2 | Cilium on Argo CD
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 | Deploy Cilium to Kubernetes via an ArgoCD ApplicationSet.
12 |
13 |
14 | ___
15 |
16 | Features:
17 | - Deploys the Hubble dashboard behind Vouch
18 | - Enables use of eBPF-dependent apps like Keda and Kepler
19 | - Encryption is enabled via the WireGuard integration. See https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#enable-wireguard-in-cilium for more details.
20 |
--------------------------------------------------------------------------------
/demo/pixelfed/external_secrets/templates/bitwarden/pixelfed_app_key.yaml:
--------------------------------------------------------------------------------
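{{- if eq .Values.provider "bitwarden" }}
---
# ExternalSecret that fetches the Pixelfed application key from Bitwarden and
# renders it into the `pixelfed-app-key` Secret in the pixelfed namespace.
# Only rendered when .Values.provider is "bitwarden".
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: pixelfed-app-key
  namespace: pixelfed
spec:
  target:
    # Name for the secret to be created on the cluster; it is removed again
    # when this ExternalSecret is deleted
    name: pixelfed-app-key
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        # the inner {{ .secretKey }} is escaped so Helm emits it literally and
        # external-secrets substitutes the fetched value
        key: |-
          {{ `{{ .secretKey }}` }}
  data:
    - secretKey: secretKey
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # quoted so the Bitwarden item id always renders as a string
        key: "{{ .Values.appKeyBitwardenID }}"
        property: password
{{- end }}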
--------------------------------------------------------------------------------
/ingress-nginx/modsecurity_configmap/modsecurity_exception_files/README.md:
--------------------------------------------------------------------------------
1 | # Security Rule ID Ranges
2 |
3 | | App | Start |
4 | |:---------------|:-------|
5 | | postgres | 20000 |
6 | | Grafana | 30001 |
7 | | Matrix | 40001 |
8 | | Home Assistant | 50001 |
9 | | zitadel | 60001 |
10 | | ArgoCD | 70001 |
11 | | ActivityPub | 80000 |
12 | | Loki | 90001 |
13 | | tempo | 100000 |
14 | | Mimir | 110001 |
15 | | Harbor | 120001 |
16 | | Jellyfin | 130000 |
17 | | Forgejo | 140000 |
18 | | Ghost | 150000 |
19 | | AI | 160000 |
20 | | Banned | 170000 |
21 | | VNC | 180000 |
22 | | Nextcloud | 950000 |
23 |
--------------------------------------------------------------------------------
/ingress-nginx/modsecurity_configmap/values.yaml:
--------------------------------------------------------------------------------
---
# Per-app toggles for the ModSecurity rule-exclusion files.
# NOTE(review): templates/modsecurity_plugins_configmap.yaml globs every file
# under modsecurity_exception_files/ regardless of these flags — confirm which
# template reads them before relying on a toggle to drop a rule set.

# -- enable the activity pub exceptions
activitypub: true

# -- enable the argocd exceptions
argocd: true

# -- enable the grafana exceptions
grafana: true

# -- enable the home assistant exceptions
# NOTE(review): hyphenated key; a Go template has to read it with
# `index .Values "home-assistant"`, since `.Values.home-assistant` parses as subtraction
home-assistant: true

# -- enable the loki exceptions
loki: true

# -- enable the matrix exceptions
matrix: true

# -- enable the mimir exceptions
mimir: true

# -- enable the nextcloud exceptions
nextcloud: true

# -- enable the postgresql exceptions
postgresql: true

# -- enable the tempo exceptions
tempo: true

# -- enable the zitadel exceptions
zitadel: true
--------------------------------------------------------------------------------
/mastodon/small-hack/storage/pvc/values.yaml:
--------------------------------------------------------------------------------
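---
# Storage values for the Mastodon (small-hack) deployment.
# The comments previously referred to the nextcloud config pvc; this file
# only defines the valkey pvc.
valkey_pvc:
  # -- enable the valkey pvc
  enabled: true
  # -- storage class name to use for the valkey pvc
  storageClassName: "local-path"
  # -- access mode for the valkey pvc
  accessMode: "ReadWriteOnce"
  # -- storage capacity for the valkey pvc
  storage: "2Gi"

# -- affinity ({} sets none)
affinity: {}

# -- tolerations for node taints ([] tolerates none)
tolerations: []

# -- for enabling backups to a remote s3 provider or local disk backup
k8up:
  # -- security context the backup pod runs with
  securityContext:
    # -- uid to run the backups as; 0 (root) can read every file on the volume.
    # NOTE(review): the old nextcloud comment suggested 33 (apache) or 82 (nginx);
    # confirm which uid owns the valkey data before lowering this
    runAsUser: 0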
--------------------------------------------------------------------------------
/seaweedfs/operator/seaweedfs_argocd_app.yaml:
--------------------------------------------------------------------------------
---
# Argo CD Application for the SeaweedFS operator helm chart (sync wave 2).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: seaweedfs-operator-app
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "2"
spec:
  project: seaweedfs
  source:
    repoURL: https://github.com/seaweedfs/seaweedfs-operator
    # NOTE(review): tracks the upstream master branch while automated sync,
    # selfHeal and prune are on, so any upstream push is deployed unreviewed;
    # pin a tag or commit once the operator leaves experimentation
    targetRevision: master
    path: deploy/helm/
    helm:
      releaseName: seaweedfs-operator
  destination:
    server: https://kubernetes.default.svc
    namespace: seaweedfs
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
    automated:
      prune: true
      selfHeal: true
--------------------------------------------------------------------------------
/argocd/manifests/projects/social.yaml:
--------------------------------------------------------------------------------
---
# Argo CD project that scopes every Mastodon application.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: mastodon
  namespace: argocd
spec:
  description: all mastodon apps
  sourceRepos:
    - registry-1.docker.io
    - https://github.com/small-hack/argocd-apps.git
    - https://github.com/jessebot/mastodon-helm-chart.git
  destinations:
    - name: in-cluster
      namespace: mastodon
      server: https://kubernetes.default.svc
    # NOTE(review): wildcard name/server lets apps in this project write to the
    # argocd namespace of any registered cluster; projects/zitadel.yaml pins the
    # same destination to in-cluster instead
    - name: '*'
      namespace: argocd
      server: '*'
  # NOTE(review): '*'/'*' permits any cluster-scoped kind (ClusterRoles, CRDs,
  # webhooks); narrow it to what the mastodon apps actually create if possible
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  namespaceResourceWhitelist:
    - group: '*'
      kind: '*'
  orphanedResources: {}
--------------------------------------------------------------------------------
/mastodon/README.md:
--------------------------------------------------------------------------------
1 | # Argo CD ApplicationSets for Mastodon
2 |
3 | - **Stable directory**: [small-hack](./small-hack)
4 | - **Unstable directory**: [mastodon](./mastodon)
5 |
6 | Example Argo CD tree view of Mastodon (small-hack) App:
7 |
8 | 
9 |
--------------------------------------------------------------------------------
/postgres/backups/k8up-test/k8up-job/manifests/backup-as-root.yaml:
--------------------------------------------------------------------------------
---
# k8up Backup in the default namespace, shipped to a Backblaze B2 bucket.
apiVersion: k8up.io/v1
kind: Backup
metadata:
  name: root-backup-to-b2
  namespace: default
spec:
  # run restic as root so it can read files owned by any uid on the volumes
  podSecurityContext:
    runAsUser: 0
  successfulJobsHistoryLimit: 10
  failedJobsHistoryLimit: 10
  backend:
    # restic repository password; the ExternalSecret of the same name in
    # external_secrets/restic-repo-secret.yaml creates this Secret
    repoPasswordSecretRef:
      name: k8up-restic-b2-repo-pw-pg-backup
      key: password
    s3:
      endpoint: s3.eu-central-003.backblazeb2.com
      bucket: vmt-pg-backup-test
      accessKeyIDSecretRef:
        name: k8up-b2-creds-pg-backup
        key: applicationKeyId
      secretAccessKeySecretRef:
        name: k8up-b2-creds-pg-backup
        key: applicationKey
--------------------------------------------------------------------------------
/demo/test-app/nginx-hello-world/manifests/ingress.yaml:
--------------------------------------------------------------------------------
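---
# Ingress for the nginx hello-world test app with a Let's Encrypt certificate
# from cert-manager. {{ .testing_hostname }} is filled in before applying.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-hello-ingress
  namespace: nginx-hello
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  # ingressClassName replaces the deprecated kubernetes.io/ingress.class
  # annotation (the s3_bucket_ingresses chart already uses this form)
  ingressClassName: nginx
  tls:
    - hosts:
        # quoted so the templated hostname always renders as a string
        - "{{ .testing_hostname }}"
      # NOTE(review): the TLS secret is named after the ClusterIssuer, which is
      # easy to confuse with it; a per-host secret name reads better
      secretName: "letsencrypt-prod"
  rules:
    - host: "{{ .testing_hostname }}"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-hello-service
                port:
                  number: 5000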
--------------------------------------------------------------------------------
/external-secrets-operator/app_of_apps/external-secrets-crds_argocd_app.yaml:
--------------------------------------------------------------------------------
---
# Argo CD Application installing the external-secrets CRDs from the upstream
# repo at a pinned tag (sync wave 1, so they exist before later waves).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: external-secrets-operator-crds
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: external-secrets-operator
  source:
    repoURL: 'https://github.com/external-secrets/external-secrets'
    targetRevision: v0.20.4
    path: deploy/crds/
  destination:
    server: "https://kubernetes.default.svc"
    namespace: external-secrets
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
      # server-side apply keeps large CRDs under the last-applied annotation limit
      - ServerSideApply=true
    automated:
      prune: true
      selfHeal: true
--------------------------------------------------------------------------------
/seaweedfs/README.md:
--------------------------------------------------------------------------------
1 | # Argo CD Applications for deploying SeaweedFS
2 |
3 | We are currently experimenting with [SeaweedFS](https://github.com/seaweedfs/seaweedfs) on Kubernetes.
4 |
5 | ## Sync Waves
6 |
7 | 1. persistent volumes for filer, volume server, and master server
8 | 2. SeaweedFS helm chart
9 |
10 | ## Persistence
11 |
12 | This is to deploy a pre-existing persistent volume.
13 |
14 | - [persistent volumes](./persistence/seaweedfs_data_pvc.yaml)
15 |
16 | ### Backups
17 |
18 | Docs on backing up SeaweedFS.
19 |
20 | - [Regular docs](./backups/backups.md)
21 | - [S3 docs](./backups/s3-backups.md)
22 |
23 | ## Operator
24 |
25 | This is the new SeaweedFS operator helm chart for using the SeaweedFS CRDs. It is still in an experimental phase.
26 |
27 |
--------------------------------------------------------------------------------
/grafana_stack/app_of_apps_with_matrix/dashboards_argocd_app.yaml:
--------------------------------------------------------------------------------
---
# Argo CD Application that deploys the grafana dashboards chart from this repo.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: grafana-dashboards
  namespace: argocd
spec:
  project: monitoring
  source:
    repoURL: 'https://github.com/small-hack/argocd-apps'
    targetRevision: main
    path: grafana_stack/dashboards/
    helm:
      valuesObject:
        dashboards:
          deploy_all: true
  destination:
    server: "https://kubernetes.default.svc"
    namespace: monitoring
  syncPolicy:
    syncOptions:
      # Replace=true recreates objects instead of patching them — presumably
      # because dashboard ConfigMaps exceed the last-applied annotation limit
      - Replace=true
      - CreateNamespace=true
    automated:
      prune: true
      selfHeal: true
--------------------------------------------------------------------------------
/k8up/k8up_argocd_app.md:
--------------------------------------------------------------------------------
1 | This is what it would look like to deploy the CRDs separately:
2 | ```yaml
---
# CRDs for backups, applied in sync wave -1 so they exist before the k8up app
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: k8up-crd
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
spec:
  project: k8up
  source:
    repoURL: https://github.com/k8up-io/k8up.git
    targetRevision: k8up-4.8.5
    path: config/crd/apiextensions.k8s.io/v1/
  destination:
    server: "https://kubernetes.default.svc"
    namespace: k8up
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
      - Replace=true
    automated:
      prune: true
      selfHeal: true
28 | ```
29 |
--------------------------------------------------------------------------------
/minio/backups/external_secrets_argocd_app.yaml:
--------------------------------------------------------------------------------
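---
# Sync wave 1: the ExternalSecrets holding the minio backup credentials must
# exist before the backup jobs in later waves reference them (the comment
# previously referred to nextcloud, which this app does not manage).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: minio-backups-external-secrets
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: minio
  source:
    repoURL: https://github.com/small-hack/argocd-apps.git
    path: minio/backups/external_secrets/
    # NOTE(review): no targetRevision, so HEAD of the default branch is tracked;
    # the other apps in this repo set main explicitly
  destination:
    server: "https://kubernetes.default.svc"
    namespace: minio
  syncPolicy:
    syncOptions:
      - Replace=true
    automated:
      prune: true
      selfHeal: true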
--------------------------------------------------------------------------------
/ghost/storage/templates/pvc_mysql.yaml:
--------------------------------------------------------------------------------
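---
# PersistentVolumeClaims for the two Ghost MySQL databases (main site and
# ActivityPub). The old comments said postgresql; these are the mysql volumes.
# Both claims share the same storage class and capacity values.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ghost-mysql
spec:
  # deliberately unquoted: an empty storageClassName ("") disables dynamic
  # provisioning, whereas an unset value selects the default StorageClass
  storageClassName: {{ .Values.pvc_storageClassName }}
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: {{ .Values.pvc_capacity }}
---
# PVC for the ActivityPub MySQL database
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ghost-activitypub-mysql
spec:
  storageClassName: {{ .Values.pvc_storageClassName }}
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: {{ .Values.pvc_capacity }}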
--------------------------------------------------------------------------------
/minio/backups/testing/backups/root_backup.yaml:
--------------------------------------------------------------------------------
---
# k8up Backup (testing) to a Backblaze B2 bucket, with job metrics pushed to a
# prometheus push-gateway.
# NOTE(review): lives under minio/backups but targets namespace nextcloud, and
# uses push-gateway.prometheus while nextcloud/backups_and_restores/root_backup.yaml
# uses push-gateway.monitoring — confirm both are intended.
apiVersion: k8up.io/v1
kind: Backup
metadata:
  name: root-backup-minio-s3
  namespace: nextcloud
spec:
  promURL: http://push-gateway.prometheus:9091/
  # run restic as root so it can read files owned by any uid on the volumes
  podSecurityContext:
    runAsUser: 0
  successfulJobsHistoryLimit: 10
  failedJobsHistoryLimit: 10
  backend:
    repoPasswordSecretRef:
      name: minio-backups-credentials
      key: resticRepoPassword
    s3:
      endpoint: s3.eu-central-003.backblazeb2.com
      bucket: testing-minio-backups
      accessKeyIDSecretRef:
        name: minio-backups-credentials
        key: applicationKeyId
      secretAccessKeySecretRef:
        name: minio-backups-credentials
        key: applicationKey
--------------------------------------------------------------------------------
/zitadel/storage/minio_tenant/minio_setup_script_argocd_app.yaml:
--------------------------------------------------------------------------------
---
# Argo CD Application that runs the minio setup script for zitadel.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: zitadel-minio-setup-script
  namespace: argocd
  annotations:
    # after the external secrets and minio tenant but before the postgres and zitadel apps
    argocd.argoproj.io/sync-wave: "3"
spec:
  project: zitadel
  source:
    repoURL: https://github.com/small-hack/argocd-apps.git
    targetRevision: main
    path: zitadel/storage/minio_tenant/minio_setup_script/
  destination:
    server: "https://kubernetes.default.svc"
    namespace: zitadel
  syncPolicy:
    syncOptions:
      - ApplyOutOfSyncOnly=true
    automated:
      prune: true
      selfHeal: true
--------------------------------------------------------------------------------
/ingress-nginx/modsecurity_configmap/templates/modsecurity_plugins_configmap.yaml:
--------------------------------------------------------------------------------
# ConfigMap holding the per-app ModSecurity rule-exclusion files; the
# nginx-configmap: "1" label presumably marks it for ingress-nginx to mount —
# TODO confirm against the ingress-nginx values.
# NOTE(review): every .conf under modsecurity_exception_files/ is included by
# the range below; the per-app toggles in values.yaml do not gate this loop.
apiVersion: v1
kind: ConfigMap
metadata:
  name: modsecurity-plugins
  labels:
    nginx-configmap: "1"
data:
  # empty placeholder files, presumably expected by the plugin layout — TODO confirm
  empty-after.conf: |
    # no data
  empty-before.conf: |
    # no data
  empty-config.conf: |
    # no data
{{/* range through all modsecurity exception files */}}
{{ range $path, $_ := .Files.Glob "modsecurity_exception_files/**.conf" }}
{{/* create a simple file name to template with */}}
{{- $file_name := $path | trimPrefix "modsecurity_exception_files/" | lower | nospace | trimSuffix ".conf" -}}

{{- $file_name | nindent 2 }}-rule-exclusions-before.conf: |-
{{- $.Files.Get $path | nindent 4 }}
{{- end }}
--------------------------------------------------------------------------------
/s3_bucket_ingresses/templates/ingress.yaml:
--------------------------------------------------------------------------------
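{{- range .Values.buckets }}
---
# One Ingress per entry in .Values.buckets, exposing <bucket>.<s3_hostname> on
# the seaweedfs-s3 service with its own TLS secret.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: s3-{{ . }}-bucket-ingress
  {{- with $.Values.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  ingressClassName: nginx
  rules:
    # quoted so the templated hostname always renders as a string
    - host: "{{ . }}.{{ $.Values.s3_hostname }}"
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: seaweedfs-s3
                port:
                  number: 8333
  tls:
    - secretName: s3-{{ . }}-bucket-tls
      hosts:
        - "{{ . }}.{{ $.Values.s3_hostname }}"
{{- end }}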
--------------------------------------------------------------------------------
/argocd/manifests/projects/zitadel.yaml:
--------------------------------------------------------------------------------
---
# Argo CD project for zitadel and its supporting charts.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: zitadel
  namespace: argocd
spec:
  description: project for zitadel
  sourceRepos:
    - https://charts.zitadel.com
    - https://charts.cockroachdb.com/
    - https://zitadel.github.io/zitadel-charts
    - https://github.com/small-hack/argocd-apps
  # both destinations are pinned to the local cluster
  destinations:
    - name: in-cluster
      namespace: zitadel
      server: https://kubernetes.default.svc
    - name: in-cluster
      namespace: argocd
      server: https://kubernetes.default.svc
  # NOTE(review): '*'/'*' permits any cluster-scoped kind; narrow it to what the
  # zitadel apps actually create if possible
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  namespaceResourceWhitelist:
    - group: '*'
      kind: '*'
  orphanedResources: {}
--------------------------------------------------------------------------------
/demo/vault/vault_argocd_app.yaml:
--------------------------------------------------------------------------------
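---
# Argo CD Application for the HashiCorp Vault helm chart.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: vault-app
  namespace: argocd
spec:
  project: vault
  source:
    repoURL: 'https://helm.releases.hashicorp.com'
    chart: vault
    # quoted so the version is never read as a number
    targetRevision: "0.31.0"
  destination:
    server: https://kubernetes.default.svc
    namespace: vault
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
    automated:
      prune: true
      selfHeal: true
  # The agent-injector webhook's caBundle is populated at runtime; ignore it so
  # selfHeal does not keep reverting it. MutatingWebhookConfiguration lives in
  # admissionregistration.k8s.io, not apps — with the wrong group this entry
  # never matched anything.
  ignoreDifferences:
    - group: admissionregistration.k8s.io
      kind: MutatingWebhookConfiguration
      name: vault-app-agent-injector-cfg
      jqPathExpressions:
        - '.webhooks[]?.clientConfig.caBundle'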
--------------------------------------------------------------------------------
/matrix/external_secrets/templates/bitwarden/syncv3_env.yaml:
--------------------------------------------------------------------------------
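{{- if and (eq .Values.external_secrets_provider "bitwarden") .Values.sliding_sync.sliding_sync_bitwarden_ID }}
---
# ExternalSecret for the sliding sync (syncv3) secret, fetched from Bitwarden.
# Rendered only for the bitwarden provider and when a Bitwarden item id is set.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: syncv3-secret
spec:
  target:
    # Name for the secret to be created on the cluster
    name: syncv3-secret
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        # the inner {{ .secret }} is escaped so Helm emits it literally and
        # external-secrets substitutes the fetched value
        SYNCV3_SECRET: |-
          {{ `{{ .secret }}` }}
  data:
    # SYNCV3_SECRET
    - secretKey: secret
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # quoted so the Bitwarden item id always renders as a string
        key: "{{ .Values.sliding_sync.sliding_sync_bitwarden_ID }}"
        property: password
{{- end }}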
--------------------------------------------------------------------------------
/nextcloud/maintenance_mode_cronjobs/values.yaml:
--------------------------------------------------------------------------------
---
# Values for the nextcloud maintenance-mode CronJobs.

# -- timezone for the TZ env var; must be an identifier from
# https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
# (for example "Europe/Amsterdam")
timezone: ""

image:
  # -- docker image repo
  repository: "nextcloud"
  # -- docker image tag (quoted so it is never read as a number)
  tag: "31.0.10-fpm-alpine"

maintenance_mode_on:
  # -- cron schedule to turn on maintenance mode for nextcloud
  schedule: ""

maintenance_mode_off:
  # -- cron schedule to turn off maintenance mode for nextcloud
  schedule: ""

# -- affinity to make the cronjobs use a specific node
affinity: {}

# -- tolerations to make the cronjobs tolerate the taints on a specific node
tolerations: []
--------------------------------------------------------------------------------
/external-secrets-operator/providers/bitwarden/bitwarden_argocd_app.yaml:
--------------------------------------------------------------------------------
---
# Argo CD Application for the bitwarden-eso-provider chart, presumably the
# backend behind the bitwarden-login ClusterSecretStore used by the
# ExternalSecrets in this repo.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: bitwarden-eso-provider
  namespace: argocd
spec:
  project: external-secrets-operator
  source:
    # NOTE(review): the external-secrets-operator AppProject must list this URL
    # in sourceRepos, or Argo CD refuses the source
    repoURL: 'https://small-hack.github.io/bitwarden-eso-provider'
    chart: bitwarden-eso-provider
    targetRevision: 1.2.0
    helm:
      # NOTE(review): network_policy is off for the pod that holds the Bitwarden
      # login, so nothing restricts which pods can reach it; re-enable unless it
      # is only disabled for debugging. Credentials come from the existing
      # bweso-login Secret rather than from values.
      values: |
        network_policy: false
        bitwarden_eso_provider:
          auth:
            existingSecret: bweso-login
  destination:
    server: "https://kubernetes.default.svc"
    namespace: external-secrets
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      prune: true
      selfHeal: true
--------------------------------------------------------------------------------
/prometheus/crds/prometheus_crds_argocd_app.yaml:
--------------------------------------------------------------------------------
---
# Argo CD Application for the kube-prometheus-stack CRDs, taken from the
# helm-charts repo at a pinned chart tag (sync wave 1).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: prometheus-crd
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: prometheus
  source:
    repoURL: https://github.com/prometheus-community/helm-charts.git
    targetRevision: kube-prometheus-stack-78.5.0
    path: charts/kube-prometheus-stack/charts/crds/crds/
    directory:
      recurse: true
  destination:
    name: in-cluster
    namespace: prometheus
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
      # server-side apply keeps the large CRDs under the last-applied annotation limit
      - ServerSideApply=true
      # NOTE(review): Retry=true does not appear among Argo CD's documented sync
      # options and unknown options are ignored silently; retries are configured
      # under syncPolicy.retry — TODO confirm this does anything
      - Retry=true
    automated:
      prune: true
      selfHeal: true
--------------------------------------------------------------------------------
/s3_persistence_and_backups/templates/juicefs_valkey_pvc.yaml:
--------------------------------------------------------------------------------
{{- if eq .Values.provider "juicefs" }}
---
# PVCs for the juicefs valkey primary and replica; both are annotated so k8up
# includes them in backups. Rendered only when .Values.provider is "juicefs".
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: juicefs-valkey-primary
  annotations:
    k8up.io/backup: "true"
spec:
  # left unquoted on purpose: "" disables dynamic provisioning, while an unset
  # value selects the default StorageClass
  storageClassName: {{ .Values.pvc_storageClassName }}
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: {{ .Values.pvc_capacity }}
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: juicefs-valkey-replica
  annotations:
    k8up.io/backup: "true"
spec:
  storageClassName: {{ .Values.pvc_storageClassName }}
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: {{ .Values.pvc_capacity }}
{{- end }}
--------------------------------------------------------------------------------
/argocd/manifests/projects/external-secrets.yaml:
--------------------------------------------------------------------------------
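---
# Argo CD project for the external secrets operator and its providers.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: external-secrets-operator
  namespace: argocd
spec:
  description: all apps for kubernetes external secrets operator
  sourceRepos:
    - https://github.com/small-hack/argocd-apps.git
    - https://charts.external-secrets.io
    - https://jessebot.github.io/bitwarden-eso-provider
    # providers/bitwarden/bitwarden_argocd_app.yaml pulls its chart from here;
    # Argo CD refuses a source that the project does not list
    - https://small-hack.github.io/bitwarden-eso-provider
  destinations:
    - name: in-cluster
      namespace: external-secrets
      server: https://kubernetes.default.svc
    # NOTE(review): wildcard name/server allows the argocd namespace on any
    # registered cluster; projects/zitadel.yaml pins this to in-cluster instead
    - name: '*'
      namespace: argocd
      server: '*'
  # NOTE(review): '*'/'*' permits any cluster-scoped kind; narrow if possible
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  namespaceResourceWhitelist:
    - group: '*'
      kind: '*'
  orphanedResources: {}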
--------------------------------------------------------------------------------
/nextcloud/backups_and_restores/root_backup.yaml:
--------------------------------------------------------------------------------
---
# k8up Backup in the nextcloud namespace to a Backblaze B2 bucket, with job
# metrics pushed to the push-gateway in the monitoring namespace.
apiVersion: k8up.io/v1
kind: Backup
metadata:
  name: root-backup-nextcloud-s3
  namespace: nextcloud
spec:
  promURL: http://push-gateway.monitoring:9091/
  # run restic as root so it can read files owned by any uid on the volumes
  podSecurityContext:
    runAsUser: 0
  successfulJobsHistoryLimit: 10
  failedJobsHistoryLimit: 10
  backend:
    repoPasswordSecretRef:
      name: nextcloud-backups-credentials
      key: resticRepoPassword
    s3:
      endpoint: s3.eu-central-003.backblazeb2.com
      bucket: testing-ncloud-backups-september
      accessKeyIDSecretRef:
        name: nextcloud-backups-credentials
        key: applicationKeyId
      secretAccessKeySecretRef:
        name: nextcloud-backups-credentials
        key: applicationKey
--------------------------------------------------------------------------------
/cert-manager/external_secrets/templates/bitwarden/cloudflare_token.yaml:
--------------------------------------------------------------------------------
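{{- if eq .Values.provider "bitwarden" }}
---
# ExternalSecret that fetches the Cloudflare API token from Bitwarden for
# cert-manager's DNS challenge. Only rendered when .Values.provider is "bitwarden".
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: cloudflare-api-token
spec:
  target:
    # Name for the secret to be created on the cluster
    name: cloudflare-api-token
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        # the inner {{ .token }} is escaped so Helm emits it literally and
        # external-secrets substitutes the fetched value
        token: |-
          {{ `{{ .token }}` }}
  data:
    # Key given to the secret to be created on the cluster
    - secretKey: token
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # quoted so the Bitwarden item id always renders as a string
        key: "{{ .Values.cloudflareBitwardenID }}"
        property: password
{{- end }}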
--------------------------------------------------------------------------------
/demo/juicefs/external_secrets/templates/redis_credentials.yaml:
--------------------------------------------------------------------------------
{{- if eq .Values.provider "bitwarden" }}
---
# ExternalSecret that fetches the juicefs redis password from Bitwarden.
# Only rendered when .Values.provider is "bitwarden".
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: juicefs-redis-password
spec:
  data:
    # Key given to the secret to be created on the cluster
    - secretKey: password
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # NOTE(review): a fixed item reference rather than a .Values entry like
        # the other bitwarden templates — confirm it resolves in every environment
        key: juicefs-redis-password
        property: password
  target:
    # Name for the secret to be created on the cluster
    name: juicefs-redis-password
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        # the inner {{ .password }} is escaped so Helm emits it literally
        redis-password: |-
          {{ `{{ .password }}` }}
{{- end }}
--------------------------------------------------------------------------------
/postgres/backups/k8up-test/k8up-job/external_secrets/restic-repo-secret.yaml:
--------------------------------------------------------------------------------
---
# ExternalSecret with the restic repository password for the k8up postgres
# backup test; manifests/backup-as-root.yaml reads it via repoPasswordSecretRef.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: k8up-restic-b2-repo-pw-pg-backup
  namespace: default
spec:
  data:
    - secretKey: password
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        key: pg-backup-test-b2-repo-password
        property: password
  target:
    # Name for the secret to be created on the cluster
    name: k8up-restic-b2-repo-pw-pg-backup
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        # bare {{ .password }} (no Helm escaping) — presumably applied as a plain
        # manifest, not rendered by Helm
        password: |-
          {{ .password }}
--------------------------------------------------------------------------------
/tempo/external_secrets/templates/valkey_credentials.yaml:
--------------------------------------------------------------------------------
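{{- if eq .Values.provider "bitwarden" }}
---
# ExternalSecret that fetches the tempo valkey password from Bitwarden.
# Only rendered when .Values.provider is "bitwarden".
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: tempo-valkey-credentials
spec:
  target:
    # Name for the secret to be created on the cluster
    name: tempo-valkey-credentials
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        # the inner {{ .password }} is escaped so Helm emits it literally and
        # external-secrets substitutes the fetched value
        password: |-
          {{ `{{ .password }}` }}
  data:
    # Key given to the secret to be created on the cluster
    - secretKey: password
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # quoted so the Bitwarden item id always renders as a string
        key: "{{ .Values.valkeyCredentialsBitwardenID }}"
        property: password
{{- end }}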
--------------------------------------------------------------------------------
/ingress-nginx/modsecurity_configmap/modsecurity_exception_files/loki.conf:
--------------------------------------------------------------------------------
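# ModSecurity rule exclusions for Loki (rule id range 90001+, see README.md).
# Every request whose URI begins with /loki skips the CRS rules listed below.
# Keep this list as short as possible: it also switches off the request
# smuggling and Java RCE checks for any client that can reach that path.
#
#   911100  Method is not allowed by policy            - Loki flushes chunks with PUT
#   920340  Request Containing Content, but Missing Content-Type header
#   921110  HTTP Request Smuggling Attack              - tripped by Loki writes
#   944100  Remote Command Execution: Suspicious Java class detected
#   944110  Remote Command Execution: Java process spawn (CVE-2017-9805)
#   944130  Suspicious Java class detected
#
# NOTE(review): @beginsWith is a plain prefix match, so /loki-anything and
# /lokifoo are excluded too; "@rx ^/loki(/|$)" would limit it to the Loki path.
SecRule REQUEST_URI "@beginsWith /loki" \
    "id:90001,\
    phase:1,\
    ver:'loki-exclusions-plugin/1.0.0',\
    pass,\
    nolog,\
    t:none,\
    ctl:ruleRemoveById=911100,\
    ctl:ruleRemoveById=920340,\
    ctl:ruleRemoveById=921110,\
    ctl:ruleRemoveById=944100,\
    ctl:ruleRemoveById=944110,\
    ctl:ruleRemoveById=944130"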
--------------------------------------------------------------------------------
/valkey/external_secrets/templates/bitwarden/valkey_credentials.yaml:
--------------------------------------------------------------------------------
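{{- if eq .Values.provider "bitwarden" }}
---
# ExternalSecret that fetches the valkey password from Bitwarden.
# Only rendered when .Values.provider is "bitwarden".
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: valkey-credentials
spec:
  target:
    # Name for the secret to be created on the cluster
    name: valkey-credentials
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        # the inner {{ .password }} is escaped so Helm emits it literally and
        # external-secrets substitutes the fetched value
        valkey_password: |-
          {{ `{{ .password }}` }}
  data:
    # Key given to the secret to be created on the cluster
    - secretKey: password
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # quoted so the Bitwarden item id always renders as a string
        key: "{{ .Values.valkeyCredentialsBitwardenID }}"
        property: password
{{- end }}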
--------------------------------------------------------------------------------
/demo/garage/manifests/init_rbac.yaml:
--------------------------------------------------------------------------------
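---
# RBAC for the garage setup job, which presumably runs commands inside the
# garage pods (see the linked answer).
# see: https://stackoverflow.com/questions/54196533/how-to-execute-command-from-one-pod-inside-another-pod-using-kubectl-exec-which
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: garage-setup-role
  namespace: garage
  labels:
    app: garage
rules:
  - apiGroups: [""]
    # pods/exec is a subresource and has to be listed explicitly; "exec" is not
    # an RBAC verb — kubectl exec issues a create on pods/exec and a get on pods
    resources: ["pods", "pods/exec"]
    # NOTE(review): update/patch/delete on pods are more than exec needs; trim
    # them once the setup script's actual API calls are known
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: garage-rolebinding
  namespace: garage
  labels:
    app: garage
# NOTE(review): system:serviceaccounts grants the role to every service account
# in the cluster (within this namespace), not just the setup job's; bind the
# job's own ServiceAccount instead
subjects:
  - kind: Group
    name: system:serviceaccounts
    apiGroup: rbac.authorization.k8s.io
# roleRef is required — the API server rejects a RoleBinding without one
roleRef:
  kind: Role
  name: garage-setup-role
  apiGroup: rbac.authorization.k8s.io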
--------------------------------------------------------------------------------
/writefreely/external_secrets/templates/writefreely_admin_credentials.yaml:
--------------------------------------------------------------------------------
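{{- if eq .Values.provider "bitwarden" }}
---
# ExternalSecret that fetches the writefreely admin password from Bitwarden.
# Only rendered when .Values.provider is "bitwarden".
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: writefreely-admin-credentials
spec:
  target:
    # Name for the secret to be created on the cluster
    name: writefreely-admin-credentials
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        # the inner {{ .password }} is escaped so Helm emits it literally and
        # external-secrets substitutes the fetched value
        writefreely-password: |-
          {{ `{{ .password }}` }}
  data:
    # writefreely admin password
    - secretKey: password
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # quoted so the Bitwarden item id always renders as a string
        key: "{{ .Values.adminCredentialsBitwardenID }}"
        property: password
{{- end }}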
--------------------------------------------------------------------------------
/grafana_stack/external_secrets/templates/loki_valkey_credentials.yaml:
--------------------------------------------------------------------------------
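{{- if eq .Values.provider "bitwarden" }}
---
# Pulls the valkey password used by loki from a Bitwarden login item and
# writes it into the loki-valkey-credentials Secret on the cluster.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: loki-valkey-credentials
spec:
  target:
    # Name for the secret to be created on the cluster
    name: loki-valkey-credentials
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        password: |-
          {{ `{{ .password }}` }}
  data:
    # Key given to the secret to be created on the cluster
    - secretKey: password
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # Quoted so the item id is always rendered as a string, whatever
        # characters it happens to contain.
        key: "{{ .Values.lokiValkeyCredentialsBitwardenID }}"
        property: password
{{- end }}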
--------------------------------------------------------------------------------
/nextcloud/external_secrets/templates/bitwarden/redis_credentials.yaml:
--------------------------------------------------------------------------------
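{{- if eq .Values.provider "bitwarden" }}
---
# Pulls the redis password used by nextcloud from a Bitwarden login item and
# writes it into the nextcloud-redis-credentials Secret on the cluster.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: nextcloud-redis-credentials
spec:
  target:
    # Name for the secret to be created on the cluster
    name: nextcloud-redis-credentials
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        redis_password: |-
          {{ `{{ .password }}` }}
  data:
    # Key given to the secret to be created on the cluster
    - secretKey: password
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # Quoted so the item id is always rendered as a string, whatever
        # characters it happens to contain.
        key: "{{ .Values.redisBitwardenID }}"
        property: password
{{- end }}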
--------------------------------------------------------------------------------
/valkey_cluster/external_secrets/templates/bitwarden/valkey_credentials.yaml:
--------------------------------------------------------------------------------
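{{- if eq .Values.provider "bitwarden" }}
---
# Pulls the valkey password from a Bitwarden login item and writes it into
# the valkey-credentials Secret on the cluster.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: valkey-credentials
spec:
  target:
    # Name for the secret to be created on the cluster
    name: valkey-credentials
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        valkey_password: |-
          {{ `{{ .password }}` }}
  data:
    # Key given to the secret to be created on the cluster
    - secretKey: password
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # Quoted so the item id is always rendered as a string, whatever
        # characters it happens to contain.
        key: "{{ .Values.valkeyCredentialsBitwardenID }}"
        property: password
{{- end }}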
--------------------------------------------------------------------------------
/demo/infisical/secrets-operator/infisical_secrets_operator_argocd_app.yaml:
--------------------------------------------------------------------------------
---
# Argo CD Application that installs the Infisical secrets-operator helm chart
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: infisical
  namespace: argocd
spec:
  project: infisical
  destination:
    server: "https://kubernetes.default.svc"
    namespace: infisical
  source:
    # Actual source code: https://github.com/Infisical/infisical/tree/main/helm-charts/secrets-operator
    repoURL: "https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/"
    chart: secrets-operator
    # published versions: https://cloudsmith.io/~infisical/repos/helm-charts/packages/detail/helm/secrets-operator/#versions
    targetRevision: 0.10.9
  syncPolicy:
    syncOptions:
      - ApplyOutOfSyncOnly=true
    automated:
      prune: true
      selfHeal: true
--------------------------------------------------------------------------------
/forgejo/storage/pvc/templates/pod_config.yaml:
--------------------------------------------------------------------------------
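# k8up PodConfig: pod template settings (security context, scheduling) for
# the backup/restore pods k8up spawns for this PVC.
apiVersion: k8up.io/v1
kind: PodConfig
metadata:
  name: backups-podconfig
spec:
  template:
    spec:
      # Emitted exactly once: a second securityContext key in the same pod
      # spec is a duplicate key that YAML parsers resolve last-wins instead
      # of rejecting, so only this block ever took effect.
      securityContext:
        fsGroup: {{ .Values.k8up.podSecurityContext.runAsUser }}
        runAsUser: {{ .Values.k8up.podSecurityContext.runAsUser }}
      {{- with .Values.k8up.tolerations }}
      # "with" rather than "range": the list is rendered once, as a list,
      # instead of one "tolerations:" key per item.
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.k8up.affinity }}
      # Reads k8up.affinity; the affinity block previously iterated the
      # tolerations list a second time.
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: test
          env:
            - name: FORGEJO
              value: 'true'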
--------------------------------------------------------------------------------
/matrix/external_secrets/templates/bitwarden/registration.yaml:
--------------------------------------------------------------------------------
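{{- if eq .Values.external_secrets_provider "bitwarden" }}
---
# secret for a matrix registration shared secret, pulled from a Bitwarden
# login item into the matrix-registration Secret on the cluster
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: matrix-registration
spec:
  target:
    # Name for the secret to be created on the cluster
    name: matrix-registration
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        registrationSharedSecret: |-
          {{ `{{ .sharedSecret }}` }}
  data:
    - secretKey: sharedSecret
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # Quoted so the item id is always rendered as a string, whatever
        # characters it happens to contain.
        key: "{{ .Values.synapse.registration_bitwarden_ID }}"
        property: password
{{- end }}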
--------------------------------------------------------------------------------
/postgres/backups/k8up-test/k8up-job/manifests/external-secrets_argocd_app.yaml:
--------------------------------------------------------------------------------
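---
# Created during second sync wave because we need secrets to exist before
# the job gets created, but after the "secret-store" is configured so we
# have access to the external secrets operator.
# (A second "---" used to follow this comment, turning it into an empty
# document of its own rather than the header of this Application.)
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: k8up-pg-backup-test-secrets
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "2"
spec:
  project: default
  destination:
    name: ''
    namespace: default
    server: 'https://kubernetes.default.svc'
  source:
    path: postgres/backups/k8up-test/k8up-job/external_secrets/
    repoURL: 'https://github.com/small-hack/argocd-apps.git'
    targetRevision: HEAD
  sources: []
  syncPolicy:
    # null: no automated sync, this app is synced by hand
    automated: null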
--------------------------------------------------------------------------------
/demo/argo-workflows/README.md:
--------------------------------------------------------------------------------
1 | # Argo Workflows
2 |
3 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes.
4 |
5 | Argo Workflows lets you define a YAML configuration with multiple steps, representing the steps in your CI/CD pipeline. Each of these steps runs in a separate container within your Kubernetes cluster.
6 |
7 | Argo uses a CRD called Workflows, which provides a generateName. This name becomes the prefix of all the pods the Workflow runs. As part of the Workflow, you can also define storage volumes, which will be accessible by the templates for your workflow steps.
8 |
9 |
10 | > Depends on Argo Server already existing, so make sure you install ArgoCD first.
11 |
12 | TODO:
13 | - replace secret manifests with external secrets
14 | - add workflows callback url to smol-k8s-lab provisioning process for argocd
15 |
--------------------------------------------------------------------------------
/jellyfin/storage/pvc/templates/k8up_pod_config.yaml:
--------------------------------------------------------------------------------
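# k8up PodConfig: pod template settings (security context, scheduling) for
# the backup/restore pods k8up spawns for this PVC.
apiVersion: k8up.io/v1
kind: PodConfig
metadata:
  name: jellyfin-podconfig
spec:
  template:
    spec:
      {{- with .Values.k8up.securityContext }}
      securityContext:
        runAsUser: {{ .runAsUser }}
      {{- end }}

      containers:
        - name: test
          env:
            - name: jellyfin
              value: "true"

      {{- with .Values.tolerations }}
      # toYaml keeps every field of each toleration (e.g. tolerationSeconds,
      # or a toleration without a value) instead of always emitting
      # effect/key/operator/value and rendering a missing value as null.
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}

      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}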
--------------------------------------------------------------------------------
/metallb/README.md:
--------------------------------------------------------------------------------
1 | # metallb manifests
2 | Installs [metallb](https://github.com/metallb/metallb/) and configures your ip pool and l2 advertisement.
3 |
4 | ## Sync Waves
5 | 1. metallb controller and custom resource definitions
6 |
7 | ## To Deploy
8 | You can paste this in the "Edit as YAML" section when creating a new Argo CD app:
9 |
10 | ```yaml
---
# Argo CD Application pointing at the metallb/ directory of this repo
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: metallb
  namespace: argocd
spec:
  project: metallb
  destination:
    server: "https://kubernetes.default.svc"
    namespace: metallb-system
  source:
    repoURL: "https://github.com/small-hack/argocd-apps"
    targetRevision: main
    path: metallb/
  syncPolicy:
    syncOptions:
      - Replace=true
    automated:
      prune: true
      selfHeal: true
32 | ```
33 |
--------------------------------------------------------------------------------
/netmaker/app_of_apps/netmaker_persistsence.yaml:
--------------------------------------------------------------------------------
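---
# First sync wave, done in parallel with creating secrets. Must be BEFORE
# netmaker so that netmaker persists its data between upgrades. Sync policy
# is set to ApplyOutOfSyncOnly=true to create the volume initially only.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: netmaker-persistence
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: netmaker
  destination:
    server: "https://kubernetes.default.svc"
    namespace: netmaker
  source:
    repoURL: "https://github.com/small-hack/argocd-apps.git"
    path: netmaker/manifests/persistence/
    targetRevision: main
  syncPolicy:
    syncOptions:
      - ApplyOutOfSyncOnly=true
    automated:
      selfHeal: true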
--------------------------------------------------------------------------------
/nextcloud/storage/pvc/templates/k8up_pod_config.yaml:
--------------------------------------------------------------------------------
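# k8up PodConfig: pod template settings (security context, scheduling) for
# the backup/restore pods k8up spawns for this PVC.
apiVersion: k8up.io/v1
kind: PodConfig
metadata:
  name: file-backups-podconfig
spec:
  template:
    spec:
      {{- with .Values.k8up.securityContext }}
      securityContext:
        runAsUser: {{ .runAsUser }}
      {{- end }}

      containers:
        - name: test
          env:
            - name: nextcloud
              value: "true"

      {{- with .Values.tolerations }}
      # toYaml keeps every field of each toleration (e.g. tolerationSeconds,
      # or a toleration without a value) instead of always emitting
      # effect/key/operator/value and rendering a missing value as null.
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}

      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}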
--------------------------------------------------------------------------------
/peertube/storage/pvc/templates/k8up_pod_config.yaml:
--------------------------------------------------------------------------------
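# k8up PodConfig: pod template settings (security context, scheduling) for
# the backup/restore pods k8up spawns for this PVC.
apiVersion: k8up.io/v1
kind: PodConfig
metadata:
  name: file-backups-podconfig
spec:
  template:
    spec:
      {{- with .Values.k8up.securityContext }}
      securityContext:
        runAsUser: {{ .runAsUser }}
      {{- end }}

      containers:
        - name: test
          env:
            # NOTE(review): env name is identical to the nextcloud chart's copy
            # of this file — confirm it is intended for peertube
            - name: nextcloud
              value: "true"

      {{- with .Values.tolerations }}
      # toYaml keeps every field of each toleration (e.g. tolerationSeconds,
      # or a toleration without a value) instead of always emitting
      # effect/key/operator/value and rendering a missing value as null.
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}

      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}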
--------------------------------------------------------------------------------
/demo/appflowy/external_secrets/values.yaml:
--------------------------------------------------------------------------------
# -- secret provider; only "bitwarden" is supported today and any other value
# (including the default) renders no templates at all
provider: ''

# -- object storage flavour; "seaweedfs" deploys a policy secret, "minio" is
# the other accepted value
s3_provider: 'seaweedfs'

# -- existing bitwarden vault item id with s3 admin credentials
s3AdminCredentialsBitwardenID: ''

# -- existing bitwarden vault item id with s3 appflowy credentials
s3AppflowyCredentialsBitwardenID: ''

# -- existing bitwarden vault item id with s3 db credentials for gotrue
s3PostgresCredentialsBitwardenID: ''

# -- existing bitwarden vault item id with s3 credentials for the remote backups
s3BackupCredentialsBitwardenID: ''

# -- existing bitwarden vault item id with gotrue credentials
gotrueCredentialsBitwardenID: ''
--------------------------------------------------------------------------------
/demo/pixelfed/storage/pvc/templates/k8up_pod_config.yaml:
--------------------------------------------------------------------------------
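# k8up PodConfig: pod template settings (security context, scheduling) for
# the backup/restore pods k8up spawns for this PVC.
apiVersion: k8up.io/v1
kind: PodConfig
metadata:
  name: file-backups-podconfig
spec:
  template:
    spec:
      {{- with .Values.k8up.securityContext }}
      securityContext:
        runAsUser: {{ .runAsUser }}
      {{- end }}

      containers:
        - name: test
          env:
            # NOTE(review): env name is identical to the nextcloud chart's copy
            # of this file — confirm it is intended for pixelfed
            - name: nextcloud
              value: "true"

      {{- with .Values.tolerations }}
      # toYaml keeps every field of each toleration (e.g. tolerationSeconds,
      # or a toleration without a value) instead of always emitting
      # effect/key/operator/value and rendering a missing value as null.
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}

      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}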
--------------------------------------------------------------------------------
/gotosocial/storage/pvc/templates/k8up_pod_config.yaml:
--------------------------------------------------------------------------------
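# k8up PodConfig: pod template settings (security context, scheduling) for
# the backup/restore pods k8up spawns for this PVC.
apiVersion: k8up.io/v1
kind: PodConfig
metadata:
  name: file-backups-podconfig
spec:
  template:
    spec:
      {{- with .Values.k8up.securityContext }}
      securityContext:
        runAsUser: {{ .runAsUser }}
      {{- end }}

      containers:
        - name: test
          env:
            - name: gotosocial
              value: "true"

      {{- with .Values.tolerations }}
      # toYaml keeps every field of each toleration (e.g. tolerationSeconds,
      # or a toleration without a value) instead of always emitting
      # effect/key/operator/value and rendering a missing value as null.
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}

      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}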
--------------------------------------------------------------------------------
/demo/local-path-provisioner/README.md:
--------------------------------------------------------------------------------
1 | # Local Path Provisioner
2 |
3 | Custom ConfigMap and StorageClasses to add our storage defaults for nodes
4 |
5 | Storage Classes:
6 |
7 | - local-path (always /var/lib/rancher/k3s/storage)
8 | - fast-raid (always /mnt/raid1)
9 | - slow-raid (always /mnt/raid0)
10 |
11 | Performance Characteristics:
12 |
13 | ## Host: Bradley
14 |
15 | Fast-Raid:
16 | - 2x Crucial MX500 1TB SSD
17 | - RAID1
18 |
19 |
20 | Slow-Raid:
21 | - 3x Seagate HDD 3.5" 2TB ST2000DM008 Barracuda
22 | - RAID5
23 |
24 |
25 | ## Host: Node0
26 | Fast-raid:
27 | - 2x Crucial P3 Plus 4TB
28 | - RAID1
29 |
--------------------------------------------------------------------------------
/external-secrets-operator/app_of_apps/with_metrics/external-secrets-argocd_app.yaml:
--------------------------------------------------------------------------------
---
# Argo CD Application installing the external-secrets operator helm chart,
# with its Prometheus ServiceMonitor switched on.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: external-secrets-operator-helm
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: external-secrets-operator
  source:
    repoURL: "https://charts.external-secrets.io"
    chart: external-secrets
    targetRevision: 0.20.4
    helm:
      releaseName: external-secrets
      valuesObject:
        fullnameOverride: external-secrets
        serviceMonitor:
          enabled: true
  destination:
    server: "https://kubernetes.default.svc"
    namespace: external-secrets
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      prune: true
      selfHeal: true
--------------------------------------------------------------------------------
/mastodon/small-hack/storage/pvc/templates/k8up_pod_config.yaml:
--------------------------------------------------------------------------------
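# k8up PodConfig: pod template settings (security context, scheduling) for
# the backup/restore pods k8up spawns for this PVC.
apiVersion: k8up.io/v1
kind: PodConfig
metadata:
  name: file-backups-podconfig
spec:
  template:
    spec:
      {{- with .Values.k8up.securityContext }}
      securityContext:
        runAsUser: {{ .runAsUser }}
      {{- end }}

      containers:
        - name: test
          env:
            # NOTE(review): env name is identical to the nextcloud chart's copy
            # of this file — confirm it is intended for mastodon
            - name: nextcloud
              value: "true"

      {{- with .Values.tolerations }}
      # toYaml keeps every field of each toleration (e.g. tolerationSeconds,
      # or a toleration without a value) instead of always emitting
      # effect/key/operator/value and rendering a missing value as null.
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}

      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}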
--------------------------------------------------------------------------------
/mastodon/small-hack/storage/pvc/templates/valkey_pvc.yaml:
--------------------------------------------------------------------------------
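{{- if eq .Values.valkey_pvc.enabled "true" }}
---
# PVCs for the mastodon valkey primary and replica. Both carry the k8up
# backup annotation so they are included in k8up backups.
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: mastodon-valkey-primary
  annotations:
    k8up.io/backup: 'true'
spec:
  # Omitted entirely when unset so the cluster default StorageClass applies;
  # rendering "storageClassName:" with an empty value produced a null field
  # instead. Deliberately left unquoted: a quoted "" would mean "no dynamic
  # provisioning", which is not the same as the default class.
  {{- with .Values.valkey_pvc.storageClassName }}
  storageClassName: {{ . }}
  {{- end }}
  accessModes:
    - {{ .Values.valkey_pvc.accessMode }}
  resources:
    requests:
      storage: "{{ .Values.valkey_pvc.storage }}"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: mastodon-valkey-replica
  annotations:
    k8up.io/backup: 'true'
spec:
  {{- with .Values.valkey_pvc.storageClassName }}
  storageClassName: {{ . }}
  {{- end }}
  accessModes:
    - {{ .Values.valkey_pvc.accessMode }}
  resources:
    requests:
      storage: "{{ .Values.valkey_pvc.storage }}"
{{- end }}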
--------------------------------------------------------------------------------
/zitadel/external_secrets/templates/bitwarden/zitadel-core-key.yaml:
--------------------------------------------------------------------------------
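{{- if eq .Values.provider "bitwarden" }}
# secret zitadel core key (masterkey), pulled from a Bitwarden login item
# into the zitadel-core-key Secret on the cluster
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: zitadel-core-key
  namespace: zitadel
spec:
  target:
    # Name of the kubernetes secret
    name: zitadel-core-key
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        masterkey: |-
          {{ `{{ .password }}` }}

  data:
    - secretKey: password
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # id of the bitwarden secret; quoted so it is always rendered as a
        # string, whatever characters it happens to contain
        key: "{{ .Values.bitwardenCoreItemID }}"
        # property within the bitwarden secret we want
        property: password
{{- end }}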
--------------------------------------------------------------------------------
/demo/rancher/README.md:
--------------------------------------------------------------------------------
1 | # Rancher
2 |
3 | Rancher is a complete software stack for teams adopting containers. It addresses the operational and security challenges of managing multiple Kubernetes clusters, while providing DevOps teams with integrated tools for running containerized workloads.
4 |
5 | ## Manually Deploy to Argocd
6 |
7 | ```yaml
---
# Argo CD Application pointing at the demo/rancher/ directory of this repo
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: rancher-argo-app
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: rancher
  source:
    repoURL: "https://github.com/small-hack/argocd-apps.git"
    path: demo/rancher/
  destination:
    server: "https://kubernetes.default.svc"
    namespace: cattle-system
  syncPolicy:
    syncOptions:
      - ApplyOutOfSyncOnly=true
    automated:
      selfHeal: true
29 | ```
30 |
--------------------------------------------------------------------------------
/demo/garage/config.sh:
--------------------------------------------------------------------------------
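#!/bin/bash
# Bootstrap a single-node garage cluster layout:
# https://garagehq.deuxfleurs.fr/documentation/quick-start/#creating-a-cluster-layout
#
# Optional environment overrides (defaults are the previously hard-coded values):
#   GARAGE_NAMESPACE  namespace the garage pods run in   (default: garage)
#   GARAGE_POD        pod to run the garage CLI in       (default: garage-web-app-0)
#   GARAGE_ZONE       zone assigned to the node          (default: dc1)
#   GARAGE_CAPACITY   capacity assigned to the node      (default: 1G)
set -euo pipefail

GARAGE_NAMESPACE="${GARAGE_NAMESPACE:-garage}"
GARAGE_POD="${GARAGE_POD:-garage-web-app-0}"
GARAGE_ZONE="${GARAGE_ZONE:-dc1}"
GARAGE_CAPACITY="${GARAGE_CAPACITY:-1G}"

# Run the garage CLI inside the pod. No --tty: a pseudo-terminal turns the
# output into CRLF lines, which leaves a trailing "\r" on every value
# captured below.
garage_cli() {
  kubectl exec --stdin -n "$GARAGE_NAMESPACE" "$GARAGE_POD" -- ./garage "$@"
}

# check ALL garage's nodes
# NODE_IDS=$(garage_cli status | tail -n 3 | cut -d ' ' -f 1 | xargs)
NODE_ID=$(garage_cli status | tail -n 1 | cut -d ' ' -f 1)
if [ -z "$NODE_ID" ]; then
  echo "Could not determine a node id from 'garage status'" >&2
  exit 1
fi

# assign location and capacity to node
garage_cli layout assign -z "$GARAGE_ZONE" -c "$GARAGE_CAPACITY" "$NODE_ID"

# get the version to apply
VERSION=$(garage_cli layout show | grep "layout apply" | cut -d ' ' -f 9)
if [ -z "$VERSION" ]; then
  echo "Could not determine the layout version from 'garage layout show'" >&2
  exit 1
fi

echo "Found version: $VERSION"

# apply the new version of the layout we just created. This used to pass a
# hard-coded "--version 6", ignoring the version looked up just above.
garage_cli layout apply --version "$VERSION"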
--------------------------------------------------------------------------------
/seaweedfs/persistence/seaweedfs_data_pvc.yaml:
--------------------------------------------------------------------------------
---
# seaweedfs volume server: blob data
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: swfs-volume-data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
---
# seaweedfs volume server: index
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: swfs-volume-idx
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
# seaweedfs master
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: swfs-master-data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
# seaweedfs filer
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: swfs-filer-data
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
--------------------------------------------------------------------------------
/demo/rancher/rancher-argo-app.yaml:
--------------------------------------------------------------------------------
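---
# Argo CD Application installing the rancher helm chart plus the extra
# manifests kept in demo/rancher/manifests of this repo.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: rancher
  namespace: argocd
spec:
  project: default
  sources:
    # rancher helm chart
    - repoURL: 'https://releases.rancher.com/server-charts/latest'
      targetRevision: 2.12.3
      chart: rancher
      helm:
        values: |
          # bootstrapPassword is deliberately not set here: a static value in a
          # git-tracked manifest is readable by everyone with access to the repo
          # (and to the Argo CD app spec). Left unset, the rancher chart
          # generates a random bootstrap password and stores it in the
          # bootstrap-secret Secret of the release namespace.
          hostname: rancher.buildstar.online
          replicas: -1
          ingress:
            enabled: false
    # extra manifests from this repo
    - repoURL: https://github.com/small-hack/argocd-apps
      targetRevision: main
      path: demo/rancher/manifests
  destination:
    server: "https://kubernetes.default.svc"
    namespace: cattle-system
  syncPolicy:
    automated:
      prune: false
      selfHeal: true
    syncOptions:
      - CreateNamespace=true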
--------------------------------------------------------------------------------
/matrix/external_secrets/templates/bitwarden/trusted_key_servers.yaml:
--------------------------------------------------------------------------------
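{{- if and (eq .Values.external_secrets_provider "bitwarden") (not (eq .Values.synapse.trusted_key_servers_bitwarden_ID "not applicable")) }}
---
# synapse trusted_key_servers config, pulled from a Bitwarden login item into
# the trusted-key-servers Secret. Skipped when the item id is the literal
# "not applicable".
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: trusted-key-servers
spec:
  target:
    # Name for the secret to be created on the cluster
    name: trusted-key-servers
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        trustedKeyServers: |-
          {{ `{{ .trustedKeyServers }}` }}
  data:
    - secretKey: trustedKeyServers
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # Quoted so the item id is always rendered as a string, whatever
        # characters it happens to contain.
        key: "{{ .Values.synapse.trusted_key_servers_bitwarden_ID }}"
        property: password
{{- end }}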
--------------------------------------------------------------------------------
/minio/backups/helm/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: k8up_minio_backups
description: A Helm chart for creating minio backups using k8up

# "application" charts bundle templates that are packaged and deployed;
# "library" charts only provide helpers for other charts and cannot be
# deployed on their own.
type: application

# Chart version (SemVer, https://semver.org/). Bump it whenever the chart or
# any of its templates change, including a change of app version.
version: 0.0.0
--------------------------------------------------------------------------------
/argocd/manifests/projects/ingress_project.yaml:
--------------------------------------------------------------------------------
---
# Argo CD project for the ingress stack (ingress-nginx, cert-manager, vouch)
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: ingress
  namespace: argocd
spec:
  # Any cluster-scoped resource kind may be managed by apps in this project
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  description: Apps required for ingress to function like ingress-nginx, cert-manager, and vouch
  destinations:
    - name: in-cluster
      namespace: ingress
      server: https://kubernetes.default.svc
    # server: '*' allows the argocd and ingress namespaces on every cluster
    # registered with this Argo CD instance, not just in-cluster
    - name: '*'
      namespace: argocd
      server: '*'
    - name: '*'
      namespace: ingress
      server: '*'
  # Any namespaced resource kind may be managed by apps in this project
  namespaceResourceWhitelist:
    - group: '*'
      kind: '*'
  orphanedResources: {}
  # Only these repositories are accepted as an app source in this project
  sourceRepos:
    - https://github.com/small-hack/argocd-apps.git
    - https://charts.jetstack.io
    - https://kubernetes.github.io/ingress-nginx
    - https://vouch.github.io/helm-charts/
--------------------------------------------------------------------------------
/coturn/coturn_argocd_app.yaml:
--------------------------------------------------------------------------------
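---
# installs the coturn (TURN server) helm chart from small-hack/coturn-chart,
# with values taken from coturn/values/values.yaml in this repo
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: coturn-helm-chart
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "2"
spec:
  project: default
  destination:
    server: "https://kubernetes.default.svc"
    namespace: coturn
  sources:
    # coturn helm chart
    - repoURL: https://small-hack.github.io/coturn-chart/
      chart: coturn
      targetRevision: 9.1.0
      helm:
        valueFiles:
          - $values/coturn/values/values.yaml
    # our values.yaml file locally, exposed to the chart source as $values
    - repoURL: 'https://github.com/small-hack/argocd-apps.git'
      targetRevision: main
      ref: values
  syncPolicy:
    automated:
      prune: true
      selfHeal: true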
--------------------------------------------------------------------------------
/mysql/percona-pxc-operator/pxc_operator_argocd_app.yaml:
--------------------------------------------------------------------------------
---
# Argo CD Application installing the Percona XtraDB Cluster (pxc) operator chart
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: pxc-operator-application
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: pxc-operator
  source:
    repoURL: "https://percona.github.io/percona-helm-charts"
    chart: pxc-operator
    targetRevision: 1.18.0
    helm:
      releaseName: pxc-operator
      valuesObject:
        replicaCount: 1
        # presumably gives the operator cluster-wide watch permissions
        # rather than only its own namespace — verify against the chart
        watchAllNamespaces: true
        logStructured: true
        logLevel: "INFO"
        disableTelemetry: false
  destination:
    server: "https://kubernetes.default.svc"
    namespace: pxc-operator
  syncPolicy:
    syncOptions:
      - ApplyOutOfSyncOnly=true
      - ServerSideApply=true
    automated:
      prune: true
      selfHeal: true
--------------------------------------------------------------------------------
/argocd/manifests/projects/nextcloud.yaml:
--------------------------------------------------------------------------------
---
# Argo CD project grouping all nextcloud apps
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  labels:
    env: prod
  name: nextcloud
  namespace: argocd
spec:
  # Any cluster-scoped resource kind may be managed by apps in this project
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  description: all nextcloud apps
  destinations:
    - name: in-cluster
      namespace: nextcloud
      server: https://kubernetes.default.svc
    # server: '*' allows the argocd namespace on every cluster registered
    # with this Argo CD instance, not just in-cluster
    - name: '*'
      namespace: argocd
      server: '*'
  # Any namespaced resource kind may be managed by apps in this project
  namespaceResourceWhitelist:
    - group: '*'
      kind: '*'
  orphanedResources: {}
  roles:
    - description: nextcloud admins
      name: nextcloud
      # policy line: p, <subject>, <resource>, <action>, <object>, <effect>;
      # "*" as the action allows every application action on nextcloud/* apps
      policies:
        - p, proj:nextcloud:nextcloud, applications, *, nextcloud/*, allow
  # Only these repositories are accepted as an app source in this project
  sourceRepos:
    - registry-1.docker.io
    - https://nextcloud.github.io/helm
    - https://github.com/small-hack/argocd-apps.git
--------------------------------------------------------------------------------
/peertube/external_secrets/templates/bitwarden/peertube-secret.yaml:
--------------------------------------------------------------------------------
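{{- if and (eq .Values.provider "bitwarden") .Values.secretBitwardenID }}
---
# secret peertube email stuff, pulled from a Bitwarden login item into the
# peertube-secret Secret. Rendered only when secretBitwardenID is set.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: peertube-secret
  namespace: peertube
spec:
  target:
    # Name of the kubernetes secret
    name: peertube-secret
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        password: |-
          {{ `{{ .password }}` }}

  data:
    - secretKey: password
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # key-id of the bitwarden secret; quoted so it is always rendered as
        # a string, whatever characters it happens to contain
        key: "{{ .Values.secretBitwardenID }}"
        # property within the bitwarden secret we want
        property: password
{{- end }}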
--------------------------------------------------------------------------------
/s3_persistence_and_backups/templates/pod_config.yaml:
--------------------------------------------------------------------------------
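# k8up PodConfig: pod template settings (security context, scheduling) for
# the backup/restore pods k8up spawns for this app's s3 data.
apiVersion: k8up.io/v1
kind: PodConfig
metadata:
  name: s3-backups-podconfig
spec:
  template:
    spec:
      {{- with .Values.k8up.securityContext }}
      securityContext:
        runAsUser: {{ .runAsUser }}
      {{- end }}

      containers:
        - name: test
          env:
            - name: {{ .Values.app }}
              value: "true"

      {{- /* k8up.tolerations only gates whether the app's tolerations are
             copied onto the backup pods; the list itself comes from
             .Values.tolerations. toYaml keeps every field of each toleration
             instead of rendering a missing value as null. */}}
      {{- if and .Values.tolerations .Values.k8up.tolerations }}
      tolerations:
        {{- toYaml .Values.tolerations | nindent 8 }}
      {{- end }}

      {{- /* "and a b" yields b when both are truthy, so this renders
             .Values.affinity and k8up.affinity acts only as a gate */}}
      {{- with and .Values.k8up.affinity .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}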
--------------------------------------------------------------------------------
/ghost/external_secrets/values.yaml:
--------------------------------------------------------------------------------
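# -- if this is not set to "bitwarden", we will not actually deploy any templates.
# We may support other secret providers in the future.
provider: ""

# -- if set to seaweedfs we deploy a policy secret. can also be minio
s3_provider: "seaweedfs"

# -- Bitwarden item ID holding the s3 admin credentials (synced into a kubernetes secret by ESO)
s3AdminCredentialsBitwardenID: ""

# -- Bitwarden item ID holding the s3 ghost credentials (synced into a kubernetes secret by ESO)
s3ghostCredentialsBitwardenID: ""

# -- Bitwarden item ID holding the s3 credentials for the remote backups (synced into a kubernetes secret by ESO)
s3BackupCredentialsBitwardenID: ""

# other ghost specific secrets

# -- Bitwarden item ID for the ghost admin credentials
adminCredentialsBitwardenID: ""

# -- Bitwarden item ID for the ghost smtp credentials
smtpCredentialsBitwardenID: ""

# -- Bitwarden item ID for the ghost mysql credentials
mysqlBitwardenID: ""

# -- Bitwarden item ID for the ghost OIDC credentials
oidcCredentialsBitwardenID: ""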
--------------------------------------------------------------------------------
/kubevirt/examples/machine-sizes/high-cpu.yaml:
--------------------------------------------------------------------------------
# High CPU machines: Num Cores == GB RAM
# Four cluster-wide KubeVirt instance types; each doubles the previous size.
---
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineClusterInstancetype
metadata:
  name: highcpu-micro
spec:
  # 2 vCPU / 2 GiB
  cpu:
    guest: 2
  memory:
    guest: 2Gi
---
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineClusterInstancetype
metadata:
  name: highcpu-small
spec:
  # 4 vCPU / 4 GiB
  cpu:
    guest: 4
  memory:
    guest: 4Gi
---
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineClusterInstancetype
metadata:
  name: highcpu-medium
spec:
  # 8 vCPU / 8 GiB
  cpu:
    guest: 8
  memory:
    guest: 8Gi
---
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineClusterInstancetype
metadata:
  name: highcpu-large
spec:
  # 16 vCPU / 16 GiB
  cpu:
    guest: 16
  memory:
    guest: 16Gi
--------------------------------------------------------------------------------
/kubevirt/examples/machine-sizes/high-mem.yaml:
--------------------------------------------------------------------------------
# High Memory machines: Num Cores == (GB RAM)/4
# Four cluster-wide KubeVirt instance types; each doubles the previous size.
---
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineClusterInstancetype
metadata:
  name: highmem-micro
spec:
  # 1 vCPU / 4 GiB
  cpu:
    guest: 1
  memory:
    guest: 4Gi
---
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineClusterInstancetype
metadata:
  name: highmem-small
spec:
  # 2 vCPU / 8 GiB
  cpu:
    guest: 2
  memory:
    guest: 8Gi
---
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineClusterInstancetype
metadata:
  name: highmem-medium
spec:
  # 4 vCPU / 16 GiB
  cpu:
    guest: 4
  memory:
    guest: 16Gi
---
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineClusterInstancetype
metadata:
  name: highmem-large
spec:
  # 8 vCPU / 32 GiB
  cpu:
    guest: 8
  memory:
    guest: 32Gi
--------------------------------------------------------------------------------
/kubevirt/examples/machine-sizes/standard.yaml:
--------------------------------------------------------------------------------
# Standard machines: Num Cores == (GB RAM)/2
# Four cluster-wide KubeVirt instance types; each doubles the previous size.
---
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineClusterInstancetype
metadata:
  name: standard-micro
spec:
  # 1 vCPU / 2 GiB
  cpu:
    guest: 1
  memory:
    guest: 2Gi
---
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineClusterInstancetype
metadata:
  name: standard-small
spec:
  # 2 vCPU / 4 GiB
  cpu:
    guest: 2
  memory:
    guest: 4Gi
---
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineClusterInstancetype
metadata:
  name: standard-medium
spec:
  # 4 vCPU / 8 GiB
  cpu:
    guest: 4
  memory:
    guest: 8Gi
---
apiVersion: instancetype.kubevirt.io/v1beta1
kind: VirtualMachineClusterInstancetype
metadata:
  name: standard-large
spec:
  # 8 vCPU / 16 GiB
  cpu:
    guest: 8
  memory:
    guest: 16Gi
--------------------------------------------------------------------------------
/postgres/operators/cloud-native-postgres/cnpg_operator_argocd_app.yaml:
--------------------------------------------------------------------------------
---
# Argo CD Application for the CloudNativePG operator Helm chart.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cnpg-operator-application
  namespace: argocd
  annotations:
    # low sync wave so the operator is applied before higher-wave resources
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: cnpg-operator
  source:
    repoURL: "https://cloudnative-pg.github.io/charts"
    chart: cloudnative-pg
    # chart version, pinned
    targetRevision: "0.26.1"
    helm:
      releaseName: cnpg-operator
      values: |
        monitoring:
          # -- Specifies whether the monitoring should be enabled. Requires Prometheus Operator CRDs.
          podMonitorEnabled: false
  destination:
    server: "https://kubernetes.default.svc"
    namespace: cnpg-system
  syncPolicy:
    syncOptions:
      - ApplyOutOfSyncOnly=true
      - ServerSideApply=true
    automated:
      prune: true
      selfHeal: true
--------------------------------------------------------------------------------
/demo/argo-workflows/app-of-apps/service-account.yaml:
--------------------------------------------------------------------------------
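# ServiceAccount, Role and RoleBinding that allow operating Argo Workflows
# resources inside the argocd namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: argocd
  name: operate-workflow-sa
---
# Similarly you can use a ClusterRole and ClusterRoleBinding
# (a namespaced Role keeps the grant limited to the argocd namespace)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: operate-workflow-role
  namespace: argocd
rules:
  - apiGroups:
      - argoproj.io
    # "*" grants every verb (including delete and patch) on the resources
    # below; narrow it if the consumer only needs to create/read workflows
    verbs:
      - "*"
    resources:
      - workflows
      - workflowtemplates
      - cronworkflows
      - clusterworkflowtemplates
      - workflowtaskresults
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: operate-workflow-role-binding
  namespace: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: operate-workflow-role
subjects:
  - kind: ServiceAccount
    name: operate-workflow-sa
    # stated explicitly so the binding does not rely on the API server
    # defaulting the subject namespace
    namespace: argocd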
--------------------------------------------------------------------------------
/writefreely/external_secrets/templates/smtp-credentials.yaml:
--------------------------------------------------------------------------------
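{{- if eq .Values.provider "bitwarden" }}
---
# secret writefreely email stuff
# ExternalSecret that copies the "password" property of a Bitwarden login item
# into the Kubernetes Secret writefreely-smtp-credentials (key smtp-password).
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: writefreely-smtp-credentials
  namespace: writefreely
spec:
  target:
    # Name of the kubernetes secret to create
    name: writefreely-smtp-credentials
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        # the inner {{ }} is wrapped in backticks so Helm prints it literally
        # and ESO's own templating substitutes the fetched value
        smtp-password: |-
          {{ `{{ .password }}` }}
  data:
    - secretKey: password
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # name of the bitwarden secret; quoted so the YAML parser cannot
        # re-type it and an unset value renders as "" instead of null
        key: {{ .Values.smtpCredentialsBitwardenID | quote }}
        # property within the bitwarden secret we want
        property: password
{{- end }}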
--------------------------------------------------------------------------------
/cert-manager/external_secrets/README.md:
--------------------------------------------------------------------------------
1 | # cert-manager-eso-bitwarden-chart
2 |
3 |   
4 |
5 | A Helm chart for Cert Manager External Secrets using the Bitwarden ESO provider on Kubernetes
6 |
7 | ## Values
8 |
9 | | Key | Type | Default | Description |
10 | |-----|------|---------|-------------|
11 | | cloudflareBitwardenID | string | `""` | |
12 | | provider | string | `""` | if this is not set to "bitwarden", we will not actually deploy any templates. We may support other secret providers in the future. |
13 |
14 | ----------------------------------------------
15 | Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
16 |
--------------------------------------------------------------------------------
/minio/backups/testing/restores/restore_files.yaml:
--------------------------------------------------------------------------------
---
# k8up Restore of the nextcloud-files PVC from the restic repository in B2.
apiVersion: k8up.io/v1
kind: Restore
metadata:
  name: nextcloud-files
  namespace: nextcloud
spec:
  failedJobHistoryLimit: 5
  successfulJobHistoryLimit: 1
  podSecurityContext:
    # change to 33 for www-data
    # (the restore pod currently runs as root, uid 0)
    runAsUser: 0
  # This is optional to specify a specific snapshot to restore from.
  # "REPLACE_ME" is a placeholder: set a real snapshot ID or drop the key
  # before applying this manifest.
  snapshot: "REPLACE_ME"
  restoreMethod:
    folder:
      claimName: nextcloud-files
  backend:
    # restic repo password and S3 keys all come from one existing Secret;
    # nothing sensitive is inlined here
    repoPasswordSecretRef:
      name: nextcloud-backups-credentials
      key: resticRepoPassword
    s3:
      endpoint: s3.eu-central-003.backblazeb2.com
      bucket: testing-ncloud-backups-september
      accessKeyIDSecretRef:
        name: nextcloud-backups-credentials
        key: applicationKeyId
      secretAccessKeySecretRef:
        name: nextcloud-backups-credentials
        key: applicationKey
--------------------------------------------------------------------------------
/nextcloud/backups_and_restores/restore_files.yaml:
--------------------------------------------------------------------------------
---
# k8up Restore of the nextcloud-files PVC from the restic repository in B2.
apiVersion: k8up.io/v1
kind: Restore
metadata:
  name: nextcloud-files
  namespace: nextcloud
spec:
  failedJobHistoryLimit: 5
  successfulJobHistoryLimit: 1
  podSecurityContext:
    # change to 33 for www-data
    # (the restore pod currently runs as root, uid 0)
    runAsUser: 0
  # This is optional to specify a specific snapshot to restore from.
  # "REPLACE_ME" is a placeholder: set a real snapshot ID or drop the key
  # before applying this manifest.
  snapshot: "REPLACE_ME"
  restoreMethod:
    folder:
      claimName: nextcloud-files
  backend:
    # restic repo password and S3 keys all come from one existing Secret;
    # nothing sensitive is inlined here
    repoPasswordSecretRef:
      name: nextcloud-backups-credentials
      key: resticRepoPassword
    s3:
      endpoint: s3.eu-central-003.backblazeb2.com
      bucket: testing-ncloud-backups-september
      accessKeyIDSecretRef:
        name: nextcloud-backups-credentials
        key: applicationKeyId
      secretAccessKeySecretRef:
        name: nextcloud-backups-credentials
        key: applicationKey
--------------------------------------------------------------------------------
/argocd/manifests/projects/monitoring-project.yaml:
--------------------------------------------------------------------------------
---
# Argo CD AppProject for the monitoring stack.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: monitoring
  namespace: argocd
spec:
  description: "Prometheus, Alert Manager, Grafana, Loki, Promtail and node exporter :D"
  # applications in this project may manage any cluster-scoped and any
  # namespaced resource kind
  clusterResourceWhitelist:
    - group: "*"
      kind: "*"
  namespaceResourceWhitelist:
    - group: "*"
      kind: "*"
  destinations:
    - name: in-cluster
      namespace: monitoring
      server: https://kubernetes.default.svc
    - name: "*"
      namespace: argocd
      server: "*"
    - name: "*"
      namespace: monitoring
      server: "*"
    # NOTE(review): this entry allows any namespace on any cluster, which makes
    # the three entries above redundant and removes the destination scoping an
    # AppProject is meant to provide; remove it unless a monitoring app needs it
    - name: "*"
      namespace: "*"
      server: "*"
  # orphaned resource monitoring enabled with default settings
  orphanedResources: {}
  sourceRepos:
    - https://prometheus-community.github.io/helm-charts
    - https://github.com/small-hack/argocd-apps.git
    - https://github.com/grafana/helm-charts
--------------------------------------------------------------------------------
/prometheus/external_secrets/README.md:
--------------------------------------------------------------------------------
1 | # prometheus-eso-chart
2 |
3 |   
4 |
5 | A Helm chart for Prometheus Stack External Secrets using the Bitwarden ESO provider on Kubernetes
6 |
7 | ## Values
8 |
9 | | Key | Type | Default | Description |
10 | |-----|------|---------|-------------|
11 | | oidcCredentialsBitwardenID | string | `""` | zitadel OIDC Credentials |
12 | | provider | string | `""` | if this is not set to "bitwarden", we will not actually deploy any templates. We may support other secret providers in the future. |
13 |
14 | ----------------------------------------------
15 | Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
16 |
--------------------------------------------------------------------------------
/grafana_stack/README.md:
--------------------------------------------------------------------------------
1 | ### 🚧 This is under construction 🚧
2 |
3 | ## Grafana Monitoring Stack
4 |
5 | | Application | Description |
6 | |-------------|-------------|
7 | | alloy | collects logs and metrics on each cluster |
8 | | loki | receives logs and aggregates them before pushing to S3 |
9 | | mimir | Prometheus replacement that collects metrics and stores them in S3 |
10 | | grafana | metrics and logs query frontend and dashboards |
11 |
12 | ## Loki
13 |
14 | Like Prometheus, but for logs.
15 |
16 | - Loki is a horizontally-scalable, highly-available, multi-tenant log aggregation system inspired by Prometheus.
17 | - It is designed to be very cost effective and easy to operate.
18 | - It does not index the contents of the logs, but rather a set of labels for each log stream.
19 |
20 | See: https://github.com/grafana/loki
21 |
22 | ## Coming soon
23 |
24 | Soon you'll also be able to use [smol-k8s-lab](https://github.com/small-hack/smol-k8s-lab) to deploy this.
25 |
--------------------------------------------------------------------------------
/kyverno/kyverno_argocd_app.yaml:
--------------------------------------------------------------------------------
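---
# Argo CD Application for the Kyverno policy engine: a multi-source app that
# pulls the official chart and reads its values file from this repo.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kyverno-app
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  # NOTE(review): this cluster-wide admission controller runs under the
  # built-in "default" project, unlike the other apps in this repo which get
  # a dedicated AppProject with scoped destinations and source repos
  project: default
  destination:
    server: "https://kubernetes.default.svc"
    namespace: kyverno
  sources:
    # official kyverno helm repo
    - repoURL: 'https://kyverno.github.io/kyverno/'
      chart: kyverno
      targetRevision: 3.5.2
      helm:
        valueFiles:
          - $values/kyverno/values/values.yaml
    # our values.yaml file locally
    # NOTE(review): "main" is a moving target, so every push to that branch
    # changes the deployed policy configuration without a version pin
    - repoURL: 'https://github.com/small-hack/argocd-apps.git'
      targetRevision: main
      ref: values
  syncPolicy:
    syncOptions:
      - ApplyOutOfSyncOnly=true
    automated:
      prune: true
      selfHeal: true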
--------------------------------------------------------------------------------
/valkey/external_secrets/README.md:
--------------------------------------------------------------------------------
1 | # external-secrets-valkey-chart
2 |
3 |   
4 |
5 | A Helm chart for External Secrets using the Bitwarden ESO provider on Kubernetes
6 |
7 | ## Values
8 |
9 | | Key | Type | Default | Description |
10 | |-----|------|---------|-------------|
11 | | provider | string | `""` | if this is not set to "bitwarden", we will not actually deploy any templates. We may support other secret providers in the future. |
12 | | valkeyBitwardenID | string | `""` | nextcloud redis (actually for valkey) Credentials |
13 |
14 | ----------------------------------------------
15 | Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
16 |
--------------------------------------------------------------------------------
/writefreely/external_secrets/templates/mysql_credentials.yaml:
--------------------------------------------------------------------------------
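{{- if eq .Values.provider "bitwarden" }}
---
# secret for a writefreely mysql DB
# ExternalSecret that fills three MySQL password keys from a single Bitwarden
# login item.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: writefreely-mysql-credentials
  # explicit namespace, matching the chart's other ExternalSecrets
  namespace: writefreely
spec:
  target:
    # Name for the secret to be created on the cluster
    name: writefreely-mysql-credentials
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        # NOTE(review): the same Bitwarden password is reused for the
        # application, replication and root accounts, so the application
        # credential also unlocks root; separate items/properties per account
        # would limit the blast radius of a leaked app password
        mysql-password: |-
          {{ `{{ .password }}` }}
        mysql-replication-password: |-
          {{ `{{ .password }}` }}
        mysql-root-password: |-
          {{ `{{ .password }}` }}
  data:
    - secretKey: password
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # Bitwarden item ID; quoted so the YAML parser cannot re-type it
        key: {{ .Values.mysqlBitwardenID | quote }}
        property: password
{{- end }}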
--------------------------------------------------------------------------------
/demo/infisical/infisical_secrets/secret.yaml:
--------------------------------------------------------------------------------
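---
# example secret
# The values below are example material committed to version control: treat
# them as already disclosed and generate fresh ones before any real use.
apiVersion: v1
kind: Secret
metadata:
  name: infisical-backend-secrets
  namespace: infisical
type: Opaque
data:
  # these can be generated with: openssl rand -hex 16 | base64
  ENCRYPTION_KEY: OTBjNGI5YjY0MzBlOTQ2NTMyZTFhNmMxOWYwMWFkODM=
  JWT_AUTH_SECRET: YzljNWM4ZWFmZTMyMGM3YTdjYzQyOWNmMTY5M2ZhMjE=
  JWT_MFA_SECRET: YzEwZjMxMzUzYzE2YTI1ZmFlNDc4MGFjNGVmZGYxNTY=
  JWT_PROVIDER_AUTH_SECRET: OTNmYWNjZDg3ZWRkMzFkM2M3NTU2ZTMxMjYxNjdjNzk=
  JWT_REFRESH_SECRET: MDNlNDQ2ZWJlZGE5YjRkMmY2ZTMwNzJiYWM5MjQ2NDQ=
  JWT_SERVICE_SECRET: YTNkZWJkN2IzOWE2N2MyNTM1MTA2N2U0NmU2ZTNmYWQ=
  JWT_SIGNUP_SECRET: Mzg5NzExMzYyM2UxNGZhNGM0MjFlNTgzODM0MTEwODk=
  # these are not filled in but should be; every value under `data` must be
  # base64-encoded. They are written as explicit empty strings so a bare key
  # is not parsed as null.
  MONGO_URL: ""
  SMTP_FROM_ADDRESS: ""
  SMTP_FROM_NAME: ""
  SMTP_HOST: ""
  SMTP_PASSWORD: ""
  # base64 of "587"
  SMTP_PORT: NTg3
  # base64 of "true"
  SMTP_SECURE: dHJ1ZQ==
  SMTP_USERNAME: ""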
--------------------------------------------------------------------------------
/demo/keycloak/external_secrets/keycloak-admin-credentials.yaml:
--------------------------------------------------------------------------------
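---
# secret for the keycloak admin credentials
# Plain manifest (not a Helm template), so the ESO placeholder {{ .password }}
# is written unescaped and is resolved by the external-secrets operator.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: keycloak-admin-credentials
  namespace: keycloak
spec:
  target:
    # Name of the kubernetes secret
    name: keycloak-admin-credentials
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        # Key-names within the kubernetes secret
        password: |-
          {{ .password }}
  data:
    # `secretKey` relates to the key name defined within the kubernetes secret
    - secretKey: password
      sourceRef:
        storeRef:
          name: bitwarden-login
          kind: ClusterSecretStore
      remoteRef:
        # key-id of the bitwarden secret (a literal here, not a chart value)
        key: keycloak-admin-credentials
        # property within the secret we want
        property: password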
--------------------------------------------------------------------------------
/demo/artifactory/artifactory_argocd_app.yaml:
--------------------------------------------------------------------------------
# Argo CD Application for JFrog Artifactory OSS (chart from charts.jfrog.io).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: artifactory
spec:
  project: default
  destination:
    name: ""
    namespace: artifactory
    server: "https://kubernetes.default.svc"
  source:
    repoURL: "https://charts.jfrog.io"
    chart: artifactory-oss
    targetRevision: 107.117.19
    helm:
      # Helm parameters are passed to the chart as strings, exactly as given
      parameters:
        - name: artifactory.ingress.enabled
          value: "true"
        - name: artifactory.ingress.tls
          value: "true"
        - name: artifactory.databaseUpgradeReady
          value: "yes"
        - name: artifactory.nginx.enabled
          value: "false"
        - name: artifactory.nginx.tlsSecretName
          value: artifactory-tls
  sources: []
  syncPolicy:
    # automated sync from git, but without pruning or self-healing
    automated:
      prune: false
      selfHeal: false
    syncOptions:
      - CreateNamespace=true
--------------------------------------------------------------------------------
/demo/openbao/openbao_argocd_app.yaml:
--------------------------------------------------------------------------------
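---
# Argo CD Application for OpenBao (Helm chart from openbao.github.io).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openbao-app
  namespace: argocd
spec:
  project: openbao
  destination:
    server: https://kubernetes.default.svc
    namespace: openbao

  syncPolicy:
    syncOptions:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
    automated:
      prune: true
      selfHeal: true

  # The agent-injector webhook's caBundle is excluded from the diff so that
  # selfHeal does not keep reverting the in-cluster value.
  ignoreDifferences:
    # MutatingWebhookConfiguration belongs to admissionregistration.k8s.io,
    # not "apps"; with the wrong group this entry never matched anything
    - group: admissionregistration.k8s.io
      kind: MutatingWebhookConfiguration
      name: openbao-app-agent-injector-cfg
      jqPathExpressions:
        - '.webhooks[]?.clientConfig.caBundle'
  source:
    # for testing
    # repoURL: 'https://github.com/jessebot/openbao-helm'
    # repoURL: 'https://github.com/openbao/openbao-helm'
    # path: charts/openbao/
    repoURL: 'https://openbao.github.io/openbao-helm'
    chart: openbao
    targetRevision: 0.18.4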
--------------------------------------------------------------------------------
/valkey_cluster/external_secrets/README.md:
--------------------------------------------------------------------------------
1 | # external-secrets-valkey-chart
2 |
3 |   
4 |
5 | A Helm chart for External Secrets using the Bitwarden ESO provider on Kubernetes
6 |
7 | ## Values
8 |
9 | | Key | Type | Default | Description |
10 | |-----|------|---------|-------------|
11 | | provider | string | `""` | if this is not set to "bitwarden", we will not actually deploy any templates. We may support other secret providers in the future. |
12 | | valkeyBitwardenID | string | `""` | nextcloud redis (actually for valkey) Credentials |
13 |
14 | ----------------------------------------------
15 | Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
16 |
--------------------------------------------------------------------------------
/cert-manager/cert-manager_argocd_app.yaml:
--------------------------------------------------------------------------------
---
# Argo CD Application for cert-manager (jetstack Helm chart).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cert-manager-helm-chart
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: cert-manager
  destination:
    server: "https://kubernetes.default.svc"
    namespace: cert-manager
  source:
    repoURL: "https://charts.jetstack.io"
    chart: cert-manager
    # chart version, pinned
    targetRevision: v1.19.1
    helm:
      releaseName: cert-manager
      valuesObject:
        config:
          featureGates:
            # Disable the use of Exact PathType in Ingress resources, to work around a bug in ingress-nginx
            # https://github.com/kubernetes/ingress-nginx/issues/11176
            ACMEHTTP01IngressPathTypeExact: false
  syncPolicy:
    syncOptions:
      - ApplyOutOfSyncOnly=true
    automated:
      prune: true
      selfHeal: true
--------------------------------------------------------------------------------
/writefreely/external_secrets/values.yaml:
--------------------------------------------------------------------------------
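# -- if this is not set to "bitwarden", we will not actually deploy any templates.
# We may support other secret providers in the future.
provider: ""

# -- if set to seaweedfs we deploy a policy secret. can also be minio
s3_provider: "seaweedfs"

# -- Bitwarden item ID holding the s3 admin credentials (synced into a kubernetes secret by ESO)
s3AdminCredentialsBitwardenID: ""

# -- Bitwarden item ID holding the s3 writefreely credentials (synced into a kubernetes secret by ESO)
s3writefreelyCredentialsBitwardenID: ""

# -- Bitwarden item ID holding the s3 credentials for the remote backups (synced into a kubernetes secret by ESO)
s3BackupCredentialsBitwardenID: ""

# other writefreely specific secrets

# -- Bitwarden item ID for the writefreely admin credentials
adminCredentialsBitwardenID: ""

# -- Bitwarden item ID for the writefreely smtp credentials
smtpCredentialsBitwardenID: ""

# -- Bitwarden item ID for the writefreely mysql credentials
mysqlBitwardenID: ""

# -- Bitwarden item ID for the writefreely OIDC credentials
oidcCredentialsBitwardenID: ""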
--------------------------------------------------------------------------------
/ingress-nginx/modsecurity_configmap/modsecurity_exception_files/jellyfin.conf:
--------------------------------------------------------------------------------
# -------------------------------------------------------------------------
# Jellyfin exclusions for the OWASP Core Rule Set (ids 130000, 130001).
# Each rule narrows a CRS policy check to one Jellyfin endpoint pattern and
# leaves the default policy in place for every other request.
# -------------------------------------------------------------------------

# Allow uploading images to collections.
# Relaxes CRS rule 920420 (Request content type is not allowed by policy) for
# the item image endpoints only, by setting the allowed content-type list to
# image types for this request.
SecRule REQUEST_URI "@rx ^\/(?i)items\/.*\/images\/.*" \
    "id:130000,\
    phase:1,\
    ver:'jellyfin-rule-exclusions-plugin/1.0.0',\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.allowed_request_content_type=|image/jpeg|image/apng|image/gif|image/tiff|image/webp|image/png|'"

# Allow removing something from favorites.
# Relaxes CRS rule 911100 (method not allowed by policy) so that DELETE is
# accepted on the FavoriteItems endpoints only.
SecRule REQUEST_URI "@rx ^/Users/.*/FavoriteItems/.*$" \
    "id:130001,\
    phase:1,\
    ver:'jellyfin-rule-exclusions-plugin/1.0.0',\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS DELETE'"
--------------------------------------------------------------------------------
/grafana_stack/external_secrets/values.yaml:
--------------------------------------------------------------------------------
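# -- if this is not set to "bitwarden", we will not actually deploy any templates.
# We may support other secret providers in the future.
provider: ""

# -- if set to seaweedfs we deploy a policy secret. can also be minio
s3_provider: "seaweedfs"

# -- Bitwarden item ID holding the s3 admin credentials (synced into a kubernetes secret by ESO)
s3AdminCredentialsBitwardenID: ""

# -- Bitwarden item ID holding the s3 loki credentials (synced into a kubernetes secret by ESO)
s3LokiCredentialsBitwardenID: ""

# -- Bitwarden item ID holding the s3 mimir credentials (synced into a kubernetes secret by ESO)
s3MimirCredentialsBitwardenID: ""

# -- optional Bitwarden item ID holding the s3 tempo credentials (synced into a kubernetes secret by ESO)
s3TempoCredentialsBitwardenID: ""

# -- Bitwarden item ID holding the s3 credentials for the remote backups (synced into a kubernetes secret by ESO)
s3BackupCredentialsBitwardenID: ""

# -- Bitwarden item ID for the grafana OIDC credentials
oidcCredentialsBitwardenID: ""

# -- Bitwarden item ID for the valkey credentials used by loki
lokiValkeyCredentialsBitwardenID: ""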
--------------------------------------------------------------------------------
/cert-manager/app_of_apps/cert-manager_argocd_app.yaml:
--------------------------------------------------------------------------------
---
# Argo CD Application for cert-manager (jetstack Helm chart), app-of-apps copy.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cert-manager-helm-chart
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "2"
spec:
  project: cert-manager
  destination:
    server: "https://kubernetes.default.svc"
    namespace: cert-manager
  source:
    repoURL: "https://charts.jetstack.io"
    chart: cert-manager
    # chart version, pinned
    targetRevision: v1.19.1
    helm:
      releaseName: cert-manager
      valuesObject:
        config:
          featureGates:
            # Disable the use of Exact PathType in Ingress resources, to work around a bug in ingress-nginx
            # https://github.com/kubernetes/ingress-nginx/issues/11176
            ACMEHTTP01IngressPathTypeExact: false
  syncPolicy:
    syncOptions:
      - ApplyOutOfSyncOnly=true
    automated:
      prune: true
      selfHeal: true
--------------------------------------------------------------------------------
/mastodon/small-hack/external_secrets/values.yaml:
--------------------------------------------------------------------------------
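# -- Use external secrets. Set to bitwarden to use this chart. Other providers may be supported in the future.
provider: ""

# -- Bitwarden item ID for the mastodon admin credentials
adminCredentialsBitwardenID: ""
# -- Bitwarden item ID for the mastodon postgresql credentials
pgsqlCredentialsBitwardenID: ""
# -- Bitwarden item ID for the valkey credentials
valkeyCredentialsBitwardenID: ""
# -- Bitwarden item ID for the mastodon application secrets
mastodonSecretsBitwardenID: ""
# -- Bitwarden item ID for the smtp credentials
smtpCredentialsBitwardenID: ""

# -- if set to seaweedfs we deploy a policy secret. can also be minio
s3_provider: "seaweedfs"

# -- Bitwarden item ID holding the s3 admin credentials (synced into a kubernetes secret by ESO)
s3AdminCredentialsBitwardenID: ""
# -- Bitwarden item ID holding the s3 mastodon credentials (synced into a kubernetes secret by ESO)
s3MastodonCredentialsBitwardenID: ""
# -- Bitwarden item ID holding the s3 postgres credentials (synced into a kubernetes secret by ESO)
s3PostgresCredentialsBitwardenID: ""

# -- Bitwarden item ID holding the s3 credentials for the remote backups (synced into a kubernetes secret by ESO)
s3BackupCredentialsBitwardenID: ""

# -- Bitwarden item ID holding the libretranslate API secret key
# (the lowercase "bitwardenID" spelling is kept so existing values files still work)
libretranslateApiKeybitwardenID: ""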
--------------------------------------------------------------------------------
/ghost/storage/templates/prebackup_pod_ghost.yaml:
--------------------------------------------------------------------------------
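# k8up PreBackupPod: an idle helper pod (sleep infinity) in which k8up runs
# `backupCommand` and captures the mysqldump output into the backup.
apiVersion: k8up.io/v1
kind: PreBackupPod
metadata:
  name: ghost-mysqldump
spec:
  # The password is passed through the MYSQL_PWD environment variable instead
  # of -p$PW so it does not appear in mysqldump's argv (readable from the
  # process list); the dump itself is unchanged.
  backupCommand: sh -c 'MYSQL_PWD=$PW mysqldump -u$USER -h $DB_HOST --all-databases'
  pod:
    spec:
      containers:
        - name: ghost-mysqldump
          # NOTE(review): MariaDB 10.4 reached upstream end-of-life in 2024 and
          # the tag is not digest-pinned; move to a supported release that
          # matches the server's major version
          image: mariadb:10.4
          command:
            - 'sleep'
            - 'infinity'
          imagePullPolicy: Always
          # all connection details come from the existing Secret
          env:
            - name: USER
              valueFrom:
                secretKeyRef:
                  key: username
                  name: ghost-mysql-credentials
            - name: PW
              valueFrom:
                secretKeyRef:
                  key: mysql-password
                  name: ghost-mysql-credentials
            - name: DB_HOST
              valueFrom:
                secretKeyRef:
                  key: host
                  name: ghost-mysql-credentials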
--------------------------------------------------------------------------------
/external-secrets-operator/app_of_apps/external-secrets-argocd_app.yaml:
--------------------------------------------------------------------------------
---
# Argo CD Application for the External Secrets Operator Helm chart.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: external-secrets-operator-helm
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: external-secrets-operator
  source:
    repoURL: "https://charts.external-secrets.io"
    chart: external-secrets
    # chart version, pinned
    targetRevision: "0.20.4"
    helm:
      releaseName: external-secrets
      # -- https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
      valuesObject:
        fullnameOverride: external-secrets
        # If set, install and upgrade CRDs through helm chart.
        # Left false here, so the CRDs are not managed by this release.
        installCRDs: false
  destination:
    server: "https://kubernetes.default.svc"
    namespace: external-secrets
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      prune: true
      selfHeal: true
--------------------------------------------------------------------------------