
26 commits

Author SHA1 Message Date
e5442ac514
fix gitea 2023-06-04 02:35:25 -04:00
d5ff9cad1c
fix gitea 2023-06-04 02:31:54 -04:00
90d5fbcab4
fix gitea 2023-06-04 02:24:48 -04:00
5c88686a54
fix gitea 2023-06-04 02:20:54 -04:00
bb40c87bec
fix gitea 2023-06-04 02:17:25 -04:00
5e687e1620
fix gitea 2023-06-04 02:15:16 -04:00
0a430fe783
fix gitea 2023-06-04 02:13:03 -04:00
f8c2d33030
fix gitea 2023-06-04 02:04:54 -04:00
5a4e280ad8
fix gitea 2023-06-04 02:00:46 -04:00
3368f50ab4
fix gitea 2023-06-04 01:39:51 -04:00
d945b5d56b
fix gitea 2023-06-04 01:10:47 -04:00
d4be3c16c1
fix gitea 2023-06-04 00:58:20 -04:00
ee0ef7978a
fix gitea 2023-06-04 00:55:14 -04:00
9a2ccab17e
fix gitea 2023-06-04 00:46:50 -04:00
1038a36d29
fix gitea 2023-06-04 00:42:27 -04:00
a6a68019b9
fix gitea 2023-06-04 00:35:06 -04:00
ab00102fa3
fix deleted file error 2023-06-04 00:31:26 -04:00
1f42289025
use bitnami chart for gitea 2023-06-04 00:27:24 -04:00
82e4684d52
fix gitea 2023-06-03 14:38:14 -04:00
76e036d5c4
pin gitea to specific version 2023-06-03 14:35:33 -04:00
7288cbe246
try to get rootless gitea working 2023-06-03 14:33:06 -04:00
2b5f388ded
specify gitea appini in a secret 2023-06-03 14:28:02 -04:00
8e86d47f4c
make changes for upgrading from standard gitea image 2023-06-03 14:17:25 -04:00
a2b82e8289
add encrypted gitea sidecar secrets 2023-06-03 14:05:54 -04:00
80063122ae forgot to add 2023-06-03 13:54:56 -04:00
a3ff591851 use gitea nightly rootless image 2023-06-03 13:53:29 -04:00
514 changed files with 9747 additions and 19998 deletions

209
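--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -1,209 +0,0 @@
-{
-"$schema": "https://docs.renovatebot.com/renovate-schema.json",
-"extends": [
-"config:recommended",
-"docker:enableMajor",
-":disableRateLimiting",
-":dependencyDashboard",
-":semanticCommits",
-":automergeBranch"
-],
-"dependencyDashboard": true,
-"dependencyDashboardTitle": "Renovate Dashboard 🤖",
-"suppressNotifications": ["prEditedNotification", "prIgnoreNotification"],
-"rebaseWhen": "conflicted",
-//"schedule": ["on saturday"],
-"flux": {
-"fileMatch": [
-"(^|/)kubernetes/.+/.+\\.ya?ml(\\.j2)?$"
-]
-},
-"helm-values": {
-"fileMatch": [
-"(^|/)kubernetes/.+/.+\\.ya?ml(\\.j2)?$"
-]
-},
-"kubernetes": {
-"fileMatch": [
-"(^|/)kubernetes/.+/.+\\.ya?ml(\\.j2)?$"
-]
-},
-"kustomize": {
-"fileMatch": [
-"(^|/)kustomization\\.ya?ml(\\.j2)?$"
-]
-},
-// commit message topics
-"commitMessageTopic": "{{depName}}",
-"commitMessageExtra": "to {{newVersion}}",
-"commitMessageSuffix": "",
-// package rules
-"packageRules": [
-// automerge
-{
-"description": "Auto merge Github Actions",
-"matchManagers": ["github-actions"],
-"automerge": true,
-"automergeType": "branch",
-"ignoreTests": true,
-"matchUpdateTypes": ["minor", "patch"]
-},
-// groups
-{
-"description": "Flux Group",
-"groupName": "Flux",
-"matchPackagePatterns": ["flux"],
-"matchDatasources": ["docker", "github-tags"],
-"versioning": "semver",
-"group": {
-"commitMessageTopic": "{{{groupName}}} group"
-},
-"separateMinorPatch": true
-},
-{
-"description": "System Upgrade Controller Group",
-"groupName": "System Upgrade Controller",
-"matchPackagePatterns": ["rancher/system-upgrade-controller"],
-"matchDatasources": ["docker", "github-releases"],
-"group": {
-"commitMessageTopic": "{{{groupName}}} group"
-},
-"separateMinorPatch": true
-},
-// custom versioning
-{
-"description": "Use custom versioning for k0s/k3s",
-"matchDatasources": ["github-releases"],
-"versioning": "regex:^v(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)(?<compatibility>\\+k.s)\\.?(?<build>\\d+)$",
-"matchPackagePatterns": ["k0s", "k3s"]
-},
-// commit message topics
-{
-"matchDatasources": ["helm"],
-"commitMessageTopic": "chart {{depName}}"
-},
-{
-"matchDatasources": ["docker"],
-"commitMessageTopic": "image {{depName}}"
-},
-// commit messages
-{
-"matchDatasources": ["docker"],
-"matchUpdateTypes": ["major"],
-"commitMessagePrefix": "feat(container)!: "
-},
-{
-"matchDatasources": ["docker"],
-"matchUpdateTypes": ["minor"],
-"semanticCommitType": "feat",
-"semanticCommitScope": "container"
-},
-{
-"matchDatasources": ["docker"],
-"matchUpdateTypes": ["patch"],
-"semanticCommitType": "fix",
-"semanticCommitScope": "container"
-},
-{
-"matchDatasources": ["docker"],
-"matchUpdateTypes": ["digest"],
-"semanticCommitType": "chore",
-"semanticCommitScope": "container"
-},
-{
-"matchDatasources": ["helm"],
-"matchUpdateTypes": ["major"],
-"commitMessagePrefix": "feat(helm)!: "
-},
-{
-"matchDatasources": ["helm"],
-"matchUpdateTypes": ["minor"],
-"semanticCommitType": "feat",
-"semanticCommitScope": "helm"
-},
-{
-"matchDatasources": ["helm"],
-"matchUpdateTypes": ["patch"],
-"semanticCommitType": "fix",
-"semanticCommitScope": "helm"
-},
-{
-"matchDatasources": ["github-releases", "github-tags"],
-"matchUpdateTypes": ["major"],
-"commitMessagePrefix": "feat(github-release)!: "
-},
-{
-"matchDatasources": ["github-releases", "github-tags"],
-"matchUpdateTypes": ["minor"],
-"semanticCommitType": "feat",
-"semanticCommitScope": "github-release"
-},
-{
-"matchDatasources": ["github-releases", "github-tags"],
-"matchUpdateTypes": ["patch"],
-"semanticCommitType": "fix",
-"semanticCommitScope": "github-release"
-},
-{
-"matchManagers": ["github-actions"],
-"matchUpdateTypes": ["major"],
-"commitMessagePrefix": "feat(github-action)!: "
-},
-{
-"matchManagers": ["github-actions"],
-"matchUpdateTypes": ["minor"],
-"semanticCommitType": "feat",
-"semanticCommitScope": "github-action"
-},
-{
-"matchManagers": ["github-actions"],
-"matchUpdateTypes": ["patch"],
-"semanticCommitType": "fix",
-"semanticCommitScope": "github-action"
-},
-// labels
-{
-"matchUpdateTypes": ["major"],
-"labels": ["type/major"]
-},
-{
-"matchUpdateTypes": ["minor"],
-"labels": ["type/minor"]
-},
-{
-"matchUpdateTypes": ["patch"],
-"labels": ["type/patch"]
-},
-{
-"matchDatasources": ["docker"],
-"addLabels": ["renovate/container"]
-},
-{
-"matchDatasources": ["helm"],
-"addLabels": ["renovate/helm"]
-},
-{
-"matchDatasources": ["github-releases", "github-tags"],
-"addLabels": ["renovate/github-release"]
-},
-],
-// custom managers
-"customManagers": [
-{
-"customType": "regex",
-"description": "Process various other dependencies",
-"fileMatch": [
-"(^|/)kubernetes/.+\\.ya?ml(\\.j2)?$"
-],
-"matchStrings": [
-// Example:
-// k3s_release_version: "v1.27.3+k3s1"
-"datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)( repository=(?<registryUrl>\\S+))?( extractVersion=(?<extractVersion>\\S+))?\n.*?\"(?<currentValue>.*)\"\n",
-// Example:
-// - https://github.com/rancher/system-upgrade-controller/releases/download/v0.11.0/crd.yaml
-"datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)\n.*?-\\s(.*?)\/(?<currentValue>[^/]+)\/[^/]+\n",
-],
-"datasourceTemplate": "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}"
-}
-]
-}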

1
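--- a/.gitignore
+++ b/.gitignore
@@ -1 +0,0 @@
-.projectile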


@ -1,7 +1,5 @@
creation_rules:
- encrypted_regex: "^(data|stringData)$"
# BD1A: new gpg key
# 6878: in cluster key
pgp: >-
BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD,
687802D4DFD8AA82EA55666CF7DADAC782D7663D
2CC2B3631D5C3393901335DB68F95C5D753EE1E5,
8DF31C9F48A24F525FFB1815FC96C52B59328E95
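Review bot: The two new PGP recipients under `pgp:` carry no comment saying who or what holds each key, whereas the old side appears to have had `# BD1A: new gpg key` and `# 6878: in cluster key`. Anyone auditing who can decrypt the `data`/`stringData` fields now has to look the fingerprints up elsewhere. I would keep one comment per fingerprint, for example `# 2CC2: <owner/purpose>` and `# 8DF3: <owner/purpose>`, and state which of the two is the in-cluster decryption key.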


@ -1,22 +0,0 @@
---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
version: "3"
vars:
CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTERS_DIR}}/common/bootstrap/flux/sops-key.sops.yaml"
GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTERS_DIR}}/common/bootstrap/flux/forgejo-deploy-key.sops.yaml"
tasks:
bootstrap:
desc: Bootstrap Flux into a Kubernetes cluster
cmds:
- kubectl apply --server-side --kustomize {{.CLUSTERS_DIR}}/common/bootstrap/flux
- sops --decrypt {{.CLUSTER_SECRET_SOPS_FILE}} | kubectl apply --server-side --filename -
- sops --decrypt {{.GITHUB_DEPLOY_KEY_FILE}} | kubectl apply --server-side --filename -
- kubectl apply --server-side --kustomize {{.CLUSTERS_DIR}}/{{.CLUSTER}}/flux/config
preconditions:
- { msg: "Missing cluster sops key", sh: "gpg -K 687802D4DFD8AA82EA55666CF7DADAC782D7663D" }
reconcile:
desc: Force update Flux to pull in changes from the Git repository
cmd: flux reconcile --namespace flux-system kustomization cluster --with-source


@ -1,18 +0,0 @@
---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
version: "3"
vars:
CLUSTERS_DIR: "{{.ROOT_DIR}}/kubernetes"
includes:
flux: .taskfiles/Flux/Taskfile.yaml
tasks:
execPostgres:
desc: Exec into the postgres pod as the postgres user
cmd: kubectl -n database exec -it postgresql-0 -- psql -d postgres -U postgres
execMysql:
desc: Exec into the mysql pod as the mysql user
cmd: kubectl -n database exec -it mysql-0 -- mysql -u root -p


@ -0,0 +1,62 @@
apiVersion: v1
kind: Secret
metadata:
name: authentik-secrets
namespace: authentik
stringData:
pgsqlUserPassword: ENC[AES256_GCM,data:sfqoSPKzyYFt6GD27VgLVPPzfq1iu3Wr5CvX70ZrfVg=,iv:iVCRI/6D9MGEyYWUMwTuWt+0ofnQ4wwqTWiiS6ldTXw=,tag:2Az3CqT5cTYN2zRgDoKjFg==,type:str]
redisUserPassword: ENC[AES256_GCM,data:XasVsj+I0iuF/AXpws6sLThdqMCvPyMtTXxBHLAWlGM=,iv:Y0Soq5b19HkYWk4bdLMqazOgtLpgzD3saqUslXWvxv4=,tag:BL6arsBG0gkkdItQYRphEw==,type:str]
authentikSecretKey: ENC[AES256_GCM,data:soV0ekNUY5jTcOcbckIYjAUXhPu2bejRjUJGTOLhjOU=,iv:Cv4u6Mor5Y+v0hxQO482acMyyxT96fONEppPoo5zyrI=,tag:qs8ay5w0P0p4nByqvtinnw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-04-17T00:33:07Z"
mac: ENC[AES256_GCM,data:vvMLwuc4UOIUZttNUb3yO2OhRjEJfBRhgxJxBzLwQQRqPzQ3Ypc5bBUhZTdrWvAU17swG/G19DudC9aEbklynY+A0JhEy76hLdLFguwHnOTbRWKRvGBmKB3ihlcKsgrsAJXP6CDsjfbuEQQLVRLGnq9zst8uVYagXTnkfnIL5Y8=,iv:d1Awom8gD2fpGjPUioaf/G3X62EIIoIctT2tLzzneoI=,tag:QM+lz8hSR1E6dnnVNvhtlg==,type:str]
pgp:
- created_at: "2023-04-07T01:57:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=mItp
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-04-07T01:57:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=eiXM
-----END PGP MESSAGE-----
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@ -0,0 +1,83 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: authentik
namespace: authentik
labels:
needsDatabase: "yes"
spec:
interval: 5m
chart:
spec:
chart: authentik
version: 2023.3.1
sourceRef:
kind: HelmRepository
name: authentik-charts
namespace: flux-system
values:
containerSecurityContext: &securityContext
runAsUser: 10000
runAsGroup: 10000
fsGroup: 10000
fsGroupChangePolicy: OnRootMismatch
worker:
containerSecurityContext: *securityContext
geoip:
containerSecurityContext: *securityContext
authentik:
# secret_key: "${SECRET_AUTHENTIK_SECRET_KEY}"
# This sends anonymous usage-data, stack traces on errors and
# performance data to sentry.beryju.org, and is fully opt-in
#log_level: debug
error_reporting:
enabled: true
environment: "k3s"
postgresql:
host: "postgresql.database"
name: "authentik" # database name
user: "authentik"
# password: "${SECRET_DATABASE_PGSQL_ADMIN_PASS}"
# port: 5432
redis:
host: "redis-master.database"
# password: "${SECRET_DATABASE_REDIS_PASS}"
env:
AUTHENTIK_HOST: &host "auth.${SECRET_NEW_DOMAIN}"
AUTHENTIK_HOST_BROWSER: *host
envValueFrom:
AUTHENTIK_SECRET_KEY:
secretKeyRef:
key: authentikSecretKey
name: authentik-secrets
AUTHENTIK_POSTGRESQL__PASSWORD:
secretKeyRef:
key: pgsqlUserPassword
name: authentik-secrets
AUTHENTIK_REDIS__PASSWORD:
secretKeyRef:
key: redisUserPassword
name: authentik-secrets
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- host: *host
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
secretName: wildcard-main-tls
monitoring:
enabled: false # temporarily disable monitoring
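Review bot: The `&securityContext` anchor defined under `containerSecurityContext` includes `fsGroup` and `fsGroupChangePolicy`, which Kubernetes accepts only in the pod-level security context, and the anchor is reused for `worker` and `geoip`. Depending on how the chart renders the value, those two keys are either rejected or silently dropped, so volume ownership may not be what the anchor suggests; indentation is lost on this page, so the nesting is inferred. I would move them to the chart's pod-level setting and add `runAsNonRoot: true` and `allowPrivilegeEscalation: false` to the container context. Separately, `error_reporting.enabled: true` sends stack traces from the identity provider to a third-party host, per the comment above it, and deserves an explicit decision recorded next to the setting.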


@ -1,4 +1,4 @@
apiVersion: source.toolkit.fluxcd.io/v1
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: authentik-charts


@ -5,6 +5,6 @@ resources:
- ./authentik-secrets.sops.yaml
- ./helm-repository.yaml
- ./helm-release.yaml
#- ./network_policy.yaml
- ./network_policy.yaml
- ./traefik-middleware.yaml
- ./dashboard.yaml
#- ./ldap-outpost


@ -0,0 +1,70 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: authentik-ldap
namespace: authentik
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 1.3.x
sourceRef:
kind: HelmRepository
name: bjws-charts
namespace: flux-system
values:
image:
repository: ghcr.io/goauthentik/ldap
tag: latest
env:
AUTHENTIK_HOST: "http://authentik.authentik:80"
AUTHENTIK_INSECURE: "true"
AUTHENTIK_HOST_BROWSER: "https://auth.${SECRET_DOMAIN}"
envFrom:
# Sets AUTHENTIK_TOKEN
- secretRef:
name: ldap-authentik-secret
service:
main:
enabled: true
ports:
# Disable http port
http:
enabled: false
ldap:
enabled: true
primary: true
port: 3389
targetPort: 389
protocol: TCP
ldaps:
enabled: true
primary: false
port: 6636
targetPort: 636
protocol: TCP
probes:
liveness:
enabled: false
startup:
enabled: false
ingress:
main:
enabled: false
resources:
requests:
cpu: 2m
memory: 80Mi
limits:
memory: 500Mi
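Review bot: `tag: latest` on `ghcr.io/goauthentik/ldap` lets the deployed outpost image change without any commit in this repository; the same applies to `tag: latest` on `oci.seedno.de/seednode/nginx` in the nginx-cdn release further down the page. Pin both to a release tag, ideally with a digest, e.g. `tag: <version>@sha256:<digest>`, so the running image is reviewable and the outpost matches the authentik chart version (`2023.3.1` in the other release). `AUTHENTIK_HOST: "http://authentik.authentik:80"` together with `AUTHENTIK_INSECURE: "true"` means `AUTHENTIK_TOKEN` travels unencrypted between pods; if that is accepted, a comment saying so would help. With both the `liveness` and `startup` probes disabled, a hung outpost will not be restarted.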


@ -1,5 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helm-repo.yaml
- ./ldap-secret.sops.yaml
- ./helm-release.yaml


@ -0,0 +1,60 @@
apiVersion: v1
kind: Secret
metadata:
name: ldap-authentik-secret
namespace: authentik
stringData:
AUTHENTIK_TOKEN: ENC[AES256_GCM,data:qBh9rgEbGBQj9yO1MVdtZtzdyhYdfTpsHUzeQd6RSDZsOEhRB2AMVXANoVh+EHeKnDdL6G4TQrsmIVZc,iv:0sFEKTyZOoR0IFGdroFCuyDBdPszqnlkYtV1nL+FCPE=,tag:bVc2MvsE0ePnBBfdc88Fqg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-04-09T19:41:26Z"
mac: ENC[AES256_GCM,data:SV/xyF9z5exA50GG3WJtaaGLaQ4s4eojEWR/UoDOcx09QcDtuRxtS/O0QPptQh4BoF1STIR+JuG9Yod7buVaVtbH8RQ9KimBWIEKHR8kuRl1AAXJiX4/Sr3xyD3k52oM1BIBpLKu4Osw7uG/+7so2l/vEHPlS1g3188yW6ICqH8=,iv:EPltYcBP+j+9z6JTZgrp26JY+yAkamZwUhn7We+hesk=,tag:0iwERzh8mJtSOm78FSQ9Ag==,type:str]
pgp:
- created_at: "2023-04-09T05:33:23Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAzKleRwoSoixAQ/+OJxLqkHHWfoeLQChCMRq0owB8EJ8dcZZrJMS2hydFsIh
C/C0QT9RCY9QskAhCHC4MV4W0Nc7VzK3bngbKitd3p5yTeHoKkG8RZv3OwAvzNt0
5aN2l9dHU6R9o3xkPemCDvW0+iuP7eIoKShkjRlAVYHnwCBpfUGHl0WqWBdCUZQy
dtLblg4SQMMw29yo9h7Wh6o5d9IWJmPlu7p4jOm1oUiS3AMBG1QlBnYTJRwPQRxe
mMaMhm0tJtiiUrEXgDl58ski9uy+3VMjMPocCfE03L4n5gOmXH58WBqvkRWOqVp1
v7arWedvOyQN0VqsCFZQfE8UN0Da1CtvtOFiBtPHLbOzqzvdht1RALppJt2bxXID
8fE2vB8CotGvAJf91xO+Sn7Ztwy8+JtmiQIWdGH60dzOQh3tsnKtjbP6ELCbbum3
yUO+uidKKu1RShQrosCi3ApToEXVdKL1GMYciLZ8ljovnr0oW3D1Vp4QyxHrR78o
4XLIwkvkvxk50tGexh1e2H7twe6JPNMC/fZ8zi40lxgDPo7931XXLHGgP6OsrU9u
fDYtRH5NzZRHFm9stgRnAaZEzGFMV22K8GedIhVjcdpmAXHDgG05IjAzF9IQ7toI
01OXVHSqlNXB2ayzyj2j6UiOmkAGKYLvu6iafHz+xxtxuE6v/z4lwV5npXoxYKPU
ZgEJAhCc2+F6zND9pZePOy+A59RexDElbOelQzgbzynppRrNPAU9fGOgXXQ2AuXD
WuB+OthmQp68v7SvCQ0yW0FsPO44Yd6U4Rlf2TwSiMNZhc/a3dJYJiMTjKEtMbtH
jICOBFncJg==
=LmeK
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-04-09T05:33:23Z"
enc: |
-----BEGIN PGP MESSAGE-----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=WLyV
-----END PGP MESSAGE-----
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@ -1,11 +1,11 @@
apiVersion: traefik.io/v1alpha1
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: authentik
namespace: traefik
spec:
forwardAuth:
address: http://authentik-server.authentik/outpost.goauthentik.io/auth/traefik
address: http://authentik.authentik/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
@ -18,6 +18,4 @@ spec:
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
- X-WebAuth-User
- Remote-User
- X-authentik-meta-version
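Review bot: `trustForwardHeader: true` in the first hunk makes Traefik pass the `X-Forwarded-*` headers it received on to the outpost at the `forwardAuth` address unchanged. That is only safe when the entrypoint accepts forwarded headers from trusted proxies alone; nothing in this section shows that, so please confirm the `websecure` entrypoint's `forwardedHeaders` trusted-IP setting and record it in a comment such as `# safe only while entrypoint forwardedHeaders is restricted to trusted proxies`. Backends behind this middleware should accept the listed `X-authentik-*` headers only from Traefik, since they carry the authenticated identity.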


@ -3,7 +3,7 @@ kind: Kustomization
resources:
- ./namespace.yaml
#- ./network_policy.yaml
- ./postgresql/ks.yaml
- ./postgresql
- ./redis
- ./minio
- ./mysql
#- ./mariadb


@ -0,0 +1,24 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: mariadb
namespace: database
spec:
interval: 5m
chart:
spec:
chart: mariadb
version: 11.5.x
sourceRef:
kind: HelmRepository
name: bitnami-charts
namespace: flux-system
values:
auth:
username: k3scluster
existingSecret: "mariadb-secret"
primary:
persistence:
existingClaim: mariadb-pv-claim


@ -1,5 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../../../common/templates/volsync
- ./mariadb-pv.yaml
- ./mariadb.sops.yaml
- ./helm-release.yaml


@ -0,0 +1,27 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: mariadb-pv
namespace: database
spec:
storageClassName: hostpath
persistentVolumeReclaimPolicy: Retain
capacity:
storage: 12Gi
accessModes:
- ReadWriteOnce
hostPath:
path: "/mnt/MainPool/Kubernetes/databases/mariadb"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mariadb-pv-claim
namespace: database
spec:
storageClassName: hostpath
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 12Gi
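Review bot: The `PersistentVolumeClaim` `mariadb-pv-claim` does not name the volume it is meant for, so binding to `mariadb-pv` relies on storage class and size matching alone; the postgresql PV/PVC pair later on this page has the same shape, and there the claim requests 10Gi against a 12Gi volume. With `hostPath` volumes holding database files, a claim bound to the wrong volume would expose one database's data directory to another workload. I would add `volumeName: mariadb-pv` to the claim and a `claimRef` on the volume, and drop `metadata.namespace` from the `PersistentVolume`, which is cluster-scoped. The volume also has no `nodeAffinity`, so nothing shown here ties the pod to the node that owns `/mnt/MainPool/Kubernetes/databases/mariadb`.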


@ -0,0 +1,62 @@
apiVersion: v1
kind: Secret
metadata:
name: mariadb-secret
namespace: database
stringData:
mariadb-root-password: ENC[AES256_GCM,data:Fv/IBSYJ59NwAXIm4++j9ouW7QXAWMP8Et6qTtYZGWc=,iv:LpoL3VXqRMPR1jdtAG8hVRpslAZx5C4K1fxHyrjnrE0=,tag:0wi3E4snnKIxtDptgOSr4g==,type:str]
mariadb-replication-password: ENC[AES256_GCM,data:glOy5LsxWzngOjtH0cUrtH3KGA+6kOe0WJw5ul5BiQ4=,iv:URpyq5Sf3CCAqDOtPfM/EvgkMcejvM71gA69zgePlFM=,tag:OeZbv4wUBcoSVUMz1pSi5w==,type:str]
mariadb-password: ENC[AES256_GCM,data:FqraX9l4nFTWrZ3v9LnJJNFuhwURjBSrmMXLT/C9ej8=,iv:CLGc8XHUeLbixBN9Wdx81SJTe8L3HwPaHQ4Lc2iMFvY=,tag:voDFAnniUVshGRuv4+zYGw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-04-17T00:12:38Z"
mac: ENC[AES256_GCM,data:v7rimrwed+ElVHZyO7zdIQLoYR2tJrtZVNUgeBMwZUB6+/v52wa/OIIWoPrsXbGQe0W1w/e1t08ekB8tbanzItD1ftg9mYfAsfBkD2XQyyXornV2uDBbmifUq/yH3a89h97j26Ofzx8PZqFYYnFLSCTXHbdmDNsPHza70fYfk40=,iv:2A0pduramwAP4y3UUU73li9hzC5keGuAzmN2euPFSRI=,tag:tSygQLB9UyzFgR89An/j6w==,type:str]
pgp:
- created_at: "2023-04-07T01:57:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=mItp
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-04-07T01:57:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=eiXM
-----END PGP MESSAGE-----
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@ -1,4 +1,4 @@
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: minio
@ -39,20 +39,6 @@ spec:
enabled: true
port: &api-port 9000
serviceMonitor:
main:
enabled: true
labels:
release: kube-prometheus-stack
endpoints:
- port: api
interval: 15s
scrapeTimeout: 5s
path: /minio/v2/metrics/cluster
bearerTokenSecret:
name: minio-metrics-token
key: bearerToken
probes:
liveness: &probes
enabled: true
@ -85,6 +71,7 @@ spec:
tls:
- hosts:
- *console-host
secretName: wildcard-main-tls
s3:
enabled: true
@ -108,6 +95,7 @@ spec:
- hosts:
- *api-host
- *api-host-wildcard
secretName: wildcard-main-tls
podSecurityContext:
runAsUser: 10000


@ -1,5 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./config.yaml
- ./minio.sops.yaml
- ./helm-release.yaml


@ -24,47 +24,47 @@ sops:
lastmodified: "2023-05-02T01:04:37Z"
mac: ENC[AES256_GCM,data:gDdMq2TKdDFcB62nOeUImdE5+iUKTdg1Yy58NgaENnGytCven1zjHEEAB1gRFAMHrzpgEkYpMKmeamVduetDGFriZD0CCJzfm6FyTtzZ9h7l1KrXowJJtSrycI7PJSylx2cwdqCBBw0JJzrcVUWr1UcLMvOuKtnWNcajmQCqiCc=,iv:vXXPDmATomJ5gLESj+gJ5NCTWcNJxd0HFixN2oQrIXw=,tag:AHVUyQginmTkTS/+cnZ6YQ==,type:str]
pgp:
- created_at: "2023-06-19T18:35:26Z"
- created_at: "2023-04-07T01:57:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=cwJG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=mItp
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-06-19T18:35:26Z"
- created_at: "2023-04-07T01:57:22Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAy5t8IMoPu4VAQ//Z5eaHrEjMSCeyFOI/5Y5fLelGJjAqv+LYax5hpDfTk0F
5KZSZYOnr1nd/3GvK5V62REqNoP+QfiZQQiDrG3vnz/Z/YGCR2q6fRN2OHj2IsA9
sYaX9UyQzh4PKUWPuePgtx3o1RtUPcDIvzA6iNxSBaLuSVI2hXG0f0A3Q4TGsmfd
uhXRVb7QP31R6/+d4JzB+tAhhqXBVY0AZog1oRU5D4IDseJ0zPYkKQw8ER2TTL6J
M7bal5QV99SZMAeVyUjuQ+ryHrdIQrd3oKgQts+aCDEwviMrSntpWK7Aj4I0Qkvk
UgETA14+s15ziuV+IjwlfmbyFOcVpJJDGv/aND71iDmdLm+SFCL6uoCFhPGwWlt1
SHrycwn2sMRQxo7dS5GVAFtqdgoX5apHR0+Txy0gM9Biakqb+zkqBaqNHDD8tPhh
V1tk+IIKXoI4DQ8u8IFVACaeYh0iL1wLa4Ta785lKhNWpKPuY/Emnz8Hw+7gy72K
pkRn37Q1dxr5s3jpqpXcVCeNwFglHxW+OtSYts2auUVTdIo2gH7dTWMD9qi2Hlle
sImp+aKbuGac78ic0aQ5M0pafe929J44rYcPZZPEDWgGmXlZtNfijqHN33En1RRC
qBwNvnrNiLfhfXSGOcs+dWxWor0Ckcli9yGUsStPK2MAK6v4H3QCtTdQEbsjjOPU
aAEJAhDXtIlRgUFXChNcVtjdkQxAgNHy7YwztUxq2J/e/ai6TVa5MllvbJu+triS
QecWxpB5AFIoAuYHr0RFN2mKoaf0l3sYwyzO6lVvojiQQuXdJ24iaLUqqqjc1Bhc
Sth+m/y+3qUE
=8PO9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=eiXM
-----END PGP MESSAGE-----
fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@ -1,4 +1,4 @@
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: postgresql
@ -8,7 +8,7 @@ spec:
chart:
spec:
chart: postgresql
version: 14.3.x
version: 12.2.x
sourceRef:
kind: HelmRepository
name: bitnami-charts
@ -20,23 +20,18 @@ spec:
adminPasswordKey: "adminPassword"
replicationPasswordKey: "replicationPassword"
serviceMonitor:
enabled: true
labels:
release: kube-prometheus-stack
volumePermissions:
enabled: true
primary:
persistence:
existingClaim: "postgresql-pvc"
existingClaim: "postgresql-pv-claim"
containerSecurityContext:
enabled: true
runAsUser: 655
runAsUser: 10000
readReplicas:
containerSecurityContext:
enabled: true
runAsUser: 655
runAsUser: 10000


@ -4,4 +4,4 @@ resources:
- ./pgsql-pv.yaml
- ./pgsql.sops.yaml
- ./helm-release.yaml
#- ./pgadmin4
- ./pgadmin4


@ -1,14 +1,16 @@
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: pgadmin4
namespace: database
labels:
needsDatabase: "yes"
spec:
interval: 5m
chart:
spec:
chart: pgadmin4
version: "1.34.0"
version: 1.14.x
sourceRef:
kind: HelmRepository
name: runix-charts
@ -20,28 +22,11 @@ spec:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- host: &host pgadm.${SECRET_NEW_DOMAIN}
- host: &host pgsql.database.${SECRET_DOMAIN}
paths:
- path: "/"
pathType: Prefix
tls:
- hosts:
- *host
# securityContext:
# runAsUser: 10000
# runAsGroup: 10000
# fsGroup: 10000
#
# containerSecurityContext:
# enabled: true
# allowPrivilegeEscalation: false
# envVarsFromConfigMaps:
# - pgadmin4-secret
persistentVolume:
enabled: false
volumePermissions:
enabled: true
secretName: wildcard-main-tls


@ -1,4 +1,4 @@
apiVersion: source.toolkit.fluxcd.io/v1
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: runix-charts


@ -0,0 +1,27 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: postgresql-pv
namespace: database
spec:
storageClassName: hostpath
persistentVolumeReclaimPolicy: Retain
capacity:
storage: 12Gi
accessModes:
- ReadWriteOnce
hostPath:
path: "/mnt/MainPool/Kubernetes/databases/postgresql"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: postgresql-pv-claim
namespace: database
spec:
storageClassName: hostpath
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi


@ -0,0 +1,62 @@
apiVersion: v1
kind: Secret
metadata:
name: pgsql-secrets
namespace: database
stringData:
adminPassword: ENC[AES256_GCM,data:gJ7rl2V/VlbIIRvRHcwMaZKN87t5n8bVWZCj/tRv8Uw=,iv:b/5eEnOrHzJrtnO+E2IGwJLHy2AdJQwv9WfUR5fUHY4=,tag:nTtaDNHVfYpChQX9UWwdKA==,type:str]
userPassword: ENC[AES256_GCM,data:gR7q508lUaRDRJ/z5lH99JLJSS9zWfg0O+TAm2B9uvo=,iv:9DDQxwd/BGtLQDacAH/crfT+qU4Pn5sGkWuEtmMprUI=,tag:tK3WoUd7729LQDVqU7pckQ==,type:str]
replicationPassword: ENC[AES256_GCM,data:BSA5IfYhhvN445yp2i3BI5zlIXgdj+LejCPzvlTMnVo=,iv:Qku2NAQPLxt+NUnk2dSx1+WAoyx3aEuA3+piU2mubYk=,tag:MnI+atK6VLZUc3eGS1OE1w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-04-07T01:57:23Z"
mac: ENC[AES256_GCM,data:wvjHgGOMyuVpy4klW5/aO434NKABQJc0907BIwLOXMxSOuIsedAeRhCWdi70IJfv5m8gIcRCb/jWVtDgQePd6CALglH72VlA3NiZI5EQrdBLQUmpGSglLNScrLDOjqNrXG/UgmikATskO5R0vl/203jt1S4OupuEHiPqPRHSSdc=,iv:qHHpufOzzjk8NCuldShenJbC1BlzhMpy4Tz2wWBolvw=,tag:HpoB7PM1gZfv6qfun7ucRw==,type:str]
pgp:
- created_at: "2023-04-07T01:57:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=mItp
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-04-07T01:57:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=eiXM
-----END PGP MESSAGE-----
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@ -1,4 +1,4 @@
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: redis
@ -8,7 +8,7 @@ spec:
chart:
spec:
chart: redis
version: 20.6.x
version: 17.9.x
sourceRef:
kind: HelmRepository
name: bitnami-charts
@ -19,29 +19,21 @@ spec:
existingSecretPasswordKey: "password"
master:
podSecurityContext:
enabled: true
fsGroup: 10000
containerSecurityContext:
enabled: true
runAsUser: 10000
persistence:
enabled: true
storageClass: mainpool-hostpath
size: 8Gi
replica:
podSecurityContext:
enabled: true
fsGroup: 10000
containerSecurityContext:
enabled: true
runAsUser: 10000
persistence:
sentinel:
containerSecurityContext:
enabled: true
storageClass: mainpool-hostpath
size: 8Gi
runAsUser: 10000
metrics:
containerSecurityContext:
enabled: true
runAsUser: 10000


@ -0,0 +1,60 @@
apiVersion: v1
kind: Secret
metadata:
name: redis-secrets
namespace: database
stringData:
password: ENC[AES256_GCM,data:jjXsxyMKvPsAAr3wMhZWV/E/Qmmz/OYQvu6f8pRXasY=,iv:8K9IzAywC9CHiZ+ASoxhSqN14amL6APbzjpBtxPS50s=,tag:GbgcAhhDp+ob83Neyr/Lzw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-04-07T02:27:25Z"
mac: ENC[AES256_GCM,data:7/C0bTMeOXSWeP2ftsCrWRLk84U0RmmNBQgo8oWKKo82ELZq13UNjGyQovdnkSJQohmrf3NeYAqD1BEdkLnV1i8Fc0+UeVw0RIqApVXT0QuL1N9raw71TCZFpdIlB/QVqpnSByGquHtHeDVCU1XeVucq9SXbRQC+KXHIKKYRRWk=,iv:gG2zWKGmhCbz3iqfYUIpTvgx1Pkr3jnCPsopS1sWLWU=,tag:AAg40kPevQR+TsIpvarKRQ==,type:str]
pgp:
- created_at: "2023-04-07T01:57:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=mItp
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-04-07T01:57:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=eiXM
-----END PGP MESSAGE-----
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@ -0,0 +1,66 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: nginx-cdn
namespace: default
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 1.3.x
sourceRef:
kind: HelmRepository
name: bjws-charts
namespace: flux-system
values:
image:
repository: oci.seedno.de/seednode/nginx
tag: latest
args:
- -c
- /config/nginx.conf
service:
main:
ports:
http:
port: 6544
probes:
liveness:
enabled: false
ingress:
main:
enabled: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- host: &host "cdn.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
secretName: wildcard-main-tls
persistence:
data:
enabled: true
type: hostPath
hostPath: /mnt/MainPool/Kubernetes/cdn/data
readOnly: true
mountPath: /data
config:
enabled: true
type: configMap
name: nginx-cdn-configmap
resources:
requests:
cpu: 1m


@ -0,0 +1,122 @@
apiVersion: v1
kind: Secret
metadata:
name: firefly-env-secret
namespace: default
stringData:
ALLOW_WEBHOOKS: ENC[AES256_GCM,data:qdisaso=,iv:rT7WID3kRMPEGmWJepNmrj1tutxsT5Arw5AN9oVFoXE=,tag:jkYkRaGLEB3iBEjEVIAVCg==,type:str]
APP_DEBUG: ENC[AES256_GCM,data:Jyo8QmI=,iv:Gq2Ldh+H+oturcglphQb7ERHX8jD/5j01qtEJDRPAn4=,tag:m96oouPtT9J5zQHPs2QaVw==,type:str]
APP_ENV: ENC[AES256_GCM,data:19kiyms=,iv:KLwsQOsDvg/7f18FEsg+e2rgnXSbsxwSNbItmgLGy8M=,tag:mUX/UeXFi0eeZ68bsJpq8Q==,type:str]
APP_KEY: ENC[AES256_GCM,data:PI70apm/K8/1el4lW3KR6wLgBDgj0YAQ6KwngqxSv2Y=,iv:S7xrpAeY3wM3moCL/i5R045yst7Zz8ahXbLyNfvacZ0=,tag:hOXR1kKdxVoQxZyjZu+ajg==,type:str]
APP_LOG_LEVEL: ENC[AES256_GCM,data:ZwJTcn8y,iv:wk+jX9Zp1TTn1EHv0OLgt+0alm5JBHdWcEtIn1dTI6o=,tag:gR1Ls7dFGyt4hKGiwLU5wQ==,type:str]
APP_NAME: ENC[AES256_GCM,data:yfd2OQk6NvjKcA==,iv:jLL2Dt0YlWODwCKSnqR1yuSWJsKySQNZY/pEfxi5jJM=,tag:XoHlMsMuRG6S4Wm0PVjtBA==,type:str]
APP_URL: ENC[AES256_GCM,data:+bveNLjanPPMkoMrDO4KsA==,iv:xQWHzRKBMBumi2bFCUKoWLRiuNNV3HQLv1WGEiZ6RRg=,tag:h9IF4XwIK2P8sB4V1Su5Ug==,type:str]
AUDIT_LOG_LEVEL: ENC[AES256_GCM,data:OA7nqw==,iv:9BcE5Bf9QDf3kzA4Xbf0XkbkFjGAv6id7vdSI12wRm8=,tag:QN7o1eEbGSTvrGGBzzouSg==,type:str]
AUTHENTICATION_GUARD: ENC[AES256_GCM,data:GodJ,iv:5VBM+DywcKMgc4D4zdhItqb7susxTYWp/T3vjysOiHA=,tag:u75H74ev2Jdgfdtc8bMATw==,type:str]
AUTHENTICATION_GUARD_HEADER: ENC[AES256_GCM,data:PI++XaLAVagcKPA=,iv:KDXYnU8jQ3jbfj3TnEdyrlC1KOec9XFi7BG+BZbFhf0=,tag:FvMIy1wCV05W8rneaX4yFA==,type:str]
BROADCAST_DRIVER: ENC[AES256_GCM,data:2iYs,iv:5oeuA+08uDRSJyLwwkdFC2q4LZKNs2OSoQjsnIX0aYY=,tag:m2ybfxtY98j39sBnax7IVA==,type:str]
CACHE_DRIVER: ENC[AES256_GCM,data:2lv9YGE=,iv:xuk6ih2wApMuWJIlm9clwYCnMR973lG7EOHDUZtlDvc=,tag:cdEh6/zAZ+7IcQMvHojgXQ==,type:str]
CACHE_PREFIX: ENC[AES256_GCM,data:OS/jr/Qo5A==,iv:wLeRO4uAo+HHB/1tK3m4MEeefmMRTc0+aTYuUGGrYyg=,tag:8cv8oxfwMkTeZ8+JsCoWVA==,type:str]
COOKIE_PATH: ENC[AES256_GCM,data:pQ==,iv:5QR02hlvi9n/gl6LLdSR2HSybzohlCisq51+QzUJv1k=,tag:hpwUD0ctU0pX7S+V6UNz/w==,type:str]
COOKIE_SAMESITE: ENC[AES256_GCM,data:HNlS,iv:f/kbAOVyWFEH6yKr+N3zM+9tNQQCpQA7/iKAg8ejFdk=,tag:g1rmzfnWSYIzxFJA0l/uUA==,type:str]
COOKIE_SECURE: ENC[AES256_GCM,data:fxJkE2M=,iv:0JXgzyybtMtIgxh6VSwAS5oehpVMFkLKvJFOBDcwhVM=,tag:RAhNUuJKOho6bvXJyNT6cg==,type:str]
DB_CONNECTION: ENC[AES256_GCM,data:Y7b+kts=,iv:1vZBNoO4O0Z8LPH3ZPSDpx49jtbQOEl6+BitbKyat4A=,tag:eOUpSlZGZKM0LPHdZMjb+Q==,type:str]
DB_DATABASE: ENC[AES256_GCM,data:1rRtAXfMaA==,iv:vErtoqpi1KsHVL0nQ6x2MVNe6JCKxjCxivXXjtUT6Uw=,tag:AYxHWADlGq4NHbcVx8QcHg==,type:str]
DB_HOST: ENC[AES256_GCM,data:sjYDEi8q4bAgpdnxin6yDBtNJw==,iv:6rxqBNvXSsE+2oxWbwiztmlxtKP8C0aeYMdmuGTyF/g=,tag:lRB3EwV4vwa64CI3xqi2lQ==,type:str]
DB_PASSWORD: ENC[AES256_GCM,data:PeysFTbHeZHTnkn0XlJ58AMZbS3EzANUQ8UnhQXRIoU=,iv:NM8c3dx8TlQkPVJGECnyg2L6JM7CQwlx/LQ59x15dY0=,tag:xuLow/AXp+yOUm4hO2527g==,type:str]
DB_PORT: ENC[AES256_GCM,data:yXp98w==,iv:a/jbQI7/3QMKaSJRiZGhdYBzdIzyNA0M3sL83bD/1is=,tag:PxauXvxyQlNo8EaFMzdjKg==,type:str]
DB_USERNAME: ENC[AES256_GCM,data:UOz2K8KusA==,iv:75KRLL7F0mtzESvfvVaIJiBqAz1i8JIcS2VwAMm3KVE=,tag:HmjzrLg4hLuAjQ88U3CDbw==,type:str]
DEFAULT_LANGUAGE: ENC[AES256_GCM,data:U2qo/Z0=,iv:duSb5g58hXy+BjmU51cWVc2APmz/THtQrmfKyWJL8Xs=,tag:3578FhaZxtyLXjFOJA7sVQ==,type:str]
DEFAULT_LOCALE: ENC[AES256_GCM,data:DX3VePo=,iv:d3P66DEPoI3yiZj00YaYVEsu9zCSQ+Nz0vCOxJjfkNk=,tag:JNeGcODHleBBOJrewOWq2w==,type:str]
DISABLE_CSP_HEADER: ENC[AES256_GCM,data:mS45ZNE=,iv:7twp7yAggJfGDKnoqoi4OY97uMQuOq1Y3y6LFst9qFY=,tag:mselnIDI/OzNplWsdq2YlA==,type:str]
DISABLE_FRAME_HEADER: ENC[AES256_GCM,data:lIO+3IU=,iv:/jCBrh9pxsNouU+glpvXqEXI3veHsqaHWkSDEJcJzHI=,tag:JHWUyPl6Ir+XczlkEm/xsw==,type:str]
DKR_BUILD_LOCALE: ENC[AES256_GCM,data:43nBSlc=,iv:pylnsBF4HORItmtHxLxaXjojdyazm1rseMtqgTwwX8k=,tag:mi7eWamr3l/H+foZUJYsJg==,type:str]
DKR_CHECK_SQLITE: ENC[AES256_GCM,data:TssvPA==,iv:N6kVxo9w7pjUy5PSt0nF3yPS7imaKaWbizPZdMv7rKQ=,tag:DpWzkfkFbFaQpuLTirsP1g==,type:str]
DKR_RUN_MIGRATION: ENC[AES256_GCM,data:6+nNEA==,iv:TxFrPKxoaN/neoRK09F5SJswfh+ULHw/tFQz+ouOOsU=,tag:UsMPAYDhgccBtBUAXxTNaQ==,type:str]
DKR_RUN_PASSPORT_INSTALL: ENC[AES256_GCM,data:rA1uHQ==,iv:TKV5pRA65C8FNHOrpzx90qA7maX5ld3aLCv/PrQamII=,tag:bqtT9pqHILiV1AEzkkYk5Q==,type:str]
DKR_RUN_REPORT: ENC[AES256_GCM,data:bqE/+A==,iv:PWlGji8/zVoosDeoWaTG4f9rDJwKOilwENI1JtzatPA=,tag:cHCeTgnB7c0TZ+9bSxFW4A==,type:str]
DKR_RUN_UPGRADE: ENC[AES256_GCM,data:76w+1w==,iv:XZwFW5WoWRBhfgM8Jf71IAEsWJxaWj6nmzh4arjV9IY=,tag:wm49cS3mMPPj0l7rNRm7nA==,type:str]
DKR_RUN_VERIFY: ENC[AES256_GCM,data:GE3u0A==,iv:hZc9+yCN781Hm/M6UrzAnFELJopG/m0PTaHCwJuK4Ic=,tag:SwJ/ujTY9VsrS8payg5FbA==,type:str]
ENABLE_EXTERNAL_MAP: ENC[AES256_GCM,data:jwbL3WE=,iv:EmuPlxlldYIK57w44oeiOUx4dNUx88avn/MXGw0khqk=,tag:6UqgxY3eTE/DQ4znx5NNzw==,type:str]
ENABLE_EXTERNAL_RATES: ENC[AES256_GCM,data://NWaSg=,iv:l1k7TLg2d4impHiGyHtVmXFBpHSK1X+MIIMEvqHmFCc=,tag:7FX96H6R+ez0corFjpzoWA==,type:str]
FIREFLY_III_LAYOUT: ENC[AES256_GCM,data:KGo=,iv:xvBorcd8fPvlGYeomuexZBtORPc7LJRII9pYP1ZNBsg=,tag:ibFX6k0a12rXElxRODc1YA==,type:str]
IS_HEROKU: ENC[AES256_GCM,data:Ffu4Sro=,iv:Q5txv1a/DcH+Utlr12zQJUBy4vlcdxcHFsNDWuWVOeU=,tag:NTay0IKz6s7a9dFpx1BZ+w==,type:str]
LOG_CHANNEL: ENC[AES256_GCM,data:Njfav/E=,iv:xwccazZYrtARU7xKooAnBKJcCDJH5xUSN0C+nIs8Pos=,tag:jI3pelMMZQQ37uuUmUmENQ==,type:str]
MAIL_FROM: ENC[AES256_GCM,data:ILVOrph55Ku8pIfsHtU8DjMuUjo=,iv:c4wzRvDugyRUbKZKq/fgQ2eP3CJ1wJzkQo89tBCZ0WU=,tag:tx2lUsnCBbYIk0h4gL/CBA==,type:str]
MAIL_MAILER: ENC[AES256_GCM,data:rdoZ,iv:NBi4YtbtTkDJHQmXBu9lGUfCWhfRgtYLI3UCayMpq2k=,tag:o+cXYLXlJ0bWVQAPr85CJA==,type:str]
MAIL_PORT: ENC[AES256_GCM,data:lffjiQ==,iv:GsZWiMZGuhpPJfX6vPcr3PKuq2YXS3oQ8v8NojufyKk=,tag:rHcfDoLZdU5wCQR4g/qV6A==,type:str]
MAILGUN_ENDPOINT: ENC[AES256_GCM,data:rrw7Rwjo//tdEyxN98pE,iv:3aeAQM4RV5hDFfZ08voXgk7IrejoM8YACluo75AmRrE=,tag:cAmTiI0vPAnY7NX+YlM6Og==,type:str]
MAP_DEFAULT_LAT: ENC[AES256_GCM,data:i8I6LaPPLFoi,iv:sG6dP5GS2G6kGXEsn8P3KJmyEThJ73WIN2gkMJwNDBA=,tag:uefjbg5pZdIIONBklcsSyw==,type:str]
MAP_DEFAULT_LONG: ENC[AES256_GCM,data:+ESO4h6cGSE=,iv:hAFNmDfc6XWnQbpLQXjUsdZSOwPu964MlFBXYsNr9O0=,tag:iXfs5Z+Ojojzp2H2u1kHxA==,type:str]
MAP_DEFAULT_ZOOM: ENC[AES256_GCM,data:zw==,iv:soYKokimSKxSS0x9nM7GcZfpXtwxjuXVls+KFh61w30=,tag:ryX2Rj1TakKRfynh7bFEtw==,type:str]
MYSQL_SSL_CAPATH: ENC[AES256_GCM,data:Mo68CXbhV7kK5ZGi5MS8,iv:pVKSl5Tu8xzZVk4FX0DIA3vpVYZ9V0RXtfkoUTYeAAU=,tag:bez1DYHFlOn5TZ/oz7F6fQ==,type:str]
MYSQL_SSL_VERIFY_SERVER_CERT: ENC[AES256_GCM,data:DT7Jow==,iv:ZEOzfc0IepdvDNo2vWanOsYAT4EGLvFnSpL8qiiOwes=,tag:eEilJ8cwgCer7H/8qpDPgg==,type:str]
MYSQL_USE_SSL: ENC[AES256_GCM,data:rsKgGpE=,iv:nEJbHiaqOvVauAtCyL6uvfmkAmgvjjSFb28L3/j1PmU=,tag:6d5whsZ30buXkc0W4+5JIg==,type:str]
PGSQL_SCHEMA: ENC[AES256_GCM,data:pmFdRyiy,iv:mYXXlj7R7T3RTuK7QNRKiY6HwCezQYaMpn6de0st+FA=,tag:xFs7kAnFuRjDVRjKyyrJOw==,type:str]
PGSQL_SSL_MODE: ENC[AES256_GCM,data:/spE//X3,iv:qCBP7fJVFixBrB1ApGti1Nq0S87RcVxpHqmPBW9GuWU=,tag:MyCEseplfPX9PNdoqGLvmw==,type:str]
QUEUE_DRIVER: ENC[AES256_GCM,data:tTmRSg==,iv:2KdDPsJ9PlyHsVsFdknC7A4cShE5bBBpRxWslF/0wgY=,tag:7QN0MlfyoDyukmAgmgQvxg==,type:str]
REDIS_CACHE_DB: ENC[AES256_GCM,data:9w==,iv:MKfWJO941vxlJ0VP/0ob9JeFnHkI+okOkd/ifxkbKTA=,tag:PyyjVTRCUSvZxpHekP9ENQ==,type:str]
REDIS_DB: ENC[AES256_GCM,data:Bw==,iv:h3v/+cO1W7eGDAGjVtgeDh8UekMg+ZvIRkNZx+iE/Es=,tag:nF143FAtE181ZJfAjtau7A==,type:str]
REDIS_HOST: ENC[AES256_GCM,data:7hVDI2P+443UGlw/jyBFmNTDBM2p,iv:sbLD+/wdDEiKYpR3ttrey6HTlI5n76trH3wZjU7s3uQ=,tag:qZP1nb9+tOr7Lm4i9HR4wg==,type:str]
REDIS_PASSWORD: ENC[AES256_GCM,data:/i9UM5Cx6h61xbDQ//ocmW1BtmT0LILnwwemOwaTTkw=,iv:FINFRW1006Ljnb1JSi+Ctae3Jw9xR5EW73Ut8FCNfHI=,tag:+6raDqY1TgQQgbkcCcbCLg==,type:str]
REDIS_PORT: ENC[AES256_GCM,data:ME1O4Q==,iv:FhqTqv645wnhhQdGW0IsemeXOlJuCKjbMa3tBw0kueI=,tag:b7TdkDklkFwE/X3lE6XZGA==,type:str]
REDIS_SCHEME: ENC[AES256_GCM,data:puE6,iv:XvOpz9QO7Fn14bbHT8L2p0HquNxIzxomN3Bg3K2NOQY=,tag:qerZcGVGKXW+YAyj6RK9Tg==,type:str]
SEND_ERROR_MESSAGE: ENC[AES256_GCM,data:9xoXVw==,iv:m20IvyDsNzw7v3U8Ai34MhhxrIUGnU3OK9LHwZAdlJo=,tag:BgrhqBiqc9RYo9EzOCvSsw==,type:str]
SEND_REPORT_JOURNALS: ENC[AES256_GCM,data:+ErZjA==,iv:dcrc2+U7MoSBQ3b7w2qe0wIb50AbLDQ8/N9TK03ub5o=,tag:ub6+5g77qZxq8IjxDmk7og==,type:str]
SESSION_DRIVER: ENC[AES256_GCM,data:QlF9bSQ=,iv:I1cjDE4EFVG166ISZaNuM0eFMs6U55y7LUl2cVIONrI=,tag:VxKEC67A3Y0IRNKJ/nZV0g==,type:str]
SITE_OWNER: ENC[AES256_GCM,data:KbzTQ/QdlMmxnSDr1mCo4EG9,iv:287MEAzZFE3+zp3bWWA5Y2u3w7iQH+7AAZ812I4Elx0=,tag:TlljmsgLww7EJIBMdDrKvA==,type:str]
TRUSTED_PROXIES: ENC[AES256_GCM,data:cAU=,iv:MBL/z8pmM2CxlDT1sY4my2gC3jsDo6O1NSa11w3en5U=,tag:zqzHOR69HT3+U7tQOFQQSw==,type:str]
TZ: ENC[AES256_GCM,data:45gLKxH0OsAfMPkgnjKgWQ==,iv:P9CUovVI4WSfZi1nyFHVzHJ7Oioai1FUZRcgBNhQb64=,tag:S7IF8Oxg7hYNcT0mcgkg7Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-04-22T06:58:04Z"
mac: ENC[AES256_GCM,data:/rwjyeSoSNzgrBa+vDL1u7xUbimDYg5G/6faE2wNtD87GhTs1xyzG91/GmolOutbB/8shxIiV5EA1uhjqjRIBdww/vkE6eY4oqqBb45OwpFzpvpas44KzXKOcA2UuH3uTMkdfGGQN4FSfCs5Ku2T0UhjNu4qhQMAxZYxtjCaDOc=,iv:JK11VmLn5fZdsx2AM0VMH0rwrHYr/Bx5mZ2BKVJgKOA=,tag:vMOs1mlQT1FA/212SyujIQ==,type:str]
pgp:
- created_at: "2023-04-22T06:45:59Z"
enc: |
-----BEGIN PGP MESSAGE-----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=KEGa
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-04-22T06:45:59Z"
enc: |
-----BEGIN PGP MESSAGE-----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=egmO
-----END PGP MESSAGE-----
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
encrypted_regex: ^(data|stringData)$
version: 3.7.3
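Review bot: Every setting is stored in this one encrypted Secret, including toggles that are not credentials but do affect security, such as `APP_DEBUG`, `COOKIE_SECURE`, `DISABLE_CSP_HEADER`, `DISABLE_FRAME_HEADER` and `TRUSTED_PROXIES`, so their values cannot be reviewed from the diff. I would keep only the real secrets here (`APP_KEY`, `DB_PASSWORD`, `REDIS_PASSWORD`, plus the database and mail identifiers if those are considered private) and move the rest to plain `env` entries in the HelmRelease, where a change to a debug or header setting is visible. A header comment such as `# credentials only; non-secret settings live in the HelmRelease env block` would keep it that way.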


@ -0,0 +1,72 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: firefly-iii
namespace: default
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 1.3.x
sourceRef:
kind: HelmRepository
name: bjws-charts
namespace: flux-system
values:
image:
repository: fireflyiii/core
tag: latest
envFrom:
- secretRef:
name: "firefly-env-secret"
service:
main:
ports:
http:
port: 8080
probes:
liveness:
enabled: false
ingress:
main:
enabled: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- host: &host "budget.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
secretName: wildcard-main-tls
persistence:
firefly-uploads:
enabled: true
type: pvc
accessMode: ReadWriteOnce
size: 8Gi
mountPath: /var/www/html/storage/upload
podSecurityContext:
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
fsGroup: 10000
fsGroupChangePolicy: OnRootMismatch
# resources:
# requests:
# cpu: 1m
# memory: 275Mi
# limits:
# memory: 500Mi
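Review bot: The `resources` block at the end of this release is commented out, so the pod is scheduled with no memory request or limit, while the other releases on this page set them. Together with `probes.liveness.enabled: false`, a hung or leaking container is neither restarted nor bounded. I would restore the block with the values already in the comment (`cpu: 1m`, `memory: 275Mi`, limit `memory: 500Mi`) and re-enable the liveness probe once a suitable path is known.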


@ -0,0 +1,16 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: gitea-pv
namespace: default
labels:
app.kubernetes.io/name: gitea-pv
spec:
storageClassName: hostpath
persistentVolumeReclaimPolicy: Retain
capacity:
storage: 30Gi
accessModes:
- ReadWriteOnce
hostPath:
path: "/mnt/MainPool/Kubernetes/gitea"
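Review bot: `metadata.namespace: default` has no effect on a PersistentVolume, which is a cluster-scoped resource, and it suggests a scoping that does not exist. Because the volume is a `hostPath` identified only by a label, any claim in any namespace that requests `storageClassName: hostpath` with a matching selector could bind it. Adding `claimRef` with the namespace and name of the gitea claim reserves it for that one consumer. I would drop the `namespace` line and add a comment such as `# hostPath PV: data lives on one node; reserved for the gitea PVC via claimRef`.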


@ -0,0 +1,61 @@
apiVersion: v1
kind: Secret
metadata:
name: gitea-secret
namespace: default
stringData:
admin-password: ENC[AES256_GCM,data:IjukgfqqKKmFzOA=,iv:pbkG9/pRDveNksDJJU8ujje56xLTUFAFHDuaX2Te7yg=,tag:dMXUc4wQ1n6U0jmFmDdR9Q==,type:str]
db-password: ENC[AES256_GCM,data:V7tDCRPEbYrSLbgwZgU7yVOPh/kUH0cK4aFkmvEiFgI=,iv:u8dgHSPrIYY7kBjiWTEmgYnQzh157iPpC0d0j2KWOZ4=,tag:IbY2UumxQhANDF7lEcEEig==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-06-04T04:02:52Z"
mac: ENC[AES256_GCM,data:Rfp9jgDr4b35rwTmX9EfOGgPSdYGSwoK096cDz2MFFzp3akUyeRQposFJ/M1JtcYLseg+XCKCLNSd/yVxwhNGMcA+lF4kgHHXAZyjYGHqOuo4RaylaYuAavdFmC8LL0f0fUX3P5L1AHH1JuqW9EJK60/IxqxD1/d/qJdhwaLH7k=,iv:fwLlG5BsTf70IyeXkWfHwfB3phjJTLYLZoYWFMo6qJ4=,tag:ZJLMIGRW4OUKauvOyaO8AQ==,type:str]
pgp:
- created_at: "2023-04-07T01:57:22Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAzKleRwoSoixAQ/9Hi4VyrUXV7LvbCFiLbyfv314lMGwrAf+2po/4Lr1hANe
KiwpfthiNheAjNaGCG6v2C1rx2Wrr5G3+rMik/1TLWbg2u9zZU4mWO8bwJUGXKDo
/T1nl47f09UPDtQ6KiG0nPf3M0Ovmk3d63R3zpY4Q7uE4uhLNDr0KD9mp7MmRCbZ
PO++tdiZa67z9owNDh/NSnQr9Y6JwjlxlkJl5SJ76vaK/SaOi/j86mOm9CV6SQmk
cLOwiO7JxV8I4gD9jlLdYEPS+nqztX5eHLRoaXsAQrX4DdWNnOF0C2sk9nMHwQTb
W8/SVmg7TiVVL6qVCXgUCgFRXllrlGlXlfv+W6ruuZIBv2MAA1V+afl5A3/KVvE6
FDq9YrJ4XfZPCD2ZByM2386L8MiUwkfF/3uge38MT/WDU2DTT+g7jV3UQs+Awi8f
N4YBVBcp5jGTkMD0347GPfPF7kdiN/YFZ/Ws1jf/EsS6vOpKNlPn64fVJfTSfdie
rvNxksi8Y4vpwEngy38t7JRfpJniDo9iK9EwhXMChYXnWkiz/B3vMoii496B7TzO
9gKd4v7kFA6iXI+wqbYrZfOGeLZlMI99pwTatNL4fo9ABJ7JScISzTvS7p/xB6Ae
JPdlA0Tf8wP4RYz8YYRcNlfEQPZYb4kHj5r9Ei59InHzwKfq9GyKKvluS0/k3NHU
aAEJAhCVkPuIHluRLHsjVEbKbFzSJUG8p/hSSmQnfk3CT36/dJhgv3jzoL+1/Sx1
o8OwWPmNq8TuX9SaXfhfy/EGMulWgRaztxt9D+0+wgc8IOAPp+0SYUsaOa0T9+Pl
pjU1GRaK5AlT
=mItp
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-04-07T01:57:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=eiXM
-----END PGP MESSAGE-----
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
encrypted_regex: ^(data|stringData)$
version: 3.7.3
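Review bot: The `pgp` entries here carry `created_at: "2023-04-07T01:57:22Z"` and the same armor checksums (`=mItp`, `=eiXM`) as the database Secret earlier on this page, while `lastmodified` is 2023-06-04, which suggests this file was produced by copying that encrypted file and editing it. If so, both files share one SOPS data key, so they cannot be rotated or re-scoped independently of each other. Creating the file from plaintext with `sops --encrypt`, or running `sops --rotate` on it, gives it a key of its own.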


@ -0,0 +1,64 @@
apiVersion: v1
kind: Secret
metadata:
name: gitea-sidecar-secret
namespace: default
stringData:
GITHUB_USERNAME: ENC[AES256_GCM,data:SXCx5XDUwLQ=,iv:6X5UHnxR+TDTPyRXijZun4PMNzpKqjJRF4MRBlFIReg=,tag:9Kd4zvFW+wDUk6/8HMTvhQ==,type:str]
GITEA_URL: ENC[AES256_GCM,data:Bn6oR1biDoq6qxWMCPXGcWYO/ZGArNgY,iv:zriCzHEGvtRlh6CnVLPFzpzsfjkDvsHn65skToQIycE=,tag:N+KqSWOXr1AZ3ejXpXic7Q==,type:str]
GITEA_TOKEN: ENC[AES256_GCM,data:yycB4vt0vIiTL47ShrHdUoQJ65/fwvDNLlNnWx9fHAW7a6L3fH1e1Q==,iv:ba721yEtnG+BaLMZGOxou72UN8l2bSU9ouoxPDV1W2A=,tag:wgWIiPpKZoH7JRkm+ALe/Q==,type:str]
GITHUB_TOKEN: ENC[AES256_GCM,data:v+JZTunM9gdt86VS9ucaD0u8uNbJGZDIu8KftY5nuN0MehOpF/QYWw==,iv:NEo0+pElEbH4va/BBQw2BydkZFshzKDlWhY8lhcNd2I=,tag:FZtCX9DtbJ0VZ3COpvp5iQ==,type:str]
MIRROR_PRIVATE_REPOSITORIES: ENC[AES256_GCM,data:tl8JqA==,iv:oc0ryLDZW3FzUD2/Db51VOTjTAoaKDeh2QSfo4HgCF4=,tag:RhSv1KLk2BC1XMoRneeC9g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-06-03T18:05:43Z"
mac: ENC[AES256_GCM,data:MjqQ910pVYck69rTk7UrU5LQ0yCwypu/vnqdUzXnrJ5hTiEHlArFb/CxJNWiMIg/T3XNRPE2jIyxeDnlrDlH9JH/yyLYLuMw+bBrEgkjK/HIfZrJvVJMLXnFYne1SvINk0j5x7h0ubJYu5tUXmz2Aeskn/n9GhCO50NB1ok8GJk=,iv:c7OWJLL+tyVYeZarvjCOemAe/crrJVTnF7hqo02zPNs=,tag:gBtswvBP1sClhh47MrF3PA==,type:str]
pgp:
- created_at: "2023-06-03T18:05:43Z"
enc: |
-----BEGIN PGP MESSAGE-----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=/eHH
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-06-03T18:05:43Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA4WLYkVpP8xtAQ//RjJU3Gy9CMFc0FZPBTfIx+3OJMwXjvGarpHgqmDdDiPE
8O6h6dANI/3xXhbkxbPfY3UD2RQtA2UHCbFORwsTiIOIdLoJaABAxRUyM0V+jRqb
Mp2NYT3CCdZ6CJryukZGnj9dVANlqQPap1pxN+n5r7b3RHXhb37ZHBXhghaF46RL
1i+do/AmQ1ElLuaxM5R+yCAJYCNNGHp7Xz7NEgHGejMGhLQuwPFpscfRpF7MkUgO
98eyC5gsdLSrRCRkB7lz6xm0O/WWyuoPH95GklvG7m4rpfP+C7ySQs3/kxJhVrmZ
1XOWw6WO17l66FziNlRMXEisyGipzQQ8OnZGXjgxH2ON0YRPq9rfqaEm2RMcMesZ
6RMqZPcX+up109D53GZkrz3OOQS6fFiBArWvO+8AgshoF844OYtl6FGA2ZHaZfx8
l6bgrXbE0q2ReFOewgmytbSQS5oH9qrCBp85kS/ulQvzAfav3YKDIDcCAo1jmNnm
jZQJ+bVutYq6HgQN2Xz5i0qKGPSRsu6OubCdGRD3dR6TwMkfMzEVDfAjPSw4lpL6
Ffbleq6Wq1+V0e2sB2I2+rV+VySVnd7f3P8NzSvQM2z5v2HPeOotVTFSml938moT
LrjdMc9vuTlKGb2idQOZ22hWq24UjYsolHknYXqMxjcirpEYQV5Pz7R0I0rAKVXU
aAEJAhANgdJ5tt7r5f2w+wm73enOn88vRjoo0ukN43C93ZqMXo83QCuFiwHT334Z
q3AtplABnicVogPicrtgfzZCZw74oHC8HG5ZK/BAU5gMyJu555MdMFXBlqwo+9g1
GDWhKPbYnh7u
=iyaG
-----END PGP MESSAGE-----
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
encrypted_regex: ^(data|stringData)$
version: 3.7.3
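Review bot: This Secret holds `GITHUB_TOKEN` and `GITEA_TOKEN`, but the only consumer visible on this page, the `mirror-to-gitea` sidecar in the gitea HelmRelease, is commented out. If the kustomization still lists `./gitea-sidecar-secret.sops.yaml`, both tokens are decrypted into the `default` namespace with nothing using them, where any workload or user allowed to read Secrets there can obtain them. I would leave the file out of `resources` until the sidecar is enabled, and limit the GitHub token to read-only repository access when it is.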


@ -0,0 +1,92 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: gitea
namespace: default
spec:
interval: 5m
chart:
spec:
chart: gitea
version: 0.3.2
sourceRef:
kind: HelmRepository
name: bitnami-charts
namespace: flux-system
timeout: 5m
values:
existingSecret: gitea-secret
existingSecretKey: admin-password
persistence:
enabled: true
size: 30Gi
storageClass: hostpath
selector:
matchLabels:
app.kubernetes.io/name: gitea-pv
resources:
requests:
cpu: 1m
memory: 340Mi
limits:
memory: 2Gi
# podSecurityContext:
# enabled: true
# fsGroup: 10000
# containerSecurityContext:
# enabled: true
# runAsUser: 10000
# runAsNonRoot: true
# Sidecar used for mirroring GitHub repos to gitea
# sidecars:
# - name: mirror-to-gitea
# image: jaedle/mirror-to-gitea:latest
# imagePullPolicy: Always
# envFrom:
# - secretRef:
# name: gitea-sidecar-secret
service:
type: ClusterIP
nodePorts:
ssh: 30022
ingress:
enabled: false
# annotations:
# cert-manager.io/cluster-issuer: letsencrypt-production
# traefik.ingress.kubernetes.io/router.entrypoints: websecure
# hostname: &host "budget.${SECRET_NEW_DOMAIN}"
#
# tls: true
# selfSigned: false
#
# extraTls:
# - hosts:
# - *host
# secretName: wildcard-main-tls
#
# secrets: nil
# secrets:
# - wildcard-main-tls
postgresql:
enabled: false
externalDatabase:
host: postgresql.database
port: 5432
user: gitea
database: gitea
existingSecret: gitea-secret
existingSecretPasswordKey: db-password
volumePermissions:
enabled: true
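Review bot: Both `podSecurityContext` and `containerSecurityContext` are commented out, so the user the Gitea container runs as is whatever the chart defaults to, and `volumePermissions.enabled: true` presumably adds an init container that changes ownership of the hostPath-backed volume as root (to be confirmed against the chart). Since the commit series is about getting a rootless Gitea working, I would state the intent explicitly by restoring the commented values (`runAsUser: 10000`, `runAsNonRoot: true`, `fsGroup: 10000`) once the volume ownership matches, and then turn `volumePermissions` off. Two smaller leftovers: `service.nodePorts.ssh: 30022` is set while `service.type` is `ClusterIP`, and the commented ingress still uses the `budget.` hostname from the firefly release.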


@ -0,0 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-ingress
namespace: default
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
rules:
- host: &host "git.${SECRET_NEW_DOMAIN}"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea
port:
number: 80
tls:
- hosts:
- *host
secretName: wildcard-main-tls


@ -1,7 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./namespace.yaml
- ./helm-repository.yaml
- ./gitea-pv.yaml
- ./gitea-secret.sops.yaml
- ./gitea-sidecar-secret.sops.yaml
- ./helm-release.yaml
- ./monitoring-helm-release.yaml
- ./ingress.yaml


@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./fireflyiii
- ./cdn
- ./gitea
#- ./msrewards


@ -0,0 +1,62 @@
apiVersion: v1
kind: Secret
metadata:
name: msrewards-env-secret
namespace: default
stringData:
TZ: ENC[AES256_GCM,data:rIp7EMSrKApRg03l4/59Xw==,iv:A0cFOA2pr7CvjQBiCcequq9WAA77x2k8iqTlMJ9lJBU=,tag:dYdQDtA1H1h/CufVSEbQGw==,type:str]
MSAccount_0_USERNAME: ENC[AES256_GCM,data:JIW/ueWXYfgP+rgMR/7aXWWyuRP1YQ==,iv:P69ybwaQPFfMJnfDiVM3TSSlc2YkAUUM6VANdhgFDtY=,tag:GlZwS/nWOJfm7NQzXLkPFA==,type:str]
MSAccount_0_PASSWORD: ENC[AES256_GCM,data:nUWE5vW9iSavWPKhVWcn,iv:NWI9ILx+M8EGWi4jaor8MpRWL9SYXibOp9Nct6rVB+U=,tag:CUqpuogj1BJk2ocicaj5vQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-05-15T02:13:48Z"
mac: ENC[AES256_GCM,data:q1QBZ3bGr90qXXHKEtKuSfC39pGJ90ss8cJtD8CIZYYB5CQAuz0fZH6nsim6FoyYhWXDzlDo8HH7Z+bLJt1BGXCSa0SDaOe9xcSZtBinSapTQ3sYSRul99xCD7QHGGFXZtYbPjCRv/qj58vRTLXHKejnh8hCbPJsNYCYYuBGXks=,iv:HDIA3WDGZwXhwRjioGnd2KHwWISinLLoxS4LaHLgRAU=,tag:ux9KEs0bYQUzkpnBdrIQAQ==,type:str]
pgp:
- created_at: "2023-05-15T02:13:46Z"
enc: |
-----BEGIN PGP MESSAGE-----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=a4kI
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-05-15T02:13:46Z"
enc: |
-----BEGIN PGP MESSAGE-----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=5YEL
-----END PGP MESSAGE-----
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@ -0,0 +1,35 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: msrewardfarmer
namespace: default
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 1.3.x
sourceRef:
kind: HelmRepository
name: bjws-charts
namespace: flux-system
values:
image:
repository: ghcr.io/binaryn3xus/msrewardfarmer
tag: latest
envFrom:
- secretRef:
name: "msrewards-env-secret"
service:
main:
enabled: false
podSecurityContext:
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
fsGroup: 10000
fsGroupChangePolicy: OnRootMismatch


@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./env-secret.sops.yaml
- ./ganymede-conf.yaml
- ./helm-release.yaml


@ -1,4 +1,4 @@
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: bazarr
@ -17,7 +17,7 @@ spec:
values:
image:
repository: ghcr.io/onedr0p/bazarr
tag: "1.5.1"
tag: rolling
env:
TZ: America/New_York
@ -47,6 +47,7 @@ spec:
tls:
- hosts:
- *host
secretName: wildcard-main-tls
persistence:
config:
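Review bot: The image tag on the new side is the floating `rolling` where the old side pinned `"1.5.1"` (reading each printed pair as old, then new), so the deployed version is no longer fixed by the commit. The `apiVersion` likewise goes from `helm.toolkit.fluxcd.io/v2` back to `v2beta1`, an API version Flux has deprecated. The same pattern recurs in the flaresolverr, mylar3, prowlarr, readarr-audiobooks, readarr-ebooks and factorio sections, including the `exportarr` sidecar going from `v2.0.1` to `latest`. If this comparison targets an older branch these may be unintended reversions; I would keep `tag: "1.5.1"` and `apiVersion: helm.toolkit.fluxcd.io/v2` when merging.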


@ -1,4 +1,4 @@
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: flaresolverr
@ -17,7 +17,7 @@ spec:
values:
image:
repository: ghcr.io/flaresolverr/flaresolverr
tag: v3.3.21
tag: latest
env:
LOG_LEVEL: info


@ -0,0 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./namespace.yaml
#- ./network_policy.yaml
- ./qbittorrent
- ./radarr
- ./sonarr
- ./prowlarr
- ./bazarr
- ./readarr
- ./mylar3
- ./unpackerr
- ./media-dashboard.yaml
- ./flaresolverr
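Review bot: `#- ./network_policy.yaml` is commented out, so this kustomization applies no NetworkPolicy to the `download` namespace and, as far as this file shows, nothing limits which pods can reach the services in it. That matters here because other releases in this namespace lean on network placement for protection: the qbittorrent release turns the gluetun firewall off and the sonarr release delegates authentication to the ingress. I would re-enable the entry, or record next to it why it is off, for example `# disabled: <reason>; re-enable after <condition>` (placeholders).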


@ -1,4 +1,4 @@
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: mylar3
@ -17,7 +17,7 @@ spec:
values:
image:
repository: lscr.io/linuxserver/mylar3
tag: "0.8.1"
tag: latest
env:
TZ: America/New_York
@ -51,6 +51,7 @@ spec:
tls:
- hosts:
- *host
secretName: wildcard-main-tls
persistence:
config:


@ -1,6 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: traefik
name: download
labels:
name: traefik
name: download


@ -1,4 +1,4 @@
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: prowlarr
@ -17,12 +17,12 @@ spec:
values:
image:
repository: ghcr.io/onedr0p/prowlarr-develop
tag: "1.30.2.4939"
tag: rolling
# Metrics sidecar
sidecars:
exportarr:
image: ghcr.io/onedr0p/exportarr:v2.0.1
image: ghcr.io/onedr0p/exportarr:latest
args:
- prowlarr
ports:
@ -91,6 +91,7 @@ spec:
tls:
- hosts:
- *host
secretName: wildcard-main-tls
persistence:
config:


@ -0,0 +1,102 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: qbittorrent
namespace: download
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 1.3.x
sourceRef:
kind: HelmRepository
name: bjws-charts
namespace: flux-system
values:
image:
repository: lscr.io/linuxserver/qbittorrent
tag: latest
# Metrics sidecar
sidecars:
gluetun:
image: qmcgaw/gluetun:latest
env:
- name: FIREWALL
value: "off"
- name: DOT
value: "off"
envFrom:
- secretRef:
name: qbittorrent-secrets
securityContext:
capabilities:
add:
- NET_ADMIN
metrics:
image: caseyscarborough/qbittorrent-exporter:latest
env:
- name: QBITTORRENT_BASE_URL
value: "http://localhost:8080"
ports:
- name: metrics
containerPort: 17871
env:
TZ: America/New_York
PGID: "10000"
PUID: "10000"
WEBUI_PORT: "8080"
service:
main:
labels:
app: qbittorrent-service
ports:
http:
port: 8080
metrics:
enabled: true
port: 17871
protocol: HTTP
ingress:
main:
enabled: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
hosts:
- host: &host "qbit.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
secretName: wildcard-main-tls
persistence:
storage:
enabled: true
type: hostPath
hostPath: /mnt/MainPool/Media/Torrents
mountPath: /storage/Torrents
config:
enabled: true
type: hostPath
hostPath: /mnt/MainPool/Kubernetes/qbittorrent
mountPath: /config
resources:
requests:
cpu: 10m
memory: 250Mi
limits:
memory: 6000Mi
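Review bot: The `gluetun` sidecar is started with `FIREWALL: "off"`, which disables the container's built-in firewall, the part that keeps qBittorrent's traffic from leaving outside the tunnel when the VPN is down; `DOT: "off"` additionally turns off DNS over TLS. I would drop both entries so the defaults apply and open only what the pod needs, for example `FIREWALL_INPUT_PORTS` set to `"8080,17871"` for the web UI and metrics ports. The sidecar is also granted `NET_ADMIN` while all three images use `latest`, so an unreviewed image update runs with that capability. The `# Metrics sidecar` comment above `sidecars:` no longer describes the block and could read `# VPN (gluetun) and metrics sidecars`.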


@ -1,6 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./unpackerr-config.sops.yaml
- ./qbittorrent-secrets.sops.yaml
- ./helm-release.yaml
- ./qbittorrent-metrics.yaml
- ./dashboard.yaml


@ -0,0 +1,65 @@
apiVersion: v1
kind: Secret
metadata:
name: qbittorrent-secrets
namespace: download
stringData:
VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:R8/w2f+rPQ==,iv:jy1iVRtJq9l/fYKjCdSrSneNZh8V9/LHVopGWdjtpNY=,tag:HkzAyAuflvqEcdHGF6jnfw==,type:str]
VPN_TYPE: ENC[AES256_GCM,data:Dff2qD9mAVX7,iv:jhLEkfAulvPxN/uRdSF3MR9GbxnRt2cSLqDOkXO7qPA=,tag:dMB6aEhwLssc3JPKdFULTQ==,type:str]
WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:NKEqINUpmt3rJqrUfXZtcE1vMSogtvF3B7lggI3rS48/akwEgJQRssxgfzk=,iv:wKoook7MN+CSvU8F2bi/GijAbUEoN61FUldh5nCKfXc=,tag:djUHCZtY1T5zMADqqm1DgQ==,type:str]
WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:hSuZoWk9Zih763suTpwK,iv:YkdOLnSqugkunUS66W/oVS5IScrElkRr6l4oCjt4gOE=,tag:XG8yKsobjyJkD98RiPpAjQ==,type:str]
SERVER_COUNTRIES: ENC[AES256_GCM,data:pyid,iv:gItcOstdlJ6t5uICxGHiEFjcz7pu+t62HBhja+mjaT8=,tag:4aNdJXDgyrWHa5LV0D5EfQ==,type:str]
SERVER_CITIES: ENC[AES256_GCM,data:XwiVflyqpQA=,iv:9ZAV0kS2WNKBezsAVROh3IEIBw4igkNLJqG44oboTq8=,tag:Z6KJUbiU5WL5QfJcWjFo4A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-04-08T19:01:31Z"
mac: ENC[AES256_GCM,data:UkYxI7p4pOV6w6FDs8xHJRzrx6Zugx4rd8G/77KEHPhYmOo/mi8HrwQRFrffWyrMbkIy/Y8nZiLQBV70H2l5KjE1ROYemLGSlZwIZPuNW0mWKsqtnbjqyHR7OPIbXE8QHFF/HSApTzQ9BR5/B7iHEHQSX6OmgmnxPVeqCMFDcDc=,iv:UBDj3JFPw20HpxUU4GHag/rKtA5xa9wiFN8BYTo7OiU=,tag:2GaYuJJwhL6TgJ7HmH5wlQ==,type:str]
pgp:
- created_at: "2023-04-06T03:41:51Z"
enc: |
-----BEGIN PGP MESSAGE-----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=DL6W
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-04-06T03:41:51Z"
enc: |
-----BEGIN PGP MESSAGE-----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=HAIu
-----END PGP MESSAGE-----
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@ -0,0 +1,120 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: radarr
namespace: download
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 1.3.x
sourceRef:
kind: HelmRepository
name: bjws-charts
namespace: flux-system
values:
image:
repository: ghcr.io/onedr0p/radarr-develop
tag: rolling
# Metrics sidecar
sidecars:
exportarr:
image: ghcr.io/onedr0p/exportarr:latest
args:
- radarr
ports:
- name: metrics
containerPort: 9000
env:
- name: URL
value: "http://localhost"
- name: CONFIG
value: "/config/config.xml"
- name: PORT
value: 9000
- name: ENABLE_ADDITIONAL_METRICS
value: "true"
- name: ENABLE_UNKNOWN_QUEUE_ITEMS
value: "true"
volumeMounts:
- name: config
mountPath: /config
readOnly: true
env:
TZ: America/New_York
service:
main:
labels:
app: radarr-service
ports:
http:
port: 7878
metrics:
enabled: true
port: 9000
protocol: HTTP
probes:
liveness:
enabled: false
# custom: true
# spec:
# httpGet:
# path: /ping
# port: 7878
# initialDelaySeconds: 10
# periodSeconds: 10
# timeoutSeconds: 3
# failureThreshold: 3
startup:
enabled: false
ingress:
main:
enabled: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
hosts:
- host: &host "radarr.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
secretName: wildcard-main-tls
persistence:
config:
enabled: true
type: hostPath
hostPath: /mnt/MainPool/Kubernetes/radarr
mountPath: /config
storage:
enabled: true
type: hostPath
hostPath: /mnt/MainPool/Media
mountPath: /storage
podSecurityContext:
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
fsGroup: 10000
fsGroupChangePolicy: OnRootMismatch
resources:
requests:
cpu: 1m
memory: 350Mi
limits:
memory: 1500Mi
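Review bot: In the `exportarr` sidecar, `- name: PORT` has `value: 9000` as a bare integer, but a container env `value` has to be a string, so the rendered pod spec is likely to be rejected; it should be `value: "9000"`, quoted like the neighbouring `"true"` entries. The sonarr release has the same line. Separately, both the `liveness` and `startup` probes are disabled here with a working probe left in comments; the sonarr release shows the enabled form against `/ping`.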


@ -1,5 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./secret.sops.yaml
- ./helm-release.yaml
- ./radarr-exportarr-metrics.yaml


@ -1,4 +1,4 @@
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: readarr-audiobooks
@ -17,13 +17,12 @@ spec:
values:
image:
repository: ghcr.io/onedr0p/readarr-develop
tag: "0.3.32.2587"
pullPolicy: Always
tag: rolling
# Metrics sidecar
sidecars:
exportarr:
image: ghcr.io/onedr0p/exportarr:v2.0.1
image: ghcr.io/onedr0p/exportarr:latest
args:
- readarr
ports:
@ -92,6 +91,7 @@ spec:
tls:
- hosts:
- *host
secretName: wildcard-main-tls
persistence:
config:


@ -1,4 +1,4 @@
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: readarr-ebooks
@ -17,13 +17,12 @@ spec:
values:
image:
repository: ghcr.io/onedr0p/readarr-develop
tag: "0.3.32.2587"
pullPolicy: Always
tag: rolling
# Metrics sidecar
sidecars:
exportarr:
image: ghcr.io/onedr0p/exportarr:v2.0.1
image: ghcr.io/onedr0p/exportarr:latest
args:
- readarr
ports:
@ -92,6 +91,7 @@ spec:
tls:
- hosts:
- *host
secretName: wildcard-main-tls
persistence:
config:


@ -0,0 +1,121 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: sonarr
namespace: download
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 1.3.x
sourceRef:
kind: HelmRepository
name: bjws-charts
namespace: flux-system
values:
image:
repository: ghcr.io/onedr0p/sonarr-develop
tag: rolling
# Metrics sidecar
sidecars:
exportarr:
image: ghcr.io/onedr0p/exportarr:latest
args:
- sonarr
ports:
- name: metrics
containerPort: 9000
env:
- name: URL
value: "http://localhost"
- name: CONFIG
value: "/config/config.xml"
- name: PORT
value: 9000
- name: ENABLE_ADDITIONAL_METRICS
value: "true"
- name: ENABLE_UNKNOWN_QUEUE_ITEMS
value: "true"
volumeMounts:
- name: config
mountPath: /config
readOnly: true
env:
TZ: America/New_York
SONARR__AUTHENTICATION_METHOD: "External"
service:
main:
labels:
app: sonarr-service
ports:
http:
port: 8989
metrics:
enabled: true
port: 9000
protocol: HTTP
probes:
liveness:
enabled: true
custom: true
spec:
httpGet:
path: /ping
port: 8989
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 1
failureThreshold: 3
startup:
enabled: false
ingress:
main:
enabled: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
hosts:
- host: &host "sonarr.${SECRET_NEW_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
secretName: wildcard-main-tls
persistence:
config:
enabled: true
type: hostPath
hostPath: /mnt/MainPool/Kubernetes/sonarr
mountPath: /config
storage:
enabled: true
type: hostPath
hostPath: /mnt/MainPool/Media
mountPath: /storage
podSecurityContext:
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
fsGroup: 10000
fsGroupChangePolicy: OnRootMismatch
resources:
requests:
cpu: 2m
memory: 350Mi
limits:
memory: 2500Mi
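Review bot: `SONARR__AUTHENTICATION_METHOD: "External"` is meant to hand authentication to something in front of Sonarr, here the `traefik-authentik` middleware on the ingress, but the Service on port 8989 remains reachable from inside the cluster without passing through Traefik. With `./network_policy.yaml` commented out in the download kustomization, nothing on this page limits which pods can reach it. I would either keep Sonarr's built-in authentication or add a NetworkPolicy that admits only the Traefik pods to port 8989, and record the dependency in a comment: `# External auth: requires the authentik middleware and a NetworkPolicy blocking direct access`. The liveness probe also uses `initialDelaySeconds: 0` and `timeoutSeconds: 1` with the startup probe disabled, which may restart the pod during a slow start.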


@ -1,7 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./pvc.yaml
- ./secret.sops.yaml
- ./helm-release.yaml
- ./sonarr-exportarr-metrics.yaml


@ -0,0 +1,63 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: unpackerr
namespace: download
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 1.3.x
sourceRef:
kind: HelmRepository
name: bjws-charts
namespace: flux-system
values:
image:
repository: ghcr.io/onedr0p/unpackerr
tag: rolling
service:
main:
enabled: false
probes:
liveness:
enabled: false
startup:
enabled: false
ingress:
main:
enabled: false
persistence:
config:
enabled: true
type: configMap
name: unpackerr-configmap
items:
- key: unpackerr-conf
path: "unpackerr.conf"
storage:
enabled: true
type: hostPath
hostPath: /mnt/MainPool/Media
mountPath: /storage
podSecurityContext:
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
fsGroup: 10000
fsGroupChangePolicy: OnRootMismatch
resources:
requests:
cpu: 2m
memory: 6Mi
limits:
memory: 20Mi
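Review bot: `persistence.config` mounts `unpackerr.conf` from a ConfigMap (`type: configMap`, `name: unpackerr-configmap`), while the kustomizations on this page name the source file `./unpackerr-config.sops.yaml`, which suggests the content is treated as sensitive; presumably it carries the API keys for the *arr services, to be confirmed. Once applied, a ConfigMap is readable by anything with ConfigMap access in the namespace and is not covered by Secret-specific RBAC rules. If the file does hold keys, I would define it as a `Secret` and mount it with `type: secret` instead.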


@ -1,5 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./mysql.sops.yaml
- ./unpackerr-config.sops.yaml
- ./helm-release.yaml

File diff suppressed because one or more lines are too long


@ -1,4 +1,4 @@
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: factorio
@ -17,15 +17,15 @@ spec:
values:
image:
repository: goofball222/factorio
tag: "2.0.32"
tag: latest
service:
main:
type: NodePort
# annotations:
# metallb.universe.tf/allow-shared-ip: "main-ip-192.168.10.70"
# metallb.universe.tf/loadBalancerIPs: 192.168.10.70
# metallb.universe.tf/allow-shared-ip: "main-ip-192.168.87.10"
# metallb.universe.tf/loadBalancerIPs: 192.168.87.10
ports:
http:


@ -2,5 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./namespace.yaml
- ./app/ks.yaml
- ./pool/ks.yaml
- ./network_policy.yaml
- ./factorio


@ -12,6 +12,7 @@ spec:
- namespaceSelector:
matchLabels:
name: "game-servers"
# - podSelector: {}
# Allow traefik pods
- namespaceSelector:
@ -21,16 +22,4 @@ spec:
# Allow all pods with this label
- podSelector:
matchLabels:
needsGameServers: "yes"
egress:
- to:
- ipBlock:
# allow all IPs
cidr: 0.0.0.0/0
except:
# except the private IP ranges: https://en.wikipedia.org/wiki/Private_network
- 10.0.0.0/8
- 192.168.0.0/16
- 172.16.0.0/20
- ipBlock:
cidr: 192.168.87.250/24 # server
needsGameServers: "yes"
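Review bot: The second hunk's new side ends at the `needsGameServers` selector (the header gives 4 new lines against 16 old), so the whole `egress:` section is gone, including the `except:` list that kept these pods away from private address ranges. The effect depends on `policyTypes`, which is outside the hunk: without `Egress` listed there the pods get unrestricted egress to the LAN and to cluster-internal addresses, and with it listed but no rules all egress is denied. This namespace runs servers that accept connections from outside the cluster (factorio is exposed via `NodePort`), so keep an egress rule and state `policyTypes: [Ingress, Egress]` explicitly. When restoring the exception list, use `- 172.16.0.0/12` so the full private range is covered.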


@ -0,0 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: harbor-core-ingress
namespace: harbor
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
rules:
- host: &host "oci.${SECRET_NEW_DOMAIN}"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: harbor
port:
number: 80
tls:
- hosts:
- *host
secretName: wildcard-main-tls
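Review bot: The `cert-manager.io/cluster-issuer` annotation combined with `secretName: wildcard-main-tls` asks cert-manager to issue a certificate for this single host into a secret whose name says wildcard. If a wildcard secret is already copied into the `harbor` namespace the two writers can conflict, and if it is not, the name is misleading. Either drop the annotation and rely on the replicated wildcard secret, or use a per-host name such as `secretName: harbor-core-tls`. This ingress also carries no `router.middlewares` annotation, unlike the sonarr ingress earlier on the page, so Harbor's own login is the only gate on `oci.${SECRET_NEW_DOMAIN}`; a comment saying that is intentional would help.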


@ -0,0 +1,27 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: harbor-pv
namespace: harbor
spec:
storageClassName: hostpath
persistentVolumeReclaimPolicy: Retain
capacity:
storage: 5Gi
accessModes:
- ReadWriteOnce
hostPath:
path: "/mnt/MainPool/Kubernetes/harbor"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: harbor-pv-claim
namespace: harbor
spec:
storageClassName: hostpath
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
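Review bot: The claim has no `volumeName`, so `harbor-pv-claim` binds to `harbor-pv` only by matching `storageClassName: hostpath` and size. If a provisioner serves that class, the claim may get a fresh volume and the registry data lands somewhere other than `/mnt/MainPool/Kubernetes/harbor`; add `volumeName: harbor-pv` to the claim's `spec`. `namespace: harbor` on the PersistentVolume has no effect because PersistentVolumes are cluster-scoped, so it can be removed. A hostPath volume without `nodeAffinity` also follows whichever node the pod lands on, which matters if the cluster has more than one node.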


@ -0,0 +1,64 @@
apiVersion: v1
kind: Secret
metadata:
name: harbor-secret
namespace: harbor
stringData:
REGISTRY_STORAGE_S3_ACCESSKEY: ENC[AES256_GCM,data:1k2KYsDvvQs=,iv:6GEFFeLSKH8+QxDg3rLR7q9h0jglYU4ou1byklt2x8w=,tag:JjFAs/3jsVhSBGJmbul4iQ==,type:str]
REGISTRY_STORAGE_S3_SECRETKEY: ENC[AES256_GCM,data:0U40z0y7vn2wPPyGt0dYQx80QuGoj7Ni/uJMtHgrc5U=,iv:YX9acsf2G2B4RLnGez6VLD2UiwKFIqhz2X4S+uTyX50=,tag:hVJVh2aSpVz22BjGGcPOuA==,type:str]
#ENC[AES256_GCM,data:JGk1Br4y3LKLTdPHRD4F+hwP,iv:rzYB5JF0SeE9BWwp5btZABpfHgqKfQukXpXAa0Dy2A0=,tag:K9pJFFtcDhmrE4SfYlivwg==,type:comment]
password: ENC[AES256_GCM,data:XkJEhaoRRSlxbKP94GN8dIZbj8KCwZFkcpgWNjn4vZE=,iv:Bi0D/T1izvN+l8LoZDwyUrcoN1ViS2Q6ambq2xyJFk8=,tag:ojUu0VOdnXJjbsb0XigkDg==,type:str]
REDIS_PASSWORD: ENC[AES256_GCM,data:8kEbWelcGhd4v/yewnM4QshW2hzx+VWX2iFE76sKhYc=,iv:kbGieMQhMbml2SIznBX1pTncnSaxdsZ0PUynCECpjyU=,tag:HfRJA+P57IzpxuFtKD+tTg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-04-16T05:54:57Z"
mac: ENC[AES256_GCM,data:c4DP6+KnDOXYubNbf5NqVZPxBik0a0BDiKqNLqm5dlNqjReeQFMa5BJxENelMwLMH2T/pHZ40i1UVfkTDbsy//+oWgUwZDcmN4MVDC+Y0nPqgF48K6obxJ0XgNg5tDqPWyxTMJuslMP3QDCZVyBWODb51Zzfwpd6fuiBogKdlBM=,iv:JiHRd3tFLg+UKcRfKlnyK6CEK6K6EAe/QNc0lm4Lf4w=,tag:wkt+kX3I//yN1Ob2+aiw5A==,type:str]
pgp:
- created_at: "2023-04-07T01:57:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=mItp
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-04-07T01:57:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=eiXM
-----END PGP MESSAGE-----
fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@ -0,0 +1,85 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: harbor
namespace: harbor
spec:
interval: 5m
chart:
spec:
chart: harbor
version: 1.3.x
sourceRef:
kind: HelmRepository
name: harbor-charts
namespace: flux-system
values:
logLevel: debug
expose:
type: clusterIP
tls:
enabled: false
# secret:
# secretName: wildcard-main-tls
# notarySecretName: wildcard-main-tls
#
# ingress:
# hosts:
# core: oci.${SECRET_NEW_DOMAIN}
# notary: charts.${SECRET_NEW_DOMAIN}
#
# annotations:
# cert-manager.io/cluster-issuer: letsencrypt-production
# traefik.ingress.kubernetes.io/router.entrypoints: websecure
persistence:
persistentVolumeClaim:
registry:
existingClaim: harbor-pv-claim
subPath: "registry/"
jobservice:
jobLog:
existingClaim: harbor-pv-claim
subPath: "jobservice/"
# trivy:
# existingClaim:
# subPath: "trivy/"
imageChartStorage:
type: s3
s3:
bucket: harbor
existingSecret: "harbor-secret"
regionendpoint: https://s3.seanomik.net:9000
notary:
enabled: false
trivy:
enabled: false
database:
type: external
external:
host: "postgresql.database"
port: "5432"
username: "k3spostgresql"
existingSecret: "harbor-secret"
coreDatabase: "harbor-registry"
redis:
type: external
external:
addr: "redis-master.database:6379"
username: ""
existingSecret: "harbor-secret"
metrics:
enabled: true
serviceMonitor:
enabled: true
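Review bot: `values:` never sets the Harbor admin password, so the instance starts with the chart's documented default while the ingress in this change publishes it on `oci.${SECRET_NEW_DOMAIN}`. Set it from the existing secret, e.g. `existingSecretAdminPassword: harbor-secret` if the chart version supports that value, and rotate it before the ingress goes live. `version: 1.3.x` matches the app-template pin used elsewhere on this page and may be a copy. It is worth checking that this chart version actually reads the `existingSecret` keys under `s3`, `database.external` and `redis.external`, because unknown values are ignored silently. `logLevel: debug` and `trivy.enabled: false` are fine for bring-up but deserve a comment or a follow-up before real images are pushed.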


@ -0,0 +1,8 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: harbor-charts
namespace: flux-system
spec:
interval: 1m
url: https://helm.goharbor.io


@ -2,6 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./namespace.yaml
- ./harbor.sops.yaml
- ./harbor-pv.yaml
- ./helm-repository.yaml
- ./helm-release.yaml
- ./monitoring-helm-release.yaml
- ./harbor-ingress.yaml


@ -1,6 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: dev
name: harbor
labels:
name: dev
name: harbor


@ -1,4 +1,4 @@
apiVersion: helm.toolkit.fluxcd.io/v2
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: thelounge
@ -20,7 +20,7 @@ spec:
image:
repository: lscr.io/linuxserver/thelounge
tag: "4.4.3"
tag: latest
env:
TZ: America/New_York
PGID: "1000"
@ -47,6 +47,7 @@ spec:
tls:
- hosts:
- *host
secretName: wildcard-main-tls
persistence:
config:
enabled: true
