feat: overhaul

This commit is contained in:
auricom
2025-01-04 00:00:04 +01:00
parent b14022014b
commit 0c9529c7a2
408 changed files with 3187 additions and 2380 deletions


@@ -0,0 +1,203 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/postgres-operator.crunchydata.com/postgrescluster_v1beta1.json
apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PostgresCluster
metadata:
name: &name postgres
spec:
postgresVersion: 17
metadata:
labels:
crunchy-userinit.ramblurr.github.com/enabled: "true"
crunchy-userinit.ramblurr.github.com/superuser: postgres
patroni: # turn on sync writes to at least 1 other replica
dynamicConfiguration:
synchronous_mode: true
postgresql:
max_wal_size: 5GB
synchronous_commit: "on"
pg_hba:
- hostnossl authelia all 192.168.8.0/22 md5 # Needed because authelia does not support SSL yet
- hostssl all all all md5
parameters:
max_connections: 500
instances:
- name: postgres
metadata:
labels:
app.kubernetes.io/name: crunchy-postgres
replicas: &replica 2
dataVolumeClaimSpec:
storageClassName: openebs-hostpath
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 80Gi
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
postgres-operator.crunchydata.com/cluster: *name
postgres-operator.crunchydata.com/data: postgres
users:
# Superuser
- name: postgres
databases:
- postgres
options: SUPERUSER
password: &password
type: AlphaNumeric
# Applications
- name: authelia
databases:
- authelia
password: *password
- name: bazarr
databases:
- bazarr_main
- bazarr_log
password: *password
- name: ghostfolio
databases:
- ghostfolio
password: *password
- name: home-assistant
databases:
- home-assistant
password: *password
- name: joplin
databases:
- joplin
password: *password
- name: lldap
databases:
- lldap
password: *password
- name: lidarr
databases:
- lidarr_main
- lidarr_log
password: *password
- name: lychee
databases:
- lychee
password: *password
- name: outline
databases:
- outline
password: *password
- name: paperless
databases:
- paperless
password: *password
- name: prowlarr
databases:
- prowlarr_main
- prowlarr_logs
password: *password
- name: pushover-notifier
databases:
- pushover-notifier
password: *password
- name: radarr
databases:
- radarr_main
- radarr_log
password: *password
- name: sonarr
databases:
- sonarr_main
- sonarr_log
password: *password
- name: tandoor
databases:
- tandoor
password: *password
- name: vikunja
databases:
- vikunja
password: *password
backups:
pgbackrest:
configuration: &backupConfig
- secret:
name: crunchy-postgres-secret
global: &backupFlag
compress-type: bz2
compress-level: "9"
# Minio
repo1-block: y
repo1-bundle: y
repo1-path: /crunchy-pgo
repo1-retention-full: "30" # days
repo1-retention-full-type: time
repo1-s3-uri-style: path
manual:
repoName: repo1
options:
- --type=full
metadata:
labels:
app.kubernetes.io/name: crunchy-postgres-backup
repos:
- name: repo1 # Minio
s3: &minio
bucket: crunchy-postgres-operator
endpoint: "s3.${SECRET_INTERNAL_DOMAIN}"
region: us-east-1
schedules:
full: 0 1 * * 0 # Sunday at 01:00
differential: 0 1 * * 1-6 # Mon-Sat at 01:00
incremental: 0 2-23 * * * # Every hour except 01:00
# dataSource:
# pgbackrest:
# stanza: "db"
# configuration: *backupConfig
# global: *backupFlag
# repo:
# name: "repo1"
# s3: *minio
monitoring:
pgmonitor:
exporter:
resources:
requests:
cpu: 10m
memory: 64M
limits:
memory: 512M
proxy:
pgBouncer:
port: 5432
service:
metadata:
annotations:
lbipam.cilium.io/ips: ${CLUSTER_LB_POSTGRES}
type: LoadBalancer
replicas: *replica
metadata:
labels:
app.kubernetes.io/name: crunchy-postgres-pgbouncer
config:
global:
pool_mode: session # Grafana requires session https://github.com/grafana/grafana/issues/74260#issuecomment-1702795311. Everything else is happy with transaction
client_tls_sslmode: prefer
default_pool_size: "100"
max_client_conn: "500"
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
postgres-operator.crunchydata.com/cluster: *name
postgres-operator.crunchydata.com/role: pgbouncer
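Review bot: `global:` under `backups.pgbackrest` sets no `repo1-cipher-type`, yet the ExternalSecret in this same commit feeds `repo1-cipher-pass` into `encryption.conf`; unless the cipher type is supplied inside that secret (only partly visible here), pgBackRest will not use the pass and the repo1 backups on Minio are written unencrypted (or the config is rejected outright). Add `repo1-cipher-type: aes-256-cbc` next to `repo1-path`. On the `pg_hba` entries, `md5` is the legacy method; with PostgreSQL 17's scram-sha-256 default for `password_encryption` the rule should read `- hostssl all all all scram-sha-256`, and the `hostnossl` exception for authelia deserves a revisit, since recent Authelia releases document a `tls` block under the postgres storage settings. Lastly `repo1-block: y` and `repo1-bundle: y` are left unquoted while the neighbouring `"9"` and `"30"` are quoted; a YAML 1.1 loader reads bare `y` as a boolean, so quote them as `"y"`.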


@@ -0,0 +1,26 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: crunchy-postgres
spec:
refreshInterval: 5m
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: crunchy-postgres-secret
template:
engineVersion: v2
data:
s3.conf: |
[global]
repo1-s3-key={{ .CRUNCHY_POSTGRES_S3_ACCESS_KEY }}
repo1-s3-key-secret={{ .CRUNCHY_POSTGRES_S3_SECRET_KEY }}
encryption.conf: |
[global]
repo1-cipher-pass={{ .CRUNCHY_POSTGRES_BACKUP_ENCRYPTION_CIPHER }}
dataFrom:
- extract:
key: crunchy-postgres


@@ -0,0 +1,8 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./externalsecret.yaml
- ./cluster.yaml
- ./podmonitor.yaml


@@ -0,0 +1,37 @@
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: cpgo-postgres
spec:
jobLabel: cpgo-postgres
namespaceSelector:
matchNames:
- database
podMetricsEndpoints:
- honorLabels: true
path: /metrics
port: exporter
relabelings:
- sourceLabels:
[
"__meta_kubernetes_namespace",
"__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_cluster",
]
targetLabel: pg_cluster
separator: "/"
replacement: "$1$2"
- sourceLabels:
[
__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_instance,
]
targetLabel: deployment
- sourceLabels:
[__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_role]
targetLabel: role
- sourceLabels: [__meta_kubernetes_pod_name]
targetLabel: instance
selector:
matchLabels:
postgres-operator.crunchydata.com/cluster: postgres
postgres-operator.crunchydata.com/crunchy-postgres-exporter: "true"
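Review bot: `replacement: "$1$2"` in the first relabeling relies on the default `regex: (.*)`, which has a single capture group, so `$2` always expands to the empty string and `pg_cluster` is simply the two source labels joined by the `/` separator. Writing `replacement: "$1"` (or dropping the line, since `$1` is the default) states what actually happens and matches the three relabelings below, which omit it.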


@@ -0,0 +1,19 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: crunchy-pgo-secrets
spec:
provider:
kubernetes:
remoteNamespace: database
server:
caProvider:
type: ConfigMap
name: kube-root-ca.crt
namespace: database
key: ca.crt
auth:
serviceAccount:
name: external-secrets-pg
namespace: database


@@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./rbac.yaml
- ./clustersecretstore.yaml


@@ -0,0 +1,31 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-secrets-pg
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authorization.k8s.io"]
resources: ["selfsubjectrulesreviews"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: &name external-secrets-pg
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: *name
subjects:
- kind: ServiceAccount
name: *name
namespace: database
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets-pg
namespace: database
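Review bot: The `ClusterRole` grants `secrets` get/list/watch in every namespace, while the `ClusterSecretStore` that authenticates as this service account only reads `remoteNamespace: database`. A namespaced `Role`/`RoleBinding` in `database` carrying the `secrets` rule would match the store's real scope; if the `selfsubjectrulesreviews` create has to stay in a `ClusterRole`, keep only that rule cluster-wide. As written, a compromise of the `external-secrets-pg` token reads secrets in all namespaces.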


@@ -0,0 +1,110 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app crunchy-postgres-operator
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *app
interval: 30m
timeout: 5m
path: ./kubernetes/apps/database/crunchy-postgres-operator/operator
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: true
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app crunchy-postgres-operator-cluster
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *app
interval: 30m
timeout: 5m
path: ./kubernetes/apps/database/crunchy-postgres-operator/cluster
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: true
dependsOn:
- name: crunchy-postgres-operator
- name: external-secrets-stores
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app crunchy-postgres-operator-secretstore
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *app
interval: 30m
timeout: 5m
path: ./kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: true
dependsOn:
- name: crunchy-postgres-operator-cluster
- name: external-secrets
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app crunchy-postgres-userinit-controller
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *app
interval: 30m
timeout: 5m
path: ./kubernetes/apps/database/crunchy-postgres-operator/userinit-controller
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: true
dependsOn:
- name: crunchy-postgres-operator-cluster
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app crunchy-postgres-pgadmin
namespace: flux-system
spec:
targetNamespace: database
commonMetadata:
labels:
app.kubernetes.io/name: *app
interval: 30m
timeout: 5m
path: ./kubernetes/apps/database/crunchy-postgres-operator/pgadmin
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: true
dependsOn:
- name: crunchy-postgres-operator-cluster


@@ -0,0 +1,28 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: crunchy-postgres-operator
spec:
interval: 30m
chart:
spec:
chart: pgo
version: 5.7.2
sourceRef:
kind: HelmRepository
name: crunchydata
namespace: flux-system
interval: 5m
install:
crds: CreateReplace
upgrade:
crds: CreateReplace
dependsOn:
- name: openebs
namespace: openebs-system
values:
install:
clusterLabels:
app.kubernetes.io/name: pgo


@@ -0,0 +1,6 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrelease.yaml


@@ -0,0 +1,20 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: pgadmin
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: pgadmin-secret
template:
engineVersion: v2
data:
# App
PGADMIN_PASSWORD: "{{ .password }}"
dataFrom:
- extract:
key: pgadmin


@@ -0,0 +1,33 @@
---
# trunk-ignore(checkov/CKV_K8S_21)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pgadmin
annotations:
hajimari.io/icon: mdi:database
gethomepage.dev/enabled: "true"
gethomepage.dev/name: pgAdmin
gethomepage.dev/description: PostgreSQL management tool.
gethomepage.dev/group: Infrrastructure
gethomepage.dev/icon: pgadmin.png
gethomepage.dev/pod-selector: >-
app in (
pgadmin
)
spec:
ingressClassName: internal
tls:
- hosts:
- &host pgadmin.${SECRET_EXTERNAL_DOMAIN}
rules:
- host: *host
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: pgadmin
port:
number: 5050
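Review bot: `gethomepage.dev/group: Infrrastructure` misspells the group name, so the homepage will list pgAdmin under a group of its own rather than with the other `Infrastructure` entries; change it to `gethomepage.dev/group: Infrastructure`. The `trunk-ignore(checkov/CKV_K8S_21)` comment suppresses the check without saying why; a short reason next to it, e.g. `# namespace is set by the Flux Kustomization targetNamespace`, would keep the exception reviewable.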


@@ -0,0 +1,9 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./externalsecret.yaml
- ./ingress.yaml
- ./pgadmin.yaml
- ./service.yaml


@@ -0,0 +1,22 @@
---
apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PGAdmin
metadata:
name: pgadmin
spec:
users:
- username: admin@homelab.io
role: Administrator
passwordRef:
name: pgadmin-secret
key: PGADMIN_PASSWORD
dataVolumeClaimSpec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
serverGroups:
- name: supply
postgresClusterSelector: {}
serviceName: pgadmin


@@ -0,0 +1,14 @@
---
# trunk-ignore(checkov/CKV_K8S_21)
apiVersion: v1
kind: Service
metadata:
name: pgadmin
spec:
type: ClusterIP
ports:
- name: pgadmin-port
port: 5050
protocol: TCP
selector:
postgres-operator.crunchydata.com/pgadmin: pgadmin


@@ -0,0 +1,17 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: userinit-controller
spec:
interval: 30m
chart:
spec:
chart: crunchy-userinit-controller
version: 0.0.4
sourceRef:
kind: HelmRepository
name: crunchy-userinit
values:
fullnameOverride: crunchy-userinit-controller


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: crunchy-userinit
spec:
interval: 30m
url: https://ramblurr.github.io/crunchy-userinit-controller
timeout: 3m


@@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helmrepository.yaml
- ./helmrelease.yaml