
            summary: Node {{`{{$labels.node}}`}} has been scheduled to reboot
          expr: kured_reboot_required > 0
          for: 5m
          labels:
            severity: warning
--------------------------------------------------------------------------------
/main/homelab/wyze-bridge/templates/wyze-bridge-secret.yaml:
--------------------------------------------------------------------------------
# ExternalSecret: Wyze account/API credentials plus the MQTT user for the bridge.
# Two 1Password items are merged via dataFrom; MQTT_AUTH concatenates two resolved
# values into user:password form.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: wyze-bridge-secret
  namespace: default
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: wyze-bridge-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        WYZE_EMAIL: '{{ printf "{{ .username }}" }}'
        WYZE_PASSWORD: '{{ printf "{{ .password }}" }}'
        API_ID: '{{ printf "{{ .key_id }}" }}'
        API_KEY: '{{ printf "{{ .api_key }}" }}'
        # Mosquitto
        MQTT_AUTH: '{{ printf "{{ .emqx_mqtt_user }}" }}:{{ printf "{{ .emqx_mqtt_password }}" }}'
        FILTER_NAMES: '{{ printf "{{ .cam_exclude }}" }}'
  dataFrom:
    - extract:
        key: wyze-config
    - extract:
        key: emqx-config
--------------------------------------------------------------------------------
/main/monitoring/victoria-metrics/templates/victoria-metrics-secret.yaml:
--------------------------------------------------------------------------------
# ExternalSecret: extra scrape config for VictoriaMetrics, embedding the Home
# Assistant long-lived token from the 1Password item "prom-config".
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: victoria-metrics-secret
  namespace: monitoring
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: victoria-metrics-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        #multiline string
        additionalScrapeConfigs: |
          - job_name: 'home-assistant'
            scrape_interval: 60s
            metrics_path: '/api/prometheus'
            authorization:
              credentials: "{{ printf "{{.prom_ha_token }}" }}"
            # NOTE(review): the bearer token is sent over plain http on the pod
            # network every 60s; acceptable only while that network is trusted
            scheme: http
            static_configs:
              - targets:
                  - home-assistant.default.svc:8123
  dataFrom:
    - extract:
        key: prom-config
--------------------------------------------------------------------------------
/main/homelab/frigate/secret-helm-values.yaml:
--------------------------------------------------------------------------------
# Secret Helm values for frigate. This file is NOT rendered by Helm: the chart's
# argo-helm-secrets template reads it with Files.Get and hands the raw text to the
# External Secrets v2 engine, which is why the references below are bare (no printf
# escape) and why no Helm syntax may appear in this file.
app-template:
  controllers:
    main:
      containers:
        main:
          env:
            FRIGATE_LOREX_HOST: "{{ .lorex_rtsp_host }}"
            FRIGATE_MQTT_PASSWORD: "{{ .emqx_mqtt_password }}"
            FRIGATE_WYZE_AUTH: "{{ .wyze_auth }}"
            FRIGATE_TAPO_AUTH: "{{ .tapo_auth }}"
            FRIGATE_TAPO_CLOUD_AUTH: "{{ .tapo_cloud }}"
            FRIGATE_NEST_OAUTH_CLIENT_ID: "{{ .frigate_nest_oauth_client_id }}"
            FRIGATE_NEST_OAUTH_CLIENT_SECRET: "{{ .frigate_nest_oauth_client_secret }}"
            FRIGATE_NEST_DEVICE_REFRESH_TOKEN: "{{ .frigate_nest_device_refresh_token }}"
            FRIGATE_NEST_DEVICE_ACCESS_PROJECT_ID: "{{ .frigate_nest_device_access_project_id }}"
            FRIGATE_NEST_CAMERA_ID_FRONT_DOOR: "{{ .frigate_nest_camera_id_front_door }}"


externalHostName: "{{ .frigate_ext_host }}"
--------------------------------------------------------------------------------
/main/homelab/teslamate/templates/teslamate-secret.yaml:
--------------------------------------------------------------------------------
# ExternalSecret: TeslaMate DB, MQTT and at-rest encryption credentials merged from
# three 1Password items. ENCRYPTION_KEY protects the stored Tesla API tokens, so it
# must stay stable across redeploys (rotating it invalidates the stored tokens).
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: teslamate-secret
  namespace: default
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: teslamate-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        # Teslamate
        MQTT_USERNAME: '{{ printf "{{ .emqx_teslamate_user }}" }}'
        MQTT_PASSWORD: '{{ printf "{{ .emqx_teslamate_password }}" }}'
        ENCRYPTION_KEY: '{{ printf "{{ .teslamate_encryption_key }}" }}'
        DATABASE_PASS: '{{ printf "{{ .teslamate_password }}" }}'
        DATABASE_USER: '{{ printf "{{ .teslamate_username }}" }}'
  dataFrom:
    - extract:
        key: postgres-config
    - extract:
        key: teslamate-config
    - extract:
        key: emqx-config
--------------------------------------------------------------------------------
/main/logs/templates/argo-helm-secrets.yaml:
--------------------------------------------------------------------------------
{{- $files := .Files }}
{{- range $index, $app := .Values.applications }}
{{- if and $app.helm $app.helm.secrets $app.helm.secrets.enabled }}
{{ $filePath := printf "%s/%s" $app.name "secret-helm-values.yaml" }}
---
# One ExternalSecret per application that opts in via helm.secrets.enabled. The
# resulting Secret holds a complete Helm values file with credentials and lives in
# the argocd namespace, so anything with Secret read access there can read every
# app's secret values. Identical copies of this template exist in
# infrastructure/templates and main/homelab/templates; a shared library chart
# would keep them from drifting.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: {{ $app.name }}-helm-values
  namespace: argocd
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: {{ $app.name }}-helm-values
    creationPolicy: Owner
    # Merge: deleting this object removes only the keys it manages from the Secret
    deletionPolicy: Merge
    template:
      engineVersion: v2
      data:
        # multiline string
        # Files.Get returns the raw (un-rendered) file, so template references inside
        # secret-helm-values.yaml reach the External Secrets engine untouched. A
        # missing file yields an empty value here rather than a render error.
        {{ $app.name }}.yml: |-
{{ $files.Get $filePath | indent 10 }}
  dataFrom:
    {{- range $adIndx, $key := $app.helm.secrets.keys }}
    - extract:
        key: {{$key}}
    {{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/archive/vpa.yaml:
--------------------------------------------------------------------------------
# Archived Application, fully wrapped in Helm comments so it renders to nothing.
{{/*apiVersion: argoproj.io/v1alpha1*/}}
{{/*kind: Application*/}}
{{/*metadata:*/}}
{{/*  name: vpa*/}}
{{/*  annotations:*/}}
{{/*    argocd.argoproj.io/sync-wave: "-1"*/}}
{{/*  finalizers:*/}}
{{/*    - resources-finalizer.argocd.argoproj.io*/}}
{{/*spec:*/}}
{{/*  destination:*/}}
{{/*    namespace: monitoring*/}}
{{/*    server: https://kubernetes.default.svc*/}}
{{/*  project: default*/}}
{{/*  source:*/}}
{{/*    path: main/monitoring/vpa*/}}
{{/*    repoURL: {{ .Values.repo.url }}*/}}
{{/*    targetRevision: {{ .Values.repo.revision }}*/}}
{{/*    helm:*/}}
{{/*      valueFiles:*/}}
{{/*        - values.yaml*/}}
{{/*  syncPolicy:*/}}
{{/*    automated:*/}}
{{/*      prune: true*/}}
{{/*      selfHeal: true*/}}
{{/*    syncOptions:*/}}
{{/*      - CreateNamespace=true*/}}
{{/*syncOptions:*/}}
{{/*  - ApplyOutOfSyncOnly=true*/}}
--------------------------------------------------------------------------------
/infrastructure/templates/argo-helm-secrets.yaml:
--------------------------------------------------------------------------------
{{- $files := .Files }}
{{- range $index, $app := .Values.applications }}
{{- if and $app.helm $app.helm.secrets $app.helm.secrets.enabled }}
{{ $filePath := printf "%s/%s" $app.name "secret-helm-values.yaml" }}
---
# One ExternalSecret per application that opts in via helm.secrets.enabled; the
# generated Secret is a full Helm values file with credentials, stored in the argocd
# namespace. Same template as main/logs and main/homelab - consider a shared
# library chart so the three copies cannot drift.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: {{ $app.name }}-helm-values
  namespace: argocd
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: {{ $app.name }}-helm-values
    creationPolicy: Owner
    # Merge: deleting this object removes only the keys it manages from the Secret
    deletionPolicy: Merge
    template:
      engineVersion: v2
      data:
        # multiline string
        # Files.Get hands the raw file to the External Secrets engine; a missing
        # file renders as an empty value, not an error.
        {{ $app.name }}.yml: |-
{{ $files.Get $filePath | indent 10 }}
  dataFrom:
    {{- range $adIndx, $key := $app.helm.secrets.keys }}
    - extract:
        key: {{$key}}
    {{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/main/homelab/templates/argo-helm-secrets.yaml:
--------------------------------------------------------------------------------
{{- $files := .Files }}
{{- range $index, $app := .Values.applications }}
{{- if and $app.helm $app.helm.secrets $app.helm.secrets.enabled }}
{{ $filePath := printf "%s/%s" $app.name "secret-helm-values.yaml" }}
---
# One ExternalSecret per application that opts in via helm.secrets.enabled; the
# generated Secret is a full Helm values file with credentials, stored in the argocd
# namespace. Same template as infrastructure and main/logs - consider a shared
# library chart so the three copies cannot drift.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: {{ $app.name }}-helm-values
  namespace: argocd
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: {{ $app.name }}-helm-values
    creationPolicy: Owner
    # Merge: deleting this object removes only the keys it manages from the Secret
    deletionPolicy: Merge
    template:
      engineVersion: v2
      data:
        # multiline string
        # Files.Get hands the raw file to the External Secrets engine; a missing
        # file renders as an empty value, not an error.
        {{ $app.name }}.yml: |-
{{ $files.Get $filePath | indent 10 }}
  dataFrom:
    {{- range $adIndx, $key := $app.helm.secrets.keys }}
    - extract:
        key: {{$key}}
    {{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/main/monitoring/speedtest-exporter/values.yaml:
--------------------------------------------------------------------------------
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s-labs/helm-charts/app-template-4.5.0/charts/other/app-template/values.schema.json
# Values for the speedtest exporter. The image is pinned by tag AND digest, which
# is the pattern the other app-template values in this repo should follow.
app-template:
  controllers:
    main:
      pod:
        tolerations:
          # - key: "arm"
          #   operator: "Exists"
          - key: "arm64"
            operator: "Exists"
      containers:
        main:
          image:
            repository: ghcr.io/lpicanco/prometheus-speedtest-exporter
            tag: 0.2.2@sha256:0c12ce9315bcb4e26071caa3236a2c2dab8612301a892fdec8911a41058da8e9
          resources:
            requests:
              cpu: 10m
              memory: 15Mi
            limits:
              memory: 100Mi
  service:
    app:
      controller: main
      ipFamilyPolicy: PreferDualStack
      ports:
        metrics:
          port: 9516


--------------------------------------------------------------------------------
/archive/goldilocks.yaml:
--------------------------------------------------------------------------------
# Archived Application, fully wrapped in Helm comments so it renders to nothing.
{{/*apiVersion: argoproj.io/v1alpha1*/}}
{{/*kind: Application*/}}
{{/*metadata:*/}}
{{/*  name: goldilocks*/}}
{{/*  annotations:*/}}
{{/*    argocd.argoproj.io/sync-wave: "-1"*/}}
{{/*  finalizers:*/}}
{{/*    - resources-finalizer.argocd.argoproj.io*/}}
{{/*spec:*/}}
{{/*  destination:*/}}
{{/*    namespace: monitoring*/}}
{{/*    server: https://kubernetes.default.svc*/}}
{{/*  project: default*/}}
{{/*  source:*/}}
{{/*    path: main/monitoring/goldilocks*/}}
{{/*    repoURL: {{ .Values.repo.url }}*/}}
{{/*    targetRevision: {{ .Values.repo.revision }}*/}}
{{/*    helm:*/}}
{{/*      valueFiles:*/}}
{{/*        - values.yaml*/}}
{{/*  syncPolicy:*/}}
{{/*    automated:*/}}
{{/*      prune: true*/}}
{{/*      selfHeal: true*/}}
{{/*    syncOptions:*/}}
{{/*      - CreateNamespace=true*/}}
{{/*syncOptions:*/}}
{{/*  - ApplyOutOfSyncOnly=true*/}}
--------------------------------------------------------------------------------
/main/values.yaml:
--------------------------------------------------------------------------------
# App-of-apps values for the "main" tier. Every child Application tracks the "main"
# branch, so whatever lands on that branch is deployed automatically; branch
# protection and commit signing on the repo are the controls that make that safe.


repo:
  url: https://github.com/rogerrum/k8s-gitops.git
  revision: main



applications:
  - name: homelab
    namespace: argocd
    path: main/homelab
    manifest-paths: /main/homelab/templates;/main/homelab/Chart.yaml;/main/homelab/values.yaml
    sync-wave: "-1"
    helm:
      enabled: true

  - name: logs
    namespace: logs
    create-namespace: true
    # namespaces are created one wave earlier than the app that needs them
    namespace-sync-wave: "-2"
    path: main/logs
    manifest-paths: /main/logs/templates;/main/logs/Chart.yaml;/main/logs/values.yaml
    sync-wave: "-1"
    helm:
      enabled: true

  - name: monitoring
    namespace: monitoring
    create-namespace: true
    namespace-sync-wave: "-3"
    path: main/monitoring
    manifest-paths: /main/monitoring/templates;/main/monitoring/Chart.yaml;/main/monitoring/values.yaml
    sync-wave: "-2"
    helm:
      enabled: true
--------------------------------------------------------------------------------
/archive/vault/cert-manager-vault.yaml:
--------------------------------------------------------------------------------
# Archived Vault-backed ClusterIssuer (reference only). Two things to keep in mind if
# it is ever revived: the service-account-token Secret is a long-lived, non-expiring
# token (bound tokens are preferable), and the Vault address is plain http.
apiVersion: v1
kind: Secret
metadata:
  name: cert-manager-token-for-vault
  annotations:
    kubernetes.io/service-account.name: cert-manager
type: kubernetes.io/service-account-token
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-issuer
spec:
  vault:
    path: pki/sign/rsr-dot-net
    server: http://vault.kube-system.svc:8200
    auth:
      kubernetes:
        role: vault-cert-issuer
        mountPath: /v1/auth/kubernetes
        # a ClusterIssuer resolves secretRef in cert-manager's cluster-resource
        # namespace, so the Secret above has to be created there - confirm
        secretRef:
          name: cert-manager-token-for-vault
          key: token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: acme-crt-int
  namespace: cert-manager
spec:
  secretName: acme-crt-int-secret
  issuerRef:
    name: vault-issuer
    kind: ClusterIssuer
  commonName: '*.rsr.net'
  dnsNames:
    - '*.rsr.net'
--------------------------------------------------------------------------------
/apps/values.yaml:
--------------------------------------------------------------------------------
# Root app-of-apps values: bootstrap order is argocd (-5), infrastructure and
# system-upgrade (-4), main (-3), then the root app itself. All track branch "main".
repo:
  url: https://github.com/rogerrum/k8s-gitops.git
  revision: main


applications:
  - name: argocd
    app-namespace: argocd
    namespace: argocd
    path: argocd
    manifest-paths: /argocd
    sync-wave: "-5"

  - name: infrastructure
    namespace: argocd
    path: infrastructure/
    manifest-paths: /infrastructure/templates;/infrastructure/Chart.yaml;/infrastructure/values.yaml
    sync-wave: "-4"

  - name: main
    namespace: argocd
    path: main/
    manifest-paths: /main/templates;/main/Chart.yaml;/main/values.yaml
    sync-wave: "-3"

  - name: root
    app-namespace: argocd
    namespace: argocd
    path: apps
    manifest-paths: /apps

  - name: system-upgrade
    namespace: system-upgrade
    path: system-upgrade/
    manifest-paths: /system-upgrade
    sync-wave: "-4"
    syncOptions:
      - CreateNamespace=true
--------------------------------------------------------------------------------
/infrastructure/envoy-gateway/templates/policies/client-traffic-policy.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.envoyproxy.io/clienttrafficpolicy_v1alpha1.json
# ClientTrafficPolicy for TLS and connection settings - applies to all Gateways
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: default
  namespace: kube-system
spec:
  clientIPDetection:
    xForwardedFor:
      # NOTE(review): trusts one X-Forwarded-For hop. With MetalLB delivering traffic
      # straight to Envoy and externalTrafficPolicy Local (envoy-proxy-standard.yaml)
      # there may be no proxy in front, in which case a client-supplied XFF value is
      # accepted as the client IP for logs and any IP-based policy - confirm the hop
      # count matches the real path, or use 0.
      numTrustedHops: 1
  connection:
    bufferLimit: 8Mi
    maxAcceptPerSocketEvent: 0
  http2:
    initialStreamWindowSize: 2Mi
    initialConnectionWindowSize: 32Mi
    onInvalidMessage: TerminateStream
  # enables HTTP/3 (QUIC over UDP) on the listeners
  http3: {}
  targetSelectors:
    - group: gateway.networking.k8s.io
      kind: Gateway
  tcpKeepalive: {}
  timeout:
    http:
      # 0s disables the request-headers timeout; on the public gateway that removes a
      # slow-client (slowloris style) protection - presumably set for long uploads,
      # worth re-checking
      requestReceivedTimeout: 0s
  tls:
    minVersion: "1.2"
    alpnProtocols:
      - h2
      - http/1.1
--------------------------------------------------------------------------------
/main/homelab/cloudflare-ddns/Chart.yaml:
-------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: cloudflare-ddns 3 | description: A Helm chart for Kubernetes 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | version: 0.1.0 18 | 19 | # This is the version number of the application being deployed. This version number should be 20 | # incremented each time you make changes to the application. 
21 | appVersion: 1.16.0 22 | -------------------------------------------------------------------------------- /.github/renovate/pr-labels.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "packageRules": [ 4 | { 5 | "matchUpdateTypes": ["major"], 6 | "labels": ["type/major"] 7 | }, 8 | { 9 | "matchUpdateTypes": ["minor"], 10 | "labels": ["type/minor"] 11 | }, 12 | { 13 | "matchUpdateTypes": ["patch"], 14 | "labels": ["type/patch"] 15 | }, 16 | { 17 | "matchUpdateTypes": ["digest"], 18 | "labels": ["type/digest"] 19 | }, 20 | { 21 | "matchDatasources": ["helm"], 22 | "addLabels": ["renovate/helm"] 23 | }, 24 | { 25 | "matchDatasources": ["docker"], 26 | "addLabels": ["renovate/container"] 27 | }, 28 | { 29 | "matchDatasources": ["github-releases", "github-tags"], 30 | "addLabels": ["renovate/github-release"] 31 | }, 32 | { 33 | "matchManagers": ["github-actions"], 34 | "addLabels": ["renovate/github-action"] 35 | } 36 | ] 37 | } -------------------------------------------------------------------------------- /main/monitoring/trivy/values.yaml: -------------------------------------------------------------------------------- 1 | trivy-operator: 2 | operator: 3 | replicas: 1 4 | scanJobsConcurrentLimit: 4 5 | scanJobTTL: 10s 6 | builtInTrivyServer: true 7 | vulnerabilityScannerScanOnlyCurrentRevisions: true 8 | configAuditScannerScanOnlyCurrentRevisions: true 9 | metricsVulnIdEnabled: true 10 | 11 | trivyOperator: 12 | scanJobTolerations: 13 | - key: "node-role.kubernetes.io/master" 14 | operator: "Exists" 15 | 16 | trivy: 17 | ignoreUnfixed: true 18 | mode: ClientServer 19 | storageClassName: "longhorn" 20 | 21 | slow: true 22 | resources: 23 | requests: 24 | cpu: 100m 25 | memory: 100M 26 | limits: 27 | memory: 2Gi 28 | 29 | serviceMonitor: 30 | enabled: true 31 | namespace: "monitoring" 32 | 33 | nodeCollector: 34 | excludeNodes: kubernetes.io/arch=arm 
35 | tolerations: 36 | # - key: arm 37 | # operator: Exists 38 | - key: arm64 39 | operator: Exists 40 | - effect: "NoSchedule" 41 | operator: "Exists" 42 | -------------------------------------------------------------------------------- /archive/firefly/values.yaml: -------------------------------------------------------------------------------- 1 | firefly-iii: 2 | env: 3 | TZ: "America/Chicago" 4 | APP_ENV: local 5 | APP_DEBUG: false 6 | SITE_OWNER: mail@example.com 7 | APP_KEY: SomeRandomStringOf32CharsExactly 8 | # DB_CONNECTION: mysql 9 | # DB_HOST: db 10 | # DB_PORT: 3306 11 | # DB_DATABASE: firefly 12 | # DB_USERNAME: firefly 13 | # DB_PASSWORD: secret_firefly_password 14 | MAP_DEFAULT_LAT: 51.983333 15 | MAP_DEFAULT_LONG: 5.916667 16 | MAP_DEFAULT_ZOOM: 6 17 | AUTHENTICATION_GUARD: web 18 | 19 | image: 20 | repository: fireflyiii/core 21 | tag: version-5.6.14 22 | 23 | ingress: 24 | main: 25 | enabled: true 26 | annotations: 27 | kubernetes.io/ingress.class: nginx 28 | cert-manager.io/cluster-issuer: vault-issuer 29 | cert-manager.io/common-name: fire.rsr.net 30 | hosts: 31 | - host: fire.rsr.net 32 | paths: 33 | - path: / 34 | pathType: Prefix 35 | tls: 36 | - hosts: 37 | - fire.rsr.net 38 | secretName: fire-cert-tls 39 | -------------------------------------------------------------------------------- /main/monitoring/influxdb/values.yaml: -------------------------------------------------------------------------------- 1 | influxdb: 2 | image: 3 | repository: "influxdb" 4 | tag: "1.8.10" 5 | service: 6 | type: LoadBalancer 7 | persistence: 8 | enabled: true 9 | size: 50Gi 10 | storageClass: longhorn 11 | resources: 12 | requests: 13 | memory: 2000Mi 14 | cpu: 100m 15 | limits: 16 | memory: 4000Mi 17 | livenessProbe: 18 | timeoutSeconds: 30 19 | readinessProbe: 20 | timeoutSeconds: 30 21 | startupProbe: 22 | enabled: true 23 | failureThreshold: 30 24 | periodSeconds: 30 25 | config: 26 | opentsdb: 27 | enabled: true 28 | bind-address: ":4242" 29 | 
graphite: 30 | enabled: true 31 | database: graphitedb 32 | retention-policy: "" 33 | bind-address: ":2003" 34 | protocol: tcp 35 | consistency-lvel: one 36 | templates: 37 | - "*.app env.service.resource.measurement" 38 | - "servers.* .host.resource.measurement.field*" 39 | tolerations: 40 | - key: "arm" 41 | operator: "Exists" 42 | - key: "arm64" 43 | operator: "Exists" 44 | -------------------------------------------------------------------------------- /infrastructure/node-feature-discovery/templates/zigbee-device.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: nfd.k8s-sigs.io/v1alpha1 3 | kind: NodeFeatureRule 4 | metadata: 5 | name: nortek-zigbee-device 6 | spec: 7 | rules: 8 | - # HUSBZB-1 USB Hub 9 | name: nortek.zigbee 10 | labels: 11 | nortek.feature.node.kubernetes.io/zigbee: "true" 12 | matchFeatures: 13 | - feature: usb.device 14 | matchExpressions: 15 | class: { op: In, value: ["ff"] } 16 | vendor: { op: In, value: ["10c4"] } 17 | device: { op: In, value: ["8a2a"] } 18 | --- 19 | apiVersion: nfd.k8s-sigs.io/v1alpha1 20 | kind: NodeFeatureRule 21 | metadata: 22 | name: sonoff-zigbee-device 23 | spec: 24 | rules: 25 | - # sonoff USB Hub 26 | name: sonoff.zigbee 27 | labels: 28 | sonoff.feature.node.kubernetes.io/zigbee: "true" 29 | matchFeatures: 30 | - feature: usb.device 31 | matchExpressions: 32 | class: { op: In, value: ["ff"] } 33 | vendor: { op: In, value: ["10c4"] } 34 | device: { op: In, value: ["ea60"] } 35 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fail_fast: false 3 | repos: 4 | # - repo: https://github.com/adrienverge/yamllint 5 | # rev: v1.26.1 6 | # hooks: 7 | # - args: 8 | # - --config-file 9 | # - .github/lint/.yamllint.yaml 10 | # id: yamllint 11 | - repo: https://github.com/pre-commit/pre-commit-hooks 12 | rev: v6.0.0 
13 | hooks: 14 | - id: trailing-whitespace 15 | - id: end-of-file-fixer 16 | - id: mixed-line-ending 17 | - repo: https://github.com/Lucas-C/pre-commit-hooks 18 | rev: v1.5.5 19 | hooks: 20 | - id: remove-crlf 21 | - id: remove-tabs 22 | - repo: https://github.com/sirosen/fix-smartquotes 23 | rev: 0.2.0 24 | hooks: 25 | - id: fix-smartquotes 26 | - repo: https://github.com/k8s-at-home/sops-pre-commit 27 | rev: v2.1.1 28 | hooks: 29 | - id: forbid-secrets 30 | # - repo: https://github.com/igorshubovych/markdownlint-cli 31 | # rev: v0.28.1 32 | # hooks: 33 | # - id: markdownlint 34 | # args: 35 | # - --config 36 | # - ".github/lint/.markdownlint.yaml" 37 | -------------------------------------------------------------------------------- /infrastructure/node-feature-discovery/values.yaml: -------------------------------------------------------------------------------- 1 | node-feature-discovery: 2 | 3 | worker: 4 | config: 5 | core: 6 | sources: 7 | - custom 8 | - pci 9 | - usb 10 | sources: 11 | usb: 12 | deviceClassWhitelist: 13 | - "02" 14 | - "03" 15 | - "0e" 16 | - "ef" 17 | - "fe" 18 | - "ff" 19 | deviceLabelFields: 20 | - "class" 21 | - "vendor" 22 | - "device" 23 | 24 | 25 | annotations: 26 | configmap.reloader.stakater.com/reload: "nfd-worker-conf" 27 | tolerations: 28 | # - key: arm 29 | # operator: Exists 30 | - key: arm64 31 | operator: Exists 32 | - key: "node-role.kubernetes.io/master" 33 | operator: "Exists" 34 | # - effect: "NoExecute" 35 | # operator: "Exists" 36 | - effect: "NoSchedule" 37 | operator: "Exists" 38 | master: 39 | replicaCount: 1 40 | tolerations: 41 | # - key: arm 42 | # operator: Exists 43 | - key: arm64 44 | operator: Exists 45 | 46 | -------------------------------------------------------------------------------- /main/homelab/planka/templates/planka-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: 
planka-secret 5 | namespace: default 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: planka-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | SECRET_KEY: '{{ printf "{{ .planka_secret_key }}" }}' 17 | DEFAULT_ADMIN_EMAIL: '{{ printf "{{ .planka_admin_email }}" }}' 18 | DEFAULT_ADMIN_PASSWORD: '{{ printf "{{ .planka_secret_key }}" }}' 19 | DEFAULT_ADMIN_NAME: 'Roger Rumao' 20 | DEFAULT_ADMIN_USERNAME: '{{ printf "{{ .planka_admin_username }}" }}' 21 | DATABASE_PASS: '{{ printf "{{ .planka_password }}" }}' 22 | DATABASE_USER: '{{ printf "{{ .planka_username }}" }}' 23 | DATABASE_URL: '{{ printf "postgresql://{{ .planka_username }}:{{ .planka_password }}@postgres-lb.kube-system.svc.cluster.local:5432/planka?sslmode=no-verify" }}' 24 | dataFrom: 25 | - extract: 26 | key: postgres-config 27 | - extract: 28 | key: planka-config 29 | -------------------------------------------------------------------------------- /infrastructure/intel-gpu-plugins/values.yaml: -------------------------------------------------------------------------------- 1 | 2 | intel-gpu-exporter: 3 | controller: 4 | type: daemonset 5 | image: 6 | repository: ghcr.io/onedr0p/intel-gpu-exporter 7 | tag: rolling@sha256:90a95483bf5d3752f4db2ab2e1663f19bba307fd832bf53557cbdc38c3701f84 8 | service: 9 | main: 10 | ports: 11 | http: 12 | port: 8080 13 | serviceMonitor: 14 | main: 15 | enabled: true 16 | endpoints: 17 | - port: http 18 | scheme: http 19 | path: /metrics 20 | interval: 1m 21 | scrapeTimeout: 10s 22 | relabelings: 23 | - sourceLabels: [__meta_kubernetes_pod_node_name] 24 | targetLabel: node 25 | securityContext: 26 | privileged: true 27 | nodeSelector: 28 | intel.feature.node.kubernetes.io/gpu: "true" 29 | resources: 30 | requests: 31 | gpu.intel.com/i915: 1 32 | cpu: 100m 33 | memory: 100Mi 34 | limits: 35 | gpu.intel.com/i915: 1 36 | memory: 500Mi 37 | 38 | intel-device-plugins-gpu: 39 | name: 
intel-gpu-plugins 40 | sharedDevNum: 3 41 | nodeFeatureRule: true 42 | 43 | #intel-device-plugins-operator: 44 | -------------------------------------------------------------------------------- /archive/heimdall/values.yaml: -------------------------------------------------------------------------------- 1 | app-template: 2 | env: 3 | TZ: "America/Chicago" 4 | PGID: "1000" 5 | PUID: "1000" 6 | 7 | image: 8 | repository: linuxserver/heimdall 9 | tag: 2.6.1 10 | 11 | service: 12 | main: 13 | enabled: true 14 | ports: 15 | http: 16 | port: &port 80 17 | ingress: 18 | main: 19 | enabled: true 20 | annotations: 21 | kubernetes.io/ingress.class: nginx 22 | cert-manager.io/issuer: step-issuer 23 | cert-manager.io/issuer-kind: StepClusterIssuer 24 | cert-manager.io/issuer-group: certmanager.step.sm 25 | cert-manager.io/revision-history-limit: "3" 26 | cert-manager.io/duration: "2160h" 27 | cert-manager.io/renew-before: "720h" 28 | hosts: 29 | - host: home.rsr.net 30 | paths: 31 | - path: / 32 | pathType: Prefix 33 | tls: 34 | - hosts: 35 | - home.rsr.net 36 | secretName: home-cert-tls 37 | 38 | persistence: 39 | config: 40 | enabled: true 41 | storageClass: "longhorn" 42 | accessMode: ReadWriteOnce 43 | size: "1Gi" 44 | skipuninstall: true 45 | -------------------------------------------------------------------------------- /archive/change-detection/values.yaml: -------------------------------------------------------------------------------- 1 | app-template: 2 | image: 3 | repository: ghcr.io/dgtlmoon/changedetection.io 4 | tag: 0.45.8.1 5 | pullPolicy: IfNotPresent 6 | 7 | env: 8 | TZ: "America/Chicago" 9 | 10 | service: 11 | main: 12 | ports: 13 | http: 14 | port: 5000 15 | 16 | ingress: 17 | main: 18 | enabled: true 19 | annotations: 20 | kubernetes.io/ingress.class: nginx 21 | cert-manager.io/issuer: step-issuer 22 | cert-manager.io/issuer-kind: StepClusterIssuer 23 | cert-manager.io/issuer-group: certmanager.step.sm 24 | cert-manager.io/revision-history-limit: "3" 25 
| cert-manager.io/duration: "2160h" 26 | cert-manager.io/renew-before: "720h" 27 | hosts: 28 | - host: change.rsr.net 29 | paths: 30 | - path: / 31 | pathType: Prefix 32 | tls: 33 | - hosts: 34 | - change.rsr.net 35 | secretName: change-cert-tls 36 | 37 | persistence: 38 | data: 39 | enabled: true 40 | storageClass: "longhorn" 41 | accessMode: ReadWriteOnce 42 | skipuninstall: true 43 | size: 1Gi 44 | 45 | -------------------------------------------------------------------------------- /infrastructure/cloudnative-pg/templates/postgres-superuser-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: postgres-superuser-secret 5 | namespace: default 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: postgres-superuser-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | type: kubernetes.io/basic-auth 16 | metadata: 17 | labels: 18 | cnpg.io/reload: "true" 19 | dataFrom: 20 | - extract: 21 | key: postgres-superuser 22 | --- 23 | apiVersion: external-secrets.io/v1 24 | kind: ExternalSecret 25 | metadata: 26 | name: postgres-superuser-secret 27 | namespace: kube-system 28 | spec: 29 | secretStoreRef: 30 | kind: ClusterSecretStore 31 | name: onepassword-connect 32 | target: 33 | name: postgres-superuser-secret 34 | creationPolicy: Owner 35 | template: 36 | engineVersion: v2 37 | type: kubernetes.io/basic-auth 38 | metadata: 39 | labels: 40 | cnpg.io/reload: "true" 41 | dataFrom: 42 | - extract: 43 | key: postgres-superuser 44 | -------------------------------------------------------------------------------- /main/monitoring/pushgateway/values.yaml: -------------------------------------------------------------------------------- 1 | prometheus-pushgateway: 2 | fullnameOverride: pushgateway 3 | 4 | ingress: 5 | enabled: true 6 | className: nginx 7 | annotations: 8 
| cert-manager.io/issuer: step-issuer 9 | cert-manager.io/issuer-kind: StepClusterIssuer 10 | cert-manager.io/issuer-group: certmanager.step.sm 11 | cert-manager.io/revision-history-limit: "3" 12 | cert-manager.io/duration: "2160h" 13 | cert-manager.io/renew-before: "720h" 14 | hosts: 15 | - pushgateway.rsr.net 16 | tls: 17 | - hosts: 18 | - pushgateway.rsr.net 19 | secretName: pushgateway-cert-tls 20 | 21 | route: 22 | main: 23 | enabled: true 24 | annotations: 25 | gethomepage.dev/enabled: "true" 26 | gethomepage.dev/group: Monitoring 27 | gethomepage.dev/icon: prometheus 28 | gethomepage.dev/name: Pushgateway 29 | parentRefs: 30 | - name: internal 31 | namespace: kube-system 32 | 33 | hostnames: 34 | - pushgateway.rsr.net 35 | 36 | serviceMonitor: 37 | enabled: true 38 | additionalLabels: 39 | app: prometheus-operator 40 | release: prometheus 41 | -------------------------------------------------------------------------------- /infrastructure/envoy-gateway/templates/gateways/gateway-public.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/gateway_v1.json 3 | # Gateway for public/internet DNS records (Cloudflare) 4 | # Routes referencing this gateway will have DNS records pointing to techbuzzworld.com (router public IP) 5 | apiVersion: gateway.networking.k8s.io/v1 6 | kind: Gateway 7 | metadata: 8 | name: public 9 | namespace: kube-system 10 | spec: 11 | gatewayClassName: eg-standard 12 | infrastructure: 13 | annotations: 14 | #lbipam.cilium.io/ips: "192.168.100.152" 15 | metallb.universe.tf/loadBalancerIPs: "192.168.100.152" 16 | listeners: 17 | - name: http 18 | protocol: HTTP 19 | port: 80 20 | hostname: "*.techbuzzworld.com" 21 | allowedRoutes: 22 | namespaces: 23 | from: All 24 | - name: https 25 | protocol: HTTPS 26 | port: 443 27 | hostname: "*.techbuzzworld.com" 28 | allowedRoutes: 29 | namespaces: 30 | from: All 
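31 | tls: 32 | certificateRefs: 33 | - kind: Secret 34 | name: acme-crt-secret 35 | namespace: cert-manager 36 | -------------------------------------------------------------------------------- /setup/bootstrap-objects.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Bootstrap the few secrets that cannot be stored in git and must exist before
# Argo CD and external-secrets take over. Credentials are read from
# setup/.env (expected to be git-ignored) and applied with kubectl against
# setup/kubeconfig.
set -euo pipefail

REPO_ROOT=$(git rev-parse --show-toplevel)

# Print $* to stderr and abort.
die() {
  echo "$*" 1>&2
  exit 1
}

# Abort unless the binary named by $1 is on PATH. `command -v` is POSIX;
# `which` is not guaranteed to be installed and its exit status is not portable.
need() {
  command -v "$1" >/dev/null 2>&1 || die "Binary '$1' is missing but required"
}

need "kubectl"

# Print a banner with $1 as its heading.
message() {
  echo -e "\n######################################################################"
  echo "# $1"
  echo "######################################################################"
}

# Expand environment variables in each manifest given as an argument and apply
# it. The original `envsubst < "$@"` is an ambiguous redirect as soon as more
# than one file is passed; iterating applies every argument.
kapply() {
  local file output
  for file in "$@"; do
    if output=$(envsubst < "$file"); then
      printf '%s' "$output" | kubectl apply -f -
    fi
  done
}

# Create the manually managed secrets in kube-system.
installManualObjects() {
  # shellcheck source=/dev/null
  . "$REPO_ROOT"/setup/.env
  # Fail early with a clear message instead of creating half-empty secrets.
  : "${VAULT_KMS_ACCOUNT_JSON:?must be set in setup/.env}"
  : "${DOCKER_USERNAME:?must be set in setup/.env}"
  : "${DOCKER_TOKEN:?must be set in setup/.env}"
  : "${EMAIL:?must be set in setup/.env}"

  message "installing manual secrets and objects"

  ##########
  # secrets
  ##########
  # The service-account JSON is fed to kubectl on stdin rather than as a
  # --from-literal argument: the original `$(echo $VAULT_KMS_ACCOUNT_JSON)`
  # word-split and glob-expanded the JSON, and put the whole credential on the
  # command line where `ps` can read it. Generating the object with a client
  # dry-run and piping it to `kubectl apply` also makes the script re-runnable;
  # `create` fails with AlreadyExists on a second run.
  printf '%s' "$VAULT_KMS_ACCOUNT_JSON" \
    | kubectl -n kube-system create secret generic kms-vault \
        --from-file=account.json=/dev/stdin --dry-run=client -o yaml \
    | kubectl apply -f -

  # Registry credentials. Quoting the variables keeps a token containing
  # spaces or glob characters intact; the token is still an argument of the
  # local dry-run kubectl process, which is the remaining exposure here.
  kubectl -n kube-system create secret docker-registry registry-creds-secret \
    --docker-username="$DOCKER_USERNAME" \
    --docker-password="$DOCKER_TOKEN" \
    --docker-email="$EMAIL" \
    --dry-run=client -o yaml \
    | kubectl apply -f -
}

export KUBECONFIG="$REPO_ROOT/setup/kubeconfig"
installManualObjects

message "all done!"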
44 | -------------------------------------------------------------------------------- /infrastructure/envoy-gateway/templates/gateways/gateway-internal.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/gateway_v1.json 3 | # Gateway for internal/local DNS records (piHole) 4 | # Routes referencing this gateway will have DNS records pointing to 192.168.100.151 (local gateway IP) 5 | # This provides ISP outage resilience by allowing local DNS resolution 6 | apiVersion: gateway.networking.k8s.io/v1 7 | kind: Gateway 8 | metadata: 9 | name: internal 10 | namespace: kube-system 11 | spec: 12 | gatewayClassName: eg-standard 13 | infrastructure: 14 | annotations: 15 | #lbipam.cilium.io/ips: "192.168.100.151" 16 | metallb.universe.tf/loadBalancerIPs: "192.168.100.151" 17 | listeners: 18 | - name: http 19 | protocol: HTTP 20 | port: 80 21 | hostname: "*.rsr.net" 22 | allowedRoutes: 23 | namespaces: 24 | from: All 25 | - name: https 26 | protocol: HTTPS 27 | port: 443 28 | hostname: "*.rsr.net" 29 | allowedRoutes: 30 | namespaces: 31 | from: All 32 | tls: 33 | certificateRefs: 34 | - kind: Secret 35 | name: rsr-crt-secret 36 | namespace: cert-manager 37 | -------------------------------------------------------------------------------- /main/homelab/external-ingress/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: external-ingress 3 | description: A Helm chart for Kubernetes 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. 
They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 0.1.0 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | # It is recommended to use it with quotes. 24 | appVersion: "1.16.0" 25 | -------------------------------------------------------------------------------- /main/homelab/external-route/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: external-route 3 | description: A Helm chart for Kubernetes 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 
17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 0.1.0 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | # It is recommended to use it with quotes. 24 | appVersion: "1.16.0" 25 | -------------------------------------------------------------------------------- /main/monitoring/templates/argo-helm-secrets.yaml: -------------------------------------------------------------------------------- 1 | {{- $files := .Files }} 2 | {{- range $index, $app := .Values.applications }} 3 | {{- if and $app.helm $app.helm.secrets $app.helm.secrets.enabled }} 4 | {{ $filePath := printf "%s/%s" $app.name "secret-helm-values.yaml" }} 5 | --- 6 | apiVersion: external-secrets.io/v1 7 | kind: ExternalSecret 8 | metadata: 9 | name: {{ $app.name }}-helm-values 10 | namespace: argocd 11 | labels: 12 | app.kubernetes.io/instance: {{ $.Release.Name }} # Add this! 
13 | app.kubernetes.io/part-of: {{ $.Release.Name }} 14 | annotations: 15 | {{- if index $app "sync-wave" }} 16 | argocd.argoproj.io/sync-wave: {{ sub (index $app "sync-wave") 1 | quote}} 17 | {{- end }} 18 | spec: 19 | secretStoreRef: 20 | kind: ClusterSecretStore 21 | name: onepassword-connect 22 | target: 23 | name: {{ $app.name }}-helm-values 24 | creationPolicy: Owner 25 | deletionPolicy: Merge 26 | template: 27 | engineVersion: v2 28 | data: 29 | # multiline string 30 | {{ $app.name }}.yml: |- 31 | {{ $files.Get $filePath | indent 10 }} 32 | dataFrom: 33 | {{- range $adIndx, $key := $app.helm.secrets.keys }} 34 | - extract: 35 | key: {{$key}} 36 | {{- end }} 37 | {{- end }} 38 | {{- end }} 39 | -------------------------------------------------------------------------------- /.github/workflows/publish-docs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Publish docs via GitHub Pages 3 | 4 | on: # yamllint disable-line rule:truthy 5 | workflow_dispatch: 6 | push: 7 | branches: 8 | - main 9 | paths: 10 | - ".github/workflows/publish-docs.yaml" 11 | - "mkdocs.yaml" 12 | - "docs/**" 13 | 14 | jobs: 15 | publish-docs: 16 | runs-on: ubuntu-24.04 17 | if: github.event.pull_request.head.repo.fork == false 18 | steps: 19 | - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 20 | - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6 21 | with: 22 | python-version: 3.x 23 | - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6 24 | with: 25 | python-version: 3.x 26 | - run: | 27 | git config user.name "${GITHUB_ACTOR}" 28 | git config user.email "${GITHUB_ACTOR}@users.noreply.github.com" 29 | - run: | 30 | pip install \ 31 | mkdocs>=1.1 \ 32 | mkdocs-macros-plugin >=0.5 \ 33 | mkdocs-material >=1.0 \ 34 | mkdocs-minify-plugin>=0.3 \ 35 | mkdocs-redirects>=1.0 \ 36 | pymdown-extensions==7.1 37 | - run: mkdocs gh-deploy --config-file ./mkdocs.yaml --force 
38 | -------------------------------------------------------------------------------- /main/homelab/nomie/values.yaml: -------------------------------------------------------------------------------- 1 | app-template: 2 | controllers: 3 | nomie: 4 | containers: 5 | app: 6 | image: 7 | repository: ghcr.io/rogerrum/docker-nomie6-oss 8 | tag: 6.3.0 9 | env: 10 | TZ: "America/Chicago" 11 | 12 | service: 13 | app: 14 | controller: nomie 15 | ports: 16 | http: 17 | port: 80 18 | primary: true 19 | 20 | ingress: 21 | app: 22 | annotations: 23 | gethomepage.dev/enabled: "true" 24 | gethomepage.dev/group: Home 25 | gethomepage.dev/icon: nomie 26 | gethomepage.dev/name: Nomie 27 | kubernetes.io/ingress.class: nginx 28 | cert-manager.io/issuer: step-issuer 29 | cert-manager.io/issuer-kind: StepClusterIssuer 30 | cert-manager.io/issuer-group: certmanager.step.sm 31 | cert-manager.io/revision-history-limit: "3" 32 | cert-manager.io/duration: "2160h" 33 | cert-manager.io/renew-before: "720h" 34 | hosts: 35 | - host: nomie.rsr.net 36 | paths: 37 | - path: / 38 | service: 39 | identifier: app 40 | port: http 41 | tls: 42 | - hosts: 43 | - nomie.rsr.net 44 | secretName: nomie-cert-tls 45 | -------------------------------------------------------------------------------- /main/monitoring/unifi-poller/values.yaml: -------------------------------------------------------------------------------- 1 | app-template: 2 | 3 | image: 4 | repository: ghcr.io/k8s-at-home/unpoller 5 | tag: 2.1.3 6 | 7 | service: 8 | main: 9 | enabled: true 10 | ports: 11 | http: 12 | enabled: false 13 | metrics: 14 | port: &port 9130 15 | 16 | env: 17 | TZ: "America/Chicago" 18 | UP_UNIFI_DEFAULT_ROLE: "homelab-controller" 19 | UP_UNIFI_DEFAULT_URL: 20 | valueFrom: 21 | secretKeyRef: 22 | name: unifi-poller-secret 23 | key: UNIFI_URL 24 | UP_UNIFI_DEFAULT_VERIFY_SSL: false 25 | UP_UNIFI_DEFAULT_USER: 26 | valueFrom: 27 | secretKeyRef: 28 | name: unifi-poller-secret 29 | key: UNIFI_USER 30 | 
UP_UNIFI_DEFAULT_PASS: 31 | valueFrom: 32 | secretKeyRef: 33 | name: unifi-poller-secret 34 | key: UNIFI_PASSWORD 35 | UP_UNIFI_DEFAULT_SAVE_SITES: true 36 | UP_UNIFI_DEFAULT_SAVE_DPI: false 37 | UP_INFLUXDB_DISABLE: true 38 | UP_PROMETHEUS_DISABLE: false 39 | UP_PROMETHEUS_NAMESPACE: "unifipoller" 40 | 41 | serviceMonitor: 42 | main: 43 | enabled: true 44 | endpoints: 45 | - port: metrics 46 | path: /metrics 47 | interval: 1m 48 | scrapeTimeout: 30s 49 | 50 | 51 | 52 | 53 | 54 | -------------------------------------------------------------------------------- /archive/vault/vault/values.yaml: -------------------------------------------------------------------------------- 1 | vault: 2 | server: 3 | dataStorage: 4 | enabled: true 5 | storageClass: "longhorn" 6 | extraEnvironmentVars: 7 | GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-vault/account.json 8 | extraVolumes: 9 | - type: secret 10 | name: kms-vault 11 | path: /vault/userconfig 12 | tolerations: | 13 | - key: "arm64" 14 | operator: "Exists" 15 | resources: 16 | requests: 17 | memory: 256Mi 18 | cpu: 250m 19 | limits: 20 | memory: 256Mi 21 | standalone: 22 | enabled: false 23 | ha: 24 | enabled: true 25 | replicas: 3 26 | raft: 27 | enabled: true 28 | setNodeId: true 29 | config: | 30 | ui = true 31 | listener "tcp" { 32 | tls_disable = 1 33 | address = "[::]:8200" 34 | cluster_address = "[::]:8201" 35 | } 36 | storage "raft" { 37 | path = "/vault/data" 38 | } 39 | seal "gcpckms" { 40 | project = "vault-303307" 41 | region = "global" 42 | key_ring = "vault-unseal" 43 | crypto_key = "vault-key" 44 | } 45 | service_registration "kubernetes" {} 46 | ui: 47 | enabled: true 48 | serviceType: "ClusterIP" 49 | -------------------------------------------------------------------------------- /main/homelab/openttd/values.yaml: -------------------------------------------------------------------------------- 1 | app-template: 2 | image: 3 | repository: ghcr.io/rogerrum/docker-openttd 4 | tag: "14.1" 5 | 
pullPolicy: IfNotPresent 6 | 7 | service: 8 | main: 9 | ports: 10 | http: 11 | port: 3000 12 | 13 | ingress: 14 | main: 15 | enabled: true 16 | annotations: 17 | gethomepage.dev/enabled: "true" 18 | gethomepage.dev/group: Home 19 | gethomepage.dev/icon: https://raw.githubusercontent.com/rogerrum/icons/refs/heads/main/images/openttd.svg 20 | gethomepage.dev/name: OpenTTD 21 | kubernetes.io/ingress.class: nginx 22 | cert-manager.io/issuer: step-issuer 23 | cert-manager.io/issuer-kind: StepClusterIssuer 24 | cert-manager.io/issuer-group: certmanager.step.sm 25 | cert-manager.io/revision-history-limit: "3" 26 | cert-manager.io/duration: "2160h" 27 | cert-manager.io/renew-before: "720h" 28 | hosts: 29 | - host: ttd.rsr.net 30 | paths: 31 | - path: / 32 | pathType: Prefix 33 | tls: 34 | - hosts: 35 | - ttd.rsr.net 36 | secretName: ttd-cert-tls 37 | 38 | persistence: 39 | config: 40 | enabled: true 41 | storageClass: "longhorn" 42 | accessMode: ReadWriteOnce 43 | skipuninstall: true 44 | size: 1Gi 45 | -------------------------------------------------------------------------------- /.github/renovate/grafanaDashboards.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | customDatasources: { 4 | "grafana-dashboards": { 5 | defaultRegistryUrlTemplate: "https://grafana.com/api/dashboards/{{packageName}}", 6 | format: "json", 7 | transformTemplates: ['{"releases":[{"version": $string(revision)}]}'], 8 | }, 9 | }, 10 | customManagers: [ 11 | { 12 | customType: "regex", 13 | description: "Process Grafana dashboards", 14 | fileMatch: ["./.+\\.yaml$"], 15 | matchStrings: [ 16 | '# renovate: dashboardName="(?<depName>.*)"\\n(?<indentation>\\s+)gnetId: (?<packageName>\\d+)\\n.+revision: (?<currentValue>\\d+)', 17 | ], 18 | autoReplaceStringTemplate: '# renovate: dashboardName="{{{depName}}}"\n{{{indentation}}}gnetId: {{{packageName}}}\n{{{indentation}}}revision: {{{newValue}}}', 19 | datasourceTemplate: 
"custom.grafana-dashboards", 20 | versioningTemplate: "regex:^(?\\d+)$", 21 | }, 22 | ], 23 | packageRules: [ 24 | { 25 | addLabels: ["renovate/grafana-dashboard"], 26 | matchDatasources: ["custom.grafana-dashboards"], 27 | matchUpdateTypes: ["major"], 28 | semanticCommitScope: "grafana-dashboards", 29 | semanticCommitType: "chore", 30 | commitMessageTopic: "dashboard {{depName}}", 31 | commitMessageExtra: "( {{currentVersion}} → {{newVersion}} )", 32 | }, 33 | ], 34 | } -------------------------------------------------------------------------------- /archive/grocy/values.yaml: -------------------------------------------------------------------------------- 1 | app-template: 2 | image: 3 | repository: linuxserver/grocy 4 | tag: 4.2.0 5 | env: 6 | TZ: "America/Chicago" 7 | PGID: "1000" 8 | PUID: "1000" 9 | 10 | service: 11 | main: 12 | enabled: true 13 | ports: 14 | http: 15 | port: &port 80 16 | 17 | ingress: 18 | main: 19 | enabled: true 20 | annotations: 21 | gethomepage.dev/enabled: "true" 22 | gethomepage.dev/group: Home 23 | gethomepage.dev/icon: grocy 24 | gethomepage.dev/name: Grocy 25 | kubernetes.io/ingress.class: nginx 26 | cert-manager.io/issuer: step-issuer 27 | cert-manager.io/issuer-kind: StepClusterIssuer 28 | cert-manager.io/issuer-group: certmanager.step.sm 29 | cert-manager.io/revision-history-limit: "3" 30 | cert-manager.io/duration: "2160h" 31 | cert-manager.io/renew-before: "720h" 32 | hosts: 33 | - host: grocy.rsr.net 34 | paths: 35 | - path: / 36 | pathType: Prefix 37 | tls: 38 | - hosts: 39 | - grocy.rsr.net 40 | secretName: grocy-cert-tls 41 | persistence: 42 | config: 43 | enabled: true 44 | storageClass: "longhorn" 45 | accessMode: ReadWriteOnce 46 | size: "1Gi" 47 | skipuninstall: true 48 | viewcache: 49 | enabled: true 50 | type: emptyDir 51 | mountPath: /config/data/viewcache 52 | -------------------------------------------------------------------------------- /main/homelab/frigate/templates/noauth-ingress.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | annotations: 5 | kubernetes.io/ingress.class: "nginx" 6 | nginx.ingress.kubernetes.io/use-regex: "true" 7 | labels: 8 | app.kubernetes.io/instance: frigate 9 | app.kubernetes.io/name: frigate 10 | name: frigate-noauth 11 | namespace: default 12 | spec: 13 | rules: 14 | - host: {{ .Values.externalHostName }} 15 | http: 16 | paths: # NOTE(review): these regex paths (use-regex) bypass whatever auth the main frigate ingress applies, so a guessable event id is the only "credential" for clips/snapshots; none of the patterns is anchored and ".*" crosses path segments, so tighten them to e.g. "/api/events/[^/]+/clip\.mp4$" (same for the three below). ingress-nginx documents regex paths with pathType ImplementationSpecific, and controllers with strict path-type validation reject regex characters under Prefix 17 | - path: /api/events/.*/clip\.mp4 18 | pathType: Prefix 19 | backend: 20 | service: 21 | name: frigate 22 | port: 23 | name: http 24 | - path: /api/events/.*/thumbnail\.jpg 25 | pathType: Prefix 26 | backend: 27 | service: 28 | name: frigate 29 | port: 30 | name: http 31 | - path: /api/events/.*/snapshot\.jpg 32 | pathType: Prefix 33 | backend: 34 | service: 35 | name: frigate 36 | port: 37 | name: http 38 | - path: /api/events/.*/preview\.gif 39 | pathType: Prefix 40 | backend: 41 | service: 42 | name: frigate 43 | port: 44 | name: http 45 | tls: # NOTE(review): no secretName, so the controller's default certificate is served for this host unless one is supplied elsewhere — confirm that is intended for an externally reachable hostname 46 | - hosts: 47 | - {{ .Values.externalHostName }} 48 | -------------------------------------------------------------------------------- /infrastructure/tailscale-gateway/values.yaml: -------------------------------------------------------------------------------- 1 | app-template: 2 | 3 | serviceAccount: 4 | tailscale: 5 | staticToken: true 6 | 7 | controllers: 8 | main: 9 | serviceAccount: 10 | identifier: tailscale 11 | 12 | 13 | pod: 14 | enableServiceLinks: false 15 | securityContext: 16 | runAsUser: 1000 17 | runAsGroup: 1000 18 | 19 | containers: 20 | main: 21 | image: 22 | repository: ghcr.io/tailscale/tailscale 23 | tag: v1.92.4 24 | env: 25 | TZ: "America/Chicago" 26 | TS_KUBE_SECRET: "tailscale-auth" 27 | SA_NAME: tailscale 28 | TS_USERSPACE: "true" # NOTE(review): the two settings below advertise the whole 192.168.1.0/24 LAN as a subnet route plus an exit node; which tailnet identities may use them is decided by tailnet ACLs and route approval, neither of which lives in this repo — keep those restricted, because every approved device gets LAN reach through this pod 29 | TS_ROUTES: "192.168.1.0/24" 30 | TS_EXTRA_ARGS: "--advertise-exit-node" 31 | envFrom: 32 | - secretRef: 33 | name: tailscale-auth 34 | probes: 35 | liveness: 36 | enabled: false 
37 | readiness: 38 | enabled: false 39 | startup: 40 | enabled: false 41 | 42 | 43 | resources: 44 | requests: 45 | cpu: 12m 46 | memory: 128M 47 | limits: 48 | memory: 512M 49 | 50 | service: 51 | main: 52 | enabled: false 53 | ports: 54 | http: 55 | port: &port 45387 56 | 57 | 58 | ingress: 59 | main: 60 | enabled: false 61 | -------------------------------------------------------------------------------- /infrastructure/oauth2-proxy/values.yaml: -------------------------------------------------------------------------------- 1 | oauth2-proxy: 2 | image: 3 | registry: "quay.io" 4 | repository: "oauth2-proxy/oauth2-proxy" 5 | tag: "v7.12.0" 6 | replicaCount: 2 7 | # tolerations: 8 | # - key: "arm" 9 | # operator: "Exists" 10 | ingress: 11 | enabled: true 12 | path: /oauth2 13 | hosts: [ auth.rsr.net ] 14 | annotations: 15 | kubernetes.io/ingress.class: nginx 16 | cert-manager.io/issuer: step-issuer 17 | cert-manager.io/issuer-kind: StepClusterIssuer 18 | cert-manager.io/issuer-group: certmanager.step.sm 19 | cert-manager.io/revision-history-limit: "3" 20 | cert-manager.io/duration: "2160h" 21 | cert-manager.io/renew-before: "720h" 22 | tls: 23 | - hosts: 24 | - auth.rsr.net 25 | secretName: oauth2-proxy-cert-tls 26 | extraArgs: 27 | provider: oidc 28 | oidc-issuer-url: "https://rogerrum.us.auth0.com/" 29 | skip-provider-button: 30 | pass-authorization-header: 31 | email-domain: "*" # NOTE(review): "*" authorizes every account the Auth0 tenant will authenticate, so authorization rests entirely on the tenant (self-signup must be off, or a tenant rule must gate it); otherwise anyone can mint a session valid for every *.rsr.net app behind this proxy. Prefer an explicit allow-list here (authenticated-emails-file or allowed-group). pass-authorization-header above also forwards the IdP token to every upstream, so each proxied app receives it 32 | cookie-domain: ".rsr.net" 33 | whitelist-domain: ".rsr.net" 34 | 35 | affinity: 36 | podAntiAffinity: 37 | requiredDuringSchedulingIgnoredDuringExecution: 38 | - labelSelector: 39 | matchExpressions: 40 | - key: app.kubernetes.io/name 41 | operator: In 42 | values: 43 | - oauth2-proxy 44 | topologyKey: "kubernetes.io/hostname" 45 | 46 | config: 47 | existingSecret: oauth2-proxy-secret 48 | -------------------------------------------------------------------------------- /main/homelab/tesla-dashcam/values.yaml: 
-------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/common-3.0.1/charts/library/common/values.schema.json 2 | app-template: 3 | controllers: 4 | main: 5 | containers: 6 | main: 7 | image: 8 | repository: billimek/tesla_dashcam 9 | tag: 0.1.21-2@sha256:784c5542d28003b9d17e5c6fa015d8f340572422a27de932c502760e4a089eef 10 | env: 11 | TZ: America/Chicago 12 | args: ["--delete_source", "--skip_existing", "--monitor", "--monitor_trigger", "/input/ARCHIVE_UPLOADED", "--motion_only", "--output", "/output", "/input/SentryClips", "/input/SavedClips"] 13 | probes: 14 | liveness: &probes 15 | enabled: false 16 | readiness: *probes 17 | startup: 18 | enabled: false 19 | securityContext: 20 | fsGroup: 1001 21 | pod: 22 | nodeSelector: 23 | google.feature.node.kubernetes.io/coral: "true" 24 | intel.feature.node.kubernetes.io/gpu: "true" 25 | securityContext: 26 | fsGroup: 1001 27 | 28 | 29 | persistence: 30 | telsa: 31 | existingClaim: nas-tesla-pvc 32 | globalMounts: 33 | - path: /input 34 | media: 35 | existingClaim: nas-media-pvc 36 | advancedMounts: 37 | main: 38 | main: 39 | - path: /output 40 | readOnly: false 41 | subPath: Videos/tesla_dashcam/ 42 | -------------------------------------------------------------------------------- /main/monitoring/grafana/templates/grafana-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: external-secrets.io/v1 2 | kind: ExternalSecret 3 | metadata: 4 | name: grafana-secret 5 | namespace: monitoring 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: grafana-secret 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | data: 16 | GF_DATABASE_USER: "{{ printf "{{.grafana_username }}" }}" 17 | GF_DATABASE_PASSWORD: "{{ printf "{{.grafana_password }}" }}" 18 | GF_DATABASE_HOST: 
postgres-lb.kube-system.svc.cluster.local:5432 19 | GF_DATABASE_NAME: grafana 20 | GF_DATABASE_SSL_MODE: disable # NOTE(review): Grafana talks to the shared Postgres LB in cleartext; acceptable only if the cluster network is trusted — CloudNative-PG issues a server certificate by default, so "require"/"verify-full" should be reachable 21 | GF_DATABASE_TYPE: postgres 22 | GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "{{ printf "{{.grafana_client_id }}" }}" 23 | GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ printf "{{.grafana_client_secret }}" }}" 24 | TESLAMATE_DB_PASSWORD: "{{ printf "{{.teslamate_password }}" }}" 25 | # Postgres Init — NOTE(review): this block materializes the Postgres *superuser* password (INIT_POSTGRES_SUPER_PASS, from the postgres-superuser item) into grafana-secret next to Grafana's own credentials; anything that can read or envFrom this Secret gets superuser on the shared cluster, so consider a separate Secret consumed only by the init container 26 | INIT_POSTGRES_DBNAME: grafana 27 | INIT_POSTGRES_HOST: postgres-lb.kube-system.svc.cluster.local 28 | INIT_POSTGRES_SUPER_PASS: "{{ printf "{{.password }}" }}" 29 | INIT_POSTGRES_PASS: "{{ printf "{{.grafana_password }}" }}" 30 | INIT_POSTGRES_USER: "{{ printf "{{.grafana_username }}" }}" 31 | 32 | dataFrom: 33 | - extract: 34 | key: auth0-config 35 | - extract: 36 | key: postgres-superuser 37 | - extract: 38 | key: postgres-config 39 | -------------------------------------------------------------------------------- /infrastructure/longhorn/values.yaml: -------------------------------------------------------------------------------- 1 | longhorn: 2 | persistence: 3 | defaultClassReplicaCount: "3" 4 | defaultSettings: 5 | defaultReplicaCount: "3" 6 | createDefaultDiskLabeledNodes: true 7 | backupTarget: s3://longhorn@us-east-1/ 8 | backupTargetCredentialSecret: longhorn-backup-secret 9 | storageMinimalAvailablePercentage: "10" 10 | taintToleration: arm64=true:NoExecute 11 | ingress: 12 | enabled: true 13 | host: longhorn.rsr.net 14 | tlsSecret: longhorn-cert 15 | tls: true 16 | annotations: 17 | gethomepage.dev/enabled: "true" 18 | gethomepage.dev/group: Infrastructure 19 | gethomepage.dev/icon: longhorn 20 | gethomepage.dev/name: longhorn 21 | kubernetes.io/ingress.class: nginx 22 | cert-manager.io/issuer: step-issuer 23 | cert-manager.io/issuer-kind: StepClusterIssuer 24 | cert-manager.io/issuer-group: certmanager.step.sm 25 | cert-manager.io/revision-history-limit: "3" 26 | cert-manager.io/duration: "2160h" 27 | cert-manager.io/renew-before: "720h" 28 | # 
nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.kube-system.svc.cluster.local:80/oauth2/auth" 29 | # nginx.ingress.kubernetes.io/auth-signin: "https://auth.rsr.net/oauth2/start" # NOTE(review): with both auth annotations commented out, longhorn.rsr.net is served with no authentication at all, and the Longhorn UI has none of its own (it can delete volumes, snapshots and backups); re-enable these, or confirm the host is gated by another layer (e.g. the gateway) before leaving it this way 30 | 31 | # Temp fix (currently disabled): pins longhorn-instance-manager/longhorn-manager to v1.7.1-rc2, kept commented for reference 32 | # image: 33 | # longhorn: 34 | # instanceManager: 35 | # repository: longhornio/longhorn-instance-manager 36 | # tag: v1.7.1-rc2 37 | # 38 | # manager: 39 | # repository: longhornio/longhorn-manager 40 | # tag: v1.7.1-rc2 41 | 42 | -------------------------------------------------------------------------------- /main/homelab/oscar/templates/cronjob.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: CronJob 3 | metadata: 4 | name: oscar-downloader 5 | spec: 6 | schedule: "{{ .Values.cron.schedule }}" 7 | concurrencyPolicy: {{ .Values.cron.concurrencyPolicy }} 8 | successfulJobsHistoryLimit: {{ .Values.cron.successfulJobsHistoryLimit }} 9 | failedJobsHistoryLimit: {{ .Values.cron.failedJobsHistoryLimit }} 10 | timeZone: America/Chicago 11 | jobTemplate: 12 | spec: 13 | template: 14 | spec: 15 | containers: 16 | - name: oscar-cron 17 | image: "{{ .Values.cron.image.repository }}:{{ .Values.cron.image.tag }}" 18 | imagePullPolicy: IfNotPresent 19 | securityContext: # NOTE(review): privileged gives this scheduled download job every host capability and device node — effectively root on the arm node — and the reason is not recorded here; if it only needs one device or mount, expose that explicitly (volumeMounts/devices plus a minimal capabilities add) and drop privileged 20 | privileged: true 21 | volumeMounts: 22 | - name: backup 23 | mountPath: /config 24 | subPath: oscar 25 | volumes: 26 | - name: backup 27 | persistentVolumeClaim: 28 | claimName: nas-data-pvc 29 | 30 | restartPolicy: OnFailure 31 | tolerations: 32 | - key: "arm" 33 | operator: "Exists" 34 | affinity: 35 | nodeAffinity: 36 | requiredDuringSchedulingIgnoredDuringExecution: 37 | nodeSelectorTerms: 38 | - matchExpressions: 39 | - key: kubernetes.io/arch 40 | operator: In 41 | values: 42 | - "arm" 43 | 44 | -------------------------------------------------------------------------------- /main/homelab/oscar/values.yaml: -------------------------------------------------------------------------------- 1 | app-template: 2 | image: 3 
| repository: rogerrum/docker-oscar # NOTE(review): a mutable "main" tag with pullPolicy Always means every pod start pulls whatever main points at right now, so an accidental or hostile push to that tag rolls straight into the cluster; pin a release tag or a digest (this repo already pins digests for other images and has a renovate digest rule) — the cron image below floats on "main" too 4 | tag: main 5 | pullPolicy: Always 6 | 7 | service: 8 | main: 9 | ports: 10 | http: 11 | port: 3000 12 | 13 | ingress: 14 | main: 15 | enabled: true 16 | annotations: 17 | gethomepage.dev/enabled: "true" 18 | gethomepage.dev/group: Home 19 | gethomepage.dev/icon: https://raw.githubusercontent.com/rogerrum/icons/refs/heads/main/images/oscar.png 20 | gethomepage.dev/name: Oscar 21 | kubernetes.io/ingress.class: nginx 22 | cert-manager.io/issuer: step-issuer 23 | cert-manager.io/issuer-kind: StepClusterIssuer 24 | cert-manager.io/issuer-group: certmanager.step.sm 25 | cert-manager.io/revision-history-limit: "3" 26 | cert-manager.io/duration: "2160h" 27 | cert-manager.io/renew-before: "720h" 28 | hosts: 29 | - host: oscar.rsr.net 30 | paths: 31 | - path: / 32 | pathType: Prefix 33 | tls: 34 | - hosts: 35 | - oscar.rsr.net 36 | secretName: oscar-cert-tls 37 | 38 | persistence: 39 | data: 40 | enabled: true 41 | existingClaim: "nas-data-pvc" 42 | subPath: "oscar" 43 | mountPath: /config/ 44 | 45 | cron: 46 | image: 47 | repository: rogerrum/docker-oscar-cron 48 | tag: main 49 | 50 | schedule: "0 13 * * *" 51 | concurrencyPolicy: "Forbid" 52 | successfulJobsHistoryLimit: 3 53 | failedJobsHistoryLimit: 5 54 | -------------------------------------------------------------------------------- /.github/renovate/semantic-commits.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [":semanticCommits"], 4 | "packageRules": [ 5 | { 6 | "matchUpdateTypes": ["major"], 7 | "semanticCommitType": "feat", 8 | "commitMessagePrefix": "{{semanticCommitType}}({{semanticCommitScope}})!:", 9 | "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" 10 | }, 11 | { 12 | "matchUpdateTypes": ["minor"], 13 | "semanticCommitType": "feat", 14 | "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" 15 | }, 16 | { 17 | 
"matchUpdateTypes": ["patch"], 18 | "semanticCommitType": "fix", 19 | "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )" 20 | }, 21 | { 22 | "matchUpdateTypes": ["digest"], 23 | "semanticCommitType": "chore", 24 | "commitMessageExtra": "( {{currentDigestShort}} → {{newDigestShort}} )" 25 | }, 26 | { 27 | "matchDatasources": ["docker"], 28 | "semanticCommitScope": "container" 29 | }, 30 | { 31 | "matchDatasources": ["helm"], 32 | "semanticCommitScope": "helm" 33 | }, 34 | { 35 | "matchDatasources": ["terraform-provider"], 36 | "semanticCommitScope": "terraform" 37 | }, 38 | { 39 | "matchDatasources": ["galaxy", "galaxy-collection"], 40 | "semanticCommitScope": "ansible" 41 | }, 42 | { 43 | "matchManagers": ["github-actions"], 44 | "semanticCommitType": "ci", 45 | "semanticCommitScope": "github-action" 46 | } 47 | ] 48 | } -------------------------------------------------------------------------------- /infrastructure/envoy-gateway/values.yaml: -------------------------------------------------------------------------------- 1 | gateway-helm: 2 | config: 3 | envoyGateway: 4 | gateway: 5 | controllerName: gateway.envoyproxy.io/gatewayclass-controller 6 | extensionApis: 7 | enableBackend: true 8 | 9 | 10 | error-pages: 11 | global: 12 | nameOverride: error-pages 13 | controllers: 14 | error-pages: 15 | replicas: 2 16 | strategy: RollingUpdate 17 | containers: 18 | app: 19 | image: 20 | repository: ghcr.io/tarampampam/error-pages 21 | tag: 3.8.0 22 | env: 23 | TEMPLATE_NAME: orient 24 | SHOW_DETAILS: "false" 25 | probes: 26 | liveness: 27 | enabled: true 28 | readiness: 29 | enabled: true 30 | startup: 31 | enabled: true 32 | spec: 33 | failureThreshold: 30 34 | periodSeconds: 5 35 | resources: 36 | requests: 37 | cpu: 5m 38 | memory: 16M 39 | limits: 40 | memory: 32M 41 | securityContext: 42 | runAsNonRoot: true 43 | runAsUser: 65534 44 | runAsGroup: 65534 45 | readOnlyRootFilesystem: true 46 | allowPrivilegeEscalation: false 47 | seccompProfile: 48 | type: 
RuntimeDefault 49 | capabilities: 50 | drop: [ "ALL" ] 51 | 52 | service: 53 | app: 54 | controller: error-pages 55 | ports: 56 | http: 57 | port: 8080 58 | -------------------------------------------------------------------------------- /main/homelab/external-route/templates/external-route.yaml: -------------------------------------------------------------------------------- 1 | {{- $fullName := include "external-route.fullname" . -}} 2 | {{- $labels := include "external-route.labels" . | nindent 4}} 3 | {{- range .Values.apps }} 4 | --- 5 | --- 6 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/gateway.envoyproxy.io/backend_v1alpha1.json 7 | apiVersion: gateway.envoyproxy.io/v1alpha1 8 | kind: Backend 9 | metadata: 10 | name: {{ $fullName }}-{{ .name }} 11 | labels: 12 | {{- $labels}} 13 | spec: 14 | endpoints: 15 | - fqdn: 16 | hostname: {{ .service.externalName }} 17 | port: {{ .port }} # NOTE(review): backendInsecure switches off certificate verification toward the external host, so anything answering on that LAN name/port is accepted as the real device; prefer trusting the device's CA via the Backend tls settings (caCertificateRefs, if the installed Envoy Gateway supports it) and keep insecureSkipVerify only for hosts that truly cannot present a valid certificate 18 | {{ if .backendInsecure }} 19 | tls: 20 | insecureSkipVerify: true 21 | {{ end }} 22 | --- 23 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/gateway.networking.k8s.io/httproute_v1.json 24 | apiVersion: gateway.networking.k8s.io/v1 25 | kind: HTTPRoute 26 | metadata: 27 | name: {{ $fullName }}-{{ .name }} 28 | annotations: 29 | gethomepage.dev/enabled: "true" 30 | gethomepage.dev/group: {{ .homepageGroup }} 31 | gethomepage.dev/icon: {{ .homepageIcon }} 32 | gethomepage.dev/name: {{ .homepageName }} 33 | spec: 34 | parentRefs: 35 | - name: internal 36 | hostnames: 37 | - {{ .host }} 38 | rules: 39 | - matches: 40 | - path: 41 | type: PathPrefix 42 | value: / 43 | backendRefs: 44 | - group: gateway.envoyproxy.io 45 | kind: Backend 46 | name: {{ $fullName }}-{{ .name }} 47 | port: {{ .port }} 48 | {{- end }} 49 | -------------------------------------------------------------------------------- /.github/renovate/autoMerge.json5: 
-------------------------------------------------------------------------------- 1 | { 2 | "packageRules": [ 3 | // auto-updates - daily. NOTE(review): requiredStatusChecks null here (and ignoreTests on the GitHub Actions rule below) means upstream minor/patch releases merge with no CI gate at all, so a compromised upstream image or action tag reaches the cluster unreviewed; add minimumReleaseAge (formerly stabilityDays) to the automerged rules and pin actions to commit SHAs rather than tags 4 | { 5 | "datasources": ["docker"], 6 | "automerge": true, 7 | "automergeType": "branch", 8 | "requiredStatusChecks": null, 9 | "schedule": "after 3am and before 6am", 10 | "updateTypes": ["minor", "patch"], 11 | "packageNames": [ 12 | "homeassistant/home-assistant", 13 | "ghcr.io/home-assistant/home-assistant", 14 | "nodered/node-red", 15 | "ghcr.io/zwave-js/zwave-js-ui", 16 | "codercom/code-server" 17 | ] 18 | }, 19 | { 20 | "datasources": ["helm"], 21 | "automerge": true, 22 | "requiredStatusChecks": null, 23 | "schedule": "after 3am and before 7am", 24 | "updateTypes": ["minor", "patch"], 25 | "packageNames": [ 26 | // "grafana", 27 | "thanos", 28 | "reloader", 29 | "kube-prometheus-stack" 30 | ] 31 | }, 32 | { 33 | "description": "Auto merge GitHub Actions", 34 | "matchManagers": ["github-actions"], 35 | "matchDatasources": ["github-tags"], 36 | "automerge": true, 37 | "ignoreTests": true, 38 | "automergeType": "branch", 39 | "matchUpdateTypes": ["minor", "patch"] 40 | }, 41 | { // NOTE: automerge is false in this rule, so the "Auto merge container digests" description below is stale 42 | "description": "Auto merge container digests", 43 | "matchDatasources": ["docker"], 44 | "automerge": false, 45 | "automergeType": "branch", 46 | "requiredStatusChecks": null, 47 | "matchUpdateTypes": ["digest"], 48 | "matchPackagePattern": ["ghcr.io/onedr0p"], 49 | } 50 | ] 51 | } 52 | 53 | -------------------------------------------------------------------------------- /main/homelab/cyberchef/values.yaml: -------------------------------------------------------------------------------- 1 | app-template: 2 | controllers: 3 | main: 4 | containers: 5 | main: 6 | image: 7 | repository: docker.io/mpepping/cyberchef 8 | tag: v10.19.4 9 | env: 10 | TZ: America/Chicago 11 | service: 12 | main: 13 | controller: main 14 | ports: 15 | http: 16 | port: 8000 17 | 18 | route: 19 | main: 20 | annotations: 21 | gethomepage.dev/enabled: "true" 22 | 
gethomepage.dev/group: Tools 23 | gethomepage.dev/icon: cyberchef 24 | gethomepage.dev/name: Cyberchef 25 | enabled: true 26 | parentRefs: 27 | - name: internal 28 | namespace: kube-system 29 | hostnames: 30 | - tools.rsr.net 31 | rules: 32 | - matches: 33 | - path: 34 | type: PathPrefix 35 | value: / 36 | backendRefs: 37 | - name: cyberchef 38 | port: 8000 39 | 40 | ingress: 41 | main: 42 | enabled: true 43 | className: "nginx" 44 | annotations: 45 | cert-manager.io/issuer: step-issuer 46 | cert-manager.io/issuer-kind: StepClusterIssuer 47 | cert-manager.io/issuer-group: certmanager.step.sm 48 | cert-manager.io/revision-history-limit: "3" 49 | cert-manager.io/duration: "2160h" 50 | cert-manager.io/renew-before: "720h" 51 | hosts: 52 | - host: &host tools.rsr.net 53 | paths: 54 | - path: / 55 | tls: 56 | - hosts: 57 | - *host 58 | secretName: cyberchef-tls 59 | -------------------------------------------------------------------------------- /docs/_snippets/links.jinja2: -------------------------------------------------------------------------------- 1 | {%- set urls = 2 | { 3 | 'repo': { 4 | 'url': 'https://github.com/rogerrum/k8s-gitops' 5 | }, 6 | 'external': { 7 | 'cert-manager': { 8 | 'url': 'https://cert-manager.io' 9 | }, 10 | 'ingress-nginx': { 11 | 'url': 'https://kubernetes.github.io/ingress-nginx/', 12 | 'label': 'NGINX Ingress' 13 | }, 14 | 'k3s': { 15 | 'url': 'https://k3s.io' 16 | }, 17 | 'kah_repo_awesome': { 18 | 'url': 'https://github.com/k8s-at-home/awesome-home-kubernetes', 19 | 'label': 'awesome-home-kubernetes' 20 | }, 21 | 'kah_discord': { 22 | 'url': 'https://discord.gg/k8s-at-home', 23 | 'label': 'Kubernetes @home Discord' 24 | }, 25 | 'kured': { 26 | 'url': 'https://github.com/weaveworks/kured', 27 | 'label': 'Kured' 28 | }, 29 | 'letsencrypt': { 30 | 'url': 'https://letsencrypt.org', 31 | 'label': 'LetsEncrypt' 32 | }, 33 | 'metallb': { 34 | 'url': 'https://metallb.universe.tf/', 35 | 'label': 'Metallb' 36 | } 37 | } 38 | } 39 | -%} 40 | 41 
| {% macro external(name, label) -%} 42 | {% if label %} 43 | [{{ label }}]({{ urls.external[name].url }}){target=\_blank} 44 | {% elif urls.external[name].label %} 45 | [{{ urls.external[name].label }}]({{ urls.external[name].url }}){target=\_blank} 46 | {% else %} 47 | [{{ name }}]({{ urls.external[name].url }}){target=\_blank} 48 | {% endif %} 49 | {%- endmacro %} 50 | 51 | {% macro repoUrl(label, suffix) -%} 52 | [{{ label }}]({{ urls.repo.url }}{% if label %}/{{ suffix }}{% endif %}){target=\_blank} 53 | {%- endmacro %} 54 | -------------------------------------------------------------------------------- /infrastructure/cloudnative-pg/values.yaml: -------------------------------------------------------------------------------- 1 | cloudnative-pg: 2 | 3 | replicaCount: 1 4 | 5 | storage: 6 | size: 20Gi 7 | storageClass: "longhorn" 8 | 9 | superuserSecret: postgres-superuser-secret 10 | 11 | cluster: 12 | name: postgres-v17 13 | image: ghcr.io/cloudnative-pg/postgresql:17.4 14 | 15 | previousCluster: 16 | enabled: false 17 | name: postgres-v17 18 | image: ghcr.io/cloudnative-pg/postgresql:17.4 19 | 20 | activeDatabases: 21 | - mealie 22 | - kanboard 23 | - teslamate 24 | - webtrees 25 | - grafana 26 | - planka 27 | 28 | clusterUpgrade: 29 | enabled: false 30 | newClusterName: postgres-vXX 31 | newClusterImage: ghcr.io/cloudnative-pg/postgresql:17.4 32 | currentClusterName: postgres-v17 33 | 34 | ## 3 step upgrade process: 35 | ## 1. Initial setup - Create new cluster and copy data 36 | ## - Set clusterUpgrade.enabled: true 37 | ## - Set newClusterName to your target version (e.g., postgres-v17) 38 | ## - Set newClusterImage to the desired PostgreSQL version 39 | ## - Set currentClusterName to your existing cluster name 40 | ## - Push changes to create new pods and copy data from current cluster 41 | ## 42 | ## 2. 
Switch to new cluster 43 | ## - After validating the new cluster is working, update cluster.name to match newClusterName 44 | ## - Set clusterUpgrade.enabled: false 45 | ## - Copy current cluster name to previousCluster.name 46 | ## - Set previousCluster.enabled: true 47 | ## - This keeps the old cluster running while testing the new one as primary 48 | ## 49 | ## 3. Clean up old cluster 50 | ## - Once confident the new cluster is stable, set previousCluster.enabled: false 51 | ## - This will remove the old cluster's resources 52 | -------------------------------------------------------------------------------- /infrastructure/cert-manager/templates/cert-manager-letsencrypt.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cert-manager.io/v1 2 | kind: ClusterIssuer 3 | metadata: 4 | name: letsencrypt-test 5 | spec: 6 | acme: 7 | email: roger@techbuzzworld.com 8 | server: https://acme-staging-v02.api.letsencrypt.org/directory 9 | privateKeySecretRef: 10 | name: letsencrypt-test 11 | solvers: 12 | # This selector limits the solver to techbuzzworld.com and *.techbuzzworld.com (only an empty selector would match all domains) 13 | - selector: 14 | dnsNames: 15 | - 'techbuzzworld.com' 16 | - '*.techbuzzworld.com' 17 | dns01: 18 | cloudflare: # NOTE(review): email + apiKeySecretRef means the Cloudflare Global API Key (full account access) is stored in cloudflare-api-key; cert-manager recommends a token scoped to Zone:DNS:Edit for this zone via apiTokenSecretRef instead (same for letsencrypt-prod below) 19 | email: rogerrum@gmail.com 20 | apiKeySecretRef: 21 | name: cloudflare-api-key 22 | key: api-key 23 | --- 24 | apiVersion: cert-manager.io/v1 25 | kind: ClusterIssuer 26 | metadata: 27 | name: letsencrypt-prod 28 | spec: 29 | acme: 30 | email: roger@techbuzzworld.com 31 | server: https://acme-v02.api.letsencrypt.org/directory 32 | privateKeySecretRef: 33 | name: letsencrypt-prod 34 | solvers: 35 | # This selector limits the solver to techbuzzworld.com and *.techbuzzworld.com (only an empty selector would match all domains) 36 | - selector: 37 | dnsNames: 38 | - 'techbuzzworld.com' 39 | - '*.techbuzzworld.com' 40 | dns01: 41 | cloudflare: 42 | email: rogerrum@gmail.com 43 | apiKeySecretRef: 44 | name: cloudflare-api-key 45 | key: api-key 46 | --- 47 | apiVersion: cert-manager.io/v1 48 | kind: 
Certificate 49 | metadata: 50 | name: acme-crt 51 | namespace: cert-manager 52 | spec: 53 | secretName: acme-crt-secret 54 | issuerRef: 55 | name: letsencrypt-prod 56 | kind: ClusterIssuer 57 | dnsNames: 58 | - techbuzzworld.com 59 | - '*.techbuzzworld.com' 60 | -------------------------------------------------------------------------------- /main/logs/victoria-logs/values.yaml: -------------------------------------------------------------------------------- 1 | victoria-logs-single: 2 | server: 3 | fullnameOverride: victoria-logs 4 | retentionPeriod: 14d 5 | persistentVolume: 6 | enabled: true 7 | storageClassName: "longhorn" 8 | size: 20Gi 9 | serviceMonitor: 10 | enabled: true 11 | route: 12 | enabled: true 13 | annotations: 14 | gethomepage.dev/enabled: 'true' 15 | gethomepage.dev/group: Logs 16 | gethomepage.dev/icon: sh-victoriametrics 17 | gethomepage.dev/name: VM-Logs 18 | parentRefs: 19 | - name: internal 20 | namespace: kube-system 21 | hostnames: 22 | - vm-logs.rsr.net 23 | rules: 24 | - matches: 25 | - path: 26 | type: PathPrefix 27 | value: / 28 | backendRefs: 29 | - name: victoria-logs-server 30 | port: 9428 31 | ingress: 32 | enabled: true 33 | ingressClassName: nginx 34 | annotations: 35 | kubernetes.io/ingress.class: nginx 36 | cert-manager.io/issuer: step-issuer 37 | cert-manager.io/issuer-kind: StepClusterIssuer 38 | cert-manager.io/issuer-group: certmanager.step.sm 39 | cert-manager.io/revision-history-limit: "3" 40 | cert-manager.io/duration: "2160h" 41 | cert-manager.io/renew-before: "720h" 42 | hosts: 43 | - name: vm-logs.rsr.net 44 | path: 45 | - / 46 | port: http 47 | tls: 48 | - hosts: 49 | - vm-logs.rsr.net 50 | secretName: vm-logs-cert-tls 51 | 52 | dashboards: 53 | enabled: true 54 | annotations: 55 | grafana_folder: observability 56 | labels: 57 | grafana_dashboard: "1" 58 | -------------------------------------------------------------------------------- /.github/renovate/versioning.json5: 
-------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | packageRules: [ 4 | { 5 | description: "Loose versioning for non-semver packages", 6 | matchDatasources: ["docker"], 7 | matchPackageNames: [ 8 | "ghcr.io/onedr0p/plex", 9 | "ghcr.io/onedr0p/qbittorrent", 10 | ], 11 | versioning: "loose", 12 | }, 13 | // Custom versions 14 | { 15 | "matchDatasources": ["docker"], 16 | "matchPackageNames": ["blakeblackshear/frigate"], 17 | "versioning": "regex:^(?\\d+)\\.(?\\d+)\\.(?\\d+)-(?.*)$" 18 | }, 19 | { 20 | "datasources": ["docker"], 21 | "versionScheme": "regex:^nightly-0\\.(?\\d+)\\.(?\\d+)\\.(?\\d+)$", 22 | "packageNames": ["hotio/readarr"] 23 | }, 24 | { 25 | "datasources": ["docker"], 26 | "versioning": "loose", 27 | "packageNames": ["ghcr.io/onedr0p/plex"] 28 | }, 29 | { 30 | "matchDatasources": ["docker"], 31 | "matchPackageNames": ["docker.io/timberio/vector"], 32 | "versioning": "regex:^(?\\d+)\\.(?\\d+)\\.(?\\d+)-(?.*)$" 33 | }, 34 | { 35 | description: "Custom versioning for http-https-echo", 36 | matchDatasources: ["docker"], 37 | matchPackageNames: ["ghcr.io/mendhak/http-https-echo"], 38 | versioning: "regex:^(?\\d+)$", 39 | }, 40 | { 41 | description: "Custom versioning for Minio", 42 | matchDatasources: ["docker"], 43 | versioning: "regex:^RELEASE\\.(?\\d+)-(?\\d+)-(?\\d+)T.*Z(-(?.*))?$", 44 | matchPackageNames: ["quay.io/minio/minio"], 45 | }, 46 | ], 47 | } 48 | -------------------------------------------------------------------------------- /.github/renovate/groups.json5: -------------------------------------------------------------------------------- 1 | { 2 | packageRules: [ 3 | { 4 | "description": "1Password Group", 5 | "groupName": "1Password", 6 | "matchPackagePatterns": ["1password"], 7 | "matchDatasources": ["docker"], 8 | "group": { 9 | "commitMessageTopic": "{{{groupName}}} group" 10 | }, 11 | "separateMinorPatch": true 12 | }, 13 | { 14 | 
"matchDatasources": ["github-releases"], 15 | "matchPackagePatterns": ["k3s-io/k3s"], 16 | "groupName": "k3s-upgrade-plan", 17 | "additionalBranchPrefix": "", 18 | "separateMinorPatch": true, 19 | "separateMultipleMajor": true 20 | }, 21 | { 22 | "matchDatasources": ["github-tags", "docker"], 23 | "matchPackagePatterns": ["rancher/system-upgrade-controller"], 24 | "groupName": "system-upgrade-controller-suite", 25 | "additionalBranchPrefix": "", 26 | "separateMinorPatch": true 27 | }, 28 | { 29 | description: "Thanos image and chart - versions do not match", 30 | groupName: "Thanos", 31 | matchDatasources: ["docker", "github-releases", "helm"], 32 | matchPackagePatterns: ["quay.io/thanos/thanos", "thanos"], 33 | matchUpdateTypes: ["minor", "patch"], 34 | group: { commitMessageTopic: "{{{groupName}}} group" }, 35 | separateMinorPatch: false, 36 | }, 37 | { 38 | description: "Vector image and chart - versions do not match", 39 | groupName: "Vector", 40 | matchDatasources: ["docker", "github-releases", "helm"], 41 | matchPackagePatterns: ["vector"], 42 | matchUpdateTypes: ["minor", "patch"], 43 | group: { commitMessageTopic: "{{{groupName}}} group" }, 44 | separateMinorPatch: false, 45 | stabilityDays: 2, 46 | } 47 | ], 48 | } 49 | -------------------------------------------------------------------------------- /main/homelab/cloudflare-ddns/script/cloudflare-ddns.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | findCurrentIP() { # Resolve the current public IPv4 (from icanhazip) into the global ip4. NOTE(review): curl -s runs without --fail and the result is never validated, so a transient failure leaves ip4 empty or holding an error page, and checkAndUpdateIP would PUT that as the record content; guard it, e.g. case "$ip4" in ""|*[!0-9.]*) printf 'bad ip\n' >&2; exit 1;; esac 4 | printf "Finding current ip\n" 5 | ip4=$(curl -s https://ipv4.icanhazip.com/) 6 | printf "Current External IP is %s" "$ip4" 7 | printf "\n" 8 | } 9 | 10 | checkAndUpdateIP() { # Look up the A record named $1 in zone $CLOUDFLARE_ZONEID and PUT ip4 into it when it differs. NOTE(review): X-Auth-Email/X-Auth-Key is the Cloudflare Global API Key, which can do anything on the account; prefer a token scoped to Zone:DNS:Edit for this zone, sent as -H "Authorization: Bearer $CLOUDFLARE_APITOKEN" 11 | printf "Updating ip for the CF Record %s \n" "$1" 12 | record4=$( 13 | curl -s -X GET \ 14 | "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONEID/dns_records?name=$1&type=A" \ 15 | -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ 16 | -H "X-Auth-Key: $CLOUDFLARE_APIKEY" \ 17 | -H "Content-Type: 
application/json" 18 | ) 19 | 20 | old_ip4=$(echo "$record4" | sed -n 's/.*"content":"\([^"]*\).*/\1/p') 21 | if [ "$ip4" = "$old_ip4" ]; then 22 | printf "%s - Success - IP Address '%s' has not changed yet\n" "$(date -u)" "$ip4" 23 | return 0 24 | fi 25 | 26 | record4_identifier=$(echo "$record4" | sed -n 's/.*"id":"\([^"]*\).*/\1/p') # NOTE(review): empty when the lookup returned no record, so the PUT below would target .../dns_records/ — check [ -n "$record4_identifier" ] first; the greedy sed also assumes exactly one record in the response 27 | update4=$( 28 | curl -s -X PUT \ 29 | "https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONEID/dns_records/$record4_identifier" \ 30 | -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ 31 | -H "X-Auth-Key: $CLOUDFLARE_APIKEY" \ 32 | -H "Content-Type: application/json" \ 33 | --data "{\"id\":\"$CLOUDFLARE_ZONEID\",\"type\":\"A\",\"name\":\"$1\",\"content\":\"$ip4\"}" 34 | ) 35 | 36 | if echo "$update4" | grep -q '\"success\":false'; then 37 | printf "%s - Yikes - Updating IP Address '%s' has failed" "$(date -u)" "$ip4" 38 | exit 1 39 | else 40 | printf "%s - Success - IP Address '%s' has been updated\n" "$(date -u)" "$ip4" 41 | fi 42 | } 43 | 44 | set -o nounset 45 | set -o errexit # applies to the calls below (the functions above are already defined); note errexit does not catch Cloudflare HTTP errors because curl runs without --fail, only the success:false check does 46 | 47 | findCurrentIP 48 | checkAndUpdateIP "$CLOUDFLARE_RECORD_NAME_1" 49 | checkAndUpdateIP "$CLOUDFLARE_RECORD_NAME_2" 50 | checkAndUpdateIP "$CLOUDFLARE_RECORD_NAME_3" 51 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # My Home Kubernetes cluster managed by GitOps 4 | 5 | _ managed by ArgoCD and serviced with RenovateBot :robot: 6 | 7 |
8 |
9 |
10 | 11 | 12 |
13 | 14 | [![GitHub stars](https://img.shields.io/github/stars/rogerrum/k8s-gitops?color=green&style=for-the-badge)](https://github.com/rogerrum/k8s-gitops/stargazers) 15 | [![GitHub issues](https://img.shields.io/github/issues/rogerrum/k8s-gitops?style=for-the-badge)](https://github.com/rogerrum/k8s-gitops/issues) 16 | [![GitHub last commit](https://img.shields.io/github/last-commit/rogerrum/k8s-gitops?color=purple&style=for-the-badge)](https://github.com/rogerrum/k8s-gitops/commits/main) 17 | [![pre-commit](https://img.shields.io/badge/pre--commit-enabled?logo=pre-commit&logoColor=white&style=for-the-badge&color=brightgreen)](https://github.com/pre-commit/pre-commit) 18 | [![renovate](https://img.shields.io/badge/renovate-enabled?style=for-the-badge&logo=renovatebot&logoColor=white&color=brightgreen)](https://github.com/renovatebot/renovate) 19 | 20 |
21 | 22 | --- 23 | 24 | ## :wave: Overview 25 | 26 | This repository is my home Kubernetes cluster in a declarative state. 27 | 28 | Leverage [ArgoCD](https://github.com/argoproj/argo-cd) to automate cluster state using code residing in this repo 29 | 30 | Feel free to open a [GitHub Issue](https://github.com/rogerrum/k8s-gitops/issues/new). 31 | 32 | For more information, head on over to my [docs](https://rogerrum.github.io/k8s-gitops/). 33 | 34 | --- 35 | 36 | ## :handshake:  Thanks 37 | 38 | A lot of inspiration for this repo came from [billimek/k8s-gitops](https://github.com/billimek/k8s-gitops) and the people that have shared their clusters over at [awesome-home-kubernetes](https://github.com/k8s-at-home/awesome-home-kubernetes) 39 | -------------------------------------------------------------------------------- /main/homelab/cloudflare-ddns/templates/cronjob.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: CronJob 3 | metadata: 4 | name: {{ include "cloudflare-ddns.fullname" . }} 5 | namespace: {{ .Values.namespace }} 6 | labels: 7 | {{- include "cloudflare-ddns.labels" . | nindent 4 }} 8 | spec: 9 | schedule: "{{ .Values.schedule }}" 10 | concurrencyPolicy: {{ .Values.concurrencyPolicy }} 11 | successfulJobsHistoryLimit: {{ .Values.successfulJobsHistoryLimit }} 12 | failedJobsHistoryLimit: {{ .Values.failedJobsHistoryLimit }} 13 | jobTemplate: 14 | spec: 15 | backoffLimit: 3 16 | ttlSecondsAfterFinished: 300 17 | template: 18 | metadata: 19 | labels: 20 | {{- include "cloudflare-ddns.selectorLabels" . 
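| nindent 12 }}
            botkube.io/disable: "true"
        spec:
          restartPolicy: {{ .Values.restartPolicy }}
          # The script only talks to icanhazip.com and the Cloudflare API, so the
          # pod has no use for an in-cluster identity; withhold the service
          # account token, as the cloudnative-pg backup CronJob already does.
          automountServiceAccountToken: false
          containers:
            - name: cloudflare-ddns
              image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
              # cloudflare-ddns-secret supplies the Cloudflare credentials and
              # record names the script reads from its environment.
              envFrom:
                - secretRef:
                    name: cloudflare-ddns-secret
              command:
                - "/bin/sh"
                - "/app/cloudflare-ddns.sh"
              volumeMounts:
                - name: cloudflare-ddns
                  mountPath: /app/cloudflare-ddns.sh
                  subPath: cloudflare-ddns.sh
                  readOnly: true
          volumes:
            - name: cloudflare-ddns
              projected:
                # The script is handed to /bin/sh explicitly (see command above),
                # so it never needs an execute bit; read-only is sufficient.
                defaultMode: 0444
                sources:
                  - configMap:
                      name: {{ include "cloudflare-ddns.fullname" . }}-config
                      items:
                        - key: cloudflare-ddns.sh
                          path: cloudflare-ddns.sh
-------------------------------------------------------------------------------- /apps/templates/app.yaml: --------------------------------------------------------------------------------
{{- $repo := .Values.repo }}
{{- range $index, $app := .Values.applications }}
{{- if index $app "create-namespace" }}
---
apiVersion: v1
kind: Namespace
metadata:
  name: {{ $app.namespace }}
  annotations:
    {{- if index $app "namespace-sync-wave" }}
    argocd.argoproj.io/sync-wave: {{ index $app "namespace-sync-wave" | quote}}
    {{- end }}
{{- end}}
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: {{ $app.name }}
  namespace: argocd
  annotations:
    {{- if index $app "sync-wave" }}
    argocd.argoproj.io/sync-wave: {{ index $app "sync-wave" | quote}}
    {{- end }}
    argocd.argoproj.io/manifest-generate-paths: {{ index $app "manifest-paths" }}
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    server: https://kubernetes.default.svc
    namespace: {{ $app.namespace }}
  project: default
  {{- if $app.ignoreDifferences }}
  ignoreDifferences:
{{ $app.ignoreDifferences | toYaml |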
indent 4 }} 35 | {{- end }} 36 | source: 37 | path: {{ $app.path }} 38 | repoURL: {{ $repo.url }} 39 | targetRevision: {{ $repo.revision }} 40 | {{- if $app.helm }} 41 | helm: 42 | valueFiles: 43 | - values.yaml 44 | {{- if $app.helm.additionalValues }} 45 | {{- range $adIndx, $adVal := $app.helm.additionalValues }} 46 | - {{$adVal}} 47 | {{- end }} 48 | {{- end}} 49 | {{- end }} 50 | syncPolicy: 51 | automated: 52 | prune: {{ default true $app.prune }} 53 | selfHeal: {{ default true $app.selfHeal }} 54 | syncOptions: 55 | - ApplyOutOfSyncOnly=true 56 | {{- if $app.syncOptions }} 57 | {{- range $indx, $opt := $app.syncOptions }} 58 | - {{$opt}} 59 | {{- end }} 60 | {{- end}} 61 | {{- end }} 62 | -------------------------------------------------------------------------------- /main/templates/app.yaml: -------------------------------------------------------------------------------- 1 | {{- $repo := .Values.repo }} 2 | {{- range $index, $app := .Values.applications }} 3 | {{- if index $app "create-namespace" }} 4 | --- 5 | apiVersion: v1 6 | kind: Namespace 7 | metadata: 8 | name: {{ $app.namespace }} 9 | annotations: 10 | {{- if index $app "namespace-sync-wave" }} 11 | argocd.argoproj.io/sync-wave: {{ index $app "namespace-sync-wave" | quote}} 12 | {{- end }} 13 | {{- end}} 14 | --- 15 | apiVersion: argoproj.io/v1alpha1 16 | kind: Application 17 | metadata: 18 | name: {{ $app.name }} 19 | namespace: argocd 20 | annotations: 21 | {{- if index $app "sync-wave" }} 22 | argocd.argoproj.io/sync-wave: {{ index $app "sync-wave" | quote}} 23 | {{- end }} 24 | argocd.argoproj.io/manifest-generate-paths: {{ index $app "manifest-paths" }} 25 | finalizers: 26 | - resources-finalizer.argocd.argoproj.io 27 | spec: 28 | destination: 29 | server: https://kubernetes.default.svc 30 | namespace: {{ $app.namespace }} 31 | project: default 32 | {{- if $app.ignoreDifferences }} 33 | ignoreDifferences: 34 | {{ $app.ignoreDifferences | toYaml | indent 4 }} 35 | {{- end }} 36 | source: 37 | 
path: {{ $app.path }} 38 | repoURL: {{ $repo.url }} 39 | targetRevision: {{ $repo.revision }} 40 | {{- if $app.helm }} 41 | helm: 42 | valueFiles: 43 | - values.yaml 44 | {{- if $app.helm.additionalValues }} 45 | {{- range $adIndx, $adVal := $app.helm.additionalValues }} 46 | - {{$adVal}} 47 | {{- end }} 48 | {{- end}} 49 | {{- end }} 50 | syncPolicy: 51 | automated: 52 | prune: {{ default true $app.prune }} 53 | selfHeal: {{ default true $app.selfHeal }} 54 | syncOptions: 55 | - ApplyOutOfSyncOnly=true 56 | {{- if $app.syncOptions }} 57 | {{- range $indx, $opt := $app.syncOptions }} 58 | - {{$opt}} 59 | {{- end }} 60 | {{- end}} 61 | {{- end }} 62 | -------------------------------------------------------------------------------- /main/logs/templates/app.yaml: -------------------------------------------------------------------------------- 1 | {{- $repo := .Values.repo }} 2 | {{- range $index, $app := .Values.applications }} 3 | {{- if index $app "create-namespace" }} 4 | --- 5 | apiVersion: v1 6 | kind: Namespace 7 | metadata: 8 | name: {{ $app.namespace }} 9 | annotations: 10 | {{- if index $app "namespace-sync-wave" }} 11 | argocd.argoproj.io/sync-wave: {{ index $app "namespace-sync-wave" | quote}} 12 | {{- end }} 13 | {{- end}} 14 | --- 15 | apiVersion: argoproj.io/v1alpha1 16 | kind: Application 17 | metadata: 18 | name: {{ $app.name }} 19 | namespace: argocd 20 | annotations: 21 | {{- if index $app "sync-wave" }} 22 | argocd.argoproj.io/sync-wave: {{ index $app "sync-wave" | quote}} 23 | {{- end }} 24 | argocd.argoproj.io/manifest-generate-paths: {{ index $app "manifest-paths" }} 25 | finalizers: 26 | - resources-finalizer.argocd.argoproj.io 27 | spec: 28 | destination: 29 | server: https://kubernetes.default.svc 30 | namespace: {{ $app.namespace }} 31 | project: default 32 | {{- if $app.ignoreDifferences }} 33 | ignoreDifferences: 34 | {{ $app.ignoreDifferences | toYaml | indent 4 }} 35 | {{- end }} 36 | source: 37 | path: {{ $app.path }} 38 | repoURL: {{ 
$repo.url }} 39 | targetRevision: {{ $repo.revision }} 40 | {{- if $app.helm }} 41 | helm: 42 | valueFiles: 43 | - values.yaml 44 | {{- if $app.helm.additionalValues }} 45 | {{- range $adIndx, $adVal := $app.helm.additionalValues }} 46 | - {{$adVal}} 47 | {{- end }} 48 | {{- end}} 49 | {{- end }} 50 | syncPolicy: 51 | automated: 52 | prune: {{ default true $app.prune }} 53 | selfHeal: {{ default true $app.selfHeal }} 54 | syncOptions: 55 | - ApplyOutOfSyncOnly=true 56 | {{- if $app.syncOptions }} 57 | {{- range $indx, $opt := $app.syncOptions }} 58 | - {{$opt}} 59 | {{- end }} 60 | {{- end}} 61 | {{- end }} 62 | -------------------------------------------------------------------------------- /main/homelab/templates/app.yaml: -------------------------------------------------------------------------------- 1 | {{- $repo := .Values.repo }} 2 | {{- range $index, $app := .Values.applications }} 3 | {{- if index $app "create-namespace" }} 4 | --- 5 | apiVersion: v1 6 | kind: Namespace 7 | metadata: 8 | name: {{ $app.namespace }} 9 | annotations: 10 | {{- if index $app "namespace-sync-wave" }} 11 | argocd.argoproj.io/sync-wave: {{ index $app "namespace-sync-wave" | quote}} 12 | {{- end }} 13 | {{- end}} 14 | --- 15 | apiVersion: argoproj.io/v1alpha1 16 | kind: Application 17 | metadata: 18 | name: {{ $app.name }} 19 | namespace: argocd 20 | annotations: 21 | {{- if index $app "sync-wave" }} 22 | argocd.argoproj.io/sync-wave: {{ index $app "sync-wave" | quote}} 23 | {{- end }} 24 | argocd.argoproj.io/manifest-generate-paths: {{ index $app "manifest-paths" }} 25 | finalizers: 26 | - resources-finalizer.argocd.argoproj.io 27 | spec: 28 | destination: 29 | server: https://kubernetes.default.svc 30 | namespace: {{ $app.namespace }} 31 | project: default 32 | {{- if $app.ignoreDifferences }} 33 | ignoreDifferences: 34 | {{ $app.ignoreDifferences | toYaml | indent 4 }} 35 | {{- end }} 36 | source: 37 | path: {{ $app.path }} 38 | repoURL: {{ $repo.url }} 39 | targetRevision: {{ 
$repo.revision }} 40 | {{- if $app.helm }} 41 | helm: 42 | valueFiles: 43 | - values.yaml 44 | {{- if $app.helm.additionalValues }} 45 | {{- range $adIndx, $adVal := $app.helm.additionalValues }} 46 | - {{$adVal}} 47 | {{- end }} 48 | {{- end}} 49 | {{- end }} 50 | syncPolicy: 51 | automated: 52 | prune: {{ default true $app.prune }} 53 | selfHeal: {{ default true $app.selfHeal }} 54 | syncOptions: 55 | - ApplyOutOfSyncOnly=true 56 | {{- if $app.syncOptions }} 57 | {{- range $indx, $opt := $app.syncOptions }} 58 | - {{$opt}} 59 | {{- end }} 60 | {{- end}} 61 | {{- end }} 62 | -------------------------------------------------------------------------------- /archive/traccar/values.yaml: -------------------------------------------------------------------------------- 1 | traccar: 2 | image: 3 | repository: traccar/traccar 4 | tag: "5.8" 5 | 6 | 7 | mysql: 8 | enabled: false 9 | 10 | database: 11 | driverFile: 12 | driver: org.postgresql.Driver 13 | url: jdbc:postgresql://postgresql.kube-system.svc.cluster.local:5432/traccar 14 | user: traccar 15 | 16 | 17 | # env: 18 | # TZ: "America/Chicago" 19 | # DATABASE_DRIVER: "org.postgresql.Driver" 20 | # DATABASE_URL: jdbc:postgresql://postgresql.kube-system.svc.cluster.local:5432/traccar 21 | # DATABASE_USER: traccar 22 | # DATABASE_PASSWORD: 23 | # valueFrom: 24 | # secretKeyRef: 25 | # name: traccar-secret 26 | # key: DATABASE_PASSWORD 27 | # UDP_PORT: 5170 28 | # GEOCODER_ENABLE: true 29 | # GEOCODER_TYPE: nominatim 30 | # GEOCODER_URL: https://us1.locationiq.com/v1/reverse.php 31 | # GEOCODER_ON_REQUEST: true 32 | # GEOCODER_IGNORE_POSITIONS: true 33 | # GEOCODER_REUSE_DISTANCE: 10 34 | # GEOCODER_KEY: 35 | # valueFrom: 36 | # secretKeyRef: 37 | # name: traccar-secret 38 | # key: LOCATION_ID_TOKEN 39 | 40 | # service: 41 | # external: 42 | # enabled: true 43 | # type: LoadBalancer 44 | # loadBalancerIP: 192.168.100.59 45 | # ports: 46 | # freematics-udp: 47 | # port: 5170 48 | # enabled: true 49 | # protocol: UDP 50 | # 
targetPort: 5170 51 | # externalTrafficPolicy: Local 52 | 53 | ingress: 54 | enabled: false 55 | extraAnnotations: { } 56 | annotations: 57 | kubernetes.io/ingress.class: nginx 58 | cert-manager.io/cluster-issuer: vault-issuer 59 | cert-manager.io/common-name: traccar.rsr.net 60 | hosts: 61 | - host: traccar.rsr.net 62 | paths: 63 | - / 64 | tls: 65 | - hosts: 66 | - traccar.rsr.net 67 | secretName: traccar-cert-tls 68 | -------------------------------------------------------------------------------- /infrastructure/cloudnative-pg/templates/custom-backup-cron.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: batch/v1 3 | kind: CronJob 4 | metadata: 5 | name: {{ .Values.cluster.name }}-backup 6 | spec: 7 | schedule: "0 4 * * *" 8 | concurrencyPolicy: Forbid 9 | jobTemplate: 10 | spec: 11 | template: 12 | spec: 13 | automountServiceAccountToken: false 14 | enableServiceLinks: false 15 | {{/* securityContext:*/}} 16 | {{/* runAsUser: 1031*/}} 17 | {{/* runAsGroup: 1031*/}} 18 | {{/* fsGroup: 1031*/}} 19 | {{/* supplementalGroups:*/}} 20 | {{/* - 65541*/}} 21 | 22 | containers: 23 | - name: postgres-backup 24 | image: docker.io/prodrigestivill/postgres-backup-local:17 25 | imagePullPolicy: IfNotPresent 26 | command: 27 | - "/backup.sh" 28 | env: 29 | - name: POSTGRES_HOST 30 | value: {{ .Values.cluster.name }}-rw.kube-system.svc.cluster.local 31 | - name: POSTGRES_USER 32 | valueFrom: 33 | secretKeyRef: 34 | name: {{ .Values.superuserSecret }} 35 | key: username 36 | - name: POSTGRES_PASSWORD 37 | valueFrom: 38 | secretKeyRef: 39 | name: {{ .Values.superuserSecret }} 40 | key: password 41 | - name: POSTGRES_DB 42 | value: {{ .Values.activeDatabases | join "," }} 43 | volumeMounts: 44 | - name: backup 45 | mountPath: /backups 46 | subPath: {{ .Values.cluster.name }} 47 | 48 | restartPolicy: OnFailure 49 | 50 | volumes: 51 | - name: backup 52 | nfs: 53 | server: 192.168.1.115 54 | path: "/kube-backup" 55 | 
-------------------------------------------------------------------------------- /infrastructure/templates/app.yaml: -------------------------------------------------------------------------------- 1 | {{- $repo := .Values.repo }} 2 | {{- range $index, $app := .Values.applications }} 3 | {{- if index $app "create-namespace" }} 4 | --- 5 | apiVersion: v1 6 | kind: Namespace 7 | metadata: 8 | name: {{ $app.namespace }} 9 | annotations: 10 | {{- if index $app "namespace-sync-wave" }} 11 | argocd.argoproj.io/sync-wave: {{ index $app "namespace-sync-wave" | quote}} 12 | {{- end }} 13 | {{- end}} 14 | --- 15 | apiVersion: argoproj.io/v1alpha1 16 | kind: Application 17 | metadata: 18 | name: {{ $app.name }} 19 | {{- if index $app "app-namespace" }} 20 | namespace: {{ index $app "app-namespace" }} 21 | {{- end }} 22 | annotations: 23 | {{- if index $app "sync-wave" }} 24 | argocd.argoproj.io/sync-wave: {{ index $app "sync-wave" | quote}} 25 | {{- end }} 26 | argocd.argoproj.io/manifest-generate-paths: {{ index $app "manifest-paths" }} 27 | finalizers: 28 | - resources-finalizer.argocd.argoproj.io 29 | spec: 30 | destination: 31 | server: https://kubernetes.default.svc 32 | namespace: {{ $app.namespace }} 33 | project: default 34 | {{- if $app.ignoreDifferences }} 35 | ignoreDifferences: 36 | {{ $app.ignoreDifferences | toYaml | indent 4 }} 37 | {{- end }} 38 | source: 39 | path: {{ $app.path }} 40 | repoURL: {{ $repo.url }} 41 | targetRevision: {{ $repo.revision }} 42 | {{- if $app.helm }} 43 | helm: 44 | valueFiles: 45 | - values.yaml 46 | {{- if $app.helm.additionalValues }} 47 | {{- range $adIndx, $adVal := $app.helm.additionalValues }} 48 | - {{$adVal}} 49 | {{- end }} 50 | {{- end}} 51 | {{- end }} 52 | syncPolicy: 53 | automated: 54 | prune: {{ default true $app.prune }} 55 | selfHeal: {{ default true $app.selfHeal }} 56 | syncOptions: 57 | - ApplyOutOfSyncOnly=true 58 | {{- if $app.syncOptions }} 59 | {{- range $indx, $opt := $app.syncOptions }} 60 | - {{$opt}} 61 | 
{{- end }} 62 | {{- end}} 63 | {{- end }} 64 | -------------------------------------------------------------------------------- /infrastructure/step-certificates/templates/external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1 3 | kind: ExternalSecret 4 | metadata: 5 | name: {{ include "step-certificates.fullname" . }}-ca-password 6 | spec: 7 | secretStoreRef: 8 | kind: ClusterSecretStore 9 | name: onepassword-connect 10 | target: 11 | name: {{ include "step-certificates.fullname" . }}-ca-password 12 | creationPolicy: Owner 13 | template: 14 | engineVersion: v2 15 | type: smallstep.com/ca-password 16 | data: 17 | password: '{{ printf "{{ .password }}" }}' 18 | dataFrom: 19 | - extract: 20 | key: RSR CA Password 21 | --- 22 | apiVersion: external-secrets.io/v1 23 | kind: ExternalSecret 24 | metadata: 25 | name: {{ include "step-certificates.fullname" . }}-provisioner-password 26 | spec: 27 | secretStoreRef: 28 | kind: ClusterSecretStore 29 | name: onepassword-connect 30 | target: 31 | name: {{ include "step-certificates.fullname" . }}-provisioner-password 32 | creationPolicy: Owner 33 | template: 34 | engineVersion: v2 35 | type: smallstep.com/provisioner-password 36 | data: 37 | password: '{{ printf "{{ .password }}" }}' 38 | dataFrom: 39 | - extract: 40 | key: RSR CA Password 41 | --- 42 | apiVersion: external-secrets.io/v1 43 | kind: ExternalSecret 44 | metadata: 45 | name: {{ include "step-certificates.fullname" . }}-secrets 46 | spec: 47 | secretStoreRef: 48 | kind: ClusterSecretStore 49 | name: onepassword-connect 50 | target: 51 | name: {{ include "step-certificates.fullname" . 
}}-secrets 52 | creationPolicy: Owner 53 | template: 54 | engineVersion: v2 55 | type: smallstep.com/private-keys 56 | data: 57 | - secretKey: intermediate_ca_key 58 | remoteRef: 59 | key: RSR Intermediate CA Key 60 | property: rsr_intermediate_ca.key 61 | - secretKey: root_ca_key 62 | remoteRef: 63 | key: RSR Root CA Key 64 | property: rsr_root_ca.key 65 | -------------------------------------------------------------------------------- /.github/renovate.json5: -------------------------------------------------------------------------------- 1 | { 2 | extends: [ 3 | 'config:recommended', 4 | 'docker:enableMajor', 5 | ':disableRateLimiting', 6 | ':dependencyDashboard', 7 | ':enablePreCommit', 8 | ':semanticCommits', 9 | ':automergeDigest', 10 | ':automergeBranch', 11 | 'github>rogerrum/k8s-gitops//.github/renovate/automerge-github-actions.json', 12 | 'github>rogerrum/k8s-gitops//.github/renovate/commit-message.json', 13 | 'github>rogerrum/k8s-gitops//.github/renovate/pr-labels.json', 14 | 'github>rogerrum/k8s-gitops//.github/renovate/semantic-commits.json', 15 | 'github>rogerrum/k8s-gitops//.github/renovate/custom-managers.json5', 16 | 'github>rogerrum/k8s-gitops//.github/renovate/allowedVersions.json5', 17 | 'github>rogerrum/k8s-gitops//.github/renovate/versioning.json5', 18 | 'github>rogerrum/k8s-gitops//.github/renovate/groups.json5', 19 | 'github>rogerrum/k8s-gitops//.github/renovate/grafanaDashboards.json5', 20 | 'github>rogerrum/k8s-gitops//.github/renovate/autoMerge.json5', 21 | 'github>rogerrum/k8s-gitops//.github/renovate/disabledDatasources.json5', 22 | ], 23 | enabled: true, 24 | timezone: 'America/Chicago', 25 | dependencyDashboard: true, 26 | dependencyDashboardTitle: 'Renovate Dashboard', 27 | suppressNotifications: [ 28 | 'prIgnoreNotification', 29 | ], 30 | rebaseWhen: 'conflicted', 31 | commitBodyTable: true, 32 | platformCommit: 'enabled', 33 | gitAuthor: 'Roger Rumao ', 34 | commitBody: 'Signed-off-by: Roger Rumao ', 35 | ignorePaths: [ 36 | 
'setup/**', 37 | '.taskfiles/**', 38 | '**/archive/**', 39 | ], 40 | 'helm-values': { 41 | managerFilePatterns: [ 42 | '/./.+\\.yaml$/', 43 | ], 44 | ignorePaths: [ 45 | '**/archive/**', 46 | ], 47 | }, 48 | kubernetes: { 49 | managerFilePatterns: [ 50 | '/\\.yaml$/', 51 | ], 52 | ignorePaths: [ 53 | '.github', 54 | '**/archive/**', 55 | ], 56 | }, 57 | } 58 | -------------------------------------------------------------------------------- /main/homelab/node-red/values.yaml: -------------------------------------------------------------------------------- 1 | app-template: 2 | image: 3 | repository: nodered/node-red 4 | tag: 4.1.2-18-minimal 5 | 6 | service: 7 | main: 8 | enabled: true 9 | ports: 10 | http: 11 | port: &port 1880 12 | env: 13 | TZ: "America/Chicago" 14 | FLOWS: "flows.json" 15 | NODE_RED_ENABLE_PROJECTS: "true" 16 | NODE_RED_ENABLE_SAFE_MODE: "false" 17 | NODE_OPTIONS: null 18 | 19 | ingress: 20 | main: 21 | enabled: true 22 | annotations: 23 | gethomepage.dev/enabled: "true" 24 | gethomepage.dev/group: Home 25 | gethomepage.dev/icon: node-red 26 | gethomepage.dev/name: Node-Red 27 | cert-manager.io/issuer: step-issuer 28 | cert-manager.io/issuer-kind: StepClusterIssuer 29 | cert-manager.io/issuer-group: certmanager.step.sm 30 | cert-manager.io/revision-history-limit: "3" 31 | cert-manager.io/duration: "2160h" 32 | cert-manager.io/renew-before: "720h" 33 | kubernetes.io/ingress.class: nginx 34 | #nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.kube-system.svc.cluster.local:80/oauth2/auth" 35 | #nginx.ingress.kubernetes.io/auth-signin: https://auth.rsr.net/oauth2/start 36 | hosts: 37 | - host: node-red.rsr.net 38 | paths: 39 | - path: / 40 | pathType: Prefix 41 | tls: 42 | - hosts: 43 | - "node-red.rsr.net" 44 | secretName: node-red-cert 45 | persistence: 46 | data: 47 | enabled: true 48 | storageClass: "longhorn" 49 | accessMode: ReadWriteOnce 50 | size: "5Gi" 51 | skipuninstall: true 52 | tolerations: 53 | - key: "arm" 54 | operator: 
"Exists" 55 | - key: "arm64" 56 | operator: "Exists" 57 | resources: 58 | requests: 59 | memory: 350Mi 60 | cpu: 25m 61 | limits: 62 | memory: 500Mi 63 | 64 | podSecurityContext: 65 | runAsUser: 1000 66 | runAsGroup: 1000 67 | fsGroup: 1000 68 | -------------------------------------------------------------------------------- /main/monitoring/victoria-metrics/templates/server-tracker.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: PrometheusRule 4 | metadata: 5 | labels: 6 | prometheus: k8s 7 | role: alert-rules 8 | name: server-tracker-rules 9 | namespace: monitoring 10 | spec: 11 | groups: 12 | - name: server-tracker.rules 13 | rules: 14 | - alert: ServerRebootRequired 15 | annotations: 16 | description: Server requires a reboot 17 | summary: Server {{`{{$labels.host}}`}} needs manual reboot since last 7 days 18 | expr: min(min_over_time(server_reboot_needed{container="pushgateway"}[7d])) by (host) == 1 19 | labels: 20 | severity: warning 21 | - alert: ServerRebootRequired25d 22 | annotations: 23 | description: Server requires a reboot for critical issues 24 | summary: Server {{`{{$labels.host}}`}} needs manual reboot since last 25 days 25 | expr: min(min_over_time(server_reboot_needed{container="pushgateway"}[25d])) by (host) == 1 26 | labels: 27 | severity: warning 28 | - alert: ServerRebootAdvised 29 | annotations: 30 | description: Server have not been rebooted for a while 31 | summary: Server {{`{{$labels.host}}`}} has not been rebooted for 30 days 32 | expr: time() - server_last_reboot_time{container="pushgateway"} > 30d 33 | labels: 34 | severity: warning 35 | - alert: ServerMissingPing 36 | annotations: 37 | description: Server missed ping for 2 hours 38 | summary: Server {{`{{$labels.host}}`}} missed ping for 2 hours 39 | expr: time() - server_last_push_time{container="pushgateway"} > 2h 40 | labels: 41 | severity: warning 42 | - alert: ServerUpdateNeeded 43 
| annotations: 44 | description: Server requires a update 45 | summary: Server {{`{{$labels.host}}`}} has updates available. 46 | expr: server_updates_available{container="pushgateway"} > 5 47 | for: 5d 48 | labels: 49 | severity: warning 50 | -------------------------------------------------------------------------------- /main/homelab/external-ingress/templates/external-ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- $fullName := include "external-ingress.fullname" . -}} 2 | {{- $labels := include "external-ingress.labels" . | nindent 4}} 3 | {{- range .Values.apps }} 4 | --- 5 | apiVersion: networking.k8s.io/v1 6 | kind: Ingress 7 | metadata: 8 | name: {{ $fullName }}-{{ .name }} 9 | labels: 10 | {{- $labels}} 11 | annotations: 12 | gethomepage.dev/enabled: "true" 13 | gethomepage.dev/group: {{ .homepageGroup }} 14 | gethomepage.dev/icon: {{ .homepageIcon }} 15 | gethomepage.dev/name: {{ .homepageName }} 16 | kubernetes.io/ingress.class: nginx 17 | cert-manager.io/issuer: step-issuer 18 | cert-manager.io/issuer-kind: StepClusterIssuer 19 | cert-manager.io/issuer-group: certmanager.step.sm 20 | cert-manager.io/revision-history-limit: "3" 21 | cert-manager.io/duration: "2160h" 22 | cert-manager.io/renew-before: "720h" 23 | nginx.ingress.kubernetes.io/backend-protocol: "{{ .backendProtocol }}" 24 | {{ if .backendInsecureIngress }} 25 | nginx.ingress.kubernetes.io/insecure-ingress: "true" 26 | {{ end }} 27 | nginx.ingress.kubernetes.io/proxy-ssl-verify: "{{ .proxySslVerify }}" 28 | nginx.ingress.kubernetes.io/proxy-read-timeout: "{{ .proxyReadTimeout }}" 29 | spec: 30 | rules: 31 | - host: {{ .host }} 32 | http: 33 | paths: 34 | - path: {{ .path }} 35 | pathType: Prefix 36 | backend: 37 | service: 38 | name: {{ $fullName }}-{{ .name }} 39 | port: 40 | number: {{ .port }} 41 | tls: 42 | - hosts: 43 | - {{ .host }} 44 | secretName: {{ .name }}-cert-tls 45 | --- 46 | apiVersion: v1 47 | kind: Service 48 | metadata: 
49 | name: {{ $fullName }}-{{ .name }} 50 | labels: 51 | {{- $labels }} 52 | spec: 53 | ports: 54 | - name: {{ .name }} 55 | port: {{ .port }} 56 | targetPort: {{ .port }} 57 | type: ExternalName 58 | externalName: {{ .service.externalName }} 59 | {{- end }} 60 | -------------------------------------------------------------------------------- /docs/installation/installing-kubernetes.md: -------------------------------------------------------------------------------- 1 | # Installing Kubernetes 2 | 3 | 4 | ## Cluster Init 5 | 6 | !!! info "Download the script to init the cluster on first node" 7 | ```sh 8 | wget https://raw.githubusercontent.com/rogerrum/homelab-infrastructure/main/k3s/ha/setupMainNode.sh \ 9 | -O setupMainNode.sh && chmod +x setupMainNode.sh 10 | ``` 11 | !!! info "Create cluster and get token to setup the remaining nodes" 12 | ```sh 13 | ./setupMainNode.sh 14 | ``` 15 | 16 | ## Additional master nodes for HA 17 | 18 | !!! info "Download the script on HA nodes" 19 | ```sh 20 | wget https://raw.githubusercontent.com/rogerrum/homelab-infrastructure/main/k3s/ha/setupHANode.sh \ 21 | -O setupHANode.sh && chmod +x setupHANode.sh 22 | ``` 23 | !!! info "Use the token from the First master node to join the cluster" 24 | ```sh 25 | ./setupHANode.sh 26 | ``` 27 | 28 | 29 | ## Add worker nodes 30 | 31 | !!! info "Download the script" 32 | ```sh 33 | wget https://raw.githubusercontent.com/rogerrum/homelab-infrastructure/main/k3s/ha/setupWorkerNode.sh \ 34 | -O setupWorkerNode.sh && chmod +x setupWorkerNode.sh 35 | ``` 36 | !!! info "Use the token from the First master node to join the cluster" 37 | ```sh 38 | ./setupWorkerNode.sh 39 | ``` 40 | 41 | ## Add worker nodes (arm) 42 | 43 | !!! info "Download the script" 44 | ```sh 45 | wget https://raw.githubusercontent.com/rogerrum/homelab-infrastructure/main/k3s/ha/setupWorkerNodeArm.sh \ 46 | -O setupWorkerNodeArm.sh && chmod +x setupWorkerNodeArm.sh 47 | ``` 48 | !!! 
info "Use the token from the First master node to join the cluster" 49 | ```sh 50 | ./setupWorkerNodeArm.sh 51 | ``` 52 | 53 | ## Add worker nodes (arm64) 54 | 55 | !!! info "Download the script" 56 | ```sh 57 | wget https://raw.githubusercontent.com/rogerrum/homelab-infrastructure/main/k3s/ha/setupWorkerNodeArm64.sh \ 58 | -O setupWorkerNodeArm64.sh && chmod +x setupWorkerNodeArm64.sh 59 | ``` 60 | !!! info "Use the token from the First master node to join the cluster" 61 | ```sh 62 | ./setupWorkerNodeArm64.sh 63 | ``` 64 | 65 | 66 | 67 | 68 | -------------------------------------------------------------------------------- /.github/renovate/custom-managers.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | customManagers: [ 4 | { 5 | customType: "regex", 6 | description: "Process various dependencies in YAML files", 7 | fileMatch: ["\\.yaml$"], 8 | matchStrings: [ 9 | // # renovate: datasource=github-releases depName=k3s-io/k3s 10 | // k3s_release_version: &version v1.29.0+k3s1 11 | // # renovate: datasource=helm depName=cilium repository=https://helm.cilium.io 12 | // version: 1.15.1 13 | "datasource=(?\\S+) depName=(?\\S+)( repository=(?\\S+))?\\n.+: (&\\S+\\s)?(?\\S+)", 14 | // # renovate: datasource=github-releases depName=rancher/system-upgrade-controller 15 | // https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.2/crd.yaml 16 | "datasource=(?\\S+) depName=(?\\S+)\\n.+/(?(v|\\d)[^/]+)" 17 | 18 | ], 19 | datasourceTemplate: "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}" 20 | }, 21 | { 22 | customType: "regex", 23 | description: "Process GitHub download dependencies in YAML files", 24 | fileMatch: ["\\.ya?ml(\\.j2)?$"], 25 | matchStrings: [ 26 | // https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.2/crd.yaml 27 | 
"https:\\/\\/github.com\\/(?\\S+?\\/\\S+?)\\/releases\\/download\\/(?(v|\\d)\\S+?)\\/\\S+", 28 | // https://raw.githubusercontent.com/external-secrets/external-secrets/v0.9.11/docs/snippets/dashboard.json 29 | "https:\\/\\/raw.githubusercontent.com\\/(?\\S+?\\/\\S+?)\\/(?(v|\\d)\\S+?)\\/\\S+", 30 | ], 31 | datasourceTemplate: "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}", 32 | versioningTemplate: "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}", 33 | // extractVersionTemplate: "{{#if extractVersion}}{{{extractVersion}}}{{else}}^v?(?.*)${{/if}}", 34 | }, 35 | ], 36 | } 37 | -------------------------------------------------------------------------------- /docs/installation/preparing-nodes.md: -------------------------------------------------------------------------------- 1 | # Preparing Nodes 2 | 3 | ## Install Ubuntu 4 | 5 | Download Ubuntu Server 21.04 ISO and install Ubuntu on each node. 6 | 7 | !!! abstract "VLAN Config" 8 | 9 | === "Physical devices (amd64)" 10 | 11 | Select the required VLAN (100) during the server setup 12 | 13 | === "Raspberry Pi (arm)" 14 | 15 | !!! info "For raspberry pi/ARM edit the file" 16 | ```sh 17 | sudo vi /etc/netplan/50-cloud-init.yaml 18 | ``` 19 | 20 | !!! info "Update the yaml file with the content" 21 | ```yaml 22 | # /etc/netplan/50-cloud-init.yaml 23 | network: 24 | ethernets: 25 | eth0: 26 | dhcp4: true 27 | vlans: 28 | vlan100: 29 | id: 100 30 | link: eth0 31 | dhcp4: true 32 | version: 2 33 | ``` 34 | !!! info "Validate the network settings" 35 | ```sh 36 | sudo netplan try 37 | ``` 38 | !!! 
info "Save the network settings" 39 | ```sh 40 | sudo netplan apply 41 | ``` 42 | 43 | 44 | 45 | ## Generate SSH Key on host machine 46 | 47 | ```sh 48 | ssh-keygen -t ed25519 -C "rogerrum@gmail.com" 49 | ``` 50 | 51 | ## Copy over SSH key from the host machine 52 | 53 | ```sh 54 | ssh-copy-id -i ~/.ssh/id_ed25519.pub rsr@192.168.50.100 55 | ``` 56 | 57 | ## Ubuntu use all partition space 58 | 59 | ```sh 60 | lsblk 61 | ``` 62 | ```sh 63 | sudo parted /dev/sda print 64 | ``` 65 | ```sh 66 | sudo lvextend -l +100%FREE /dev/ubuntu-vg/ubuntu-lv 67 | ``` 68 | ```sh 69 | sudo resize2fs /dev/ubuntu-vg/ubuntu-lv 70 | ``` 71 | 72 | ## Prepare Disks for Longhorn 73 | 74 | !!! info "Prepare/mount the additional disks for Longhorn" 75 | 76 | ```sh 77 | wget https://raw.githubusercontent.com/rogerrum/homelab-infrastructure/main/k3s/ha/setup-disks.sh \ 78 | -O setup-disks.sh && chmod +x setup-disks.sh 79 | ``` 80 | 81 | !!! info "run `setup-disks.sh` for each additional disk" 82 | 83 | ```sh 84 | ./setup-disks.sh sdb storage 85 | ``` 86 | 87 | --------------------------------------------------------------------------------