├── .github ├── ISSUE_TEMPLATE │ ├── cilium-upgrade.yaml │ ├── kubernetes-upgrade.yaml │ ├── rook-ceph-upgrade.yaml │ └── talos-upgrade.yaml └── workflows │ ├── flux-local.yaml │ ├── format-check.yaml │ ├── renovate.yaml │ └── yaml-schema-check.yaml ├── .gitignore ├── .pre-commit-config.yaml ├── .renovate ├── autoMerge.json5 ├── customManagers.json5 └── groups.json5 ├── .tasks ├── aws.yaml ├── cilium.yaml ├── cnpg.yaml ├── dprint.yaml ├── kubernetes.yaml ├── restic.yaml ├── rook-ceph.yaml ├── talos.yaml ├── terraform.yaml └── volsync.yaml ├── LICENSE ├── README.md ├── Taskfile.yaml ├── docs └── src │ ├── arch.excalidraw │ ├── arch.png │ ├── rack-20231206.jpg │ └── rack-20241103.jpg ├── dprint.json ├── kubernetes ├── .taskfile.yaml ├── archive │ ├── external-secrets │ │ ├── _namespace.yaml │ │ ├── external-secrets.yaml │ │ └── kustomization.yaml │ └── wego │ │ ├── group │ │ └── amethyst-wego-admin.yaml │ │ ├── kustomization.yaml │ │ ├── namespace.yaml │ │ ├── wego-secret.yaml │ │ └── wego.yaml ├── argo-workflows │ ├── app │ │ ├── netpol.yaml │ │ ├── release.yaml │ │ ├── repo.yaml │ │ └── secret.yaml │ ├── base │ │ └── ns.yaml │ ├── kustomization.yaml │ └── sso-rbac │ │ └── admin.yaml ├── aws-identity-webhook │ ├── aws-identity-webhook.yaml │ ├── kustomization.yaml │ └── namespace.yaml ├── cert-manager │ ├── _namespace.yaml │ ├── cert-manager-secret.yaml │ ├── cert-manager.yaml │ ├── clusterissuer.yaml │ └── kustomization.yaml ├── cloudflared │ ├── cloudflared-config.yaml │ ├── cloudflared-secret.yaml │ ├── cloudflared.yaml │ ├── kustomization.yaml │ └── namespace.yaml ├── cnpg │ ├── cnpg.yaml │ ├── kustomization.yaml │ └── namespace.yaml ├── etcd-backup │ ├── .taskfile.yaml │ ├── app │ │ ├── config.yaml │ │ ├── netpol.yaml │ │ ├── release.yaml │ │ ├── repo.yaml │ │ ├── secret.yaml │ │ └── talos-sa.yaml │ ├── base │ │ ├── netpol.yaml │ │ └── ns.yaml │ └── kustomization.yaml ├── flux-system │ ├── app │ │ ├── boostrap.yaml │ │ ├── receiver.yaml │ │ ├── release.yaml │ │ 
├── repo.yaml │ │ └── secret.yaml │ ├── base │ │ └── ns.yaml │ └── kustomization.yaml ├── grafana │ ├── .taskfile.yaml │ ├── app │ │ ├── netpol.yaml │ │ ├── release.yaml │ │ ├── repo.yaml │ │ └── secret.yaml │ ├── base │ │ ├── netpol.yaml │ │ └── ns.yaml │ ├── deps │ │ ├── netpol.yaml │ │ ├── postgres-secret.yaml │ │ └── postgres.yaml │ ├── kustomization.yaml │ └── maintain │ │ └── postgres-restore.tmpl.yaml ├── ingress-nginx │ ├── _namespace.yaml │ ├── certificate.yaml │ ├── ingress-nginx.yaml │ ├── kustomization.yaml │ └── policy.yaml ├── intel-device-system │ ├── app │ │ ├── intel-device-plugins-gpu.yaml │ │ └── intel-device-plugins-operator.yaml │ ├── base │ │ ├── helmrepo.yaml │ │ └── namespace.yaml │ └── kustomization.yaml ├── kromgo │ ├── app │ │ ├── kromgo-config.yaml │ │ ├── kromgo.yaml │ │ └── networkpolicy.yaml │ ├── base │ │ ├── namespace.yaml │ │ └── networkpolicy.yaml │ └── kustomization.yaml ├── kube-system │ ├── base │ │ └── ns.yaml │ ├── cilium │ │ ├── kustomization.yaml │ │ ├── netpol.yaml │ │ ├── release.yaml │ │ └── repo.yaml │ ├── metrics-server │ │ ├── kustomization.yaml │ │ ├── netpol.yaml │ │ ├── release.yaml │ │ └── repo.yaml │ ├── node-feature-discovery │ │ ├── kustomization.yaml │ │ ├── netpol.yaml │ │ ├── release.yaml │ │ ├── repo.yaml │ │ └── rule.yaml │ ├── secrets-store-csi-driver-provider-aws │ │ ├── kustomization.yaml │ │ ├── netpol.yaml │ │ ├── release.yaml │ │ └── repo.yaml │ ├── secrets-store-csi-driver │ │ ├── kustomization.yaml │ │ ├── netpol.yaml │ │ ├── release.yaml │ │ └── repo.yaml │ └── snapshot-controller │ │ ├── app-repo.yaml │ │ ├── app.yaml │ │ ├── crd-repo.yaml │ │ ├── crd.yaml │ │ ├── kustomization.yaml │ │ └── netpol.yaml ├── kyverno │ ├── kustomization.yaml │ ├── kyverno.yaml │ └── namespace.yaml ├── loki │ ├── kustomization.yaml │ ├── loki-secret.yaml │ ├── loki.yaml │ ├── namespace.yaml │ └── networkpolicy.yaml ├── metallb-system │ ├── _namespace.yaml │ ├── ipaddresspools.yaml │ ├── kustomization.yaml │ └── 
metallb.yaml ├── mimir │ ├── kustomization.yaml │ ├── mimir-secret.yaml │ ├── mimir.yaml │ ├── namespace.yaml │ └── networkpolicy.yaml ├── miniflux │ ├── .taskfile.yaml │ ├── app │ │ ├── netpol.yaml │ │ ├── release.yaml │ │ ├── repo.yaml │ │ └── secret.yaml │ ├── base │ │ ├── netpol.yaml │ │ └── ns.yaml │ ├── deps │ │ ├── netpol.yaml │ │ ├── postgres-secret-holder-sa.yaml │ │ ├── postgres-secret-holder.yaml │ │ ├── postgres-secret.yaml │ │ └── postgres.yaml │ ├── kustomization.yaml │ └── maintain │ │ └── postgres-restore.tmpl.yaml ├── mydata │ ├── base │ │ ├── helmrepo.yaml │ │ ├── kustomization.yaml │ │ ├── namespace.yaml │ │ └── netpol.yaml │ ├── immich │ │ ├── .taskfile.yaml │ │ ├── app │ │ │ ├── netpol.yaml │ │ │ ├── pvc.yaml │ │ │ ├── release.yaml │ │ │ └── secret.yaml │ │ ├── backup │ │ │ ├── backup.yaml │ │ │ ├── secret-hoder-sa.yaml │ │ │ ├── secret-holder.yaml │ │ │ └── secret.yaml │ │ ├── deps │ │ │ ├── netpol.yaml │ │ │ ├── postgres-secret-holder-sa.yaml │ │ │ ├── postgres-secret-holder.yaml │ │ │ ├── postgres-secret.yaml │ │ │ ├── postgres.yaml │ │ │ ├── valkey-secret.yaml │ │ │ └── valkey.yaml │ │ ├── kustomization.yaml │ │ └── maintain │ │ │ ├── data-manual-backup.tmpl.yaml │ │ │ ├── data-manual-restore.tmpl.yaml │ │ │ └── postgres-restore.tmpl.yaml │ ├── navidrome │ │ ├── .taskfile.yaml │ │ ├── app │ │ │ ├── data-pvc.yaml │ │ │ ├── db-pvc.yaml │ │ │ ├── netpol.yaml │ │ │ └── release.yaml │ │ ├── backup │ │ │ ├── data-backup.yaml │ │ │ ├── data-secret.yaml │ │ │ ├── db-backup.yaml │ │ │ ├── db-secret.yaml │ │ │ ├── secret-holder-sa.yaml │ │ │ └── secret-holder.yaml │ │ ├── kustomization.yaml │ │ └── maintain │ │ │ ├── data-manual-backup.tmpl.yaml │ │ │ ├── data-manual-restore.tmpl.yaml │ │ │ ├── db-manual-backup.tmpl.yaml │ │ │ └── db-manual-restore.tmpl.yaml │ └── nextcloud │ │ ├── .taskfile.yaml │ │ ├── app │ │ ├── config.yaml │ │ ├── data-pvc.yaml │ │ ├── install-pvc.yaml │ │ ├── netpol.yaml │ │ ├── release.yaml │ │ └── secret.yaml │ │ ├── backup │ 
│ ├── data-backup.yaml │ │ ├── data-secret.yaml │ │ ├── install-backup.yaml │ │ ├── install-secret.yaml │ │ ├── secret-holder-sa.yaml │ │ └── secret-holder.yaml │ │ ├── deps │ │ ├── netpol.yaml │ │ ├── postgres-sa.yaml │ │ ├── postgres-secret-holder.yaml │ │ ├── postgres-secret.yaml │ │ ├── postgres.yaml │ │ ├── valkey-secret.yaml │ │ └── valkey.yaml │ │ ├── kustomization.yaml │ │ └── maintain │ │ ├── data-manual-backup.tmpl.yaml │ │ ├── data-manual-restore.tmpl.yaml │ │ ├── install-manual-backup.tmpl.yaml │ │ ├── install-manual-restore.tmpl.yaml │ │ └── postgres-restore.tmpl.yaml ├── node-exporter │ ├── kustomization.yaml │ ├── namespace.yaml │ └── node-exporter.yaml ├── prometheus │ ├── kube-prometheus-stack.yaml │ ├── kustomization.yaml │ └── namespace.yaml ├── promtail │ ├── kustomization.yaml │ ├── namespace.yaml │ ├── networkpolicy.yaml │ └── promtail.yaml ├── reloader │ ├── kustomization.yaml │ ├── namespace.yaml │ └── reloader.yaml ├── rook-ceph │ ├── app │ │ ├── release.yaml │ │ └── repo.yaml │ ├── base │ │ └── ns.yaml │ ├── cluster │ │ ├── cephcluster.yaml │ │ └── rook-config-override.yaml │ ├── kustomization.yaml │ └── storage │ │ ├── block │ │ ├── cephblock.yaml │ │ ├── snapshotclass.yaml │ │ └── storageclass.yaml │ │ ├── filesystem │ │ ├── cephfs.yaml │ │ ├── snapshotclass.yaml │ │ └── storageclass.yaml │ │ └── object │ │ ├── cephobject.yaml │ │ └── objectuser.yaml ├── rustic-exporter │ ├── app │ │ ├── config.yaml │ │ ├── netpol.yaml │ │ ├── release.yaml │ │ ├── repo.yaml │ │ └── secret.yaml │ ├── base │ │ ├── netpol.yaml │ │ └── ns.yaml │ └── kustomization.yaml ├── smart-exporter │ ├── kustomization.yaml │ ├── namespace.yaml │ └── smart-exporter.yaml ├── snapscheduler │ ├── namespace.yaml │ └── snapscheduler.yaml ├── snmp-exporter-mikrotik │ ├── kustomization.yaml │ ├── namespace.yaml │ ├── snmp-exporter-secret.yaml │ └── snmp-exporter.yaml ├── unifi-controller │ ├── .taskfile.yaml │ ├── app │ │ ├── netpol.yaml │ │ ├── pvc.yaml │ │ ├── release.yaml │ 
│ └── repo.yaml │ ├── backup │ │ ├── backup.yaml │ │ ├── secret-holder-sa.yaml │ │ ├── secret-holder.yaml │ │ └── secret.yaml │ ├── base │ │ ├── netpol.yaml │ │ └── ns.yaml │ ├── kustomization.yaml │ └── maintain │ │ ├── manual-backup.tmpl.yaml │ │ └── manual-restore.tmpl.yaml ├── unpoller │ ├── kustomization.yaml │ ├── namespace.yaml │ ├── networkpolicy.yaml │ ├── unpoller-config.yaml │ ├── unpoller-secret.yaml │ └── unpoller.yaml ├── vaultwarden │ ├── .taskfile.yaml │ ├── app │ │ ├── netpol.yaml │ │ ├── pvc.yaml │ │ ├── release.yaml │ │ ├── repo.yaml │ │ └── secret.yaml │ ├── backup │ │ ├── backup.yaml │ │ ├── secret-holder-sa.yaml │ │ ├── secret-holder.yaml │ │ └── secret.yaml │ ├── base │ │ ├── netpol.yaml │ │ └── ns.yaml │ ├── kustomization.yaml │ └── maintain │ │ ├── manual-backup.tmpl.yaml │ │ └── manual-restore.tmpl.yaml ├── vector │ ├── kustomization.yaml │ ├── namespace.yaml │ ├── vector-config.yaml │ └── vector.yaml └── volsync │ ├── kustomization.yaml │ ├── namespace.yaml │ └── volsync.yaml ├── renovate.json5 ├── talos ├── .taskfile.yaml ├── nuc11tnhi50l-1.yaml ├── nuc11tnhi50l-2.yaml ├── nuc11tnhi50l-3.yaml ├── pi4b-1.yaml ├── pi4b-spare.yaml ├── roles │ ├── controlplane.yaml │ └── worker.yaml └── schematics │ ├── nuc11tnhi50l.yaml │ └── raspi.yaml └── terraform ├── .taskfile.yaml ├── _remote-state ├── .terraform.lock.hcl └── main.tf ├── aws ├── .terraform.lock.hcl ├── data.tf ├── kubernetes-irsa.tf ├── kubernetes-oidc.tf └── main.tf ├── ceph ├── .terraform.lock.hcl ├── ceph-s3.tf ├── data.tf └── main.tf ├── cloudflare ├── .terraform.lock.hcl ├── README.md ├── data.tf ├── main.tf ├── record.tf └── zero-trust.tf └── grafana ├── .terraform.lock.hcl ├── data.tf └── main.tf /.github/ISSUE_TEMPLATE/cilium-upgrade.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://json.schemastore.org/github-issue-forms.json 2 | name: Cilium upgrade 3 | title: Upgrade Cilium to {{1.16}} 4 | 
description: Cilium upgrade template 5 | body: 6 | - type: textarea 7 | attributes: 8 | label: Description 9 | value: | 10 | Cilium upgrade note. 11 | 12 | - [x] Related PR(s): 13 | - #pr-number 14 | - [x] Related Issue(s): 15 | - #issue-number 16 | 17 | ## Cilium {{1.16}} 18 | Support Kubernetes version {{1.27}}-{{1.30}} 19 | 20 | ### Features 21 | - feature-1 22 | 23 | ### Deprecated 24 | - drop-d1 25 | 26 | ## Upgrade process 27 | ### Pre-upgrade tasks 28 | - [ ] Check Cilium status 29 | ``` 30 | task kubernetes:cilium:status 31 | ``` 32 | 33 | ### Upgrade execution 34 | - [ ] Merge helm chart update PR, and flux will handle the upgrade 35 | 36 | ### Post-upgrade verification 37 | - [ ] Check Cilium status again 38 | ``` 39 | task kubernetes:cilium:status 40 | ``` 41 | 42 | ## References 43 | https://isovalent.com/blog/post/cilium-{{1-16}}/ 44 | https://docs.cilium.io/en/{{v1.16}}/operations/upgrade 45 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/rook-ceph-upgrade.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://json.schemastore.org/github-issue-forms.json 2 | name: Rook-ceph upgrade 3 | title: Upgrade Rook to {{v1.16}} and Ceph to {{v19}} 4 | description: Rook-ceph upgrade template 5 | body: 6 | - type: textarea 7 | attributes: 8 | label: Description 9 | value: | 10 | Rook-ceph upgrade note. 
11 | 12 | - [x] Related PR(s): 13 | - #pr-number 14 | - [x] Related Issue(s): 15 | - #issue-number 16 | 17 | ## Rook {{v1.16}} 18 | Support Kubernetes version >= {{1.27}} 19 | Support Ceph version >= {{v18.2.0}} and >= {{v19.2.0}} 20 | 21 | ### Features 22 | - feature-1 23 | 24 | ### Deprecated 25 | - drop-d1 26 | 27 | ## Ceph {{v19}} 28 | 29 | ### Features 30 | - feature-1 31 | 32 | ### Deprecated 33 | - drop-d1 34 | 35 | ## Upgrade process 36 | 37 | ### Pre-upgrade tasks 38 | - [ ] Check Ceph status 39 | ``` 40 | task kubernetes:rook-ceph:status 41 | ``` 42 | 43 | ### Upgrade execution 44 | - [ ] Merge helm chart update PR, and flux will handle the upgrade 45 | 46 | ### Post-upgrade verification 47 | - [ ] Check Ceph status again 48 | ``` 49 | task kubernetes:rook-ceph:status 50 | ``` 51 | 52 | ## References 53 | https://rook.io/docs/rook/{{v1.15}}/Upgrade/rook-upgrade/ 54 | https://ceph.io/en/news/blog/{{2024/v19-2-0-squid-released}}/ 55 | -------------------------------------------------------------------------------- /.github/workflows/flux-local.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 3 | name: flux-local 4 | 5 | on: 6 | pull_request: 7 | 8 | jobs: 9 | lint: 10 | name: Flux local 11 | runs-on: ubuntu-latest 12 | strategy: 13 | matrix: 14 | resource: ["helmrelease", "kustomization"] 15 | steps: 16 | - name: Setup Flux CLI 17 | uses: fluxcd/flux2/action@v2.2.2 18 | - uses: allenporter/flux-local/action/diff@4.3.1 19 | id: diff 20 | with: 21 | path: kubernetes/flux-system 22 | sources: homelab 23 | resource: ${{ matrix.resource }} 24 | - name: PR Comments 25 | uses: mshick/add-pr-comment@v2 26 | if: ${{ steps.diff.outputs.diff != '' }} 27 | with: 28 | repo-token: ${{ secrets.GITHUB_TOKEN }} 29 | message-id: "${{ github.event.pull_request.number }}/${{ matrix.resource }}" 30 | message-failure: flux-local diff is not 
successful 31 | message: | 32 | `````diff 33 | ${{ steps.diff.outputs.diff }} 34 | ````` 35 | -------------------------------------------------------------------------------- /.github/workflows/format-check.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 3 | name: format-check 4 | 5 | on: 6 | pull_request: 7 | 8 | jobs: 9 | lint: 10 | name: Format check 11 | runs-on: ubuntu-latest 12 | steps: 13 | - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 14 | - uses: dprint/check@2f1cf31537886c3bfb05591c031f7744e48ba8a1 # v2.2 15 | -------------------------------------------------------------------------------- /.github/workflows/renovate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 3 | name: renovate 4 | "on": 5 | workflow_dispatch: 6 | push: 7 | branches: 8 | - "main" 9 | paths: 10 | - "renovate.json5" 11 | - ".renovate/**" 12 | schedule: 13 | - cron: "0 0 * * *" # every 08:00 UTC+8 14 | jobs: 15 | renovate: 16 | runs-on: ubuntu-latest 17 | steps: 18 | - name: Renovate 19 | uses: renovatebot/github-action@v40.3.6 # NOTE(review): pinned by tag, whereas format-check.yaml and yaml-schema-check.yaml pin their actions by commit SHA; this step is handed BOT_USER_TOKEN and BOT_USER_GPG_KEY, so a mutable tag matters most here. The three actions in flux-local.yaml are tag-pinned as well. 20 | env: 21 | LOG_LEVEL: debug # NOTE(review): verbose output goes to the Actions job log; confirm nothing derived from the token or key below is echoed 22 | RENOVATE_REPOSITORIES: ${{ github.repository }} 23 | RENOVATE_PLATFORM: github 24 | RENOVATE_USERNAME: timtor-bot 25 | RENOVATE_GIT_AUTHOR: Timtor-bot 26 | RENOVATE_TOKEN: ${{ secrets.BOT_USER_TOKEN }} 27 | RENOVATE_GIT_PRIVATE_KEY: ${{ secrets.BOT_USER_GPG_KEY }} 28 | -------------------------------------------------------------------------------- /.github/workflows/yaml-schema-check.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json 3 | name: yaml-schema-check 4 | 5 | on: 6 | pull_request: 7 | 8 | jobs: 9 | 
check: 10 | name: Yaml schema check 11 | runs-on: ubuntu-latest 12 | steps: 13 | - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 14 | - run: npx --yes yaml-ls-check@1.4 ./ 15 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .terraform 2 | .decrypted~* 3 | *.tfstate* 4 | 5 | .DS_Store -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | repos: 3 | - repo: https://github.com/zricethezav/gitleaks 4 | rev: v8.8.2 5 | hooks: 6 | - id: gitleaks 7 | - repo: local 8 | hooks: 9 | - id: format-docs 10 | name: Format docs 11 | entry: dprint fmt 12 | language: system 13 | pass_filenames: false 14 | -------------------------------------------------------------------------------- /.renovate/autoMerge.json5: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "packageRules": [ 4 | { 5 | "automerge": true, 6 | "matchDepNames": [ 7 | "deluan/navidrome", 8 | "ghcr.io/dani-garcia/vaultwarden", 9 | "ghcr.io/immich-app/immich-**", 10 | "miniflux/miniflux", 11 | "cloudflare/cloudflared", 12 | "matusnovak/prometheus-smartctl", 13 | "jacobalberty/unifi", 14 | "ghcr.io/unpoller/unpoller" 15 | ], 16 | "matchUpdateTypes": ["patch"], 17 | "automergeType": "branch" 18 | }, 19 | { 20 | "automerge": true, 21 | "matchDepNames": ["grafana"], 22 | "matchUpdateTypes": ["minor", "patch"], 23 | "automergeType": "branch" 24 | } 25 | ] 26 | } -------------------------------------------------------------------------------- /.renovate/customManagers.json5: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": 
"https://docs.renovatebot.com/renovate-schema.json", 3 | "customManagers": [ 4 | // talos installer 5 | { 6 | "customType": "regex", 7 | "fileMatch": ["^talos/.*\\.yaml$"], 8 | "datasourceTemplate": "docker", 9 | "matchStrings": [ 10 | "# renovate: depName=(?.*?)\n *image: factory\\.talos\\.dev\/installer\/[a-z0-9]+:(?v[\\d\\.]+)" 11 | ] 12 | } 13 | ] 14 | } 15 | -------------------------------------------------------------------------------- /.tasks/aws.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/go-task/task/refs/heads/main/website/static/schema.json 3 | version: "3" 4 | silent: true 5 | 6 | tasks: 7 | s3-ls: 8 | internal: true 9 | cmd: | 10 | REPO="{{.REPO}}" 11 | aws s3 ls "$REPO" | tr -s ' ' 12 | -------------------------------------------------------------------------------- /.tasks/cilium.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/go-task/task/refs/heads/main/website/static/schema.json 3 | version: "3" 4 | silent: true 5 | 6 | tasks: 7 | ui: 8 | cmd: cilium hubble ui 9 | 10 | port-forward: 11 | cmd: cilium hubble port-forward 12 | 13 | observe: 14 | cmd: hubble observe {{.CLI_ARGS}} 15 | 16 | status: 17 | cmd: cilium status 18 | -------------------------------------------------------------------------------- /.tasks/dprint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/go-task/task/refs/heads/main/website/static/schema.json 3 | version: "3" 4 | silent: true 5 | 6 | tasks: 7 | check: 8 | cmd: dprint check {{.CLI_ARGS}} 9 | 10 | fmt: 11 | cmd: dprint fmt {{.CLI_ARGS}} 12 | -------------------------------------------------------------------------------- /.tasks/kubernetes.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/go-task/task/refs/heads/main/website/static/schema.json 3 | version: "3" 4 | silent: true 5 | 6 | tasks: 7 | # yamllint enable 8 | # yamllint disable rule:line-length 9 | delete-unused-persistentvolume: 10 | internal: true 11 | prompt: "Delete all unused PersistentVolumes and their data... continue?" 12 | cmd: | 13 | kubectl get pv -o yaml | \ 14 | yq '.items[] | select(.status.phase != "Bound" ) | .spec.persistentVolumeReclaimPolicy = "Delete" | split_doc' | \ 15 | kubectl apply -f - 16 | # yamllint enable 17 | -------------------------------------------------------------------------------- /.tasks/restic.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/go-task/task/refs/heads/main/website/static/schema.json 3 | version: "3" 4 | silent: true 5 | 6 | tasks: 7 | list: 8 | internal: true 9 | dir: "{{.DIR}}" 10 | cmd: | 11 | REPO="{{.REPO}}" 12 | PASSWORD="{{.PASSWORD}}" 13 | RESTIC_PASSWORD="$PASSWORD" restic snapshots --quiet --compact -r "$REPO" 14 | 15 | unlock: 16 | internal: true 17 | dir: "{{.DIR}}" 18 | cmd: | 19 | REPO="{{.REPO}}" 20 | PASSWORD="{{.PASSWORD}}" 21 | RESTIC_PASSWORD="$PASSWORD" restic unlock --quiet -r "$REPO" 22 | -------------------------------------------------------------------------------- /.tasks/rook-ceph.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/go-task/task/refs/heads/main/website/static/schema.json 3 | version: "3" 4 | silent: true 5 | 6 | tasks: 7 | status: 8 | cmd: kubectl rook-ceph ceph status 9 | 10 | osd-status: 11 | cmd: kubectl rook-ceph ceph osd status 12 | 13 | list-crush-rule: 14 | cmd: kubectl rook-ceph ceph osd crush rule dump 15 
| 16 | direct-mount:install: # NOTE(review): the manifest applied below is fetched from the rook "master" branch at run time (unpinned, mutable) and applied with whatever kubectl context is current; toolbox:install does the same. Pinning the URL to the release tag matching the deployed Rook version keeps what lands in the cluster reproducible and reviewable. 17 | cmd: | 18 | kubectl apply -f https://raw.githubusercontent.com/rook/rook/master/deploy/examples/direct-mount.yaml 19 | kubectl wait -n rook-ceph deploy/rook-direct-mount --for=condition=available --timeout=60s 20 | direct-mount:shell: 21 | deps: [direct-mount:install] 22 | cmd: | 23 | kubectl exec -it -n rook-ceph deploy/rook-direct-mount -- /bin/bash 24 | direct-mount:uninstall: 25 | cmd: | 26 | kubectl delete -n rook-ceph deploy/rook-direct-mount 27 | 28 | toolbox:install: 29 | cmd: | 30 | kubectl apply -f https://raw.githubusercontent.com/rook/rook/master/deploy/examples/toolbox.yaml 31 | kubectl wait -n rook-ceph deploy/rook-ceph-tools --for=condition=available --timeout=60s 32 | toolbox:shell: 33 | deps: [toolbox:install] 34 | cmd: | 35 | kubectl exec -it -n rook-ceph deploy/rook-ceph-tools -- /bin/bash 36 | toolbox:uninstall: 37 | cmd: | 38 | kubectl delete -n rook-ceph deploy/rook-ceph-tools 39 | -------------------------------------------------------------------------------- /.tasks/terraform.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/go-task/task/refs/heads/main/website/static/schema.json 3 | version: "3" 4 | silent: true 5 | 6 | tasks: 7 | init: 8 | internal: true 9 | dir: "{{.DIR}}" 10 | cmds: 11 | - terraform init -upgrade 12 | switch-init: 13 | internal: true 14 | dir: "{{.DIR}}" 15 | cmds: 16 | - tfswitch 17 | - terraform init -upgrade 18 | plan: 19 | internal: true 20 | dir: "{{.DIR}}" 21 | cmd: terraform plan 22 | apply: 23 | internal: true 24 | dir: "{{.DIR}}" 25 | cmd: terraform apply 26 | output: 27 | internal: true 28 | dir: "{{.DIR}}" 29 | cmd: terraform output 30 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020, Timtor Chen 4 
| 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
-------------------------------------------------------------------------------- /Taskfile.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/go-task/task/refs/heads/main/website/static/schema.json 3 | version: "3" 4 | silent: true 5 | 6 | includes: 7 | terraform: 8 | taskfile: terraform/.taskfile.yaml 9 | dir: terraform 10 | talos: 11 | taskfile: talos/.taskfile.yaml 12 | dir: talos 13 | kubernetes: kubernetes/.taskfile.yaml 14 | format: .tasks/dprint.yaml 15 | 16 | tasks: 17 | pre-commit:init: 18 | desc: Initiate and install dependencies 19 | cmds: 20 | - pre-commit install 21 | 22 | pre-commit:check: 23 | desc: Check all pre-commit hooks 24 | cmds: 25 | - pre-commit run -a 26 | 27 | renovate: 28 | desc: Run renovate on local directory 29 | env: 30 | LOG_LEVEL: debug 31 | cmds: 32 | - npx --yes renovate --platform=local 33 | -------------------------------------------------------------------------------- /docs/src/arch.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/timtorChen/homelab/b1b2f837eb03e1f5a60353fe0cc7703ad87be849/docs/src/arch.png -------------------------------------------------------------------------------- /docs/src/rack-20231206.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/timtorChen/homelab/b1b2f837eb03e1f5a60353fe0cc7703ad87be849/docs/src/rack-20231206.jpg -------------------------------------------------------------------------------- /docs/src/rack-20241103.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/timtorChen/homelab/b1b2f837eb03e1f5a60353fe0cc7703ad87be849/docs/src/rack-20241103.jpg -------------------------------------------------------------------------------- /dprint.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "plugins": [ 3 | "https://plugins.dprint.dev/json-0.15.3.wasm", 4 | "https://plugins.dprint.dev/markdown-0.13.3.wasm", 5 | "https://plugins.dprint.dev/g-plane/pretty_yaml-v0.5.0.wasm" 6 | ] 7 | } 8 | -------------------------------------------------------------------------------- /kubernetes/archive/external-secrets/_namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: external-secrets 7 | labels: 8 | pod-security.kubernetes.io/enforce: restricted 9 | pod-security.kubernetes.io/audit: restricted 10 | pod-security.kubernetes.io/warn: restricted 11 | -------------------------------------------------------------------------------- /kubernetes/archive/external-secrets/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - _namespace.yaml 7 | - external-secrets.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/archive/wego/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - namespace.yaml 7 | - wego-secret.yaml 8 | - wego.yaml 9 | - group/amethyst-wego-admin.yaml 10 | -------------------------------------------------------------------------------- /kubernetes/archive/wego/namespace.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: wego 7 | labels: 8 | pod-security.kubernetes.io/enforce: restricted 9 | pod-security.kubernetes.io/audit: restricted 10 | pod-security.kubernetes.io/warn: restricted 11 | -------------------------------------------------------------------------------- /kubernetes/archive/wego/wego-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: wego 7 | name: wego-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /amethyst/wego 15 | jmesPath: 16 | - path: clientID 17 | objectAlias: clientID 18 | - path: clientSecret 19 | objectAlias: clientSecret 20 | - path: issuerURL 21 | objectAlias: issuerURL 22 | - path: claimUsername 23 | objectAlias: claimUsername 24 | - path: claimGroups 25 | objectAlias: claimGroups 26 | - path: redirectURL 27 | objectAlias: redirectURL 28 | - path: tokenDuration 29 | objectAlias: tokenDuration 30 | secretObjects: 31 | - ## wego secret name is mandatory to oidc-auth 32 | secretName: oidc-auth 33 | type: Opaque 34 | data: 35 | - key: clientID 36 | objectName: clientID 37 | - key: clientSecret 38 | objectName: clientSecret 39 | - key: issuerURL 40 | objectName: issuerURL 41 | - key: claimUsername 42 | objectName: claimUsername 43 | - key: claimGroups 44 | objectName: claimGroups 45 | - key: redirectURL 46 | objectName: redirectURL 47 | - key: tokenDuration 48 | 
objectName: tokenDuration 49 | -------------------------------------------------------------------------------- /kubernetes/argo-workflows/app/netpol.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # WIP 3 | -------------------------------------------------------------------------------- /kubernetes/argo-workflows/app/repo.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | namespace: argo-workflows 7 | name: argo 8 | spec: 9 | url: https://argoproj.github.io/argo-helm 10 | interval: 24h 11 | -------------------------------------------------------------------------------- /kubernetes/argo-workflows/app/secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: argo-workflows 7 | name: &name argo-workflows-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | #yaml 13 | - objectType: ssmparameter 14 | objectName: /kubernetes/argo-workflows 15 | jmesPath: 16 | - path: CLIENT_ID 17 | objectAlias: CLIENT_ID 18 | - path: CLIENT_SECRET 19 | objectAlias: CLIENT_SECRET 20 | secretObjects: 21 | - secretName: *name 22 | type: Opaque 23 | data: 24 | - key: CLIENT_ID 25 | objectName: CLIENT_ID 26 | - key: CLIENT_SECRET 27 | objectName: CLIENT_SECRET 28 | -------------------------------------------------------------------------------- /kubernetes/argo-workflows/base/ns.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: argo-workflows 7 | labels: 8 | pod-security.kubernetes.io/enforce: restricted 9 | pod-security.kubernetes.io/audit: restricted 10 | pod-security.kubernetes.io/warn: restricted 11 | -------------------------------------------------------------------------------- /kubernetes/argo-workflows/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - base/ns.yaml 7 | - app/netpol.yaml 8 | - app/repo.yaml 9 | - app/release.yaml 10 | - app/secret.yaml 11 | - sso-rbac/admin.yaml 12 | -------------------------------------------------------------------------------- /kubernetes/argo-workflows/sso-rbac/admin.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/serviceaccount-v1.json 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | namespace: argo-workflows 7 | name: argo-workflows-admin 8 | annotations: 9 | workflows.argoproj.io/rbac-rule: "'argo-workflows-admin' in groups" 10 | workflows.argoproj.io/service-account-token.name: argo-workflows-admin-token 11 | --- 12 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/secret-v1.json 13 | apiVersion: v1 14 | kind: Secret 15 | metadata: 16 | namespace: argo-workflows 17 | name: argo-workflows-admin-token 18 | annotations: 19 | kubernetes.io/service-account.name: 
argo-workflows-admin 20 | type: kubernetes.io/service-account-token 21 | --- 22 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/clusterrolebinding-rbac-v1.json 23 | apiVersion: rbac.authorization.k8s.io/v1 24 | kind: ClusterRoleBinding 25 | metadata: 26 | name: argo-workflows-admin 27 | roleRef: 28 | apiGroup: rbac.authorization.k8s.io 29 | # ClusterRole created by default in argo-workflows chart 30 | kind: ClusterRole 31 | name: argo-workflows-admin 32 | subjects: 33 | - kind: ServiceAccount 34 | namespace: argo-workflows 35 | name: argo-workflows-admin 36 | -------------------------------------------------------------------------------- /kubernetes/aws-identity-webhook/aws-identity-webhook.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | namespace: aws-identity-webhook 7 | name: jkroepke 8 | spec: 9 | url: https://jkroepke.github.io/helm-charts/ 10 | interval: 24h 11 | --- 12 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json 13 | apiVersion: helm.toolkit.fluxcd.io/v2 14 | kind: HelmRelease 15 | metadata: 16 | namespace: aws-identity-webhook 17 | name: aws-identity-webhook 18 | spec: 19 | chart: 20 | spec: 21 | sourceRef: 22 | kind: HelmRepository 23 | name: jkroepke 24 | chart: amazon-eks-pod-identity-webhook 25 | version: 2.5.1 26 | interval: 1h 27 | maxHistory: 1 28 | values: 29 | config: 30 | # follow the EKS convention 31 | annotationPrefix: eks.amazonaws.com 32 | # disable default region 33 | defaultAwsRegion: "" 34 | stsRegionalEndpoint: false 35 | pki: 36 | certManager: 37 | enabled: true 38 | 
securityContext: 39 | runAsNonRoot: true 40 | runAsUser: 65534 41 | runAsGroup: 65534 42 | allowPrivilegeEscalation: false 43 | readOnlyRootFilesystem: true 44 | capabilities: 45 | drop: ["ALL"] 46 | seccompProfile: 47 | type: RuntimeDefault 48 | -------------------------------------------------------------------------------- /kubernetes/aws-identity-webhook/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - namespace.yaml 7 | - aws-identity-webhook.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/aws-identity-webhook/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: aws-identity-webhook 7 | labels: 8 | pod-security.kubernetes.io/enforce: restricted 9 | pod-security.kubernetes.io/audit: restricted 10 | pod-security.kubernetes.io/warn: restricted 11 | -------------------------------------------------------------------------------- /kubernetes/cert-manager/_namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: cert-manager 7 | labels: 8 | pod-security.kubernetes.io/enforce: restricted 9 | pod-security.kubernetes.io/audit: restricted 10 | pod-security.kubernetes.io/warn: restricted 11 | -------------------------------------------------------------------------------- 
/kubernetes/cert-manager/cert-manager-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: cert-manager 7 | name: &name cert-manager-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /amethyst/cert-manager 15 | jmesPath: 16 | - path: CLOUDFLARE_TOKEN 17 | objectAlias: CLOUDFLARE_TOKEN 18 | secretObjects: 19 | - secretName: *name 20 | type: Opaque 21 | data: 22 | - key: CLOUDFLARE_TOKEN 23 | objectName: CLOUDFLARE_TOKEN 24 | -------------------------------------------------------------------------------- /kubernetes/cert-manager/clusterissuer.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cert-manager.io/clusterissuer_v1.json 3 | apiVersion: cert-manager.io/v1 4 | kind: ClusterIssuer 5 | metadata: 6 | name: timtor.dev-le-dns01 7 | spec: 8 | acme: 9 | server: https://acme-v02.api.letsencrypt.org/directory 10 | privateKeySecretRef: 11 | name: acme-account-private-key 12 | solvers: 13 | - dns01: 14 | cloudflare: 15 | apiTokenSecretRef: 16 | name: cert-manager-secret 17 | key: CLOUDFLARE_TOKEN 18 | -------------------------------------------------------------------------------- /kubernetes/cert-manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - _namespace.yaml 7 | - 
cert-manager-secret.yaml 8 | - clusterissuer.yaml 9 | - cert-manager.yaml 10 | -------------------------------------------------------------------------------- /kubernetes/cloudflared/cloudflared-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/configmap-v1.json 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | namespace: cloudflared 7 | name: cloudflared-config 8 | data: 9 | tunnel.yaml: | 10 | tunnel: homelab 11 | credentials-file: /secret/homelab.json 12 | warp-routing: 13 | enabled: true 14 | metrics: 0.0.0.0:2000 15 | ingress: 16 | # bottom to default match all 17 | - service: http_status:404 18 | -------------------------------------------------------------------------------- /kubernetes/cloudflared/cloudflared-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: cloudflared 7 | name: cloudflared-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectAlias: homelab.json 15 | objectName: /amethyst/cloudflared 16 | -------------------------------------------------------------------------------- /kubernetes/cloudflared/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - namespace.yaml 7 | - cloudflared-secret.yaml 8 | - cloudflared-config.yaml 9 | - 
cloudflared.yaml 10 | -------------------------------------------------------------------------------- /kubernetes/cloudflared/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: cloudflared 7 | labels: 8 | pod-security.kubernetes.io/enforce: restricted 9 | pod-security.kubernetes.io/audit: restricted 10 | pod-security.kubernetes.io/warn: restricted 11 | -------------------------------------------------------------------------------- /kubernetes/cnpg/cnpg.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | namespace: cnpg 7 | name: cnpg 8 | spec: 9 | url: https://cloudnative-pg.github.io/charts 10 | interval: 24h 11 | --- 12 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json 13 | apiVersion: helm.toolkit.fluxcd.io/v2 14 | kind: HelmRelease 15 | metadata: 16 | namespace: cnpg 17 | name: cnpg 18 | spec: 19 | interval: 1h 20 | chart: 21 | spec: 22 | sourceRef: 23 | kind: HelmRepository 24 | namespace: cnpg 25 | name: cnpg 26 | chart: cloudnative-pg 27 | version: 0.23.2 28 | install: 29 | crds: CreateReplace 30 | upgrade: 31 | crds: CreateReplace 32 | values: 33 | crds: 34 | create: true 35 | -------------------------------------------------------------------------------- /kubernetes/cnpg/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - namespace.yaml 7 | - cnpg.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/cnpg/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: cnpg 7 | labels: 8 | pod-security.kubernetes.io/enforce: restricted 9 | pod-security.kubernetes.io/audit: restricted 10 | pod-security.kubernetes.io/warn: restricted 11 | -------------------------------------------------------------------------------- /kubernetes/etcd-backup/.taskfile.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/go-task/task/refs/heads/main/website/static/schema.json 3 | version: "3" 4 | silent: true 5 | 6 | tasks: 7 | trigger: 8 | cmd: | 9 | NAMESPACE="etcd-backup" 10 | CRONJOB="cronjob/etcd-backup" 11 | NAME="manual" 12 | TIMESTAMP="$(date +%Y%m%d%H%M%S%z)" 13 | TIMESTAMP="${TIMESTAMP/+/plus}" 14 | TIMESTAMP="${TIMESTAMP/-/minus}" 15 | FULLNAME="$NAME-$TIMESTAMP" 16 | TIMEOUT="5m" 17 | 18 | kubectl create job -n "$NAMESPACE" --from "$CRONJOB" "$FULLNAME" 19 | echo "Waiting for etcd-backup..." 
20 | kubectl wait --for=condition=complete --timeout "$TIMEOUT" -n "$NAMESPACE" "job/$FULLNAME" 21 | kubectl delete -n "$NAMESPACE" "job/$FULLNAME" 22 | echo "Etcd-backup is completed" 23 | -------------------------------------------------------------------------------- /kubernetes/etcd-backup/app/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/configmap-v1.json 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | namespace: etcd-backup 7 | name: rustic-config 8 | data: 9 | rustic.toml: | #toml 10 | [repository] 11 | repository = "opendal:s3" 12 | # password = RUSTIC_PASSWORD 13 | 14 | [repository.options] 15 | endpoint = "https://s3.us-east-005.backblazeb2.com" 16 | # access_key_id = OPENDAL_ACCESS_KEY_ID 17 | # secret_access_key = OPENDAL_SECRET_ACCESS_KEY 18 | bucket = "timtor-homelab-etcd-backup" 19 | root = "/" 20 | region = "us-east-005" 21 | 22 | [forget] 23 | keep-daily = 5 24 | keep-weekly = 4 25 | -------------------------------------------------------------------------------- /kubernetes/etcd-backup/app/netpol.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json 3 | apiVersion: cilium.io/v2 4 | kind: CiliumNetworkPolicy 5 | metadata: 6 | namespace: etcd-backup 7 | name: etcd-backup-app-policy 8 | specs: 9 | - endpointSelector: 10 | matchLabels: 11 | app.kubernetes.io/name: etcd-backup 12 | egress: 13 | # allow dns connection 14 | - toEndpoints: 15 | - matchLabels: 16 | k8s:io.kubernetes.pod.namespace: kube-system 17 | k8s-app: kube-dns 18 | toPorts: 19 | - ports: 20 | - protocol: ANY 21 | port: "53" 22 | rules: 23 | dns: 24 | - matchName: talos.default.svc.cluster.local. 
25 | - matchName: &s3 s3.us-east-005.backblazeb2.com 26 | # allow connection to the master (control-plane) node 27 | - toEntities: 28 | - remote-node 29 | # allow HTTPS (TCP 443) connection to the Backblaze B2 S3 endpoint only 30 | - toFQDNs: 31 | - matchName: *s3 32 | toPorts: 33 | - ports: 34 | - protocol: TCP 35 | port: "443" 36 | -------------------------------------------------------------------------------- /kubernetes/etcd-backup/app/repo.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | namespace: etcd-backup 7 | name: bjw-s 8 | spec: 9 | url: https://bjw-s.github.io/helm-charts 10 | interval: 24h 11 | -------------------------------------------------------------------------------- /kubernetes/etcd-backup/app/secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: etcd-backup 7 | name: &name rustic-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /kubernetes/etcd-backup 15 | jmesPath: 16 | - path: RUSTIC_PASSWORD 17 | objectAlias: RUSTIC_PASSWORD 18 | - path: OPENDAL_ACCESS_KEY_ID 19 | objectAlias: OPENDAL_ACCESS_KEY_ID 20 | - path: OPENDAL_SECRET_ACCESS_KEY 21 | objectAlias: OPENDAL_SECRET_ACCESS_KEY 22 | secretObjects: 23 | - secretName: *name 24 | type: Opaque 25 | data: 26 | - key: RUSTIC_PASSWORD 27 | objectName: RUSTIC_PASSWORD 28 | - key: OPENDAL_ACCESS_KEY_ID 29 | objectName: OPENDAL_ACCESS_KEY_ID 30 | - key: OPENDAL_SECRET_ACCESS_KEY 
31 | objectName: OPENDAL_SECRET_ACCESS_KEY 32 | -------------------------------------------------------------------------------- /kubernetes/etcd-backup/app/talos-sa.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: talos.dev/v1alpha1 3 | kind: ServiceAccount 4 | metadata: 5 | namespace: etcd-backup 6 | name: etcd-backup-talos-sa 7 | spec: 8 | roles: 9 | - os:etcd:backup 10 | -------------------------------------------------------------------------------- /kubernetes/etcd-backup/base/netpol.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json 3 | apiVersion: cilium.io/v2 4 | kind: CiliumNetworkPolicy 5 | metadata: 6 | namespace: etcd-backup 7 | name: etcd-backup-default-policy 8 | specs: 9 | - endpointSelector: 10 | matchLabels: {} 11 | ingress: 12 | - {} 13 | egress: 14 | - {} 15 | -------------------------------------------------------------------------------- /kubernetes/etcd-backup/base/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: etcd-backup 7 | labels: 8 | pod-security.kubernetes.io/enforce: restricted 9 | pod-security.kubernetes.io/audit: restricted 10 | pod-security.kubernetes.io/warn: restricted 11 | -------------------------------------------------------------------------------- /kubernetes/etcd-backup/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: 
Kustomization 5 | resources: 6 | - base/ns.yaml 7 | - base/netpol.yaml 8 | - app/repo.yaml 9 | - app/talos-sa.yaml 10 | - app/config.yaml 11 | - app/secret.yaml 12 | - app/netpol.yaml 13 | - app/release.yaml 14 | -------------------------------------------------------------------------------- /kubernetes/flux-system/app/receiver.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/notification.toolkit.fluxcd.io/receiver_v1.json 3 | apiVersion: notification.toolkit.fluxcd.io/v1 4 | kind: Receiver 5 | metadata: 6 | namespace: flux-system 7 | name: homelab 8 | spec: 9 | type: github 10 | events: 11 | - "ping" 12 | - "push" 13 | secretRef: 14 | name: webhook-token 15 | resources: 16 | - apiVersion: source.toolkit.fluxcd.io/v1 17 | kind: GitRepository 18 | name: homelab 19 | -------------------------------------------------------------------------------- /kubernetes/flux-system/app/release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | namespace: flux-system 7 | name: flux2 8 | spec: 9 | chart: 10 | spec: 11 | sourceRef: 12 | kind: HelmRepository 13 | name: fluxcd-community 14 | chart: flux2 15 | version: 2.14.1 16 | install: 17 | crds: CreateReplace 18 | upgrade: 19 | crds: CreateReplace 20 | interval: 1h 21 | maxHistory: 1 22 | timeout: 1m0s 23 | values: 24 | installCRDs: true 25 | policies: 26 | create: false 27 | notificationController: 28 | serviceAccount: 29 | create: true 30 | automount: true 31 | annotations: 32 | eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-notification-controller 33 | eks.amazonaws.com/audience: 
sts.amazonaws.com 34 | volumes: 35 | - name: &n webhook-token 36 | csi: 37 | driver: secrets-store.csi.k8s.io 38 | readOnly: true 39 | volumeAttributes: 40 | secretProviderClass: *n 41 | volumeMounts: 42 | - name: *n 43 | mountPath: /secret 44 | readOnly: true 45 | webhookReceiver: 46 | ingress: 47 | create: true 48 | ingressClassName: nginx 49 | hosts: 50 | - host: flux.timtor.dev 51 | paths: 52 | - path: / 53 | pathType: ImplementationSpecific 54 | -------------------------------------------------------------------------------- /kubernetes/flux-system/app/repo.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | namespace: flux-system 7 | name: fluxcd-community 8 | spec: 9 | url: https://fluxcd-community.github.io/helm-charts 10 | interval: 24h 11 | -------------------------------------------------------------------------------- /kubernetes/flux-system/app/secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: flux-system 7 | name: &name webhook-token 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /kubernetes/flux-system/webhook-token 15 | jmesPath: 16 | - path: TOKEN 17 | objectAlias: TOKEN 18 | secretObjects: 19 | - secretName: *name 20 | type: Opaque 21 | data: 22 | - key: token 23 | objectName: TOKEN 24 | -------------------------------------------------------------------------------- 
/kubernetes/flux-system/base/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: flux-system 7 | labels: 8 | pod-security.kubernetes.io/enforce: restricted 9 | pod-security.kubernetes.io/audit: restricted 10 | pod-security.kubernetes.io/warn: restricted 11 | -------------------------------------------------------------------------------- /kubernetes/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - base/ns.yaml 7 | - app/repo.yaml 8 | - app/release.yaml 9 | - app/boostrap.yaml 10 | - app/receiver.yaml 11 | - app/secret.yaml 12 | -------------------------------------------------------------------------------- /kubernetes/grafana/app/repo.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | namespace: grafana 7 | name: grafana 8 | spec: 9 | url: https://grafana.github.io/helm-charts 10 | interval: 24h 11 | -------------------------------------------------------------------------------- /kubernetes/grafana/app/secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: 
secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: grafana 7 | name: &name grafana-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /amethyst/grafana 15 | jmesPath: 16 | - path: ADMIN_USER 17 | objectAlias: ADMIN_USER 18 | - path: ADMIN_PASSWORD 19 | objectAlias: ADMIN_PASSWORD 20 | - path: POSTGRES_URL 21 | objectAlias: POSTGRES_URL 22 | - path: JUMPCLOUD_OIDC_CLIENT_ID 23 | objectAlias: JUMPCLOUD_OIDC_CLIENT_ID 24 | - path: JUMPCLOUD_OIDC_CLIENT_SECRET 25 | objectAlias: JUMPCLOUD_OIDC_CLIENT_SECRET 26 | secretObjects: 27 | - secretName: *name 28 | type: Opaque 29 | data: 30 | - key: ADMIN_USER 31 | objectName: ADMIN_USER 32 | - key: ADMIN_PASSWORD 33 | objectName: ADMIN_PASSWORD 34 | - key: POSTGRES_URL 35 | objectName: POSTGRES_URL 36 | - key: JUMPCLOUD_OIDC_CLIENT_ID 37 | objectName: JUMPCLOUD_OIDC_CLIENT_ID 38 | - key: JUMPCLOUD_OIDC_CLIENT_SECRET 39 | objectName: JUMPCLOUD_OIDC_CLIENT_SECRET 40 | -------------------------------------------------------------------------------- /kubernetes/grafana/base/netpol.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json 3 | apiVersion: cilium.io/v2 4 | kind: CiliumNetworkPolicy 5 | metadata: 6 | namespace: grafana 7 | name: grafana-default-policy 8 | specs: 9 | - endpointSelector: 10 | matchLabels: {} 11 | ingress: 12 | - {} 13 | egress: 14 | - {} 15 | -------------------------------------------------------------------------------- /kubernetes/grafana/base/ns.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: 
v1 4 | kind: Namespace 5 | metadata: 6 | name: grafana 7 | labels: 8 | pod-security.kubernetes.io/enforce: restricted 9 | pod-security.kubernetes.io/audit: restricted 10 | pod-security.kubernetes.io/warn: restricted 11 | -------------------------------------------------------------------------------- /kubernetes/grafana/deps/postgres-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: grafana 7 | name: &name grafana-postgres-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /amethyst/grafana-postgres 15 | jmesPath: 16 | - path: POSTGRES_BOOSTRAP_USERNAME 17 | objectAlias: POSTGRES_BOOSTRAP_USERNAME 18 | - path: POSTGRES_BOOSTRAP_PASSWORD 19 | objectAlias: POSTGRES_BOOSTRAP_PASSWORD 20 | - path: POSTGRES_B2_ACCESS_KEY_ID 21 | objectAlias: POSTGRES_B2_ACCESS_KEY_ID 22 | - path: POSTGRES_B2_ACCESS_SECRET_KEY 23 | objectAlias: POSTGRES_B2_ACCESS_SECRET_KEY 24 | secretObjects: 25 | - secretName: *name 26 | type: Opaque 27 | data: 28 | - key: username 29 | objectName: POSTGRES_BOOSTRAP_USERNAME 30 | - key: password 31 | objectName: POSTGRES_BOOSTRAP_PASSWORD 32 | - key: POSTGRES_B2_ACCESS_KEY_ID 33 | objectName: POSTGRES_B2_ACCESS_KEY_ID 34 | - key: POSTGRES_B2_ACCESS_SECRET_KEY 35 | objectName: POSTGRES_B2_ACCESS_SECRET_KEY 36 | -------------------------------------------------------------------------------- /kubernetes/grafana/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | 
kind: Kustomization 5 | resources: 6 | - base/ns.yaml 7 | - base/netpol.yaml 8 | - app/repo.yaml 9 | - app/release.yaml 10 | - app/secret.yaml 11 | - app/netpol.yaml 12 | - deps/netpol.yaml 13 | - deps/postgres-secret.yaml 14 | - deps/postgres.yaml 15 | -------------------------------------------------------------------------------- /kubernetes/grafana/maintain/postgres-restore.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/postgresql.cnpg.io/cluster_v1.json 3 | apiVersion: postgresql.cnpg.io/v1 4 | kind: Cluster 5 | metadata: 6 | namespace: grafana 7 | name: &name grafana-postgres 8 | spec: 9 | imageName: ghcr.io/cloudnative-pg/postgresql:15.6 10 | instances: 2 11 | storage: 12 | pvcTemplate: 13 | storageClassName: fs-fast 14 | resources: 15 | requests: 16 | storage: 10Gi 17 | accessModes: ["ReadWriteOnce"] 18 | bootstrap: 19 | recovery: 20 | source: clusterBackup 21 | recoveryTarget: 22 | ## timezone should be in +00:00 23 | ## or barman-cloud-wal-restore will return "invalid value for parameter" 24 | # targetTime: "2024-02-14 10:00:00.00000+00" 25 | {} 26 | externalClusters: 27 | - name: clusterBackup 28 | barmanObjectStore: 29 | endpointURL: https://s3.us-east-005.backblazeb2.com 30 | destinationPath: s3://homelab-amethyst-grafana/ 31 | serverName: *name 32 | s3Credentials: 33 | accessKeyId: 34 | name: grafana-postgres-secret 35 | key: POSTGRES_B2_ACCESS_KEY_ID 36 | secretAccessKey: 37 | name: grafana-postgres-secret 38 | key: POSTGRES_B2_ACCESS_SECRET_KEY 39 | wal: 40 | maxParallel: 8 41 | -------------------------------------------------------------------------------- /kubernetes/ingress-nginx/_namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: ingress-nginx 7 | labels: 8 | pod-security.kubernetes.io/enforce: restricted 9 | pod-security.kubernetes.io/audit: restricted 10 | pod-security.kubernetes.io/warn: restricted 11 | -------------------------------------------------------------------------------- /kubernetes/ingress-nginx/certificate.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cert-manager.io/certificate_v1.json 3 | apiVersion: cert-manager.io/v1 4 | kind: Certificate 5 | metadata: 6 | namespace: ingress-nginx 7 | name: timtor.dev-wildcard-certificate 8 | spec: 9 | secretName: timtor.dev-wildcard-certificate-secret 10 | dnsNames: 11 | - timtor.dev 12 | - "*.timtor.dev" 13 | issuerRef: 14 | kind: ClusterIssuer 15 | name: timtor.dev-le-dns01 16 | -------------------------------------------------------------------------------- /kubernetes/ingress-nginx/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - _namespace.yaml 7 | - ingress-nginx.yaml 8 | - certificate.yaml 9 | - policy.yaml 10 | -------------------------------------------------------------------------------- /kubernetes/intel-device-system/app/intel-device-plugins-gpu.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 
6 | namespace: intel-device-system 7 | name: intel-device-plugins-gpu 8 | spec: 9 | chart: 10 | spec: 11 | sourceRef: 12 | kind: HelmRepository 13 | name: intel 14 | version: 0.29.0 15 | chart: intel-device-plugins-gpu 16 | interval: 1h 17 | maxHistory: 1 18 | timeout: 1m0s 19 | install: 20 | crds: CreateReplace 21 | upgrade: 22 | crds: CreateReplace 23 | values: 24 | name: daemon 25 | nodeSelector: 26 | intel.feature.node.kubernetes.io/gpu: "true" 27 | sharedDevNum: 4 28 | resourceManager: true 29 | -------------------------------------------------------------------------------- /kubernetes/intel-device-system/app/intel-device-plugins-operator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json 3 | apiVersion: helm.toolkit.fluxcd.io/v2 4 | kind: HelmRelease 5 | metadata: 6 | namespace: intel-device-system 7 | name: intel-device-plugins-operator 8 | spec: 9 | chart: 10 | spec: 11 | sourceRef: 12 | kind: HelmRepository 13 | name: intel 14 | version: 0.29.0 15 | chart: intel-device-plugins-operator 16 | interval: 1h 17 | maxHistory: 1 18 | timeout: 1m0s 19 | install: 20 | crds: CreateReplace 21 | upgrade: 22 | crds: CreateReplace 23 | values: {} 24 | -------------------------------------------------------------------------------- /kubernetes/intel-device-system/base/helmrepo.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | namespace: intel-device-system 7 | name: intel 8 | spec: 9 | url: https://intel.github.io/helm-charts 10 | interval: 24h 11 | 
# /kubernetes/intel-device-system/base/namespace.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: intel-device-system
  labels:
    # PSS "privileged" on all three modes: nothing in this namespace is checked
    # against a Pod Security profile. Presumably required because the device
    # plugin needs host device access -- TODO confirm against the chart.
    # Keep this namespace for the Intel device-plugin workloads only; anything
    # else placed here silently inherits the relaxed level.
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged

# /kubernetes/intel-device-system/kustomization.yaml
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - base/namespace.yaml
  - base/helmrepo.yaml
  - app/intel-device-plugins-gpu.yaml
  - app/intel-device-plugins-operator.yaml

# /kubernetes/kromgo/app/networkpolicy.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: kromgo
  name: kromgo-app-policy
# Allow-list layered on top of the namespace-wide default deny in
# base/networkpolicy.yaml; anything not listed below stays blocked.
specs:
  # allow connection from ingress-nginx
  # Ingress: TCP/8080 only, and only from pods in the ingress-nginx namespace
  # (any pod in that namespace qualifies, not just the controller).
  - endpointSelector: &self
      matchLabels:
        app.kubernetes.io/name: kromgo
    ingress:
      - fromEndpoints:
          - matchLabels:
              k8s:io.kubernetes.pod.namespace: ingress-nginx
        toPorts:
          - ports:
              - protocol: TCP
                port: "8080"
  # allow kromgo to mimir
  - endpointSelector: *self
    egress:
      # DNS through kube-dns only, with an L7 rule that restricts the names
      # kromgo may resolve to the Mimir query frontend.
      - toEndpoints:
          - matchLabels:
              k8s:io.kubernetes.pod.namespace: kube-system
              k8s-app: kube-dns
        toPorts:
          - ports:
              - protocol: ANY
                port: "53"
            rules:
              dns:
                - matchPattern: "mimir-query-frontend.mimir.svc.cluster.local."
      # Query-frontend pods in the mimir namespace on TCP/8080, selected by
      # label (identity) rather than by resolved IP.
      - toEndpoints:
          - matchLabels:
              k8s:io.kubernetes.pod.namespace: mimir
              app.kubernetes.io/component: query-frontend
        toPorts:
          - ports:
              - protocol: TCP
                port: "8080"

# /kubernetes/kromgo/base/namespace.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: kromgo
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

# /kubernetes/kromgo/base/networkpolicy.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: kromgo
  name: kromgo-default-policy
# Namespace-wide default deny: the empty selector matches every pod in kromgo
# and an empty rule ({}) selects no peers, so ingress and egress are both
# enforced with nothing allowed until another policy adds an allow rule.
specs:
  - endpointSelector:
      matchLabels: {}
    ingress:
      - {}
    egress:
      - {}

# /kubernetes/kromgo/kustomization.yaml
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion:
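kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - base/namespace.yaml
  - base/networkpolicy.yaml
  - app/kromgo-config.yaml
  - app/kromgo.yaml
  - app/networkpolicy.yaml

# /kubernetes/kube-system/base/ns.yaml
# Default privileged namespace
# Intentionally no manifest: kube-system already exists and is left at the
# cluster default Pod Security level (privileged), so nothing deployed below
# is subject to PSS checks.

# /kubernetes/kube-system/cilium/kustomization.yaml
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - repo.yaml
  - release.yaml
  - netpol.yaml

# /kubernetes/kube-system/cilium/release.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  namespace: kube-system
  name: cilium
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: cilium
      chart: cilium
      version: 1.16.6
  interval: 1h
  maxHistory: 1
  values:
    ipam:
      mode: kubernetes
    kubeProxyReplacement: true
    securityContext:
      capabilities:
        # Explicit capability list instead of a fully privileged agent.
        # SYS_ADMIN + NET_ADMIN + DAC_OVERRIDE still amount to root on the
        # node, so treat the agent as part of the node's trusted computing
        # base rather than as a sandboxed workload.
        ciliumAgent:
          - CHOWN
          - KILL
          - NET_ADMIN
          - NET_RAW
          - IPC_LOCK
          - SYS_ADMIN
          - SYS_RESOURCE
          - DAC_OVERRIDE
          - FOWNER
          - SETGID
          - SETUID
        cleanCiliumState:
          - NET_ADMIN
          - SYS_ADMIN
          - SYS_RESOURCE
    updateStrategy:
      type: RollingUpdate
      rollingUpdate:
        maxSurge: 0
        maxUnavailable: 1
    cgroup:
      autoMount:
        enabled: false
      hostRoot: /sys/fs/cgroup
    # API server reached through a node-local endpoint instead of the
    # in-cluster Service. NOTE(review): Talos' KubePrism default port is
    # 7445 -- confirm 7745 matches the machine config, otherwise the agent
    # cannot reach the API server.
    k8sServiceHost: localhost
    k8sServicePort: 7745
    hubble:
      enabled: true
      relay:
        enabled: true
      # Hubble UI does not authenticate users itself and exposes flow data
      # for the whole cluster; never publish it through an Ingress without an
      # authenticating proxy in front.
      ui:
        enabled: true
    envoy:
      enabled: true

# /kubernetes/kube-system/cilium/repo.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  namespace: kube-system
  name: cilium
spec:
  url: https://helm.cilium.io
  interval: 24h

# /kubernetes/kube-system/metrics-server/kustomization.yaml
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - repo.yaml
  - release.yaml
  - netpol.yaml

# /kubernetes/kube-system/metrics-server/netpol.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: kube-system
  name: metrics-server-policy
specs:
  # default
  # Empty rules put metrics-server pods into default deny for both directions;
  # the specs below add the only allowed peers.
  - endpointSelector: &self
      matchLabels:
        app.kubernetes.io/name: metrics-server
    ingress:
      - {}
    egress:
      - {}
  # allow connection to kube-apiserver
  - endpointSelector: *self
    egress:
      - toEntities: [kube-apiserver]
        toPorts:
          - ports:
              - protocol: TCP
                port: "6443"
  # allow connection to kubelets
  # Scrapes every node's kubelet (local host and remote nodes) on 10250.
  - endpointSelector: *self
    egress:
      - toEntities: ["host", "remote-node"]
        toPorts:
          - ports:
              - protocol: TCP
                port: "10250"
  # allow connection from kube-apiserver
  # possible ISSUE: https://github.com/cilium/cilium/issues/31711
  # The apiserver's calls arrive with the host/remote-node identity (it runs
  # on the control-plane host), so this admits any host-network process on
  # any node to metrics-server's 10250, not just the apiserver.
  - endpointSelector: *self
    ingress:
      - fromEntities: ["host", "remote-node"]
        toPorts:
          - ports:
              - protocol: TCP
                port: "10250"

# /kubernetes/kube-system/metrics-server/release.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  namespace: kube-system
  name: metrics-server
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: metrics-server
      chart: metrics-server
      version: 3.12.2
  interval: 1h
  maxHistory: 1
  values:
    # FIX: the chart key is `apiService`; the previous spelling (`apiSevice`)
    # was silently ignored by Helm, so the chart default
    # (insecureSkipTLSVerify: true) stayed in effect and the aggregation
    # layer never verified metrics-server's serving certificate.
    # NOTE(review): with verification on, the APIService needs
    # `apiService.caBundle` or a serving cert signed by the cluster CA --
    # confirm one of those is in place before this is reconciled.
    apiService:
      insecureSkipTLSVerify: false
    replicas: 2
    resources:
      limits:
        memory: 50Mi
      requests:
        cpu: 10m
        memory: 50Mi
    args:
      # https://github.com/siderolabs/talos/issues/7317
      # Disables verification of the kubelets' serving certificates, so
      # metrics-server will trust whatever answers on a node's 10250. Remove
      # once kubelet serving certs are issued by the cluster CA (e.g. serving
      # cert rotation plus an approver) -- TODO confirm for this cluster.
      - --kubelet-insecure-tls

# /kubernetes/kube-system/metrics-server/repo.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  namespace: kube-system
  name: metrics-server
spec:
  url: https://kubernetes-sigs.github.io/metrics-server/
  interval: 24h

# /kubernetes/kube-system/node-feature-discovery/kustomization.yaml
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - repo.yaml
  - release.yaml
  - rule.yaml
  - netpol.yaml

# /kubernetes/kube-system/node-feature-discovery/netpol.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: kube-system
  name: node-feature-discovery-policy
specs:
  # default
  # Default deny for NFD pods; the only egress allowed is the API server.
  - endpointSelector: &self
      matchLabels:
        app.kubernetes.io/name: node-feature-discovery
    ingress:
      - {}
    egress:
      - {}
  # allow connection to kube-api server
  - endpointSelector: *self
    egress:
      - toEntities: [kube-apiserver]
        toPorts:
          - ports:
              - protocol: TCP
                port: "6443"

# /kubernetes/kube-system/node-feature-discovery/release.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: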
helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  namespace: kube-system
  name: node-feature-discovery
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: node-feature-discovery
      version: 0.15.4
      chart: node-feature-discovery
  interval: 1h
  maxHistory: 1
  timeout: 1m0s
  install:
    crds: CreateReplace
  upgrade:
    crds: CreateReplace
  values:
    enableNodeFeatureApi: true
    master:
      enable: true
    worker:
      enable: true
    gc:
      enable: true

# /kubernetes/kube-system/node-feature-discovery/repo.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  namespace: kube-system
  name: node-feature-discovery
spec:
  url: https://kubernetes-sigs.github.io/node-feature-discovery/charts
  interval: 24h

# /kubernetes/kube-system/secrets-store-csi-driver-provider-aws/kustomization.yaml
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - repo.yaml
  - release.yaml
  - netpol.yaml

# /kubernetes/kube-system/secrets-store-csi-driver-provider-aws/netpol.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: kube-system
  name: secrets-store-csi-driver-provider-aws-policy
specs:
  # default
  # Default deny for the provider pods; everything below is the allow-list.
  - endpointSelector: &self
      matchLabels:
        app.kubernetes.io/name: secrets-store-csi-driver-provider-aws
    ingress:
      - {}
    egress:
      - {}
  # allow connection to AWS STS and SSM
  - endpointSelector: *self
    egress:
      # DNS via kube-dns with an L7 allow-list of resolvable names. The same
      # pattern list (the &services anchor) feeds toFQDNs below, so the
      # names the pod may resolve and the names it may connect to cannot
      # drift apart.
      - toEndpoints:
          - matchLabels:
              k8s:io.kubernetes.pod.namespace: kube-system
              k8s-app: kube-dns
        toPorts:
          - ports:
              - protocol: ANY
                port: "53"
            rules:
              dns: &services
                - matchPattern: sts.*.amazonaws.com
                - matchPattern: ssm.*.amazonaws.com
      # HTTPS to the regional STS/SSM endpoints only (no other AWS APIs).
      - toFQDNs: *services
        toPorts:
          - ports:
              - protocol: TCP
                port: "443"
  # allow connection to kube-api server
  - endpointSelector: *self
    egress:
      - toEntities: [kube-apiserver]
        toPorts:
          - ports:
              - protocol: TCP
                port: "6443"

# /kubernetes/kube-system/secrets-store-csi-driver-provider-aws/release.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  namespace: kube-system
  name: secrets-store-csi-driver-provider-aws
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: aws-secrets-manager
      chart: secrets-store-csi-driver-provider-aws
      version: 0.3.11
  interval: 1h
  maxHistory: 1
  values:
    securityContext:
      # The provider runs as root (runAsNonRoot: false) -- presumably needed
      # for the host-side CSI provider socket; TODO confirm whether the chart
      # supports a non-root UID. The remaining hardening (no privilege
      # escalation, read-only rootfs, all capabilities dropped, default
      # seccomp) limits what a compromised provider can do with that UID.
      runAsNonRoot: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
    resources:
      requests:
        cpu: 50m
        memory: 100Mi
      limits:
        cpu: 50m
        memory: 100Mi

# /kubernetes/kube-system/secrets-store-csi-driver-provider-aws/repo.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  namespace: kube-system
  name: aws-secrets-manager
spec:
  url: https://aws.github.io/secrets-store-csi-driver-provider-aws
  interval: 24h

# /kubernetes/kube-system/secrets-store-csi-driver/kustomization.yaml
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - repo.yaml
  - release.yaml
  - netpol.yaml

# /kubernetes/kube-system/secrets-store-csi-driver/netpol.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: kube-system
  name: secrets-store-csi-driver-policy
specs:
  # default
  # Default deny for the driver; its only network peer is the API server
  # (the provider is reached over a host socket, not the network).
  - endpointSelector: &self
      matchLabels:
        app.kubernetes.io/name: secrets-store-csi-driver
    ingress:
      - {}
    egress:
      - {}
  # allow connection to kube-api server
  - endpointSelector: *self
    egress:
      - toEntities: [kube-apiserver]
        toPorts:
          - ports:
              - protocol: TCP
                port: "6443"

# /kubernetes/kube-system/secrets-store-csi-driver/release.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  namespace: kube-system
  name: secrets-store-csi-driver
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: secrets-store-csi-driver
      chart: secrets-store-csi-driver
      version: 1.5.1
  install:
    crds: CreateReplace
  upgrade:
    crds: CreateReplace
  interval: 1h
  maxHistory: 1
  values:
    linux:
      enabled: true
    crds:
      enabled: true
    # add sync secret related k8s permission
    # syncSecret mirrors mounted secrets into Kubernetes Secret objects
    # (used by the SecretProviderClass secretObjects elsewhere in this repo).
    # That widens exposure from "the mounting pod" to "anyone with get/list
    # on Secrets in that namespace" plus etcd at rest; only enable for
    # workloads that cannot read the mounted file directly.
    syncSecret:
      enabled: true
    # Re-pull from the provider hourly so rotated values propagate; the
    # mounted file and synced Secret update, but running processes only
    # pick up the change if they re-read it.
    enableSecretRotation: true
    rotationPollInterval: 1h

# /kubernetes/kube-system/secrets-store-csi-driver/repo.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  namespace: kube-system
  name: secrets-store-csi-driver
spec:
  url: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
  interval: 24h
# /kubernetes/kube-system/snapshot-controller/app-repo.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/gitrepository_v1.json
## Workloads
## TODO: Check Talos upstream implementation
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  namespace: kube-system
  name: snapshot-controller
spec:
  interval: 5m
  url: https://github.com/kubernetes-csi/external-snapshotter
  ref:
    # NOTE(review): a git tag is mutable -- whoever can move v6.3.3 upstream
    # can change what gets applied to kube-system on the next 5m poll. Pin
    # with `ref.commit: <sha>` (keep the tag as documentation) so the manifest
    # set is immutable; the SHA has to be taken from the upstream release.
    tag: v6.3.3
  # Only the controller manifests are exposed to the Kustomization below.
  ignore: |
    /*
    # include the manifest folder
    !/deploy/kubernetes/snapshot-controller

# /kubernetes/kube-system/snapshot-controller/app.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  namespace: kube-system
  name: snapshot-controller
spec:
  interval: 10m
  targetNamespace: kube-system
  # prune: false -- objects removed upstream are left in the cluster.
  prune: false
  sourceRef:
    kind: GitRepository
    namespace: kube-system
    name: snapshot-controller

# /kubernetes/kube-system/snapshot-controller/crd-repo.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/gitrepository_v1.json
## CRD
## TODO: Check Talos upstream implementation
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  namespace: kube-system
  name: external-snapshotter-crd
spec:
  interval: 5m
  url: https://github.com/kubernetes-csi/external-snapshotter
  ref:
    # Same mutable-tag caveat as app-repo.yaml: prefer `ref.commit`.
    tag: v6.3.3
  ignore: |
    /*
    # include the crd folder
    !/client/config/crd

# /kubernetes/kube-system/snapshot-controller/crd.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  namespace: kube-system
  name: external-snapshotter-crd
spec:
  interval: 10m
  prune: false
  sourceRef:
    kind: GitRepository
    name: external-snapshotter-crd

# /kubernetes/kube-system/snapshot-controller/kustomization.yaml
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - crd-repo.yaml
  - crd.yaml
  - app-repo.yaml
  - app.yaml
  - netpol.yaml

# /kubernetes/kube-system/snapshot-controller/netpol.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: kube-system
  name: snapshot-controller-policy
specs:
  # default
  # Default deny for the controller; API server is the only allowed peer.
  - endpointSelector: &self
      matchLabels:
        app.kubernetes.io/name: snapshot-controller
    ingress:
      - {}
    egress:
      - {}
  # allow connection to kube-api server
  - endpointSelector: *self
    egress:
      - toEntities: [kube-apiserver]
        toPorts:
          - ports:
              - protocol: TCP
                port: "6443"

# /kubernetes/kyverno/kustomization.yaml
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
  - kyverno.yaml

# /kubernetes/kyverno/kyverno.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  namespace: kyverno
  name: kyverno
spec:
  url: https://kyverno.github.io/kyverno
  interval: 24h
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  namespace: kyverno
  name: kyverno
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: kyverno
      version: 3.0.1
      chart: kyverno
  install:
    crds: CreateReplace
  upgrade:
    crds: CreateReplace
  interval: 1h
  maxHistory: 1
  values:
    crds:
      install: true
    config:
      # Exclude namespaces
      # Kyverno's own namespace and kube-system are not sent to the admission
      # webhooks. That avoids the webhook-vs-CNI/DNS bootstrap deadlock, but it
      # also means no Kyverno policy applies to anything in kube-system --
      # keep that in mind when writing cluster-wide policies.
      excludeKyvernoNamespace: true
      webhooks:
        - namespaceSelector:
            matchExpressions:
              - key: kubernetes.io/metadata.name
                operator: NotIn
                values:
                  - kube-system

# /kubernetes/kyverno/namespace.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: kyverno
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

# /kubernetes/loki/kustomization.yaml
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
  - loki-secret.yaml
  - loki.yaml
  - networkpolicy.yaml

# /kubernetes/loki/loki-secret.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  namespace: loki
  name: &name loki-secret
spec:
  provider: aws
  parameters:
    region: us-west-2
    # Static S3 access keys read from one SSM parameter. Long-lived keys are
    # the weakest link here: if the object store supports it, prefer
    # short-lived web-identity credentials; otherwise scope the key's IAM
    # policy to the Loki bucket only and rely on the hourly rotation poll.
    objects: |
      - objectType: ssmparameter
        objectName: /amethyst/loki
        jmesPath:
          - path: APP_S3_ACCESS_KEY_ID
            objectAlias: APP_S3_ACCESS_KEY_ID
          - path: APP_S3_SECRET_ACCESS_KEY
            objectAlias: APP_S3_SECRET_ACCESS_KEY
  # Also materialised as a Kubernetes Secret (needs the driver's syncSecret),
  # so the keys are readable by anyone with Secret access in this namespace.
  secretObjects:
    - secretName: *name
      type: Opaque
      data:
        - key: APP_S3_ACCESS_KEY_ID
          objectName: APP_S3_ACCESS_KEY_ID
        - key: APP_S3_SECRET_ACCESS_KEY
          objectName: APP_S3_SECRET_ACCESS_KEY

# /kubernetes/loki/namespace.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: loki
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

# /kubernetes/metallb-system/_namespace.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: metallb-system
  labels:
    # privileged: presumably for the speaker's host networking / raw sockets
    # (L2 mode below) -- TODO confirm; keep only MetalLB in this namespace.
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged

# /kubernetes/metallb-system/ipaddresspools.yaml
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  namespace: metallb-system
  name: default
spec:
  # Any LoadBalancer Service in the cluster can claim one of these LAN
  # addresses unless the pool is restricted (serviceAllocation) elsewhere.
  addresses:
    - 192.168.253.100-192.168.253.110
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  namespace: metallb-system
  name: default
spec:
  ipAddressPools:
    - default
  # L2 (ARP/NDP) announcements only on eth0.
  interfaces:
    - eth0
# /kubernetes/metallb-system/kustomization.yaml
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - _namespace.yaml
  - metallb.yaml
  - ipaddresspools.yaml

# /kubernetes/metallb-system/metallb.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  namespace: metallb-system
  name: metallb
spec:
  url: https://metallb.github.io/metallb
  interval: 24h
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  namespace: metallb-system
  name: metallb
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: metallb
      version: 0.14.9
      chart: metallb
  interval: 1h
  maxHistory: 1
  install:
    crds: CreateReplace
  upgrade:
    crds: CreateReplace
  values:
    # NOTE(review): with crds.enabled: false this chart installs no CRDs, so
    # the IPAddressPool/L2Advertisement in ipaddresspools.yaml depend on the
    # metallb.io CRDs being present from somewhere else -- confirm where they
    # come from, or the pool objects will fail to apply.
    crds:
      enabled: false
    speaker:
      # FRR (BGP) disabled: L2 mode only.
      frr:
        enabled: false

# /kubernetes/mimir/kustomization.yaml
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
  - mimir-secret.yaml
  - mimir.yaml
  - networkpolicy.yaml

# /kubernetes/mimir/mimir-secret.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  namespace: mimir
  name: &name mimir-secret
spec:
  provider: aws
  parameters:
    region: us-west-2
    # Static S3 access keys from one SSM parameter; same caveat as the Loki
    # SecretProviderClass -- scope the key's IAM policy to the Mimir bucket
    # only, and prefer short-lived credentials where the store supports it.
    objects: |
      - objectType: ssmparameter
        objectName: /amethyst/mimir
        jmesPath:
          - path: APP_S3_ACCESS_KEY_ID
            objectAlias: APP_S3_ACCESS_KEY_ID
          - path: APP_S3_SECRET_ACCESS_KEY
            objectAlias: APP_S3_SECRET_ACCESS_KEY
  # Mirrored into a Kubernetes Secret (driver syncSecret), widening who can
  # read the keys to anyone with Secret access in the mimir namespace.
  secretObjects:
    - secretName: *name
      type: Opaque
      data:
        - key: APP_S3_ACCESS_KEY_ID
          objectName: APP_S3_ACCESS_KEY_ID
        - key: APP_S3_SECRET_ACCESS_KEY
          objectName: APP_S3_SECRET_ACCESS_KEY

# /kubernetes/mimir/namespace.yaml
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: mimir
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

# /kubernetes/miniflux/app/netpol.yaml
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json 3 | apiVersion: cilium.io/v2 4 | kind: CiliumNetworkPolicy 5 | metadata: 6 | namespace: miniflux 7 | name: miniflux-app-policy 8 | specs: 9 | # ingress: only pods in the ingress-nginx namespace may reach the app port (8080); the selector is namespace-wide, not a specific ingress-nginx pod 10 | - endpointSelector: &self 11 | matchLabels: 12 | app.kubernetes.io/name: miniflux 13 | ingress: 14 | - fromEndpoints: 15 | - matchLabels: 16 | k8s:io.kubernetes.pod.namespace: ingress-nginx 17 | toPorts: 18 | - ports: 19 | - protocol: TCP 20 | port: "8080" 21 | # egress: kube-dns (53), the miniflux-postgres CNPG cluster (5432), and any world endpoint on 443 (OIDC provider and rss sites); the rest is left to the namespace default policy 22 | - endpointSelector: *self 23 | egress: 24 | - toEndpoints: 25 | - matchLabels: 26 | k8s:io.kubernetes.pod.namespace: kube-system 27 | k8s-app: kube-dns 28 | toPorts: 29 | - ports: 30 | - protocol: ANY 31 | port: "53" 32 | rules: 33 | dns: 34 | - matchPattern: "*" # any name may be resolved, presumably because feed hosts are unbounded; that is also why the world rule below cannot be narrowed to toFQDNs 35 | - toEndpoints: 36 | - matchLabels: 37 | cnpg.io/cluster: miniflux-postgres 38 | toPorts: 39 | - ports: 40 | - protocol: TCP 41 | port: "5432" 42 | - toEntities: ["world"] # widest rule in this policy: any non-cluster destination, but only on 443/TCP 43 | toPorts: 44 | - ports: 45 | - protocol: TCP 46 | port: "443" 47 | -------------------------------------------------------------------------------- /kubernetes/miniflux/app/repo.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | namespace: miniflux 7 | name: bjw-s 8 | spec: 9 | url: https://bjw-s.github.io/helm-charts 10 | interval: 24h 11 | -------------------------------------------------------------------------------- /kubernetes/miniflux/app/secret.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: miniflux 7 | name: &name miniflux-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /kubernetes/miniflux/miniflux 15 | jmesPath: 16 | - path: DATABASE_URL 17 | objectAlias: DATABASE_URL 18 | - path: ADMIN_USERNAME 19 | objectAlias: ADMIN_USERNAME 20 | - path: ADMIN_PASSWORD 21 | objectAlias: ADMIN_PASSWORD 22 | - path: OAUTH2_CLIENT_ID 23 | objectAlias: OAUTH2_CLIENT_ID 24 | - path: OAUTH2_CLIENT_SECRET 25 | objectAlias: OAUTH2_CLIENT_SECRET 26 | secretObjects: 27 | - secretName: *name 28 | type: Opaque 29 | data: 30 | - key: DATABASE_URL 31 | objectName: DATABASE_URL 32 | - key: ADMIN_USERNAME 33 | objectName: ADMIN_USERNAME 34 | - key: ADMIN_PASSWORD 35 | objectName: ADMIN_PASSWORD 36 | - key: OAUTH2_CLIENT_ID 37 | objectName: OAUTH2_CLIENT_ID 38 | - key: OAUTH2_CLIENT_SECRET 39 | objectName: OAUTH2_CLIENT_SECRET 40 | -------------------------------------------------------------------------------- /kubernetes/miniflux/base/netpol.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json 3 | apiVersion: cilium.io/v2 4 | kind: CiliumNetworkPolicy 5 | metadata: 6 | namespace: miniflux 7 | name: miniflux-default-policy 8 | specs: 9 | - endpointSelector: 10 | matchLabels: {} 11 | ingress: 12 | - {} 13 | egress: 14 | - {} 15 | -------------------------------------------------------------------------------- /kubernetes/miniflux/base/ns.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: miniflux 7 | labels: 8 | pod-security.kubernetes.io/enforce: restricted 9 | pod-security.kubernetes.io/audit: restricted 10 | pod-security.kubernetes.io/warn: restricted 11 | -------------------------------------------------------------------------------- /kubernetes/miniflux/deps/postgres-secret-holder-sa.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/serviceaccount-v1.json 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | namespace: miniflux 7 | name: miniflux-postgres-secret-holder 8 | annotations: 9 | eks.amazonaws.com/audience: sts.amazonaws.com 10 | eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-miniflux-postgres-secret-holder 11 | -------------------------------------------------------------------------------- /kubernetes/miniflux/deps/postgres-secret-holder.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/deployment-apps-v1.json 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | namespace: miniflux 7 | name: &n miniflux-postgres-secret-holder 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: *n 13 | template: 14 | metadata: 15 | labels: 16 | app: *n 17 | spec: 18 | serviceAccount: *n 19 | volumes: 20 | - name: &s miniflux-postgres-secret 21 | csi: 22 | driver: secrets-store.csi.k8s.io 23 | readOnly: true 24 | volumeAttributes: 25 | secretProviderClass: *s 26 | 
containers: 27 | - name: *n 28 | image: busybox:latest # NOTE(review): mutable tag; pin to a digest so this long-lived pod's image cannot change between restarts (same applies to the immich-backup and immich-postgres secret-holders) 29 | command: ["sleep", "infinity"] # does nothing but keep the CSI volume mounted, presumably so the driver materialises the secretObjects Secret — confirm 30 | volumeMounts: 31 | - name: *s 32 | mountPath: /secret 33 | readOnly: true 34 | securityContext: 35 | runAsNonRoot: true 36 | runAsUser: 65534 37 | runAsGroup: 65534 38 | allowPrivilegeEscalation: false 39 | readOnlyRootFilesystem: true 40 | capabilities: 41 | drop: ["ALL"] 42 | seccompProfile: 43 | type: RuntimeDefault 44 | resources: {} 45 | -------------------------------------------------------------------------------- /kubernetes/miniflux/deps/postgres-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: miniflux 7 | name: &name miniflux-postgres-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /kubernetes/miniflux/miniflux-postgres 15 | jmesPath: 16 | - path: POSTGRES_BOOSTRAP_USERNAME 17 | objectAlias: POSTGRES_BOOSTRAP_USERNAME 18 | - path: POSTGRES_BOOSTRAP_PASSWORD 19 | objectAlias: POSTGRES_BOOSTRAP_PASSWORD 20 | - path: POSTGRES_B2_ACCESS_KEY_ID 21 | objectAlias: POSTGRES_B2_ACCESS_KEY_ID 22 | - path: POSTGRES_B2_ACCESS_SECRET_KEY 23 | objectAlias: POSTGRES_B2_ACCESS_SECRET_KEY 24 | secretObjects: # the mounted objects are also synced into a Kubernetes Secret of the same name; the bootstrap credentials are exposed under the generic keys username/password 25 | - secretName: *name 26 | type: Opaque 27 | data: 28 | - key: username 29 | objectName: POSTGRES_BOOSTRAP_USERNAME 30 | - key: password 31 | objectName: POSTGRES_BOOSTRAP_PASSWORD 32 | - key: POSTGRES_B2_ACCESS_KEY_ID 33 | objectName: POSTGRES_B2_ACCESS_KEY_ID 34 | - key: POSTGRES_B2_ACCESS_SECRET_KEY 35 | objectName: POSTGRES_B2_ACCESS_SECRET_KEY 36 | -------------------------------------------------------------------------------- 
/kubernetes/miniflux/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - base/ns.yaml 7 | - base/netpol.yaml 8 | - app/repo.yaml 9 | - app/release.yaml 10 | - app/secret.yaml 11 | - app/netpol.yaml 12 | - deps/netpol.yaml 13 | - deps/postgres-secret-holder-sa.yaml 14 | - deps/postgres-secret-holder.yaml 15 | - deps/postgres-secret.yaml 16 | - deps/postgres.yaml 17 | -------------------------------------------------------------------------------- /kubernetes/miniflux/maintain/postgres-restore.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/postgresql.cnpg.io/cluster_v1.json 3 | apiVersion: postgresql.cnpg.io/v1 4 | kind: Cluster 5 | metadata: 6 | namespace: miniflux 7 | name: &name miniflux-postgres 8 | spec: 9 | imageName: ghcr.io/cloudnative-pg/postgresql:15.6 10 | instances: 2 11 | storage: 12 | pvcTemplate: 13 | storageClassName: fs-fast 14 | resources: 15 | requests: 16 | storage: 10Gi 17 | accessModes: ["ReadWriteOnce"] 18 | bootstrap: 19 | recovery: 20 | source: clusterBackup 21 | recoveryTarget: 22 | ## timezone should be in UTC 23 | ## or barman-cloud-wal-restore will return "invalid value for parameter" 24 | # targetTime: "2024-02-14 10:00:00.00000+00" 25 | {} 26 | externalClusters: 27 | - name: clusterBackup 28 | barmanObjectStore: 29 | endpointURL: https://s3.us-east-005.backblazeb2.com 30 | destinationPath: s3://homelab-amethyst-miniflux/ 31 | serverName: *name 32 | s3Credentials: 33 | accessKeyId: 34 | name: miniflux-postgres-secret 35 | key: POSTGRES_B2_ACCESS_KEY_ID 36 | secretAccessKey: 37 | name: miniflux-postgres-secret 38 | key: POSTGRES_B2_ACCESS_SECRET_KEY 
39 | wal: 40 | maxParallel: 8 41 | -------------------------------------------------------------------------------- /kubernetes/mydata/base/helmrepo.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | namespace: mydata 7 | name: bjw-s 8 | spec: 9 | url: https://bjw-s.github.io/helm-charts 10 | interval: 24h 11 | -------------------------------------------------------------------------------- /kubernetes/mydata/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - namespace.yaml 7 | - netpol.yaml 8 | - helmrepo.yaml 9 | -------------------------------------------------------------------------------- /kubernetes/mydata/base/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: mydata 7 | labels: 8 | pod-security.kubernetes.io/enforce: restricted 9 | pod-security.kubernetes.io/audit: restricted 10 | pod-security.kubernetes.io/warn: restricted 11 | -------------------------------------------------------------------------------- /kubernetes/mydata/base/netpol.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json 3 | 
apiVersion: cilium.io/v2 4 | kind: CiliumNetworkPolicy 5 | metadata: 6 | namespace: mydata 7 | name: mydata-default-policy 8 | specs: 9 | - endpointSelector: 10 | matchLabels: {} # every endpoint in the namespace 11 | ingress: 12 | - {} # empty rule = default-deny ingress; other policies in the namespace allow-list what they need 13 | egress: 14 | - {} # empty rule = default-deny egress 15 | --- 16 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json 17 | apiVersion: cilium.io/v2 18 | kind: CiliumNetworkPolicy 19 | metadata: 20 | namespace: mydata 21 | name: mydata-backup-policy 22 | specs: 23 | - endpointSelector: 24 | matchLabels: 25 | app.kubernetes.io/created-by: volsync # volsync mover pods only 26 | egress: 27 | - toEndpoints: 28 | - matchLabels: 29 | k8s:io.kubernetes.pod.namespace: kube-system 30 | k8s-app: kube-dns 31 | toPorts: 32 | - ports: 33 | - protocol: ANY 34 | port: "53" 35 | rules: 36 | dns: &b2 # DNS is limited to the B2 endpoint, and the same anchor drives the toFQDNs rule below, so the two stay in sync 37 | - matchPattern: s3.us-east-005.backblazeb2.com 38 | - toFQDNs: *b2 39 | toPorts: 40 | - ports: 41 | - protocol: TCP 42 | port: "443" 43 | -------------------------------------------------------------------------------- /kubernetes/mydata/immich/app/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/persistentvolumeclaim-v1.json 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | namespace: mydata 7 | name: immich-data 8 | spec: 9 | storageClassName: fs-fast 10 | resources: 11 | requests: 12 | storage: 100Gi 13 | accessModes: 14 | - ReadWriteMany 15 | -------------------------------------------------------------------------------- /kubernetes/mydata/immich/app/secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: 
secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: mydata 7 | name: &name immich-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /amethyst/immich 15 | jmesPath: 16 | - path: DB_URL 17 | objectAlias: DB_URL 18 | - path: REDIS_USERNAME 19 | objectAlias: REDIS_USERNAME 20 | - path: REDIS_PASSWORD 21 | objectAlias: REDIS_PASSWORD 22 | 23 | secretObjects: 24 | - secretName: *name 25 | type: Opaque 26 | data: 27 | - key: DB_URL 28 | objectName: DB_URL 29 | - key: REDIS_USERNAME 30 | objectName: REDIS_USERNAME 31 | - key: REDIS_PASSWORD 32 | objectName: REDIS_PASSWORD 33 | -------------------------------------------------------------------------------- /kubernetes/mydata/immich/backup/backup.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationSource 4 | metadata: 5 | namespace: mydata 6 | name: immich-backup 7 | spec: 8 | sourcePVC: immich-data 9 | trigger: 10 | schedule: "0 0/12 * * *" 11 | restic: 12 | pruneIntervalDays: 14 13 | repository: immich-backup-secret 14 | retain: 15 | daily: 5 16 | weekly: 4 17 | monthly: 3 18 | copyMethod: Snapshot 19 | volumeSnapshotClassName: rook-ceph-fs 20 | storageClassName: fs-fast-ec 21 | accessModes: ["ReadWriteOnce"] 22 | cacheStorageClassName: rbd-fast-ec 23 | cacheAccessModes: ["ReadWriteOnce"] 24 | cacheCapacity: 1Gi 25 | moverSecurityContext: 26 | runAsNonRoot: true 27 | runAsUser: 65534 28 | runAsGroup: 65534 29 | fsGroup: 65534 30 | seccompProfile: 31 | type: RuntimeDefault 32 | -------------------------------------------------------------------------------- /kubernetes/mydata/immich/backup/secret-hoder-sa.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/serviceaccount-v1.json 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | namespace: mydata 7 | name: immich-backup-secret-holder 8 | annotations: 9 | eks.amazonaws.com/audience: sts.amazonaws.com 10 | eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-immich-backup-secret-holder 11 | -------------------------------------------------------------------------------- /kubernetes/mydata/immich/backup/secret-holder.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/deployment-apps-v1.json 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | namespace: mydata 7 | name: &n immich-backup-secret-holder 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: *n 13 | template: 14 | metadata: 15 | labels: 16 | app: *n 17 | spec: 18 | serviceAccount: *n 19 | volumes: 20 | - name: &s immich-backup-secret 21 | csi: 22 | driver: secrets-store.csi.k8s.io 23 | readOnly: true 24 | volumeAttributes: 25 | secretProviderClass: *s 26 | containers: 27 | - name: *n 28 | image: busybox:latest 29 | command: ["sleep", "infinity"] 30 | volumeMounts: 31 | - name: *s 32 | mountPath: /immich-backup-secret 33 | readOnly: true 34 | securityContext: 35 | runAsNonRoot: true 36 | runAsUser: 65534 37 | runAsGroup: 65534 38 | allowPrivilegeEscalation: false 39 | readOnlyRootFilesystem: true 40 | capabilities: 41 | drop: ["ALL"] 42 | seccompProfile: 43 | type: RuntimeDefault 44 | resources: {} 45 | -------------------------------------------------------------------------------- /kubernetes/mydata/immich/backup/secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: mydata 7 | name: &name immich-backup-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /amethyst/immich-backup 15 | jmesPath: 16 | - path: RESTIC_REPOSITORY 17 | objectAlias: RESTIC_REPOSITORY 18 | - path: AWS_ACCESS_KEY_ID 19 | objectAlias: AWS_ACCESS_KEY_ID 20 | - path: AWS_SECRET_ACCESS_KEY 21 | objectAlias: AWS_SECRET_ACCESS_KEY 22 | - path: RESTIC_PASSWORD 23 | objectAlias: RESTIC_PASSWORD 24 | secretObjects: 25 | - secretName: *name 26 | type: Opaque 27 | data: 28 | - key: RESTIC_REPOSITORY 29 | objectName: RESTIC_REPOSITORY 30 | - key: AWS_ACCESS_KEY_ID 31 | objectName: AWS_ACCESS_KEY_ID 32 | - key: AWS_SECRET_ACCESS_KEY 33 | objectName: AWS_SECRET_ACCESS_KEY 34 | - key: RESTIC_PASSWORD 35 | objectName: RESTIC_PASSWORD 36 | -------------------------------------------------------------------------------- /kubernetes/mydata/immich/deps/postgres-secret-holder-sa.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/serviceaccount-v1.json 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | namespace: mydata 7 | name: immich-postgres-secret-holder 8 | annotations: 9 | eks.amazonaws.com/audience: sts.amazonaws.com 10 | eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-immich-postgres-secret-holder 11 | -------------------------------------------------------------------------------- /kubernetes/mydata/immich/deps/postgres-secret-holder.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # 
yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/deployment-apps-v1.json 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | namespace: mydata 7 | name: &n immich-postgres-secret-holder 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: *n 13 | template: 14 | metadata: 15 | labels: 16 | app: *n 17 | spec: 18 | serviceAccount: *n 19 | volumes: 20 | - name: &s immich-postgres-secret 21 | csi: 22 | driver: secrets-store.csi.k8s.io 23 | readOnly: true 24 | volumeAttributes: 25 | secretProviderClass: *s 26 | containers: 27 | - name: *n 28 | image: busybox:latest 29 | command: ["sleep", "infinity"] 30 | volumeMounts: 31 | - name: *s 32 | mountPath: /immich-postgres-secret 33 | readOnly: true 34 | securityContext: 35 | runAsNonRoot: true 36 | runAsUser: 65534 37 | runAsGroup: 65534 38 | allowPrivilegeEscalation: false 39 | readOnlyRootFilesystem: true 40 | capabilities: 41 | drop: ["ALL"] 42 | seccompProfile: 43 | type: RuntimeDefault 44 | resources: {} 45 | -------------------------------------------------------------------------------- /kubernetes/mydata/immich/deps/postgres-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: mydata 7 | name: &name immich-postgres-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /amethyst/immich-postgres 15 | jmesPath: 16 | - path: POSTGRES_BOOSTRAP_USERNAME 17 | objectAlias: POSTGRES_BOOSTRAP_USERNAME 18 | - path: POSTGRES_BOOSTRAP_PASSWORD 19 | objectAlias: POSTGRES_BOOSTRAP_PASSWORD 20 | - path: POSTGRES_B2_ACCESS_KEY_ID 21 | 
objectAlias: POSTGRES_B2_ACCESS_KEY_ID 22 | - path: POSTGRES_B2_ACCESS_SECRET_KEY 23 | objectAlias: POSTGRES_B2_ACCESS_SECRET_KEY 24 | secretObjects: 25 | - secretName: *name 26 | type: Opaque 27 | data: 28 | - key: username 29 | objectName: POSTGRES_BOOSTRAP_USERNAME 30 | - key: password 31 | objectName: POSTGRES_BOOSTRAP_PASSWORD 32 | - key: POSTGRES_B2_ACCESS_KEY_ID 33 | objectName: POSTGRES_B2_ACCESS_KEY_ID 34 | - key: POSTGRES_B2_ACCESS_SECRET_KEY 35 | objectName: POSTGRES_B2_ACCESS_SECRET_KEY 36 | -------------------------------------------------------------------------------- /kubernetes/mydata/immich/deps/valkey-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: mydata 7 | name: immich-valkey-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /amethyst/immich-valkey 15 | objectAlias: users.acl 16 | -------------------------------------------------------------------------------- /kubernetes/mydata/immich/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ../base 7 | - app/release.yaml 8 | - app/pvc.yaml 9 | - app/secret.yaml 10 | - app/netpol.yaml 11 | - deps/valkey-secret.yaml 12 | - deps/valkey.yaml 13 | - deps/postgres-secret.yaml 14 | - deps/postgres.yaml 15 | - deps/netpol.yaml 16 | - backup/backup.yaml 17 | - backup/secret-hoder-sa.yaml 18 | - backup/secret-holder.yaml 19 | - backup/secret.yaml 20 | 
-------------------------------------------------------------------------------- /kubernetes/mydata/immich/maintain/data-manual-backup.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationSource 4 | metadata: 5 | # namespace: mydata 6 | # name: immich-data-manual-backup 7 | {} 8 | spec: 9 | sourcePVC: immich-data 10 | trigger: 11 | # manual: immich-data-manual-backup 12 | {} 13 | restic: 14 | pruneIntervalDays: 14 15 | repository: immich-backup-secret 16 | retain: 17 | daily: 5 18 | weekly: 4 19 | monthly: 3 20 | copyMethod: Snapshot 21 | volumeSnapshotClassName: rook-ceph-fs 22 | storageClassName: fs-fast-ec 23 | accessModes: ["ReadWriteOnce"] 24 | cacheStorageClassName: rbd-fast-ec 25 | cacheAccessModes: ["ReadWriteOnce"] 26 | cacheCapacity: 1Gi 27 | moverSecurityContext: 28 | runAsNonRoot: true 29 | runAsUser: 65534 30 | runAsGroup: 65534 31 | fsGroup: 65534 32 | seccompProfile: 33 | type: RuntimeDefault 34 | -------------------------------------------------------------------------------- /kubernetes/mydata/immich/maintain/data-manual-restore.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationDestination 4 | metadata: 5 | # namespace: mydata 6 | # name: immich-data-manual-restore 7 | {} 8 | spec: 9 | trigger: 10 | # manual: immich-data-manual-restore 11 | {} 12 | restic: 13 | repository: immich-backup-secret 14 | # previous: 0 15 | # restoreAsOf: 2024-02-14T08:52:28+08:00 16 | copyMethod: Direct 17 | destinationPVC: immich-data 18 | cacheStorageClassName: rbd-fast-delete 19 | cacheCapacity: 1Gi 20 | cacheAccessModes: ["ReadWriteOnce"] 21 | moverSecurityContext: 22 | runAsNonRoot: true 23 | runAsUser: 65534 24 | runAsGroup: 65534 25 | fsGroup: 65534 26 | seccompProfile: 27 | type: RuntimeDefault 28 | 
-------------------------------------------------------------------------------- /kubernetes/mydata/immich/maintain/postgres-restore.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/postgresql.cnpg.io/cluster_v1.json 3 | apiVersion: postgresql.cnpg.io/v1 4 | kind: Cluster 5 | metadata: 6 | namespace: mydata 7 | name: &name immich-postgres 8 | spec: 9 | imageName: ghcr.io/cloudnative-pg/postgresql:15.6 10 | instances: 2 11 | storage: 12 | pvcTemplate: 13 | storageClassName: fs-fast 14 | resources: 15 | requests: 16 | storage: 5Gi 17 | accessModes: ["ReadWriteOnce"] 18 | bootstrap: 19 | recovery: 20 | source: clusterBackup 21 | recoveryTarget: 22 | ## timezone should be in +00:00 23 | ## or barman-cloud-wal-restore will return "invalid value for parameter" 24 | # targetTime: "2024-02-14 10:00:00.00000+00" 25 | {} 26 | externalClusters: 27 | - name: clusterBackup 28 | barmanObjectStore: 29 | endpointURL: https://s3.us-east-005.backblazeb2.com 30 | destinationPath: s3://homelab-amethyst-immich/ 31 | serverName: *name 32 | s3Credentials: 33 | accessKeyId: 34 | name: immich-postgres-secret 35 | key: POSTGRES_B2_ACCESS_KEY_ID 36 | secretAccessKey: 37 | name: immich-postgres-secret 38 | key: POSTGRES_B2_ACCESS_SECRET_KEY 39 | wal: 40 | maxParallel: 8 41 | -------------------------------------------------------------------------------- /kubernetes/mydata/navidrome/app/data-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/persistentvolumeclaim-v1.json 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | namespace: mydata 7 | name: navidrome-data 8 | spec: 9 | storageClassName: fs-fast 10 | resources: 11 | requests: 12 | storage: 
50Gi 13 | accessModes: 14 | - ReadWriteMany 15 | -------------------------------------------------------------------------------- /kubernetes/mydata/navidrome/app/db-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/persistentvolumeclaim-v1.json 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | namespace: mydata 7 | name: navidrome-db 8 | spec: 9 | storageClassName: fs-fast 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | accessModes: 14 | - ReadWriteOnce 15 | -------------------------------------------------------------------------------- /kubernetes/mydata/navidrome/app/netpol.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json 3 | apiVersion: cilium.io/v2 4 | kind: CiliumNetworkPolicy 5 | metadata: 6 | namespace: mydata 7 | name: navidrome-policy 8 | specs: 9 | # navidrome connection from ingress-nginx 10 | - endpointSelector: 11 | matchLabels: 12 | app.kubernetes.io/name: navidrome 13 | ingress: 14 | - fromEndpoints: 15 | - matchLabels: 16 | k8s:io.kubernetes.pod.namespace: ingress-nginx 17 | app.kubernetes.io/name: ingress-nginx 18 | toPorts: 19 | - ports: 20 | - protocol: TCP 21 | port: "4533" 22 | -------------------------------------------------------------------------------- /kubernetes/mydata/navidrome/backup/data-backup.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationSource 4 | metadata: 5 | namespace: mydata 6 | name: navidrome-data-backup 7 | spec: 8 | sourcePVC: navidrome-data 9 | trigger: 10 | schedule: "0 0/12 * * *" 11 | restic: 12 | pruneIntervalDays: 14 13 | 
repository: navidrome-data-backup-secret 14 | retain: 15 | daily: 5 16 | weekly: 4 17 | monthly: 3 18 | copyMethod: Snapshot 19 | volumeSnapshotClassName: rook-ceph-fs 20 | storageClassName: fs-fast-ec 21 | accessModes: ["ReadWriteOnce"] 22 | cacheStorageClassName: rbd-fast-ec 23 | cacheAccessModes: ["ReadWriteOnce"] 24 | cacheCapacity: 1Gi 25 | moverSecurityContext: 26 | runAsNonRoot: true 27 | runAsUser: 65534 28 | runAsGroup: 65534 29 | fsGroup: 65534 30 | seccompProfile: 31 | type: RuntimeDefault 32 | -------------------------------------------------------------------------------- /kubernetes/mydata/navidrome/backup/data-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: mydata 7 | name: &name navidrome-data-backup-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /amethyst/navidrome-backup 15 | jmesPath: 16 | - path: RESTIC_REPOSITORY_DATA 17 | objectAlias: RESTIC_REPOSITORY_DATA 18 | - path: AWS_ACCESS_KEY_ID 19 | objectAlias: AWS_ACCESS_KEY_ID 20 | - path: AWS_SECRET_ACCESS_KEY 21 | objectAlias: AWS_SECRET_ACCESS_KEY 22 | - path: RESTIC_PASSWORD 23 | objectAlias: RESTIC_PASSWORD 24 | secretObjects: 25 | - secretName: *name 26 | type: Opaque 27 | data: 28 | - key: RESTIC_REPOSITORY 29 | objectName: RESTIC_REPOSITORY_DATA 30 | - key: AWS_ACCESS_KEY_ID 31 | objectName: AWS_ACCESS_KEY_ID 32 | - key: AWS_SECRET_ACCESS_KEY 33 | objectName: AWS_SECRET_ACCESS_KEY 34 | - key: RESTIC_PASSWORD 35 | objectName: RESTIC_PASSWORD 36 | -------------------------------------------------------------------------------- /kubernetes/mydata/navidrome/backup/db-backup.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationSource 4 | metadata: 5 | namespace: mydata 6 | name: navidrome-db-backup 7 | spec: 8 | sourcePVC: navidrome-db 9 | trigger: 10 | schedule: "0 0/12 * * *" 11 | restic: 12 | pruneIntervalDays: 14 13 | repository: navidrome-db-backup-secret 14 | retain: 15 | daily: 5 16 | weekly: 4 17 | monthly: 3 18 | copyMethod: Snapshot 19 | # volume created from snapshot 20 | volumeSnapshotClassName: rook-ceph-fs 21 | storageClassName: fs-fast-ec 22 | accessModes: ["ReadWriteOnce"] 23 | cacheStorageClassName: rbd-fast-ec 24 | cacheAccessModes: ["ReadWriteOnce"] 25 | cacheCapacity: 1Gi 26 | moverSecurityContext: 27 | runAsNonRoot: true 28 | runAsUser: 65534 29 | runAsGroup: 65534 30 | fsGroup: 65534 31 | seccompProfile: 32 | type: RuntimeDefault 33 | -------------------------------------------------------------------------------- /kubernetes/mydata/navidrome/backup/db-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: mydata 7 | name: &name navidrome-db-backup-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /amethyst/navidrome-backup 15 | jmesPath: 16 | - path: RESTIC_REPOSITORY_DB 17 | objectAlias: RESTIC_REPOSITORY_DB 18 | - path: AWS_ACCESS_KEY_ID 19 | objectAlias: AWS_ACCESS_KEY_ID 20 | - path: AWS_SECRET_ACCESS_KEY 21 | objectAlias: AWS_SECRET_ACCESS_KEY 22 | - path: RESTIC_PASSWORD 23 | objectAlias: RESTIC_PASSWORD 24 | secretObjects: 25 | - secretName: *name 26 | type: Opaque 27 | data: 28 | - key: RESTIC_REPOSITORY 29 | 
objectName: RESTIC_REPOSITORY_DB 30 | - key: AWS_ACCESS_KEY_ID 31 | objectName: AWS_ACCESS_KEY_ID 32 | - key: AWS_SECRET_ACCESS_KEY 33 | objectName: AWS_SECRET_ACCESS_KEY 34 | - key: RESTIC_PASSWORD 35 | objectName: RESTIC_PASSWORD 36 | -------------------------------------------------------------------------------- /kubernetes/mydata/navidrome/backup/secret-holder-sa.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/serviceaccount-v1.json 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | namespace: mydata 7 | name: navidrome-backup-secret-holder 8 | annotations: 9 | eks.amazonaws.com/audience: sts.amazonaws.com 10 | eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-navidrome-backup-secret-holder 11 | -------------------------------------------------------------------------------- /kubernetes/mydata/navidrome/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ../base 7 | - app/release.yaml 8 | - app/netpol.yaml 9 | - app/data-pvc.yaml 10 | - app/db-pvc.yaml 11 | - backup/data-backup.yaml 12 | - backup/data-secret.yaml 13 | - backup/db-backup.yaml 14 | - backup/db-secret.yaml 15 | - backup/secret-holder-sa.yaml 16 | - backup/secret-holder.yaml 17 | -------------------------------------------------------------------------------- /kubernetes/mydata/navidrome/maintain/data-manual-backup.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationSource 4 | metadata: 5 | # namespace: mydata 6 | # name: navidrome-data-manual-backup 7 | {} 8 | 
spec: 9 | sourcePVC: navidrome-data 10 | trigger: 11 | # manual: navidrome-data-manual-backup 12 | {} 13 | restic: 14 | pruneIntervalDays: 14 15 | repository: navidrome-data-backup-secret 16 | retain: 17 | daily: 5 18 | weekly: 4 19 | monthly: 3 20 | copyMethod: Snapshot 21 | volumeSnapshotClassName: rook-ceph-fs 22 | storageClassName: fs-fast-ec 23 | accessModes: ["ReadWriteOnce"] 24 | cacheStorageClassName: rbd-fast-ec 25 | cacheAccessModes: ["ReadWriteOnce"] 26 | cacheCapacity: 1Gi 27 | moverSecurityContext: 28 | runAsNonRoot: true 29 | runAsUser: 65534 30 | runAsGroup: 65534 31 | fsGroup: 65534 32 | seccompProfile: 33 | type: RuntimeDefault 34 | -------------------------------------------------------------------------------- /kubernetes/mydata/navidrome/maintain/data-manual-restore.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationDestination 4 | metadata: 5 | # namespace: mydata 6 | # name: navidrome-data-manual-restore 7 | {} 8 | spec: 9 | trigger: 10 | # manual: navidrome-data-manual-restore 11 | {} 12 | restic: 13 | repository: navidrome-data-backup-secret 14 | previous: 0 15 | # restoreAsOf: 2024-02-14T18:00:24+08:00 16 | copyMethod: Direct 17 | destinationPVC: navidrome-data 18 | cacheStorageClassName: rbd-fast-delete 19 | cacheCapacity: 1Gi 20 | cacheAccessModes: ["ReadWriteOnce"] 21 | moverSecurityContext: 22 | runAsNonRoot: true 23 | runAsUser: 65534 24 | runAsGroup: 65534 25 | fsGroup: 65534 26 | seccompProfile: 27 | type: RuntimeDefault 28 | -------------------------------------------------------------------------------- /kubernetes/mydata/navidrome/maintain/db-manual-backup.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationSource 4 | metadata: 5 | # namespace: mydata 6 | # name: navidrome-db-manual-backup 7 | {} 8 | spec: 9 | 
sourcePVC: navidrome-db 10 | trigger: 11 | # manual: navidrome-db-manual-backup 12 | {} 13 | restic: 14 | pruneIntervalDays: 14 15 | repository: navidrome-db-backup-secret 16 | retain: 17 | daily: 5 18 | weekly: 4 19 | monthly: 3 20 | copyMethod: Snapshot 21 | # volume created from snapshot 22 | volumeSnapshotClassName: rook-ceph-fs 23 | storageClassName: fs-fast-ec 24 | accessModes: ["ReadWriteOnce"] 25 | cacheStorageClassName: rbd-fast-ec 26 | cacheAccessModes: ["ReadWriteOnce"] 27 | cacheCapacity: 1Gi 28 | moverSecurityContext: 29 | runAsNonRoot: true 30 | runAsUser: 65534 31 | runAsGroup: 65534 32 | fsGroup: 65534 33 | seccompProfile: 34 | type: RuntimeDefault 35 | -------------------------------------------------------------------------------- /kubernetes/mydata/navidrome/maintain/db-manual-restore.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationDestination 4 | metadata: 5 | # namespace: mydata 6 | # name: navidrome-db-manual-restore 7 | {} 8 | spec: 9 | trigger: 10 | # manual: navidrome-db-manual-restore 11 | {} 12 | restic: 13 | repository: navidrome-db-backup-secret 14 | previous: 0 15 | # restoreAsOf: 2024-02-14T18:00:24+08:00 16 | copyMethod: Direct 17 | destinationPVC: navidrome-db 18 | cacheStorageClassName: rbd-fast-delete 19 | cacheCapacity: 1Gi 20 | cacheAccessModes: ["ReadWriteOnce"] 21 | moverSecurityContext: 22 | runAsNonRoot: true 23 | runAsUser: 65534 24 | runAsGroup: 65534 25 | fsGroup: 65534 26 | seccompProfile: 27 | type: RuntimeDefault 28 | -------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/app/data-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/persistentvolumeclaim-v1.json 3 | apiVersion: v1 4 | 
kind: PersistentVolumeClaim 5 | metadata: 6 | namespace: mydata 7 | name: nextcloud-data 8 | spec: 9 | storageClassName: fs-fast 10 | resources: 11 | requests: 12 | storage: 500Gi 13 | accessModes: 14 | - ReadWriteMany 15 | -------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/app/install-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/persistentvolumeclaim-v1.json 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | namespace: mydata 7 | name: nextcloud-install 8 | spec: 9 | storageClassName: fs-fast 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | accessModes: 14 | - ReadWriteMany 15 | -------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/backup/data-backup.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationSource 4 | metadata: 5 | namespace: mydata 6 | name: nextcloud-data-backup 7 | spec: 8 | sourcePVC: nextcloud-data 9 | trigger: 10 | schedule: "0 0 * * *" 11 | restic: 12 | pruneIntervalDays: 14 13 | repository: nextcloud-data-backup-secret 14 | retain: 15 | daily: 5 16 | weekly: 4 17 | copyMethod: Snapshot 18 | volumeSnapshotClassName: rook-ceph-fs 19 | storageClassName: fs-fast-ec 20 | accessModes: ["ReadWriteOnce"] 21 | cacheStorageClassName: rbd-fast-ec 22 | cacheAccessModes: ["ReadWriteOnce"] 23 | cacheCapacity: 20Gi 24 | moverSecurityContext: 25 | runAsNonRoot: true 26 | runAsUser: 65534 27 | runAsGroup: 65534 28 | fsGroup: 65534 29 | seccompProfile: 30 | type: RuntimeDefault 31 | -------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/backup/data-secret.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: mydata 7 | name: &name nextcloud-data-backup-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /amethyst/nextcloud-backup 15 | jmesPath: 16 | - path: RESTIC_REPOSITORY_DATA 17 | objectAlias: RESTIC_REPOSITORY_DATA 18 | - path: AWS_ACCESS_KEY_ID 19 | objectAlias: AWS_ACCESS_KEY_ID 20 | - path: AWS_SECRET_ACCESS_KEY 21 | objectAlias: AWS_SECRET_ACCESS_KEY 22 | - path: RESTIC_PASSWORD 23 | objectAlias: RESTIC_PASSWORD 24 | secretObjects: 25 | - secretName: *name 26 | type: Opaque 27 | data: 28 | - key: RESTIC_REPOSITORY 29 | objectName: RESTIC_REPOSITORY_DATA 30 | - key: AWS_ACCESS_KEY_ID 31 | objectName: AWS_ACCESS_KEY_ID 32 | - key: AWS_SECRET_ACCESS_KEY 33 | objectName: AWS_SECRET_ACCESS_KEY 34 | - key: RESTIC_PASSWORD 35 | objectName: RESTIC_PASSWORD 36 | -------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/backup/install-backup.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationSource 4 | metadata: 5 | namespace: mydata 6 | name: nextcloud-install-backup 7 | spec: 8 | sourcePVC: nextcloud-install 9 | trigger: 10 | schedule: "0 0 * * *" 11 | restic: 12 | pruneIntervalDays: 14 13 | repository: nextcloud-install-backup-secret 14 | retain: 15 | daily: 5 16 | weekly: 4 17 | copyMethod: Snapshot 18 | volumeSnapshotClassName: rook-ceph-fs 19 | storageClassName: fs-fast-ec 20 | accessModes: ["ReadWriteOnce"] 21 | cacheStorageClassName: rbd-fast-ec 22 | cacheAccessModes: 
["ReadWriteOnce"] 23 | cacheCapacity: 1Gi 24 | moverSecurityContext: 25 | runAsNonRoot: true 26 | runAsUser: 65534 27 | runAsGroup: 65534 28 | fsGroup: 65534 29 | seccompProfile: 30 | type: RuntimeDefault 31 | -------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/backup/install-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: mydata 7 | name: &name nextcloud-install-backup-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /amethyst/nextcloud-backup 15 | jmesPath: 16 | - path: RESTIC_REPOSITORY_INSTALL 17 | objectAlias: RESTIC_REPOSITORY_INSTALL 18 | - path: AWS_ACCESS_KEY_ID 19 | objectAlias: AWS_ACCESS_KEY_ID 20 | - path: AWS_SECRET_ACCESS_KEY 21 | objectAlias: AWS_SECRET_ACCESS_KEY 22 | - path: RESTIC_PASSWORD 23 | objectAlias: RESTIC_PASSWORD 24 | secretObjects: 25 | - secretName: *name 26 | type: Opaque 27 | data: 28 | - key: RESTIC_REPOSITORY 29 | objectName: RESTIC_REPOSITORY_INSTALL 30 | - key: AWS_ACCESS_KEY_ID 31 | objectName: AWS_ACCESS_KEY_ID 32 | - key: AWS_SECRET_ACCESS_KEY 33 | objectName: AWS_SECRET_ACCESS_KEY 34 | - key: RESTIC_PASSWORD 35 | objectName: RESTIC_PASSWORD 36 | -------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/backup/secret-holder-sa.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/serviceaccount-v1.json 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | 
metadata:
6 |   namespace: mydata
7 |   name: nextcloud-backup-secret-holder
8 |   annotations:
    # IRSA-style annotations on a non-EKS cluster: presumably honoured by the
    # aws-identity-webhook deployed elsewhere in this repo, which projects a
    # web-identity token for the SSM reads — confirm, and check the role's
    # trust policy is scoped to exactly this namespace/ServiceAccount.
9 |     eks.amazonaws.com/audience: sts.amazonaws.com
10 |     eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-nextcloud-backup-secret-holder
11 |
-------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/deps/postgres-sa.yaml: --------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/serviceaccount-v1.json
3 | apiVersion: v1
4 | kind: ServiceAccount
5 | metadata:
6 |   namespace: mydata
7 |   name: nextcloud-postgres-secret-holder
8 |   annotations:
9 |     eks.amazonaws.com/audience: sts.amazonaws.com
10 |     eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-nextcloud-postgres-secret-holder
11 |
-------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/deps/postgres-secret-holder.yaml: --------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/deployment-apps-v1.json
# "Secret holder": the Secrets Store CSI driver materialises the synced Kubernetes
# Secret (secretObjects in postgres-secret.yaml) only while some pod has the
# SecretProviderClass volume mounted, so this sleeping pod is what keeps
# `nextcloud-postgres-secret` in existence for the database cluster to reference.
3 | apiVersion: apps/v1
4 | kind: Deployment
5 | metadata:
6 |   namespace: mydata
7 |   name: &n nextcloud-postgres-secret-holder
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: *n
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: *n
17 |     spec:
      # `serviceAccount` is the deprecated alias of `serviceAccountName`; both
      # still work, but the current field name is serviceAccountName.
18 |       serviceAccount: *n
19 |       volumes:
20 |         - name: &s nextcloud-postgres-secret
21 |           csi:
22 |             driver: secrets-store.csi.k8s.io
23 |             readOnly: true
24 |             volumeAttributes:
25 |               secretProviderClass: *s
26 |       containers:
27 |         - name: *n
          # Mutable tag: `latest` is re-resolved on every pull, so the running
          # image is not reproducible and a registry-side change is picked up
          # silently. Pin to a fixed tag or, better, a digest
          # (`busybox:<tag>@sha256:<digest>`) so Renovate can track it.
28 |           image: busybox:latest
29 |           command: ["sleep", "infinity"]
30 |           volumeMounts:
31 |             - name: *s
32 |               mountPath: /nextcloud-postgres-secret
33 |               readOnly: true
34 |           securityContext:
35 |             runAsNonRoot: true
36 |             runAsUser: 65534
37 |             runAsGroup: 65534
38 |             allowPrivilegeEscalation: false
39 |             readOnlyRootFilesystem: true
40 |             capabilities:
41 |               drop: ["ALL"]
42 |             seccompProfile:
43 |               type: RuntimeDefault
          # No requests/limits: the pod is BestEffort QoS. Fine for a sleeping
          # container, but a ResourceQuota on the namespace would reject it,
          # so give it minimal requests if one is ever added.
44 |           resources: {}
45 |
-------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/deps/postgres-secret.yaml: --------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json
3 | apiVersion: secrets-store.csi.x-k8s.io/v1
4 | kind: SecretProviderClass
5 | metadata:
6 |   namespace: mydata
7 |   name: &name nextcloud-postgres-secret
8 | spec:
9 |   provider: aws
10 |   parameters:
11 |     region: us-west-2
12 |     objects: |
13 |       - objectType: ssmparameter
14 |         objectName: /amethyst/nextcloud-postgres
15 |         jmesPath:
          # "BOOSTRAP" is misspelled, but it is also the key name inside the SSM
          # parameter's JSON document, so it must change in both places or not
          # at all.
16 |           - path: POSTGRES_BOOSTRAP_USERNAME
17 |             objectAlias: POSTGRES_BOOSTRAP_USERNAME
18 |           - path: POSTGRES_BOOSTRAP_PASSWORD
19 |             objectAlias: POSTGRES_BOOSTRAP_PASSWORD
20 |           - path: POSTGRES_B2_ACCESS_KEY_ID
21 |             objectAlias: POSTGRES_B2_ACCESS_KEY_ID
22 |           - path: POSTGRES_B2_ACCESS_SECRET_KEY
23 |             objectAlias: POSTGRES_B2_ACCESS_SECRET_KEY
  # secretObjects copies the values into an ordinary Kubernetes Secret (type
  # Opaque). From then on the bootstrap password and the object-store keys are
  # readable by anything with `get secrets` in `mydata`, so RBAC on that
  # namespace is the effective boundary. Requires the driver's Secret sync
  # feature to be enabled (syncSecret.enabled in the driver chart).
24 |   secretObjects:
25 |     - secretName: *name
26 |       type: Opaque
27 |       data:
        # `username`/`password` are the key names the consuming cluster expects
        # — presumably the CNPG basic-auth secret convention; verify in
        # deps/postgres.yaml.
28 |         - key: username
29 |           objectName: POSTGRES_BOOSTRAP_USERNAME
30 |         - key: password
31 |           objectName: POSTGRES_BOOSTRAP_PASSWORD
32 |         - key: POSTGRES_B2_ACCESS_KEY_ID
33 |           objectName: POSTGRES_B2_ACCESS_KEY_ID
34 |         - key: POSTGRES_B2_ACCESS_SECRET_KEY
35 |           objectName: POSTGRES_B2_ACCESS_SECRET_KEY
36 |
-------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/deps/valkey-secret.yaml: --------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server:
$schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json 3 | apiVersion: secrets-store.csi.x-k8s.io/v1 4 | kind: SecretProviderClass 5 | metadata: 6 | namespace: mydata 7 | name: nextcloud-valkey-secret 8 | spec: 9 | provider: aws 10 | parameters: 11 | region: us-west-2 12 | objects: | 13 | - objectType: ssmparameter 14 | objectName: /amethyst/nextcloud-valkey 15 | objectAlias: users.acl 16 | -------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - ../base 7 | - app/release.yaml 8 | - app/secret.yaml 9 | - app/config.yaml 10 | - app/data-pvc.yaml 11 | - app/install-pvc.yaml 12 | - app/netpol.yaml 13 | - backup/data-backup.yaml 14 | - backup/data-secret.yaml 15 | - backup/install-backup.yaml 16 | - backup/install-secret.yaml 17 | - backup/secret-holder-sa.yaml 18 | - backup/secret-holder.yaml 19 | - deps/postgres.yaml 20 | - deps/postgres-secret.yaml 21 | - deps/postgres-secret-holder.yaml 22 | - deps/postgres-sa.yaml 23 | - deps/valkey.yaml 24 | - deps/valkey-secret.yaml 25 | - deps/netpol.yaml 26 | -------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/maintain/data-manual-backup.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationSource 4 | metadata: 5 | # namespace: mydata 6 | # name: nextcloud-data-manual-backup 7 | {} 8 | spec: 9 | sourcePVC: nextcloud-data 10 | trigger: 11 | # manual: nextcloud-data-manual-backup 12 | {} 13 | restic: 14 | pruneIntervalDays: 14 15 | repository: 
nextcloud-data-backup-secret 16 | retain: 17 | daily: 5 18 | weekly: 4 19 | copyMethod: Snapshot 20 | volumeSnapshotClassName: rook-ceph-fs 21 | storageClassName: fs-fast-ec 22 | accessModes: ["ReadWriteOnce"] 23 | cacheStorageClassName: rbd-fast-ec 24 | cacheAccessModes: ["ReadWriteOnce"] 25 | cacheCapacity: 1Gi 26 | moverSecurityContext: 27 | runAsNonRoot: true 28 | runAsUser: 65534 29 | runAsGroup: 65534 30 | fsGroup: 65534 31 | seccompProfile: 32 | type: RuntimeDefault 33 | -------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/maintain/data-manual-restore.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationDestination 4 | metadata: 5 | # namespace: mydata 6 | # name: nextcloud-data-manual-restore 7 | {} 8 | spec: 9 | trigger: 10 | # manual: nextcloud-data-manual-restore 11 | {} 12 | restic: 13 | repository: nextcloud-data-backup-secret 14 | # previous: 0 15 | # restoreAsOf: 2024-02-14T08:52:28+08:00 16 | copyMethod: Direct 17 | destinationPVC: nextcloud-data 18 | cacheStorageClassName: rbd-fast-delete 19 | cacheCapacity: 1Gi 20 | cacheAccessModes: ["ReadWriteOnce"] 21 | moverSecurityContext: 22 | runAsNonRoot: true 23 | runAsUser: 33 24 | runAsGroup: 33 25 | fsGroup: 33 26 | seccompProfile: 27 | type: RuntimeDefault 28 | -------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/maintain/install-manual-backup.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationSource 4 | metadata: 5 | # namespace: mydata 6 | # name: nextcloud-install-manual-backup 7 | {} 8 | spec: 9 | sourcePVC: nextcloud-install 10 | trigger: 11 | # manual: nextcloud-install-manual-backup 12 | {} 13 | restic: 14 | pruneIntervalDays: 14 15 | repository: 
nextcloud-install-backup-secret 16 | retain: 17 | daily: 5 18 | weekly: 4 19 | copyMethod: Snapshot 20 | volumeSnapshotClassName: rook-ceph-fs 21 | storageClassName: fs-fast-ec 22 | accessModes: ["ReadWriteOnce"] 23 | cacheStorageClassName: rbd-fast-ec 24 | cacheAccessModes: ["ReadWriteOnce"] 25 | cacheCapacity: 1Gi 26 | moverSecurityContext: 27 | runAsNonRoot: true 28 | runAsUser: 65534 29 | runAsGroup: 65534 30 | fsGroup: 65534 31 | seccompProfile: 32 | type: RuntimeDefault 33 | -------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/maintain/install-manual-restore.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: volsync.backube/v1alpha1 3 | kind: ReplicationDestination 4 | metadata: 5 | # namespace: mydata 6 | # name: nextcloud-install-manual-restore 7 | {} 8 | spec: 9 | trigger: 10 | # manual: nextcloud-install-manual-restore 11 | {} 12 | restic: 13 | repository: nextcloud-install-backup-secret 14 | # previous: 0 15 | # restoreAsOf: 2024-02-14T08:52:28+08:00 16 | copyMethod: Direct 17 | destinationPVC: nextcloud-install 18 | cacheStorageClassName: rbd-fast-delete 19 | cacheCapacity: 1Gi 20 | cacheAccessModes: ["ReadWriteOnce"] 21 | moverSecurityContext: 22 | runAsNonRoot: true 23 | runAsUser: 33 24 | runAsGroup: 33 25 | fsGroup: 33 26 | seccompProfile: 27 | type: RuntimeDefault 28 | -------------------------------------------------------------------------------- /kubernetes/mydata/nextcloud/maintain/postgres-restore.tmpl.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/postgresql.cnpg.io/cluster_v1.json 3 | apiVersion: postgresql.cnpg.io/v1 4 | kind: Cluster 5 | metadata: 6 | namespace: mydata 7 | name: &name nextcloud-postgres 8 | spec: 9 | imageName: ghcr.io/cloudnative-pg/postgresql:15.6 
10 | instances: 2 11 | storage: 12 | pvcTemplate: 13 | storageClassName: fs-fast 14 | resources: 15 | requests: 16 | storage: 10Gi 17 | accessModes: ["ReadWriteOnce"] 18 | bootstrap: 19 | recovery: 20 | source: clusterBackup 21 | recoveryTarget: 22 | ## timezone should be in +00:00 23 | ## or barman-cloud-wal-restore will return "invalid value for parameter" 24 | # targetTime: "2024-02-14 10:00:00.00000+00" 25 | {} 26 | externalClusters: 27 | - name: clusterBackup 28 | barmanObjectStore: 29 | endpointURL: https://s3.us-east-005.backblazeb2.com 30 | destinationPath: s3://homelab-amethyst-nextcloud/ 31 | serverName: *name 32 | s3Credentials: 33 | accessKeyId: 34 | name: nextcloud-postgres-secret 35 | key: POSTGRES_B2_ACCESS_KEY_ID 36 | secretAccessKey: 37 | name: nextcloud-postgres-secret 38 | key: POSTGRES_B2_ACCESS_SECRET_KEY 39 | wal: 40 | maxParallel: 8 41 | -------------------------------------------------------------------------------- /kubernetes/node-exporter/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - namespace.yaml 7 | - node-exporter.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/node-exporter/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: node-exporter 7 | labels: 8 | pod-security.kubernetes.io/enforce: privileged 9 | pod-security.kubernetes.io/audit: privileged 10 | pod-security.kubernetes.io/warn: privileged 11 | -------------------------------------------------------------------------------- 
/kubernetes/node-exporter/node-exporter.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json 3 | apiVersion: source.toolkit.fluxcd.io/v1 4 | kind: HelmRepository 5 | metadata: 6 | namespace: node-exporter 7 | name: prometheus-community 8 | spec: 9 | url: https://prometheus-community.github.io/helm-charts 10 | interval: 24h 11 | --- 12 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json 13 | apiVersion: helm.toolkit.fluxcd.io/v2 14 | kind: HelmRelease 15 | metadata: 16 | namespace: node-exporter 17 | name: node-exporter 18 | spec: 19 | chart: 20 | spec: 21 | sourceRef: 22 | kind: HelmRepository 23 | name: prometheus-community 24 | chart: prometheus-node-exporter 25 | version: 4.46.1 26 | interval: 1h 27 | maxHistory: 1 28 | values: 29 | resources: 30 | requests: 31 | cpu: 10m 32 | memory: 32Mi 33 | prometheus: 34 | monitor: 35 | enabled: true 36 | interval: 1m 37 | metricRelabelings: 38 | - sourceLabels: [__name__] 39 | action: drop 40 | regex: ^(go|process|promhttp).* 41 | -------------------------------------------------------------------------------- /kubernetes/prometheus/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - namespace.yaml 7 | - kube-prometheus-stack.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/prometheus/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: 
$schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: prometheus 7 | labels: 8 | pod-security.kubernetes.io/enforce: restricted 9 | pod-security.kubernetes.io/audit: restricted 10 | pod-security.kubernetes.io/warn: restricted 11 | -------------------------------------------------------------------------------- /kubernetes/promtail/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json 3 | apiVersion: kustomize.config.k8s.io/v1beta1 4 | kind: Kustomization 5 | resources: 6 | - namespace.yaml 7 | - promtail.yaml 8 | -------------------------------------------------------------------------------- /kubernetes/promtail/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json 3 | apiVersion: v1 4 | kind: Namespace 5 | metadata: 6 | name: promtail 7 | labels: 8 | pod-security.kubernetes.io/enforce: privileged 9 | pod-security.kubernetes.io/audit: privileged 10 | pod-security.kubernetes.io/warn: privileged 11 | -------------------------------------------------------------------------------- /kubernetes/promtail/networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json 3 | apiVersion: cilium.io/v2 4 | kind: CiliumNetworkPolicy 5 | metadata: 6 | namespace: promtail 7 | name: promtail-policy 8 | spec: 9 | endpointSelector: 10 | matchLabels: 11 | app.kubernetes.io/name: promtail 12 | ingress: 13 | # deny all ingress traffic 14 | - {} 15 | 
egress:
16 |     # kube-api
    # Promtail presumably needs the API server for pod discovery (kubernetes_sd);
    # the `kube-apiserver` entity covers it regardless of how the endpoint is
    # reached.
17 |     - toEntities: [kube-apiserver]
18 |       toPorts:
19 |         - ports:
20 |             - protocol: TCP
21 |               port: "6443"
22 |     # dns resolution
23 |     - toEndpoints:
24 |         - matchLabels:
25 |             k8s:io.kubernetes.pod.namespace: kube-system
26 |             k8s-app: kube-dns
27 |       toPorts:
28 |         - ports:
29 |             - protocol: ANY
30 |               port: "53"
31 |           rules:
32 |             dns:
              # Only the absolute name passes the DNS proxy. The client URL in
              # promtail.yaml uses the short form `loki-write-headless.loki.svc`,
              # which the resolver first expands through the pod's search
              # domains; those intermediate queries should be refused by the
              # proxy and the resolver then falls through to this FQDN — TODO
              # confirm. If pushes fail with resolution errors, this rule (or a
              # matchPattern) is the first place to look.
33 |               - matchName: "loki-write-headless.loki.svc.cluster.local."
34 |     # loki-write
35 |     - toEndpoints:
36 |         - matchLabels:
37 |             k8s:io.kubernetes.pod.namespace: loki
38 |             app.kubernetes.io/instance: loki
39 |             app.kubernetes.io/component: write
40 |       toPorts:
41 |         - ports:
42 |             - protocol: TCP
43 |               port: "3100"
44 |
-------------------------------------------------------------------------------- /kubernetes/promtail/promtail.yaml: --------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
3 | apiVersion: source.toolkit.fluxcd.io/v1
4 | kind: HelmRepository
5 | metadata:
6 |   namespace: promtail
7 |   name: grafana
8 | spec:
9 |   url: https://grafana.github.io/helm-charts
10 |   interval: 24h
11 | ---
12 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json
13 | apiVersion: helm.toolkit.fluxcd.io/v2
14 | kind: HelmRelease
15 | metadata:
16 |   namespace: promtail
17 |   name: promtail
18 | spec:
19 |   chart:
20 |     spec:
21 |       sourceRef:
22 |         kind: HelmRepository
23 |         name: grafana
24 |       chart: promtail
25 |       version: 6.16.6
26 |   interval: 1h
27 |   maxHistory: 1
28 |   values:
29 |     configmap:
30 |       enabled: true
31 |     config:
32 |       clients:
        # Plain HTTP push to Loki inside the cluster: log contents travel
        # unencrypted on the pod network unless transparent encryption is
        # enabled at the CNI layer — NOTE(review): confirm which applies here.
33 |         - url: http://loki-write-headless.loki.svc:3100/loki/api/v1/push
34 |       external_labels:
35 |         project: amethyst
36 |     containerSecurityContext:
      # Runs as root — presumably required to read the host's container log
      # files mounted by the chart; this is what needs the `privileged` PSS
      # profile on the namespace. Compensating controls: read-only root FS, no
      # privilege escalation, all capabilities dropped (below).
37 |       runAsUser: 0
38 |       runAsGroup: 0
39 |       readOnlyRootFilesystem: true
40 |       allowPrivilegeEscalation: false
41 |       capabilities:
42 |         drop: ["ALL"]
43 |
44 |     resources:
45 |       limits:
46 |         memory: 128Mi
47 |       requests:
48 |         cpu: 50m
49 |         memory: 128Mi
50 |
    # Consistent with the deny-all ingress rule in networkpolicy.yaml: nothing
    # needs to reach promtail. If scraping is enabled later, that policy must
    # first gain an ingress rule from the Prometheus pods.
51 |     serviceMonitor:
52 |       enabled: false
53 |
-------------------------------------------------------------------------------- /kubernetes/reloader/kustomization.yaml: --------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
3 | apiVersion: kustomize.config.k8s.io/v1beta1
4 | kind: Kustomization
5 | resources:
6 |   - namespace.yaml
7 |   - reloader.yaml
8 |
-------------------------------------------------------------------------------- /kubernetes/reloader/namespace.yaml: --------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
3 | apiVersion: v1
4 | kind: Namespace
5 | metadata:
6 |   name: reloader
7 |   labels:
    # NOTE(review): reloader.yaml already gives the deployment a fully hardened
    # securityContext (runAsNonRoot, drop ALL, RuntimeDefault seccomp, no
    # privilege escalation), so the `restricted` profile looks achievable here.
    # Switch `audit`/`warn` to restricted first and check for violations before
    # tightening `enforce`.
8 |     pod-security.kubernetes.io/enforce: privileged
9 |     pod-security.kubernetes.io/audit: privileged
10 |     pod-security.kubernetes.io/warn: privileged
11 |
-------------------------------------------------------------------------------- /kubernetes/reloader/reloader.yaml: --------------------------------------------------------------------------------
1 | ---
2 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
3 | apiVersion: source.toolkit.fluxcd.io/v1
4 | kind: HelmRepository
5 | metadata:
6 |   namespace: reloader
7 |   name: stakater
8 | spec:
9 |   url: https://stakater.github.io/stakater-charts
10 |   interval: 24h
11 | ---
12 | # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json
13 | apiVersion:
helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  namespace: reloader
  name: reloader
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: stakater
      chart: reloader
      version: 2.1.3
  interval: 1h
  maxHistory: 1
  values:
    reloader:
      # watches ConfigMaps/Secrets in every namespace, not only its own; the chart
      # presumably grants it cluster-wide read on Secrets for that (confirm), so treat
      # this pod as a cluster-scoped secret reader when reviewing its RBAC and reach
      watchGlobally: true
      reloadStrategy: default
      readOnlyRootFileSystem: true
      deployment:
        # restricted-compatible pod: non-root, no privilege escalation, no caps,
        # default seccomp, read-only root
        securityContext:
          runAsNonRoot: true
          runAsUser: 65534
          runAsGroup: 65534
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
          seccompProfile:
            type: RuntimeDefault
        replicas: 1
        resources:
          requests:
            cpu: 10m
            memory: 100Mi
      serviceMonitor:
        enabled: true
--------------------------------------------------------------------------------
/kubernetes/rook-ceph/app/release.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  namespace: rook-ceph
  name: rook-ceph
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: rook-ceph
      chart: rook-ceph
      version: v1.16.7
  # CRDs are created and replaced by flux on both install and upgrade (rook CRDs
  # change between minor versions)
  install:
    crds: CreateReplace
  upgrade:
    crds: CreateReplace
  interval: 1h
  maxHistory: 1
  values:
    crds:
      enabled: true
    # the operator only reconciles Ceph CRs in its own namespace, which keeps its
    # permissions namespace-scoped instead of cluster-wide (the chart presumably
    # adjusts its RBAC accordingly — confirm)
    currentNamespaceOnly: true
    resources:
      limits:
        memory: 256Mi
      requests:
        cpu: 100m
        memory: 256Mi
    monitoring:
      enabled: true
--------------------------------------------------------------------------------
/kubernetes/rook-ceph/app/repo.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  namespace: rook-ceph
  name: rook-ceph
spec:
  url: https://charts.rook.io/release
  interval: 24h
--------------------------------------------------------------------------------
/kubernetes/rook-ceph/base/ns.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: rook-ceph
  # privileged is expected here: the Ceph daemons need host device and network access
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged
--------------------------------------------------------------------------------
/kubernetes/rook-ceph/cluster/rook-config-override.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/configmap-v1.json
# Extra ceph.conf settings; rook-config-override is the ConfigMap name rook merges
# into the daemons' configuration.
#   public network  - client-facing addresses, one /21 entry per host
#   cluster network - OSD replication traffic, one /21 entry per host; keep it
#                     unreachable from workloads
#   mon_warn_on_pool_no_redundancy = false silences the MON health warning for pools
#   with a single copy of the data. Every pool defined under storage/ here uses
#   size 3 or EC 2+1, so presumably this targets a pool created outside these
#   manifests — confirm, as it hides a signal worth keeping otherwise.
apiVersion: v1
kind: ConfigMap
metadata:
  name: rook-config-override
  namespace: rook-ceph
data:
  config: |
    [global]
    public network = 192.168.253.11/21, 192.168.254.12/21, 192.168.254.13/21
    cluster network = 192.168.253.101/21, 192.168.254.102/21, 192.168.254.103/21
    public addr = ""
    cluster addr = ""
    [mon]
    mon_warn_on_pool_no_redundancy = false
--------------------------------------------------------------------------------
/kubernetes/rook-ceph/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# NOTE(review): cluster/cephcluster.yaml and both storage/*/storageclass.yaml files are
# referenced below but do not appear in this listing; presumably omitted by the export
# rather than missing from the repo — confirm.
resources:
  - base/ns.yaml
  - app/repo.yaml
  - app/release.yaml
  # cluster
  - cluster/cephcluster.yaml
  - cluster/rook-config-override.yaml
  # block
  - storage/block/cephblock.yaml
  - storage/block/snapshotclass.yaml
  - storage/block/storageclass.yaml
  # fs
  - storage/filesystem/cephfs.yaml
  - storage/filesystem/snapshotclass.yaml
  - storage/filesystem/storageclass.yaml
  # object
  - storage/object/cephobject.yaml
  - storage/object/objectuser.yaml
--------------------------------------------------------------------------------
/kubernetes/rook-ceph/storage/block/cephblock.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/ceph.rook.io/cephblockpool_v1.json
## rbd-fast pool
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
  namespace: rook-ceph
  name: rbd-fast
spec:
  # each replica lands on a different host, on nvme-class OSDs only
  failureDomain: host
  deviceClass: nvme
  replicated:
    size: 3
    # refuse a pool that would keep only one copy of the data
    requireSafeReplicaSize: true
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/ceph.rook.io/cephblockpool_v1.json
## rbd-fast-ec-metadata pool (EC pools do not support omap, so the EC pool needs a replicated pool for its metadata)
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
  namespace: rook-ceph
  name: rbd-fast-ec-metadata
spec:
  failureDomain: host
  deviceClass: nvme
  replicated:
    size: 3
    requireSafeReplicaSize: true
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/ceph.rook.io/cephblockpool_v1.json
## rbd-fast-ec pool
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
  namespace: rook-ceph
  name: rbd-fast-ec
spec:
  failureDomain: host
  deviceClass: nvme
  # 2+1 erasure coding over hosts: three chunks means every host holds one, so the
  # pool needs all three hosts and tolerates losing exactly one; host maintenance
  # leaves it degraded for the duration
  erasureCoded:
    dataChunks: 2
    codingChunks: 1
--------------------------------------------------------------------------------
/kubernetes/rook-ceph/storage/block/snapshotclass.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/snapshot.storage.k8s.io/volumesnapshotclass_v1.json
## VolumeSnapshotClass rook-ceph-rbd
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: rook-ceph-rbd
driver: rook-ceph.rbd.csi.ceph.com
parameters:
  clusterID: rook-ceph
  csi.storage.k8s.io/snapshotter-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/snapshotter-secret-namespace: rook-ceph
# deleting the VolumeSnapshot object also removes the backing Ceph snapshot; use a
# Retain class for anything meant to outlive its Kubernetes object
deletionPolicy: Delete
--------------------------------------------------------------------------------
/kubernetes/rook-ceph/storage/filesystem/cephfs.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/ceph.rook.io/cephfilesystem_v1.json
apiVersion: ceph.rook.io/v1
kind: CephFilesystem
metadata:
  namespace: rook-ceph
  name: fs
spec:
  # keep the CephFS data if this CR is deleted (guards against an accidental prune
  # wiping the filesystem)
  preserveFilesystemOnDelete: true
  # fs-metadata pool
  metadataPool:
    failureDomain: host
    deviceClass: nvme
    replicated:
      size: 3
      requireSafeReplicaSize: true
  dataPools:
    - # fs-default pool; the default data pool is left unused
      name: default
      failureDomain: host
      deviceClass: nvme
      replicated:
        size: 3
        requireSafeReplicaSize: true
    - # fs-fast pool
      name: fast
      failureDomain: host
      deviceClass: nvme
      replicated:
        size: 3
        requireSafeReplicaSize: true
    - #
fs-fast-ec pool
      name: fast-ec
      failureDomain: host
      deviceClass: nvme
      # 2+1 over hosts: needs all three hosts, survives the loss of one
      erasureCoded:
        dataChunks: 2
        codingChunks: 1
  metadataServer:
    # rook creates activeCount*2 MDS instances:
    # one active and one warm standby MDS
    activeCount: 1
    activeStandby: true
    resources:
      requests:
        cpu: 500m
        memory: 1Gi
--------------------------------------------------------------------------------
/kubernetes/rook-ceph/storage/filesystem/snapshotclass.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/snapshot.storage.k8s.io/volumesnapshotclass_v1.json
## VolumeSnapshotClass rook-ceph-fs
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: rook-ceph-fs
driver: rook-ceph.cephfs.csi.ceph.com
parameters:
  clusterID: rook-ceph # namespace:cluster
  csi.storage.k8s.io/snapshotter-secret-name: rook-csi-cephfs-provisioner
  csi.storage.k8s.io/snapshotter-secret-namespace: rook-ceph
# deleting the VolumeSnapshot object also removes the backing CephFS snapshot
deletionPolicy: Delete
--------------------------------------------------------------------------------
/kubernetes/rook-ceph/storage/object/cephobject.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/ceph.rook.io/cephobjectstore_v1.json
apiVersion: ceph.rook.io/v1
kind: CephObjectStore
metadata:
  namespace: rook-ceph
  name: fast
spec:
  metadataPool:
    failureDomain: host
    deviceClass: nvme
    replicated:
      size: 3
      requireSafeReplicaSize: true
  dataPool:
    failureDomain: host
    deviceClass: nvme
    replicated:
      size: 3
      requireSafeReplicaSize: true
  gateway:
    # RGW serves plain HTTP on 8080 inside the cluster (no securePort configured);
    # the Ingress below is the only path that exposes it
    port: 8080
    instances: 2
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: rook-ceph
  name: s3-fast
spec:
  ingressClassName: nginx
  # NOTE(review): there is no tls: section, so this host is served over plain HTTP
  # unless TLS is terminated in front of ingress-nginx (a tunnel or external
  # terminator) — confirm; otherwise S3 request and response bodies cross the edge
  # in the clear.
  rules:
    - host: s3-fast.timtor.dev
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: rook-ceph-rgw-fast
                port:
                  number: 8080
--------------------------------------------------------------------------------
/kubernetes/rook-ceph/storage/object/objectuser.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/ceph.rook.io/cephobjectstoreuser_v1.json
# NOTE(review): "*" on both user and bucket caps makes this an RGW admin identity (it
# can manage every user and bucket in the store). Rook presumably writes its generated
# access/secret keys into a Secret in this namespace (confirm), so anything with Secret
# read in rook-ceph effectively holds store-wide admin; keep it for admin tooling only.
# The loki and mimir users below carry no extra caps.
apiVersion: ceph.rook.io/v1
kind: CephObjectStoreUser
metadata:
  name: admin
  namespace: rook-ceph
spec:
  store: fast
  displayName: admin
  capabilities:
    user: "*"
    bucket: "*"
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/ceph.rook.io/cephobjectstoreuser_v1.json
apiVersion: ceph.rook.io/v1
kind: CephObjectStoreUser
metadata:
  name: loki
  namespace: rook-ceph
spec:
  store: fast
  displayName: loki
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/ceph.rook.io/cephobjectstoreuser_v1.json
apiVersion: ceph.rook.io/v1
kind: CephObjectStoreUser
metadata:
  name: mimir
  namespace: rook-ceph
spec:
  store: fast
  displayName: mimir
--------------------------------------------------------------------------------
/kubernetes/rustic-exporter/app/netpol.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion:
cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: rustic-exporter
  name: rustic-exporter-policy
specs:
  - # allow rustic-exporter to b2
    endpointSelector: &self
      matchLabels:
        app.kubernetes.io/name: rustic-exporter
    egress:
      - toEndpoints:
          - matchLabels:
              k8s:io.kubernetes.pod.namespace: kube-system
              k8s-app: kube-dns
        toPorts:
          - ports:
              - protocol: ANY
                port: "53"
            rules:
              # DNS-aware egress: only this name may be resolved, and the alias is
              # reused for the toFQDNs allow below so the two lists cannot drift
              dns: &b2
                - matchName: s3.us-east-005.backblazeb2.com
      - toFQDNs: *b2
        toPorts:
          - ports:
              - protocol: TCP
                port: "443"
  - # allow metrics probe from prometheus
    endpointSelector: *self
    ingress:
      - fromEndpoints:
          - matchLabels:
              k8s:io.kubernetes.pod.namespace: prometheus
              app.kubernetes.io/name: prometheus
        toPorts:
          - ports:
              - protocol: TCP
                port: "8080"
--------------------------------------------------------------------------------
/kubernetes/rustic-exporter/app/repo.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  namespace: rustic-exporter
  name: bjw-s
spec:
  url: https://bjw-s.github.io/helm-charts
  interval: 24h
--------------------------------------------------------------------------------
/kubernetes/rustic-exporter/base/netpol.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: rustic-exporter
  name: rustic-exporter-default-policy
specs:
  - endpointSelector:
      matchLabels: {}
    # an empty rule puts every pod in the namespace into default-deny for that
    # direction without allowing anything; app/netpol.yaml adds the allows
    ingress:
      - {}
    egress:
      - {}
--------------------------------------------------------------------------------
/kubernetes/rustic-exporter/base/ns.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: rustic-exporter
  # restricted: the strictest Pod Security level
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
--------------------------------------------------------------------------------
/kubernetes/rustic-exporter/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# app/config.yaml, app/secret.yaml and app/release.yaml are not part of this listing
resources:
  - base/ns.yaml
  - base/netpol.yaml
  - app/config.yaml
  - app/secret.yaml
  - app/repo.yaml
  - app/release.yaml
  - app/netpol.yaml
--------------------------------------------------------------------------------
/kubernetes/smart-exporter/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
  - smart-exporter.yaml
--------------------------------------------------------------------------------
/kubernetes/smart-exporter/namespace.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server:
$schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: smart-exporter
  # privileged: presumably needed for host disk device access to read SMART data
  # (smart-exporter.yaml is not in this listing) — confirm
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged
--------------------------------------------------------------------------------
/kubernetes/snapscheduler/namespace.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: snapscheduler
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
--------------------------------------------------------------------------------
/kubernetes/snapscheduler/snapscheduler.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  namespace: snapscheduler
  name: backube
spec:
  url: https://backube.github.io/helm-charts/
  interval: 24h
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  namespace: snapscheduler
  name: snapscheduler
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: backube
      chart: snapscheduler
      version: 3.4.0
  install:
    crds: CreateReplace
  upgrade:
    crds: CreateReplace
  interval: 1h
  maxHistory: 1
  values:
    manageCRDs: true
    securityContext:
      runAsNonRoot: true
      # NOTE(review): the only release visible here with a writable root filesystem;
      # if the operator does not need to write outside a mounted volume, set this to
      # true to match the others — confirm against the chart
      readOnlyRootFilesystem: false
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
    # no requests/limits: the pod runs at BestEffort QoS
    resources: {}
    nodeSelector: {}
--------------------------------------------------------------------------------
/kubernetes/snmp-exporter-mikrotik/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
  - snmp-exporter-secret.yaml
  - snmp-exporter.yaml
--------------------------------------------------------------------------------
/kubernetes/snmp-exporter-mikrotik/namespace.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: snmp-exporter-mikrotik
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
--------------------------------------------------------------------------------
/kubernetes/snmp-exporter-mikrotik/snmp-exporter-secret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  namespace: snmp-exporter-mikrotik
  name:
snmp-exporter-mikrotik-secret
spec:
  provider: aws
  parameters:
    region: us-west-2
    # the SSM parameter is mounted into the pod as a file named mikrotik-secret.yml;
    # there is no secretObjects block, so nothing is mirrored into a Kubernetes Secret
    objects: |
      - objectType: ssmparameter
        objectAlias: mikrotik-secret.yml
        objectName: /amethyst/snmp-exporter-mikrotik
--------------------------------------------------------------------------------
/kubernetes/unifi-controller/app/netpol.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
# Allow rules only; base/netpol.yaml puts the namespace into default-deny for both
# directions. No egress is granted to the controller pods here, so they get none at
# all (not even DNS) — presumably intended, confirm.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: unifi-controller
  name: unifi-controller-policy
specs:
  # allow connection from ingress-nginx
  - endpointSelector: &self
      matchLabels:
        app.kubernetes.io/name: unifi-controller
    ingress:
      - fromEndpoints:
          # namespace and app label together: only the ingress controller pods, not
          # anything else scheduled into ingress-nginx
          - matchLabels:
              k8s:io.kubernetes.pod.namespace: ingress-nginx
              app.kubernetes.io/name: ingress-nginx
        toPorts:
          - ports:
              # 8443: controller web UI/API; 8080: presumably the device inform port — confirm
              - protocol: TCP
                port: "8443"
              - protocol: TCP
                port: "8080"
  # allow connection from unpoller
  - endpointSelector: *self
    ingress:
      - fromEndpoints:
          - matchLabels:
              k8s:io.kubernetes.pod.namespace: unpoller
              app.kubernetes.io/name: unpoller
        toPorts:
          - ports:
              - protocol: TCP
                port: "8443"
--------------------------------------------------------------------------------
/kubernetes/unifi-controller/app/pvc.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/persistentvolumeclaim-v1.json
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  namespace: unifi-controller
  name: unifi-controller-data
spec:
  storageClassName: fs-fast
  resources:
    requests:
      storage: 5Gi
  accessModes:
    - ReadWriteOnce
--------------------------------------------------------------------------------
/kubernetes/unifi-controller/app/repo.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  namespace: unifi-controller
  name: bjw-s
spec:
  url: https://bjw-s.github.io/helm-charts
  interval: 24h
--------------------------------------------------------------------------------
/kubernetes/unifi-controller/backup/backup.yaml:
--------------------------------------------------------------------------------
---
# Scheduled restic backup of the controller data PVC via volsync.
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
  namespace: unifi-controller
  name: unifi-controller-data-backup
spec:
  sourcePVC: unifi-controller-data
  trigger:
    # twice a day, at 00:00 and 12:00
    schedule: "0 0/12 * * *"
  restic:
    pruneIntervalDays: 14
    # Secret carrying RESTIC_REPOSITORY / RESTIC_PASSWORD / AWS keys, synced from SSM
    # by backup/secret.yaml; the secret-holder deployment presumably exists to keep it
    # materialised — confirm
    repository: unifi-controller-backup-secret
    retain:
      daily: 5
      weekly: 4
      monthly: 3
    # back up from a CephFS snapshot of the PVC rather than the live volume
    copyMethod: Snapshot
    volumeSnapshotClassName: rook-ceph-fs
    storageClassName: fs-fast-ec
    accessModes: ["ReadWriteOnce"]
    cacheStorageClassName: rbd-fast-ec
    cacheAccessModes: ["ReadWriteOnce"]
    cacheCapacity: 1Gi
    # mover runs as nobody with the default seccomp profile
    moverSecurityContext:
      runAsNonRoot: true
      runAsUser: 65534
      runAsGroup: 65534
      fsGroup: 65534
      seccompProfile:
        type: RuntimeDefault
--------------------------------------------------------------------------------
/kubernetes/unifi-controller/backup/secret-holder-sa.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server:
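$schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/serviceaccount-v1.json
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: unifi-controller
  name: unifi-controller-backup-secret-holder
  # IAM role assumed with the projected SA token (audience sts.amazonaws.com) so the
  # secrets-store CSI driver can read the SSM parameter. The role's trust policy is
  # defined outside this listing; it should be pinned to exactly this
  # namespace/name subject.
  annotations:
    eks.amazonaws.com/audience: sts.amazonaws.com
    eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-unifi-controller-backup-secret-holder
--------------------------------------------------------------------------------
/kubernetes/unifi-controller/backup/secret-holder.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/deployment-apps-v1.json
# Idle pod whose only job is to keep the SecretProviderClass volume mounted: the CSI
# driver presumably only materialises the Kubernetes Secret (secretObjects in
# secret.yaml) while some pod mounts the volume, and volsync needs that Secret to
# exist — confirm.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: unifi-controller
  name: unifi-controller-backup-secret-holder
spec:
  replicas: 1
  selector:
    matchLabels:
      app: unifi-controller-backup-secret-holder
  template:
    metadata:
      labels:
        app: unifi-controller-backup-secret-holder
    spec:
      # serviceAccountName is the supported field; serviceAccount is a deprecated alias
      serviceAccountName: unifi-controller-backup-secret-holder
      volumes:
        - name: secret
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: unifi-controller-backup-secret
      containers:
        - name: unifi-controller-backup-secret-holder
          # NOTE(review): mutable tag with no digest. The container only runs sleep,
          # but it mounts the backup credentials, so pin a digest and let the image
          # updater bump it — confirm the registry/tag to pin.
          image: busybox:latest
          command: ["sleep", "infinity"]
          volumeMounts:
            - name: secret
              mountPath: /secret
              readOnly: true
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          resources: {}
--------------------------------------------------------------------------------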
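/kubernetes/unifi-controller/backup/secret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  namespace: unifi-controller
  name: &name unifi-controller-backup-secret
spec:
  provider: aws
  parameters:
    region: us-west-2
    # one SSM parameter holding a JSON document; jmesPath splits it into the four
    # values restic/volsync need
    objects: |
      - objectType: ssmparameter
        objectName: /amethyst/unifi-controller-backup
        jmesPath:
          - path: RESTIC_REPOSITORY
            objectAlias: RESTIC_REPOSITORY
          - path: AWS_ACCESS_KEY_ID
            objectAlias: AWS_ACCESS_KEY_ID
          - path: AWS_SECRET_ACCESS_KEY
            objectAlias: AWS_SECRET_ACCESS_KEY
          - path: RESTIC_PASSWORD
            objectAlias: RESTIC_PASSWORD
  # mirrors the mounted values into a plain Kubernetes Secret of the same name (the
  # repository secret referenced by backup.yaml). That copy lives in etcd, so anyone
  # with Secret read in this namespace gets the restic password and the S3 keys.
  secretObjects:
    - secretName: *name
      type: Opaque
      data:
        - key: RESTIC_REPOSITORY
          objectName: RESTIC_REPOSITORY
        - key: AWS_ACCESS_KEY_ID
          objectName: AWS_ACCESS_KEY_ID
        - key: AWS_SECRET_ACCESS_KEY
          objectName: AWS_SECRET_ACCESS_KEY
        - key: RESTIC_PASSWORD
          objectName: RESTIC_PASSWORD
--------------------------------------------------------------------------------
/kubernetes/unifi-controller/base/netpol.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: unifi-controller
  name: unifi-controller-default-policy
specs:
  - endpointSelector:
      matchLabels: {}
    # empty rules put every pod in the namespace into default-deny for both
    # directions; app/netpol.yaml and the backup policy below add the allows
    ingress:
      - {}
    egress:
      - {}
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
# Egress for the volsync mover pods: DNS, and HTTPS to the B2 endpoint only.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: unifi-controller
  name: unifi-controller-backup-policy
specs:
  - endpointSelector:
      matchLabels:
        # label volsync presumably sets on the mover pods it creates — confirm
        app.kubernetes.io/created-by: volsync
    egress:
      - toEndpoints:
          - matchLabels:
              k8s:io.kubernetes.pod.namespace: kube-system
              k8s-app: kube-dns
        toPorts:
          - ports:
              - protocol: ANY
                port: "53"
            rules:
              # exact-name match, the same form rustic-exporter/app/netpol.yaml uses
              # for this endpoint (a matchPattern without a wildcard is equivalent,
              # matchName just states the intent); the alias feeds toFQDNs below
              dns: &b2
                - matchName: s3.us-east-005.backblazeb2.com
      - toFQDNs: *b2
        toPorts:
          - ports:
              - protocol: TCP
                port: "443"
--------------------------------------------------------------------------------
/kubernetes/unifi-controller/base/ns.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: unifi-controller
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
--------------------------------------------------------------------------------
/kubernetes/unifi-controller/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# app/release.yaml is not part of this listing; maintain/ templates are deliberately
# not listed here and are applied by hand
resources:
  - base/ns.yaml
  - base/netpol.yaml
  - app/repo.yaml
  - app/release.yaml
  - app/pvc.yaml
  - app/netpol.yaml
  - backup/backup.yaml
  - backup/secret.yaml
  - backup/secret-holder.yaml
  - backup/secret-holder-sa.yaml
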
--------------------------------------------------------------------------------
/kubernetes/unifi-controller/maintain/manual-backup.tmpl.yaml:
--------------------------------------------------------------------------------
---
# Template for an ad-hoc backup. The empty {} placeholders under metadata and trigger
# are presumably filled in when the template is rendered (the commented lines show the
# expected values); the rendering step is outside this listing. Everything else
# mirrors backup/backup.yaml so the manual run lands in the same repository with the
# same retention.
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
  # namespace: unifi-controller
  # name: unifi-controller-manual-backup
  {}
spec:
  trigger:
    # manual: unifi-controller-manual-backup
    {}
  sourcePVC: unifi-controller-data
  restic:
    pruneIntervalDays: 14
    repository: unifi-controller-backup-secret
    retain:
      daily: 5
      weekly: 4
      monthly: 3
    copyMethod: Snapshot
    volumeSnapshotClassName: rook-ceph-fs
    storageClassName: fs-fast-ec
    accessModes: ["ReadWriteOnce"]
    cacheStorageClassName: rbd-fast-ec
    cacheAccessModes: ["ReadWriteOnce"]
    cacheCapacity: 1Gi
    moverSecurityContext:
      runAsNonRoot: true
      runAsUser: 65534
      runAsGroup: 65534
      fsGroup: 65534
      seccompProfile:
        type: RuntimeDefault
--------------------------------------------------------------------------------
/kubernetes/unifi-controller/maintain/manual-restore.tmpl.yaml:
--------------------------------------------------------------------------------
---
# Template for restoring a restic snapshot into the live data PVC.
apiVersion: volsync.backube/v1alpha1
kind: ReplicationDestination
metadata:
  # namespace: unifi-controller
  # name: unifi-controller-restore
  {}
spec:
  trigger:
    # manual: unifi-controller-restore
    {}
  restic:
    repository: unifi-controller-backup-secret
    # uncomment one of these to restore an older snapshot instead of the latest
    # previous: 0
    # restoreAsOf: 2024-02-14T18:00:24+08:00
    # Direct writes straight into the existing PVC below, overwriting its contents;
    # stop the controller and take a manual backup first
    copyMethod: Direct
    destinationPVC: unifi-controller-data
    # NOTE(review): not one of the CephBlockPool names in storage/block/cephblock.yaml;
    # presumably a StorageClass with a Delete reclaim policy defined in
    # storage/block/storageclass.yaml, which is not in this listing — confirm it exists
    cacheStorageClassName: rbd-fast-delete
    cacheCapacity: 1Gi
    cacheAccessModes: ["ReadWriteOnce"]
    moverSecurityContext:
      runAsNonRoot: true
      # 999 rather than the 65534 the backup mover uses — presumably the UID that
      # owns the controller's data files, so restored files get the right owner; confirm
      runAsUser: 999
      runAsGroup: 999
      fsGroup: 999
      seccompProfile:
        type: RuntimeDefault
--------------------------------------------------------------------------------
/kubernetes/unpoller/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# unpoller.yaml and networkpolicy.yaml are not part of this listing
resources:
  - namespace.yaml
  - unpoller-config.yaml
  - unpoller-secret.yaml
  - unpoller.yaml
  - networkpolicy.yaml
--------------------------------------------------------------------------------
/kubernetes/unpoller/namespace.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: unpoller
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
--------------------------------------------------------------------------------
/kubernetes/unpoller/unpoller-config.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/configmap-v1.json
# unpoller configuration (the block scalar below is the literal file the pod reads).
# NOTE(review): verify_ssl: false disables certificate verification towards the
# controller, presumably because it serves a self-signed certificate. The hop stays
# in-cluster and unifi-controller/app/netpol.yaml only admits unpoller on 8443, which
# limits but does not remove the exposure; giving unpoller the controller's CA/cert
# instead would close it — confirm what the chart exposes for that.
# Credentials are not in this file (the commented user/pass lines name env vars);
# confirm the names the release injects match the keys in unpoller-secret.yaml
# (UP_UNIFI_CONTROLLER_0_USER / UP_UNIFI_CONTROLLER_0_PASS), since the comments here
# carry an APP_ prefix.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: unpoller
  name: unpoller-config
data:
  unpoller.yaml: |
    poller:
      debug: false
      quiet: false
    prometheus:
      http_listen: 0.0.0.0:9130
    influxdb:
      disable: true
    unifi:
      controllers:
        - url: https://unifi-controller.unifi-controller.svc:8443
          verify_ssl: false
          # user: APP_UP_UNIFI_CONTROLLER_0_USER
          # pass: APP_UP_UNIFI_CONTROLLER_0_PASS
          sites:
            - all

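--------------------------------------------------------------------------------
/kubernetes/unpoller/unpoller-secret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json
# Pulls the unpoller controller credentials from one SSM parameter (a JSON
# document, selected with jmesPath) and, via secretObjects, mirrors them into a
# regular Kubernetes Secret of the same name once a pod mounts the CSI volume.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  namespace: unpoller
  name: &name unpoller-secret
spec:
  provider: aws
  parameters:
    region: us-west-2
    objects: |
      - objectType: ssmparameter
        objectName: /amethyst/unpoller
        jmesPath:
          - path: UP_UNIFI_CONTROLLER_0_USER
            objectAlias: UP_UNIFI_CONTROLLER_0_USER
          - path: UP_UNIFI_CONTROLLER_0_PASS
            objectAlias: UP_UNIFI_CONTROLLER_0_PASS
  secretObjects:
    - secretName: *name
      type: Opaque
      data:
        - key: UP_UNIFI_CONTROLLER_0_USER
          objectName: UP_UNIFI_CONTROLLER_0_USER
        - key: UP_UNIFI_CONTROLLER_0_PASS
          objectName: UP_UNIFI_CONTROLLER_0_PASS
--------------------------------------------------------------------------------
/kubernetes/vaultwarden/app/netpol.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
# Allow-list for the vaultwarden pod on top of the namespace default-deny in
# base/netpol.yaml: ingress only from ingress-nginx on 8080, egress only to
# kube-dns and to the Bitwarden push/identity endpoints on 443.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: vaultwarden
  name: vaultwarden-policy
specs:
  # allow connection from ingress-nginx
  - endpointSelector: &self
      matchLabels:
        app.kubernetes.io/name: vaultwarden
    ingress:
      - fromEndpoints:
          - matchLabels:
              k8s:io.kubernetes.pod.namespace: ingress-nginx
        toPorts:
          - ports:
              - protocol: TCP
                port: "8080"
  # allow connection to push notification server
  - endpointSelector: *self
    egress:
      - toEndpoints:
          - matchLabels:
              k8s:io.kubernetes.pod.namespace: kube-system
              k8s-app: kube-dns
        toPorts:
          - ports:
              - protocol: ANY
                port: "53"
            # The DNS rule both restricts which names may be resolved and lets
            # Cilium learn the IPs the toFQDNs rule below is enforced against.
            rules:
              dns: &push
                - matchName: push.bitwarden.com
                - matchName: identity.bitwarden.com
      - toFQDNs: *push
        toPorts:
          - ports:
              - protocol: TCP
                port: "443"
--------------------------------------------------------------------------------
/kubernetes/vaultwarden/app/pvc.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/persistentvolumeclaim-v1.json
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  namespace: vaultwarden
  name: vaultwarden-data
spec:
  storageClassName: fs-fast
  resources:
    requests:
      storage: 1Gi
  accessModes:
    - ReadWriteOnce
--------------------------------------------------------------------------------
/kubernetes/vaultwarden/app/repo.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  namespace: vaultwarden
  name: bjw-s
spec:
  url: https://bjw-s.github.io/helm-charts
  interval: 24h
--------------------------------------------------------------------------------
/kubernetes/vaultwarden/app/secret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json
# Vaultwarden runtime secrets from SSM, mirrored into the Secret of the same name.
# ADMIN_TOKEN unlocks the /admin panel; vaultwarden accepts an Argon2 PHC hash
# for it (generated with `vaultwarden hash`), which is preferable to keeping the
# plaintext token in the parameter store and the synced Secret.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  namespace: vaultwarden
  name: &name vaultwarden-secret
spec:
  provider: aws
  parameters:
    region: us-west-2
    objects: |
      - objectType: ssmparameter
        objectName: /amethyst/vaultwarden
        jmesPath:
          - path: ADMIN_TOKEN
            objectAlias: ADMIN_TOKEN
          - path: PUSH_INSTALLATION_ID
            objectAlias: PUSH_INSTALLATION_ID
          - path: PUSH_INSTALLATION_KEY
            objectAlias: PUSH_INSTALLATION_KEY
  secretObjects:
    - secretName: *name
      type: Opaque
      data:
        - key: ADMIN_TOKEN
          objectName: ADMIN_TOKEN
        - key: PUSH_INSTALLATION_ID
          objectName: PUSH_INSTALLATION_ID
        - key: PUSH_INSTALLATION_KEY
          objectName: PUSH_INSTALLATION_KEY
--------------------------------------------------------------------------------
/kubernetes/vaultwarden/backup/backup.yaml:
--------------------------------------------------------------------------------
---
# Hourly restic backup of the vaultwarden data PVC, taken from a CSI snapshot.
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
  namespace: vaultwarden
  name: vaultwarden-backup
spec:
  sourcePVC: vaultwarden-data
  trigger:
    schedule: "0 * * * *"
  restic:
    pruneIntervalDays: 14
    repository: vaultwarden-backup-secret
    retain:
      hourly: 6
      daily: 5
      weekly: 4
      monthly: 3
    copyMethod: Snapshot
    # volume created from snapshot
    volumeSnapshotClassName: rook-ceph-fs
    storageClassName: fs-fast-ec
    accessModes: ["ReadWriteOnce"]
    cacheStorageClassName: rbd-fast-ec
    cacheAccessModes: ["ReadWriteOnce"]
    cacheCapacity: 1Gi
    # Mover pod runs unprivileged (uid 65534) with the default seccomp profile,
    # as required by the namespace's restricted PSS level (base/ns.yaml).
    moverSecurityContext:
      runAsNonRoot: true
      runAsUser: 65534
      runAsGroup: 65534
      fsGroup: 65534
      seccompProfile:
        type: RuntimeDefault
--------------------------------------------------------------------------------
/kubernetes/vaultwarden/backup/secret-holder-sa.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/serviceaccount-v1.json
# ServiceAccount whose projected token is exchanged (IRSA-style, presumably via
# the aws-identity-webhook in this repo) for the IAM role that may read the
# backup parameters; no other workload in the namespace gets that role.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: vaultwarden
  name: vaultwarden-backup-secret-holder
  annotations:
    eks.amazonaws.com/audience: sts.amazonaws.com
    eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-vaultwarden-backup-secret-holder
--------------------------------------------------------------------------------
/kubernetes/vaultwarden/backup/secret-holder.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/deployment-apps-v1.json
# A pod that only sleeps but mounts the SecretProviderClass volume: presumably
# that mount is what makes the secrets-store CSI driver materialise the
# vaultwarden-backup-secret Kubernetes Secret (secretObjects) that the VolSync
# mover pods consume.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: vaultwarden
  name: &n vaultwarden-backup-secret-holder
spec:
  replicas: 1
  selector:
    matchLabels:
      app: *n
  template:
    metadata:
      labels:
        app: *n
    spec:
      # serviceAccountName is the canonical field; `serviceAccount` is a
      # deprecated alias for it in PodSpec.
      serviceAccountName: *n
      volumes:
        - name: &s vaultwarden-backup-secret
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: *s
      containers:
        - name: *n
          # TODO(review): `latest` is a mutable tag, so every restart may pull a
          # different, unreviewed image. Pin a specific tag or digest so renovate
          # (which already tracks kubernetes/*.yaml) can manage the bump.
          image: busybox:latest
          command: ["sleep", "infinity"]
          volumeMounts:
            - name: *s
              mountPath: /vaultwarden-backup-secret
              readOnly: true
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          # No requests/limits: fine for a sleeping container, but it gets
          # BestEffort QoS and is first to be evicted under node pressure.
          resources: {}
--------------------------------------------------------------------------------
/kubernetes/vaultwarden/backup/secret.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/secrets-store.csi.x-k8s.io/secretproviderclass_v1.json
# Restic repository settings for the vaultwarden backups. AWS_ACCESS_KEY_ID /
# AWS_SECRET_ACCESS_KEY are static keys for the S3-compatible object store
# (base/netpol.yaml only lets the movers reach the Backblaze B2 endpoint);
# they should be scoped to the backup bucket only and rotated periodically.
# RESTIC_PASSWORD encrypts the repository; losing it makes the backups unreadable.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  namespace: vaultwarden
  name: &name vaultwarden-backup-secret
spec:
  provider: aws
  parameters:
    region: us-west-2
    objects: |
      - objectType: ssmparameter
        objectName: /amethyst/vaultwarden-backup
        jmesPath:
          - path: RESTIC_REPOSITORY
            objectAlias: RESTIC_REPOSITORY
          - path: AWS_ACCESS_KEY_ID
            objectAlias: AWS_ACCESS_KEY_ID
          - path: AWS_SECRET_ACCESS_KEY
            objectAlias: AWS_SECRET_ACCESS_KEY
          - path: RESTIC_PASSWORD
            objectAlias: RESTIC_PASSWORD
  secretObjects:
    - secretName: *name
      type: Opaque
      data:
        - key: RESTIC_REPOSITORY
          objectName: RESTIC_REPOSITORY
        - key: AWS_ACCESS_KEY_ID
          objectName: AWS_ACCESS_KEY_ID
        - key: AWS_SECRET_ACCESS_KEY
          objectName: AWS_SECRET_ACCESS_KEY
        - key: RESTIC_PASSWORD
          objectName: RESTIC_PASSWORD
--------------------------------------------------------------------------------
/kubernetes/vaultwarden/base/netpol.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
# Namespace default-deny: selecting every endpoint with an empty ingress and
# egress rule puts them in default-deny for both directions without allowing
# any peer (Cilium's documented deny-all pattern). app/netpol.yaml and the
# backup policy below add the allow-list on top.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: vaultwarden
  name: vaultwarden-default-policy
specs:
  - endpointSelector:
      matchLabels: {}
    ingress:
      - {}
    egress:
      - {}
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/cilium.io/ciliumnetworkpolicy_v2.json
# VolSync mover pods may resolve and reach only the Backblaze B2 S3 endpoint
# on 443; no ingress rule here, so ingress to them stays denied.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  namespace: vaultwarden
  name: vaultwarden-backup-policy
specs:
  - endpointSelector:
      matchLabels:
        app.kubernetes.io/created-by: volsync
    egress:
      - toEndpoints:
          - matchLabels:
              k8s:io.kubernetes.pod.namespace: kube-system
              k8s-app: kube-dns
        toPorts:
          - ports:
              - protocol: ANY
                port: "53"
            rules:
              dns: &b2
                - matchPattern: s3.us-east-005.backblazeb2.com
      - toFQDNs: *b2
        toPorts:
          - ports:
              - protocol: TCP
                port: "443"
--------------------------------------------------------------------------------
/kubernetes/vaultwarden/base/ns.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: vaultwarden
  labels:
    # debug only
    # pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
--------------------------------------------------------------------------------
/kubernetes/vaultwarden/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - base/ns.yaml
  - base/netpol.yaml
  - app/repo.yaml
  - app/release.yaml
  - app/pvc.yaml
  - app/secret.yaml
  - app/netpol.yaml
  - backup/backup.yaml
  - backup/secret.yaml
  - backup/secret-holder-sa.yaml
  - backup/secret-holder.yaml
--------------------------------------------------------------------------------
/kubernetes/vaultwarden/maintain/manual-backup.tmpl.yaml:
--------------------------------------------------------------------------------
---
# Template for a one-off (manually triggered) restic backup of the vaultwarden
# data PVC; the commented-out metadata/trigger keys are presumably filled in by
# the task script that renders it. Mirrors backup/backup.yaml otherwise.
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
  # namespace: vaultwarden
  # name: vaultwarden-manual-backup
  {}
spec:
  trigger:
    # manual: vaultwarden-manual-backup
    {}
  sourcePVC: vaultwarden-data
  restic:
    pruneIntervalDays: 14
    repository: vaultwarden-backup-secret
    retain:
      hourly: 6
      daily: 5
      weekly: 4
      monthly: 3
    copyMethod: Snapshot
    # volume created from snapshot
    volumeSnapshotClassName: rook-ceph-fs
    storageClassName: fs-fast-ec
    accessModes: ["ReadWriteOnce"]
    cacheStorageClassName: rbd-fast-ec
    cacheAccessModes: ["ReadWriteOnce"]
    cacheCapacity: 1Gi
    moverSecurityContext:
      runAsNonRoot: true
      runAsUser: 65534
      runAsGroup: 65534
      fsGroup: 65534
      seccompProfile:
        type: RuntimeDefault
--------------------------------------------------------------------------------
/kubernetes/vaultwarden/maintain/manual-restore.tmpl.yaml:
--------------------------------------------------------------------------------
---
# Template for a manual restore of the vaultwarden data PVC from restic.
# Uncomment `previous` / `restoreAsOf` to pick a snapshot other than the latest.
# copyMethod Direct writes straight into destinationPVC, so scale vaultwarden
# down first to avoid concurrent writes to the same volume.
apiVersion: volsync.backube/v1alpha1
kind: ReplicationDestination
metadata:
  # namespace: vaultwarden
  # name: vaultwarden-restore
  {}
spec:
  trigger:
    # manual: vaultwarden-restore
    {}
  restic:
    repository: vaultwarden-backup-secret
    # previous: 0
    # restoreAsOf: 2024-02-14T18:00:24+08:00
    copyMethod: Direct
    destinationPVC: vaultwarden-data
    cacheStorageClassName: rbd-fast-delete
    cacheCapacity: 1Gi
    cacheAccessModes: ["ReadWriteOnce"]
    moverSecurityContext:
      runAsNonRoot: true
      runAsUser: 65534
      runAsGroup: 65534
      fsGroup: 65534
      seccompProfile:
        type: RuntimeDefault
--------------------------------------------------------------------------------
/kubernetes/vector/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
  - vector-config.yaml
  - vector.yaml
--------------------------------------------------------------------------------
/kubernetes/vector/namespace.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: vector
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
--------------------------------------------------------------------------------
/kubernetes/volsync/kustomization.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
  - volsync.yaml
--------------------------------------------------------------------------------
/kubernetes/volsync/namespace.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/master/namespace-v1.json
apiVersion: v1
kind: Namespace
metadata:
  name: volsync
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted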
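--------------------------------------------------------------------------------
/kubernetes/volsync/volsync.yaml:
--------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  namespace: volsync
  name: backube
spec:
  url: https://backube.github.io/helm-charts/
  interval: 24h
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  namespace: volsync
  name: volsync
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: backube
      chart: volsync
      version: 0.11.0
  install:
    crds: CreateReplace
  upgrade:
    crds: CreateReplace
  interval: 1h
  maxHistory: 1
  values:
    manageCRDs: true

    # Image used for the restic mover pods that the ReplicationSource/Destination
    # objects in the app namespaces spawn.
    # NOTE(review): `release-0.11` is a moving tag, so the mover image can change
    # underneath a pinned chart version; a full version tag (or digest) would make
    # upgrades of the mover explicit.
    restic:
      repository: quay.io/backube/volsync
      tag: release-0.11

    podSecurityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault

    # manager container securityContext
    securityContext:
      runAsUser: 1001
      runAsGroup: 1001
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]

    resources: {}
--------------------------------------------------------------------------------
/renovate.json5:
--------------------------------------------------------------------------------
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":disableRateLimiting",
    "github>timtorChen/homelab//.renovate/groups.json5",
    "github>timtorChen/homelab//.renovate/customManagers.json5",
    "github>timtorChen/homelab//.renovate/autoMerge.json5"
  ],
  "timezone": "Asia/Taipei",
  "dependencyDashboard": true,
  "kubernetes": {
    "fileMatch": ["^kubernetes/.*\\.yaml$"]
  },
  "flux": {
    "fileMatch": ["^kubernetes/.*\\.yaml$"]
  },
  "helm-values": {
    "fileMatch": ["^(kubernetes|talos)/.*\\.yaml$"]
  },
  "ignorePaths": ["**/archive/**"],
  "customManagers": [
    {
      // Tracks the Talos installer image in talos/*.yaml. The `# renovate:
      // depName=...` comment line directly above the `image:` key is the
      // marker this regex keys on. The named capture groups `depName` and
      // `currentValue` are the ones Renovate requires; their names were lost
      // in the rendered copy of this file and are restored here.
      "customType": "regex",
      "fileMatch": ["^talos/.*\\.yaml$"],
      "datasourceTemplate": "docker",
      "matchStrings": [
        "# renovate: depName=(?<depName>.*?)\n *image: factory\\.talos\\.dev\/installer\/[a-z0-9]+:(?<currentValue>v[\\d\\.]+)"
      ]
    }
  ]
}
--------------------------------------------------------------------------------
/talos/nuc11tnhi50l-1.yaml:
--------------------------------------------------------------------------------
---
## Header for task scripts
# ip: 192.168.253.11
# includes: [roles/worker.yaml]
machine:
  type: worker
  network:
    hostname: amethyst-nuc11tnhi50l-1
  udev:
    # check /usr/etc/udev/rules.d/99-talos.rules
    # Pin interface names to the NICs' MAC addresses (net.ifnames=0 is set in
    # roles/worker.yaml, so names would otherwise depend on probe order).
    rules:
      - SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="48:21:0b:33:54:cb", NAME="eth0"
      - SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="48:21:0b:2c:f4:8c", NAME="eth1"
  install:
    disk: /dev/sda
    # renovate: depName=ghcr.io/siderolabs/installer
    image: factory.talos.dev/installer/ed036d0640097a4e7af413ee089851a12963cd2e2e1715f8866d551d17c2ec62:v1.9.0
  kubelet:
    image: ghcr.io/siderolabs/kubelet:v1.32.0
--------------------------------------------------------------------------------
/talos/nuc11tnhi50l-2.yaml:
--------------------------------------------------------------------------------
---
## Header for task scripts
# ip: 192.168.253.12
# includes: [roles/worker.yaml]
machine:
  type: worker
  network:
    hostname: amethyst-nuc11tnhi50l-2
  udev:
    # check /usr/etc/udev/rules.d/99-talos.rules
    rules:
      - SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="48:21:0b:33:47:9d", NAME="eth0"
      - SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="48:21:0b:2c:f3:9b", NAME="eth1"
  install:
    disk: /dev/sda
    # renovate: depName=ghcr.io/siderolabs/installer
    image: factory.talos.dev/installer/ed036d0640097a4e7af413ee089851a12963cd2e2e1715f8866d551d17c2ec62:v1.9.0
  kubelet:
    image: ghcr.io/siderolabs/kubelet:v1.32.0
--------------------------------------------------------------------------------
/talos/nuc11tnhi50l-3.yaml:
--------------------------------------------------------------------------------
---
## Header for task scripts
# ip: 192.168.253.13
# includes: [roles/worker.yaml]
machine:
  type: worker
  network:
    hostname: amethyst-nuc11tnhi50l-3
  udev:
    # check /usr/etc/udev/rules.d/99-talos.rules
    rules:
      - SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="48:21:0b:2d:15:87", NAME="eth0"
      - SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="54:b2:03:fd:73:0a", NAME="eth1"
  install:
    disk: /dev/sda
    # renovate: depName=ghcr.io/siderolabs/installer
    image: factory.talos.dev/installer/ed036d0640097a4e7af413ee089851a12963cd2e2e1715f8866d551d17c2ec62:v1.9.0
  kubelet:
    image: ghcr.io/siderolabs/kubelet:v1.32.0
--------------------------------------------------------------------------------
/talos/pi4b-1.yaml:
--------------------------------------------------------------------------------
---
## Header for task scripts
# ip: 192.168.253.1
# includes: [roles/controlplane.yaml]
machine:
  type: controlplane
  network:
    hostname: amethyst-pi4b-1
  install:
    disk: /dev/sda
    # renovate: depName=ghcr.io/siderolabs/installer
    image: factory.talos.dev/installer/ee21ef4a5ef808a9b7484cc0dda0f25075021691c8c09a276591eedb638ea1f9:v1.9.0
  kubelet:
    image: ghcr.io/siderolabs/kubelet:v1.32.0
# Control-plane component images are pinned to exact versions here so an
# upgrade is an explicit, reviewable change rather than a floating tag.
cluster:
  apiServer:
    image: registry.k8s.io/kube-apiserver:v1.32.0
  controllerManager:
    image: registry.k8s.io/kube-controller-manager:v1.32.0
  scheduler:
    image: registry.k8s.io/kube-scheduler:v1.32.0
  coreDNS:
    image: docker.io/coredns/coredns:1.12.0
  etcd:
    image: gcr.io/etcd-development/etcd:v3.5.17-arm64
--------------------------------------------------------------------------------
/talos/pi4b-spare.yaml:
--------------------------------------------------------------------------------
---
## Header for task scripts
# ip: 192.168.253.2
# includes: [roles/controlplane.yaml]
# Spare control-plane node: no install section, so it only gets the role
# defaults from roles/controlplane.yaml.
machine:
  type: controlplane
  network:
    hostname: pi4b-spare
--------------------------------------------------------------------------------
/talos/roles/worker.yaml:
--------------------------------------------------------------------------------
---
# Shared worker role, merged into each talos/*.yaml node file by the task
# scripts (see the `includes:` header there). `${...}` values are presumably
# substituted by those scripts from the cluster secrets; they are not Talos
# syntax.
version: v1alpha1
debug: false
persist: true
machine:
  # -- Setup
  type: worker
  token: ${machine_token}
  ca:
    crt: ${machine_ca_crt}
    # Workers only need the CA certificate to verify apid/trustd; the key stays
    # on the control plane.
    key: ""
  certSANs: []
  install:
    disk: ""
    image: ""
    wipe: false
    extraKernelArgs:
      # Kernel log shipping is plaintext TCP to the in-LAN log collector.
      - talos.logging.kernel=tcp://192.168.253.100:3001
      # disable predictable interface naming
      - net.ifnames=0
  network: {}
  logging:
    destinations:
      - endpoint: tcp://192.168.253.100:3002
        format: json_lines
  # -- Services
  kubelet:
    image: ""
    # Containers get the runtime's default seccomp profile unless they opt out.
    defaultRuntimeSeccompProfileEnabled: true
    disableManifestsDirectory: true
  # -- Talos features
  features:
    rbac: true
    stableHostname: true
    # Reject client certificates that lack the client-auth extended key usage.
    apidCheckExtKeyUsage: true
    kubePrism:
      enabled: true
      port: 7745
cluster:
  # -- Setup
  controlPlane:
    endpoint: https://192.168.253.10:6443
  network:
    # No bundled CNI; Cilium is installed from kubernetes/ instead (presumably
    # also providing the kube-proxy replacement, given `proxy.disabled` below).
    cni:
      name: none
    dnsDomain: cluster.local
    podSubnets:
      - 10.244.0.0/16
    serviceSubnets:
      - 10.96.0.0/12
  id: ${cluster_id}
  secret: ${cluster_secret}
  token: ${cluster_token}
  ca:
    crt: ${cluster_ca_crt}
    key: ""
  # -- Service
  proxy:
    disabled: true
  # -- Extras
  discovery:
    enabled: false
--------------------------------------------------------------------------------
/talos/schematics/nuc11tnhi50l.yaml:
--------------------------------------------------------------------------------
---
overlay: {}
customization:
  systemExtensions:
    officialExtensions:
      - siderolabs/i915-ucode
--------------------------------------------------------------------------------
/talos/schematics/raspi.yaml:
--------------------------------------------------------------------------------
---
overlay:
  name: rpi_generic
  image: siderolabs/sbc-raspberrypi
customization:
  systemExtensions:
    officialExtensions: []
--------------------------------------------------------------------------------
/terraform/_remote-state/main.tf:
--------------------------------------------------------------------------------
# Bootstraps the S3 bucket and DynamoDB table that every other stack in
# terraform/ uses as its backend. This stack itself has no remote backend.
terraform {
  required_version = "~> 1.11.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.97.0"
    }
  }
}

provider "aws" {
  allowed_account_ids = ["262264826613"]
}

resource "aws_s3_bucket" "backend" {
  bucket = "amethyst-terraform-backend"

  lifecycle {
    prevent_destroy = true
  }
}

# State files in this bucket contain data-source results (for example the SSM
# parameter values read by terraform/ceph and terraform/grafana), so the bucket
# must not be reachable from outside the account and should be encrypted at
# rest. Newer buckets get both by default; these resources make that explicit
# and keep it under Terraform's control.
resource "aws_s3_bucket_public_access_block" "backend" {
  bucket = aws_s3_bucket.backend.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "backend" {
  bucket = aws_s3_bucket.backend.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Versioning keeps earlier state revisions recoverable after a bad apply.
resource "aws_s3_bucket_versioning" "backend" {
  bucket = aws_s3_bucket.backend.id

  versioning_configuration {
    status = "Enabled"
  }
}

# State locking. Terraform 1.10+ can lock natively in S3 (`use_lockfile`), so
# this table can be retired once the backends switch over.
resource "aws_dynamodb_table" "tfstate_lock" {
  name           = "tfstate-lock"
  read_capacity  = 1
  write_capacity = 1
  hash_key       = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}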
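--------------------------------------------------------------------------------
/terraform/aws/data.tf:
--------------------------------------------------------------------------------
data "aws_caller_identity" "main" {}

data "aws_region" "main" {}
--------------------------------------------------------------------------------
/terraform/aws/main.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = "~> 1.11.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.97.0"
    }
  }
  backend "s3" {
    bucket         = "amethyst-terraform-backend"
    key            = "amethyst"
    dynamodb_table = "tfstate-lock"
    region         = "us-west-2"
  }
}

provider "aws" {
  # Refuse to run against any account other than the homelab one, even if the
  # ambient credentials point elsewhere.
  allowed_account_ids = ["262264826613"]
  region              = "us-west-2"
}

locals {
  project = "amethyst"
  # OIDC issuer for the cluster's service-account tokens, served from the
  # public repo. Presumably only the discovery document and JWKS (public keys)
  # live there, which is all an identity provider needs to verify tokens.
  oidc_issuer_url = "https://raw.githubusercontent.com/timtorChen/homelab/main/amethyst"
}
--------------------------------------------------------------------------------
/terraform/ceph/ceph-s3.tf:
--------------------------------------------------------------------------------
# Per-application buckets on the Ceph RGW (provider alias `aws.ceph-fast`).
# Each bucket policy grants exactly one RGW user read/write/list/delete on its
# own bucket, so a leaked application key cannot reach another app's data.
resource "aws_s3_bucket" "loki" {
  provider = aws.ceph-fast
  bucket   = "${local.project}-loki"
}

resource "aws_s3_bucket_policy" "loki" {
  provider = aws.ceph-fast
  bucket   = aws_s3_bucket.loki.id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Principal" : {
          "AWS" : ["arn:aws:iam:::user/loki"]
        }
        "Action" : [
          "s3:ListBucket",
          "s3:PutObject",
          "s3:GetObject",
          "s3:DeleteObject"
        ],
        "Effect" : "Allow"
        "Resource" : [
          "${aws_s3_bucket.loki.arn}",
          "${aws_s3_bucket.loki.arn}/*"
        ]
      }
    ]
  })
}

resource "aws_s3_bucket" "mimir" {
  provider = aws.ceph-fast
  bucket   = "${local.project}-mimir"
}

resource "aws_s3_bucket_policy" "mimir" {
  provider = aws.ceph-fast
  bucket   = aws_s3_bucket.mimir.id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Principal" : {
          "AWS" : "arn:aws:iam:::user/mimir"
        }
        "Action" : [
          "s3:ListBucket",
          "s3:PutObject",
          "s3:GetObject",
          "s3:DeleteObject"
        ],
        "Effect" : "Allow"
        "Resource" : [
          "${aws_s3_bucket.mimir.arn}",
          "${aws_s3_bucket.mimir.arn}/*"
        ]
      }
    ]
  })
}

--------------------------------------------------------------------------------
/terraform/ceph/data.tf:
--------------------------------------------------------------------------------
# Parameter store secrets
# NOTE: data-source values are persisted in Terraform state, so the Ceph admin
# access/secret key pair read here ends up in the state bucket as well; treat
# that bucket with the same care as the parameter itself.
data "aws_ssm_parameter" "ceph-admin" {
  name = "/amethyst/ceph-admin"
}

locals {
  ceph_s3_access_key = jsondecode(data.aws_ssm_parameter.ceph-admin.value)["access_key"]
  ceph_s3_secret_key = jsondecode(data.aws_ssm_parameter.ceph-admin.value)["secret_key"]
}
--------------------------------------------------------------------------------
/terraform/ceph/main.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = "~> 1.11.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.97.0"
    }
  }
  backend "s3" {
    bucket         = "amethyst-terraform-backend"
    key            = "homelab/local"
    dynamodb_table = "tfstate-lock"
    region         = "us-west-2"
  }
}

provider "aws" {
  allowed_account_ids = ["262264826613"]
  region              = "us-west-2"
}

# Second AWS provider pointed at the on-prem Ceph RGW over HTTPS. The skip_*
# flags disable the AWS-specific account/region/metadata checks that an
# S3-compatible endpoint cannot answer; credentials are the admin keys from
# data.tf, which is what lets this stack create buckets and attach policies.
provider "aws" {
  alias  = "ceph-fast"
  region = "us-east-1" # it just works
  endpoints {
    s3 = "https://s3-fast.timtor.dev"
  }
  access_key                  = local.ceph_s3_access_key
  secret_key                  = local.ceph_s3_secret_key
  skip_credentials_validation = true
  skip_requesting_account_id  = true
  skip_metadata_api_check     = true
  skip_region_validation      = true
  s3_use_path_style           = true
}

locals {
  project         = "amethyst"
  oidc_issuer_url = "https://raw.githubusercontent.com/timtorChen/homelab/main/amethyst"
}
--------------------------------------------------------------------------------
/terraform/cloudflare/README.md:
--------------------------------------------------------------------------------
### Permission

```
timtor - Cloudflare Tunnel:Edit, Zero Trust:Edit, Account Settings:Read
       - All zones - DNS:Edit
```
--------------------------------------------------------------------------------
/terraform/cloudflare/data.tf:
--------------------------------------------------------------------------------
# The Cloudflare API token is read from SSM (and, like every data source,
# lands in the state file); local.zone is defined elsewhere in this stack.
data "aws_ssm_parameter" "cloudflare" {
  name = "/terraform/cloudflare"
}

data "cloudflare_accounts" "main" {}

data "cloudflare_zone" "main" {
  name = local.zone
}
--------------------------------------------------------------------------------
/terraform/cloudflare/record.tf:
--------------------------------------------------------------------------------
# One proxied CNAME per public ingress rule that carries a hostname, pointing
# the name at the cloudflared tunnel so the origin is never exposed directly.
# local.homelab_public_ingress_rules and local.zone_id are defined elsewhere
# in this stack.
resource "cloudflare_record" "homelab-public" {
  for_each = { for index, rule in local.homelab_public_ingress_rules :
    index => rule
    if try(rule.hostname, null) != null
  }

  zone_id = local.zone_id
  type    = "CNAME"
  # NOTE(review): keeps only the first label, which is right for `app.<zone>`
  # but silently wrong for a deeper name such as `a.b.<zone>`; confirm the
  # ingress rules only use single-label hostnames under the zone.
  name    = split(".", each.value.hostname)[0]
  content = "${cloudflare_zero_trust_tunnel_cloudflared.homelab.id}.cfargotunnel.com"
  proxied = true
  # Lets Terraform adopt a pre-existing record of the same name instead of
  # failing. The flip side is that a typo here can overwrite an unrelated
  # record, so review plans that replace this resource.
  allow_overwrite = true

}
--------------------------------------------------------------------------------
/terraform/grafana/data.tf:
--------------------------------------------------------------------------------
# Parameter store secrets
# The Grafana service-account token is read from SSM; like every data source
# its value is persisted in the state file.
data "aws_ssm_parameter" "grafana" {
  name = "/terraform/grafana"
}

locals {
  grafana_token = jsondecode(data.aws_ssm_parameter.grafana.value)["grafana_token"]
}
--------------------------------------------------------------------------------
/terraform/grafana/main.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = "~> 1.11.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.97.0"
    }
    grafana = {
      source  = "grafana/grafana"
      version = "3.25.1"
    }
  }
  backend "s3" {
    bucket         = "amethyst-terraform-backend"
    key            = "homelab/grafana"
    dynamodb_table = "tfstate-lock"
    region         = "us-west-2"
  }
}

provider "grafana" {
  url  = "https://grafana.timtor.dev"
  auth = local.grafana_token
}

# Prometheus-compatible datasource backed by Mimir's query frontend; plain
# HTTP is used because the call stays inside the cluster network.
resource "grafana_data_source" "prometheus" {
  type = "prometheus"
  name = "prometheus"
  url  = "http://mimir-query-frontend.mimir:8080/prometheus"
}

module "grafana_alert" {
  source  = "timtorChen/grafana-alert/module"
  version = "~> 0.4.0"

  prom_datasource_uid     = grafana_data_source.prometheus.uid
  enable_node_alert       = true
  enable_smartprom_alert  = true
  enable_etcd_alert       = true
  enable_kubernetes_alert = true
  enable_ceph_alert       = true
}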