fixup! ♻️ migration externalsecrets

This commit is contained in:
auricom
2023-07-09 09:17:34 +02:00
parent c00e101eec
commit 357fb88067
167 changed files with 1329 additions and 2706 deletions


@@ -0,0 +1,46 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authelia
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: authelia-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
# App
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: "{{ .LLDAP_LDAP_USER_PASS }}"
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET }}"
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY }}"
AUTHELIA_JWT_SECRET: "{{ .AUTHELIA_JWT_SECRET }}"
AUTHELIA_SESSION_SECRET: "{{ .AUTHELIA_SESSION_SECRET }}"
AUTHELIA_STORAGE_ENCRYPTION_KEY: "{{ .AUTHELIA_STORAGE_ENCRYPTION_KEY }}"
AUTHELIA_STORAGE_POSTGRES_DATABASE: &dbName authelia
AUTHELIA_STORAGE_POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
AUTHELIA_STORAGE_POSTGRES_USERNAME: &dbUser "{{ .AUTHELIA_STORAGE_POSTGRES_USERNAME }}"
AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}"
GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
IMMICH_OAUTH_CLIENT_SECRET: "{{ .IMMICH_OAUTH_CLIENT_SECRET }}"
MINIFLUX_OAUTH_CLIENT_SECRET: "{{ .MINIFLUX_OAUTH_CLIENT_SECRET }}"
WEAVEGITOPS_OAUTH_CLIENT_SECRET: "{{ .WEAVEGITOPS_OAUTH_CLIENT_SECRET }}"
GITEA_OAUTH_CLIENT_SECRET: "{{ .GITEA_OAUTH_CLIENT_SECRET }}"
# Postgres Init
INIT_POSTGRES_DBNAME: *dbName
INIT_POSTGRES_HOST: *dbHost
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: authelia
- extract:
key: cloudnative-pg
- extract:
key: lldap
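Review bot: `INIT_POSTGRES_SUPER_PASS` (the CloudNativePG superuser password) is templated into `authelia-secret` next to the application's own runtime keys, so any workload that mounts this one Secret with `envFrom` receives the superuser credential as well; the bazarr HelmRelease hunk in this commit does exactly that, injecting `bazarr-secret` into both the `01-init-db` init container and the main container. Splitting the `INIT_POSTGRES_*` keys into a second ExternalSecret with its own `target.name`, referenced only by the init container, would keep the superuser password out of the application's process environment. The bazarr ExternalSecret added in this commit uses the same layout and has the same exposure.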


@@ -4,7 +4,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: default namespace: default
resources: resources:
- ./secret.sops.yaml - ./externalsecret.yaml
- ./gatus.yaml
- ./helmrelease.yaml - ./helmrelease.yaml
configMapGenerator: configMapGenerator:
- name: authelia-configmap - name: authelia-configmap


@@ -1,43 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: authelia-secret
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:RzmXYg==,iv:/Nyi6ik2vfnVcSVUa+tZ8iwoSWy/eyFtDP0cwW4NjMw=,tag:ZggZ20DHnI1gQDN0GWNQjg==,type:comment]
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ENC[AES256_GCM,data:XQPgqGCOxig/ewQfyVVte6Op8cA=,iv:bIBc8YqgjdGlllQlXuWPP8VGOt4GBNBjrPNwsydYfGg=,tag:7c8xdEKvrZNaWajhUMtM3w==,type:str]
AUTHELIA_STORAGE_POSTGRES_USERNAME: ENC[AES256_GCM,data:popD58odXyQ=,iv:gw+Y2n/ZRRAudSZy6T6aYdLq504xEH6Ntk+nWY39zjE=,tag:okpCZIGgCzeooa+eSWhAbA==,type:str]
AUTHELIA_STORAGE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:j/VlSpeqwTVKCDN+Law=,iv:k+PKPq1iF/bl0acff1DrbQzRKOb3cy37Sq5R+wuKOQc=,tag:ouhjcJuZJQ0Gc/T396WDrg==,type:str]
AUTHELIA_JWT_SECRET: ENC[AES256_GCM,data:/FH8Yi4olsLQgbAbTGh23wvZ+0bY5XZMxyXUcQ==,iv:BB18NV8++Uqh3TS9KeDAOV3WH8gvBa/vKRAoV48ddMU=,tag:jbNMXobzUIIEd/fQKrD17Q==,type:str]
AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:oKlY7wYdJWyVyS9L0kEyE/FBaX8QguU7ZwN4wg==,iv:qn3DBkozHECvEvjfJaGwogGdNcEYfL9Mr4sZhkmRvUs=,tag:tmvKCTehK5APrJG/xRzdtg==,type:str]
AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:dhPWtO+l7X+9chnJczfL1qE0ckO58kRAvzjTiA==,iv:ac8mMxYENkUv7llxkHHdTiCxMaqP0/joJeAxDkc7vNE=,tag:HUZudNImGCxzlGXeYJZGtA==,type:str]
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: ENC[AES256_GCM,data:GQ5FI3GP+dNfWapUXbkWRoUi4N8oHLn6Kotmmfaqxd0=,iv:iZMUl9vBZUdWElVV1iqPNhdTy0aQKw3H318UT/rTpWs=,tag:iuKMZal34P0zFy6v+Dvj7g==,type:str]
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: ENC[AES256_GCM,data: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,iv:+H0Qz07NHU6fs7mJk9VnLZlYSoxTCnW59oPSHOmGr+s=,tag:w7NtwB7ks/Tb3eky5e/P/A==,type:str]
#ENC[AES256_GCM,data:C0B+sL2neQ9RssNtmkc=,iv:m2CKgHodIVggA8J/YJR/DJw0t/irZJwLvZCXUNmR6zc=,tag:GZoHTWx30yOwcS4hdvqSEg==,type:comment]
INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:lSN7RhVA/KE=,iv:6QvaJnVGUHLiEMo5qZffRHapFL1dtXiIzdhk9iLKZQs=,tag:KoLAgcCEPmCurE3cqzEETQ==,type:str]
INIT_POSTGRES_HOST: ENC[AES256_GCM,data:EUIrBuvpu5XQOE6HfO54Cxr//BwlKW9oPEKHmyQTuUIu1oMMSg==,iv:Ygjak8gez1OeEQ2X1F4HryB5glB3pzut7H7k7z/hwAI=,tag:s3Hd8GZ6enjGEp9uTfy41Q==,type:str]
INIT_POSTGRES_USER: ENC[AES256_GCM,data:gLyRrjvhbKQ=,iv:1SBPtSAq/c5Q90MSgxpBeOkrvqpsOMPitpDdzfG1oBc=,tag:5mi6e6+OnxElAOk3P20XaQ==,type:str]
INIT_POSTGRES_PASS: ENC[AES256_GCM,data:7BviKXdQ32upRD3gEwA=,iv:e6E8oHw2VkaT1y+QmomZmYF/Z8Dnx/nWJDaJWLaaXt0=,tag:soEnjX3zmC1rb1sKdYrT0w==,type:str]
INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:yDvSJZuQC3F5sXIuqzYClg==,iv:7IBNox0wpkA9756iK55kPasF2wsBLn54VAnVt9v+2w0=,tag:IgVxbDU59iyLOHMUUchw3Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2
akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC
Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT
Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq
DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-08T16:58:03Z"
mac: ENC[AES256_GCM,data:E1U2G0xX5opwHgbye57uEyvypTjBd14HegNxc7yz68PGMwG3bkOhZGw2BYi6R2WRqimhfZk6hR4+xYo00BSNahrmjDWcW+vOOwSge1lNz3PehynmZO1dsakAJfaY2r7vHi4Fmd/9ZgCf8NChgBP9QJxSYBhVPg9otbdWOcMf1mE=,iv:zSkV6bumO3XQz7c4DiNNeP5HQu6fxaGL1pKuKBqYJiI=,tag:MiQRkIyQXZ0IAeKfRmUVxA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -9,7 +9,8 @@ metadata:
substitution.flux.home.arpa/enabled: "true" substitution.flux.home.arpa/enabled: "true"
spec: spec:
dependsOn: dependsOn:
- name: cluster-apps-cloudnative-pg-app - name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
path: ./kubernetes/apps/default/authelia/app path: ./kubernetes/apps/default/authelia/app
prune: true prune: true
sourceRef: sourceRef:


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: bazarr
namespace: default
spec:
sourcePVC: bazarr-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: bazarr-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 10
within: 3d


@@ -1,35 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: bazarr-restic
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:nv139ZEGpIFxa3DdsGMpSPlZmW/TcMLeUYjhkbQso9Cs9lxcgUh3V+vXWW+WJEDATT2jSZkcxy4=,iv:R+zvTMTBa0evMizp+04Zs2y4FKmfo1CReMzDyVmA36g=,tag:6gb15igwzatq6vhr5Ym8Fg==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T15:28:16Z"
mac: ENC[AES256_GCM,data:GU6+JsaZFIdyRlf0VS/+rYPdZxTmZ+rhVSR6EqLrJNW/zk7Y55vB/WTMKTGJRS7FwZzwYxCnKtC9bo4kmNyNVmtMaRrLlUrzqrAbGlawIAtPEl0oohKKQxvVrwRpymCoyDvryKool2Css6P6qzXVs1iWUMsZixswjtBhpso44DU=,iv:uDoQXjkQ8ZD/vARU4g6Cslza+yGPzs+lviBslXHdmK8=,tag:RQTXfuAhPhegV+6bWrLKWQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,35 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: bazarr
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: bazarr-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
# App
POSTGRES_ENABLED: "true"
POSTGRES_DATABASE: &dbName bazarr
POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
POSTGRES_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}"
POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
POSTGRES_PORT: "5432"
# Postgres Init
INIT_POSTGRES_DBNAME: *dbName
INIT_POSTGRES_HOST: *dbHost
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: bazarr
- extract:
key: cloudnative-pg
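Review bot: The template draws `POSTGRES_USERNAME`/`POSTGRES_PASSWORD` and `POSTGRES_SUPER_PASS` from two `dataFrom` extracts (`bazarr` and `cloudnative-pg`) without recording which item is expected to supply which key; if both 1Password items ever carry a key of the same name the extracts are merged silently (presumably last-one-wins), which would be hard to diagnose from this manifest. A short comment per group, e.g. `# POSTGRES_USERNAME/PASSWORD come from the "bazarr" item; POSTGRES_SUPER_PASS from "cloudnative-pg"`, makes the contract explicit. `POSTGRES_ENABLED` and `POSTGRES_PORT` are plain configuration rather than secrets and could live in a ConfigMap instead of the generated Secret, though keeping them here is harmless.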


@@ -6,7 +6,7 @@ metadata:
name: &app bazarr name: &app bazarr
namespace: default namespace: default
spec: spec:
interval: 15m interval: 30m
chart: chart:
spec: spec:
chart: app-template chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository kind: HelmRepository
name: bjw-s name: bjw-s
namespace: flux-system namespace: flux-system
maxHistory: 3 maxHistory: 2
install: install:
createNamespace: true createNamespace: true
remediation: remediation:
@@ -26,7 +26,22 @@ spec:
retries: 3 retries: 3
uninstall: uninstall:
keepHistory: false keepHistory: false
dependsOn:
- name: rook-ceph-cluster
namespace: rook-ceph
- name: volsync
namespace: volsync
values: values:
initContainers:
01-init-db:
image: ghcr.io/onedr0p/postgres-init:14.8
imagePullPolicy: IfNotPresent
envFrom: &envFrom
- secretRef:
name: bazarr-secret
controller:
annotations:
reloader.stakater.com/auto: "true"
image: image:
repository: ghcr.io/onedr0p/bazarr repository: ghcr.io/onedr0p/bazarr
tag: 1.2.2@sha256:9656191a1347e44de7fc883912bb00d6a8d5c190dbd0dd77d5ba1ba075095b65 tag: 1.2.2@sha256:9656191a1347e44de7fc883912bb00d6a8d5c190dbd0dd77d5ba1ba075095b65
@@ -34,7 +49,7 @@ spec:
TZ: "${TIMEZONE}" TZ: "${TIMEZONE}"
envFrom: envFrom:
- secretRef: - secretRef:
name: *app name: bazarr-secret
service: service:
main: main:
ports: ports:
@@ -46,10 +61,6 @@ spec:
ingressClassName: "nginx" ingressClassName: "nginx"
annotations: annotations:
auth.home.arpa/enabled: "true" auth.home.arpa/enabled: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header Accept-Encoding "";
sub_filter '</head>' '<link rel="stylesheet" type="text/css" href="https://theme-park.${SECRET_CLUSTER_DOMAIN}/css/base/bazarr/nord.css"></head>';
sub_filter_once on;
hajimari.io/icon: mdi:subtitles-outline hajimari.io/icon: mdi:subtitles-outline
hosts: hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}" - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
@@ -80,11 +91,26 @@ spec:
server: "${LOCAL_LAN_TRUENAS}" server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/video path: /mnt/storage/video
mountPath: /mnt/storage/video mountPath: /mnt/storage/video
podAnnotations: scripts:
secret.reloader.stakater.com/reload: *app enabled: true
type: configMap
name: bazarr-scripts # overriden by kustomizeconfig
defaultMode: 0775
readOnly: true
resources: resources:
requests: requests:
cpu: 23m cpu: 23m
memory: 204M memory: 204M
limits: limits:
memory: 1Gi memory: 1Gi
sidecars:
subcleaner:
image: registry.k8s.io/git-sync/git-sync:v3.6.8
imagePullPolicy: IfNotPresent
args:
- --repo=https://github.com/KBlixt/subcleaner
- --branch=master
- --wait=86400 # 1 day
- --root=/add-ons
volumeMounts:
- { name: add-ons, mountPath: /add-ons }
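Review bot: The `subcleaner` git-sync sidecar tracks `--branch=master` of a third-party repository with no `--rev`, and the `post-process.sh` added in this commit executes `/add-ons/subcleaner/subcleaner.py` from that checkout, so whatever lands on upstream master is run inside the bazarr pod at the next sync (`--wait=86400`). Pinning with `--rev=<upstream-commit-sha>` (placeholder) and bumping it deliberately keeps that code under the same review as the image digests in this file. Separately, `defaultMode: 0775` under the new `scripts` persistence entry relies on YAML 1.1 octal parsing to become 509; the decimal form `defaultMode: 509  # 0775` is unambiguous across parsers. The `# overriden by kustomizeconfig` comment should read `overridden`.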


@@ -4,9 +4,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: default namespace: default
resources: resources:
- ./backups - ./externalsecret.yaml
- ./helmrelease.yaml - ./helmrelease.yaml
- ./secret.sops.yaml
- ./volume.yaml - ./volume.yaml
patchesStrategicMerge: - ./volsync.yaml
- ./patches/subcleaner.yaml configMapGenerator:
- name: bazarr-scripts
files:
- post-process.sh=./scripts/post-process.sh
configurations:
- ./patches/kustomizeconfig.yaml


@@ -0,0 +1,7 @@
---
nameReference:
- kind: ConfigMap
version: v1
fieldSpecs:
- path: spec/values/persistence/scripts/name
kind: HelmRelease


@@ -1,21 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: bazarr
namespace: default
spec:
values:
additionalContainers:
subcleaner:
name: subcleaner
image: registry.k8s.io/git-sync/git-sync:v3.6.8
args:
- --repo=https://github.com/KBlixt/subcleaner.git
- --branch=master
- --depth=1
- --root=/add-ons/subcleaner
volumeMounts:
- name: add-ons
mountPath: /add-ons


@@ -0,0 +1,17 @@
#!/usr/bin/env bash
printf "Cleaning subtitles for '%s' ...\n" "$1"
python3 /add-ons/subcleaner/subcleaner.py "$1" -s
# case $1 in
# *Movies*) section="4";;
# *Television*) section="5";;
# esac
# if [[ -n "${section}" ]]; then
# printf "Refreshing Plex section '%s' for '%s' ...\n" "${section}" "$(dirname "$1")"
# /usr/bin/curl -X PUT -G \
# --data-urlencode "path=$(dirname "$1")" \
# --data-urlencode "X-Plex-Token=$2" \
# "http://plex.default.svc.cluster.local:32400/library/sections/${section}/refresh"
# fi
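Review bot: The script runs without `set -euo pipefail` and never checks that `$1` is set, so an invocation without a path still calls `subcleaner.py ""`; add `set -euo pipefail` after the shebang and `[[ -n "${1:-}" ]] || { echo "usage: $0 <path> [plex-token]" >&2; exit 2; }` before the `printf`. The commented-out Plex block passes the token in the URL query (`X-Plex-Token=$2`), which ends up in access and proxy logs if it is ever re-enabled; sending it as an `X-Plex-Token` request header is the safer form. Since that block is dead code, either drop it or add a one-line comment saying why it is kept.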


@@ -1,29 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: bazarr
namespace: default
type: Opaque
stringData:
BAZARR__API_KEY: ENC[AES256_GCM,data:JP0q+GSWGKQsAWAL+vOpJUzWVNcG6ncjHxiZ8vplk1o=,iv:rUxiwvF1kyTX9SHrAMmml9lmbKhRqXYYFZ2djWlUsaU=,tag:xSPaQCULmLvFy08QgCV1kQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-15T04:37:34Z"
mac: ENC[AES256_GCM,data:8NbT9oTRIKRY/GlyeasQGaQpypHoa7HJtzTf7QX3sn8sN0eQoH9H8nZMcwGm9yS1YzOti8MugQVfkkQiwp6nknY7Xk93tyZ8UO9IOo1SybI12WnaYuXf0CUfGVpv9Fsisc0DHonnxTgsymkJDYqXZgJP9L8JwiNeZx6jtCoaO0I=,iv:AfNP3QP5iK9Jx0Juey/EpIdQNZL2VNyjJLmQxO4AV7w=,tag:3dfYfYElHQk/KTQ6AwUB8A==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,49 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: bazarr-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: bazarr-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/bazarr'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: bazarr
namespace: default
spec:
sourcePVC: bazarr-config
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: bazarr-restic-secret
cacheCapacity: 10Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 7
within: 3d
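Review bot: Every per-app restic ExternalSecret in this commit (bazarr here, and calibre-web, calibre and changedetection below) templates `RESTIC_PASSWORD`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from the single `volsync-restic-template` item, so all backup repositories share one repository password and one object-store credential; a compromise of any one app's `*-restic-secret`, or of the pod running its mover, exposes every app's backups. Per-app restic passwords and, where the store allows it, per-prefix credentials would contain that; at minimum record the shared-credential decision in a comment on `dataFrom`, e.g. `# all volsync repos share the credentials of the volsync-restic-template item`. Note also that the SOPS-encrypted Secrets this replaces remain in git history, so the values moved into 1Password are only as private as the age key that protected them and should be rotated if that key's custody is in doubt.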


@@ -9,7 +9,8 @@ metadata:
substitution.flux.home.arpa/enabled: "true" substitution.flux.home.arpa/enabled: "true"
spec: spec:
dependsOn: dependsOn:
- name: cluster-apps-rook-ceph-cluster - name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-volsync-app - name: cluster-apps-volsync-app
path: ./kubernetes/apps/default/bazarr/app path: ./kubernetes/apps/default/bazarr/app
prune: true prune: true
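Review bot: The bazarr Flux Kustomization drops `cluster-apps-rook-ceph-cluster` from `dependsOn` in favour of `cluster-apps-cloudnative-pg-cluster`, while the calibre-web and calibre Kustomizations in this same commit keep the rook-ceph dependency alongside the new external-secrets one, and bazarr's ReplicationSource still requests `csi-ceph-blockpool`/`rook-ceph-block`. Presumably the ordering is covered transitively through `cluster-apps-volsync-app` and the HelmRelease-level `dependsOn` on `rook-ceph-cluster` added in this commit; if so, a comment saying that would help, otherwise keep `- name: cluster-apps-rook-ceph-cluster` for consistency with the sibling apps.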


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: calibre-web
namespace: default
spec:
sourcePVC: calibre-web-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: calibre-web-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 10
within: 3d


@@ -1,34 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: calibre-web-restic
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:bEsDAvrGLpXOhGV4M/bwVDjxroaLKG3vF4OqLy9ChHti4ateAQKOqzsT/9wwejZwmnWB8jBWPuzx2e876g==,iv:/MucYIH5cQNE6m+ceNDWEhKu122iMCUI6te9awbXRO8=,tag:+fkEJP2PWCz/vEOohVgCWw==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T14:53:29Z"
mac: ENC[AES256_GCM,data:rTyH2sHO4+/P7S4XLfW4dEyRDi1h044LlXCdlQmk1XdqDH8/5d93UYGSSfW3S6JjIqrOS1ETsRQS2Am8gSVmqZjBi+eXui4kNp7zURcOa8RiuMyySJZLap+KnV2Tu9aZYaaiOms/oy7ABk/+5X4SyJHPtOv51uw+gvfDWaU93Uo=,iv:r919TYG3cfPsjYDRrYdAgUGBwzdVVpMu2pmaJdLSd9Q=,tag:e0JmALQgOu5wXCb35PhGFQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -6,7 +6,7 @@ metadata:
name: &app calibre-web name: &app calibre-web
namespace: default namespace: default
spec: spec:
interval: 15m interval: 30m
chart: chart:
spec: spec:
chart: app-template chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository kind: HelmRepository
name: bjw-s name: bjw-s
namespace: flux-system namespace: flux-system
maxHistory: 3 maxHistory: 2
install: install:
createNamespace: true createNamespace: true
remediation: remediation:


@@ -4,6 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: default namespace: default
resources: resources:
- ./backups
- ./helmrelease.yaml - ./helmrelease.yaml
- ./volume.yaml - ./volume.yaml
- ./volsync.yaml


@@ -0,0 +1,49 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: calibre-web-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: calibre-web-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/calibre-web'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: calibre-web
namespace: default
spec:
sourcePVC: calibre-web-config
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: calibre-web-restic-secret
cacheCapacity: 10Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 7
within: 3d


@@ -9,6 +9,7 @@ metadata:
substitution.flux.home.arpa/enabled: "true" substitution.flux.home.arpa/enabled: "true"
spec: spec:
dependsOn: dependsOn:
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-rook-ceph-cluster - name: cluster-apps-rook-ceph-cluster
- name: cluster-apps-volsync-app - name: cluster-apps-volsync-app
path: ./kubernetes/apps/default/calibre-web/app path: ./kubernetes/apps/default/calibre-web/app


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,24 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: calibre
namespace: default
spec:
sourcePVC: calibre-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: calibre-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 1026
runAsGroup: 1000
retain:
daily: 10
within: 3d


@@ -1,34 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: calibre-restic
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:NCy35YYxOndjxHADaEqPRQQ0nRT8MPxUex80YNjEEL0GCSpvN+exASZefQjRxtkXz84cGgj9gANx,iv:gBwqlwFn1D97913ZxwG1E3WeYi7wXKVk8Mdspa/Tx8o=,tag:dojF0a2jaTcYzz3YMxUmTA==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T14:51:21Z"
mac: ENC[AES256_GCM,data:fdP1tAzBaWHagD6DpVtjRuwfs1KLg0ji0IoLArCXiBiXQ9VYlc4cWhgdmzLFzoqu1dNpCUyHsl9dHGgDaoxLEtZDq8bJ9n47Z6h+gP31TRuSgnb1sOAfqxOswLYabzZRfMGIJmaGI8zeWC3Og0xZj0TUbsyc8CBA5rMLj/iHZNE=,iv:NR7VP08kRRcrnbRzBWXlMqB8849jOsEVqt79iLT9Mik=,tag:FvBWbDR3zmKVKxTPiVzASw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -6,7 +6,7 @@ metadata:
name: &app calibre name: &app calibre
namespace: default namespace: default
spec: spec:
interval: 15m interval: 30m
chart: chart:
spec: spec:
chart: app-template chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository kind: HelmRepository
name: bjw-s name: bjw-s
namespace: flux-system namespace: flux-system
maxHistory: 3 maxHistory: 2
install: install:
createNamespace: true createNamespace: true
remediation: remediation:


@@ -4,6 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: default namespace: default
resources: resources:
- ./backups
- ./helmrelease.yaml - ./helmrelease.yaml
- ./volume.yaml - ./volume.yaml
- ./volsync.yaml


@@ -0,0 +1,48 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: calibre-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: calibre-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/calibre'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: calibre
namespace: default
spec:
sourcePVC: calibre-config
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: calibre-restic-secret
cacheCapacity: 10Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 1026
runAsGroup: 1000
retain:
daily: 7
within: 3d


@@ -9,6 +9,7 @@ metadata:
substitution.flux.home.arpa/enabled: "true" substitution.flux.home.arpa/enabled: "true"
spec: spec:
dependsOn: dependsOn:
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-rook-ceph-cluster - name: cluster-apps-rook-ceph-cluster
- name: cluster-apps-volsync-app - name: cluster-apps-volsync-app
path: ./kubernetes/apps/default/calibre/app path: ./kubernetes/apps/default/calibre/app


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: changedetection
namespace: default
spec:
sourcePVC: changedetection-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: changedetection-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 10
within: 3d


@@ -1,34 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: changedetection-restic
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:HmPWvXXr22DmHh2XypxfFMIi32R15/Czlna0V+b6mUCY+cyO/jOfG+GqPen0Ygn2bzlSnw+1c/Yvgs7v+9yAfxc=,iv:kJ5KSpAv7Dh2tYx2UjVtC4rYRAGsyuJC1H3ii1btMWQ=,tag:7vKCtcIoVVVNq16j20M/og==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-29T17:55:52Z"
mac: ENC[AES256_GCM,data:Sa2goM30k4qdpk8sCpzvOGRqAkxsVHpHc4LDno/l4pWNalUa7ntmRtaO5IfpOrayOp4j2la20n9aNj9S436laMsXtno3ozi8Q93yBt4Nxc1/5CQRZDenkaYaqsKYgNbPLJ8z+Bxy8HAV0OGrrsE7R992SmGhBKIqzU39Eg0vtuU=,iv:2o9a3ARM0yyGycuMTNqiy6QfYC7wTyB37Ae5DLlWIpo=,tag:2kLCR7hhgkCFhJgZEm745g==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -6,7 +6,7 @@ metadata:
name: changedetection name: changedetection
namespace: default namespace: default
spec: spec:
interval: 15m interval: 30m
chart: chart:
spec: spec:
chart: app-template chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository kind: HelmRepository
name: bjw-s name: bjw-s
namespace: flux-system namespace: flux-system
maxHistory: 3 maxHistory: 2
install: install:
createNamespace: true createNamespace: true
remediation: remediation:


@@ -4,8 +4,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: default namespace: default
resources: resources:
- ./backups
- ./helmrelease.yaml - ./helmrelease.yaml
- ./volume.yaml - ./volume.yaml
- ./volsync.yaml
patchesStrategicMerge: patchesStrategicMerge:
- ./patches/browser.yaml - ./patches/browser.yaml


@@ -0,0 +1,49 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: changedetection-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: changedetection-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/changedetection'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: changedetection
namespace: default
spec:
sourcePVC: changedetection-config
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: changedetection-restic-secret
cacheCapacity: 10Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 7
within: 3d
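Review bot: The ExternalSecret at the top of this file does not record which fields the `volsync-restic-template` item is expected to carry, unlike the emqx and flood ExternalSecrets in this commit, which list the consumed field names next to `key:`. A one-line comment such as `# REPOSITORY_TEMPLATE, RESTIC_PASSWORD, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY` above `key: volsync-restic-template` would make the 1Password item contract visible without opening the vault. The same applies to the firefly-iii and flood volsync files added in this commit.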


@@ -9,6 +9,7 @@ metadata:
substitution.flux.home.arpa/enabled: "true" substitution.flux.home.arpa/enabled: "true"
spec: spec:
dependsOn: dependsOn:
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-rook-ceph-cluster - name: cluster-apps-rook-ceph-cluster
- name: cluster-apps-volsync-app - name: cluster-apps-volsync-app
path: ./kubernetes/apps/default/changedetection/app path: ./kubernetes/apps/default/changedetection/app


@@ -6,7 +6,7 @@ metadata:
name: cloudnative-pg name: cloudnative-pg
namespace: default namespace: default
spec: spec:
interval: 15m interval: 30m
chart: chart:
spec: spec:
chart: cloudnative-pg chart: cloudnative-pg
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository kind: HelmRepository
name: cloudnative-pg name: cloudnative-pg
namespace: flux-system namespace: flux-system
maxHistory: 3 maxHistory: 2
install: install:
createNamespace: true createNamespace: true
crds: CreateReplace crds: CreateReplace


@@ -24,12 +24,12 @@ spec:
- name: POSTGRES_USER - name: POSTGRES_USER
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: postgres-superuser name: cloudnative-pg-secret
key: username key: username
- name: POSTGRES_PASSWORD - name: POSTGRES_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: postgres-superuser name: cloudnative-pg-secret
key: password key: password
- name: POSTGRES_EXTRA_OPTS - name: POSTGRES_EXTRA_OPTS
value: "-Z9 --schema=public --blobs" value: "-Z9 --schema=public --blobs"
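Review bot: The renamed `secretKeyRef` entries still read keys `username` and `password`, but nothing in this hunk shows that `cloudnative-pg-secret` exposes those key names; the other ExternalSecrets in this commit read the `cloudnative-pg` item as `POSTGRES_SUPER_PASS`, so a plain `dataFrom.extract` of that item would not yield `username`/`password`. Please confirm that the ExternalSecret producing `cloudnative-pg-secret` (not in this view) templates both keys, otherwise `POSTGRES_USER` and `POSTGRES_PASSWORD` fail to resolve when the pod starts. The enclosing container spec begins and ends outside the hunk.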


@@ -0,0 +1,18 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: emqx
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: emqx-secret
creationPolicy: Owner
dataFrom:
- extract:
# admin_password, user_1_username, user_1_password
key: emqx


@@ -6,7 +6,7 @@ metadata:
name: emqx name: emqx
namespace: default namespace: default
spec: spec:
interval: 15m interval: 30m
chart: chart:
spec: spec:
chart: emqx chart: emqx
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository kind: HelmRepository
name: emqx name: emqx
namespace: flux-system namespace: flux-system
maxHistory: 3 maxHistory: 2
install: install:
createNamespace: true createNamespace: true
remediation: remediation:
@@ -34,8 +34,7 @@ spec:
emqxConfig: emqxConfig:
EMQX_ALLOW_ANONYMOUS: "false" EMQX_ALLOW_ANONYMOUS: "false"
EMQX_AUTH__MNESIA__PASSWORD_HASH: plain EMQX_AUTH__MNESIA__PASSWORD_HASH: plain
EMQX_AUTH__USER__1__USERNAME: ${SECRET_MQTT_USER} EMQX_DASHBOARD__DEFAULT_USERNAME: admin
EMQX_AUTH__USER__1__PASSWORD: ${SECRET_MQTT_PASSWORD}
service: service:
type: LoadBalancer type: LoadBalancer
loadBalancerIP: ${CLUSTER_LB_EMQX} loadBalancerIP: ${CLUSTER_LB_EMQX}
@@ -80,5 +79,13 @@ spec:
valuesFrom: valuesFrom:
- targetPath: emqxConfig.EMQX_DASHBOARD__DEFAULT_PASSWORD - targetPath: emqxConfig.EMQX_DASHBOARD__DEFAULT_PASSWORD
kind: Secret kind: Secret
name: emqx-config name: emqx-secret
valuesKey: admin_password valuesKey: admin_password
- targetPath: emqxConfig.EMQX_AUTH__USER__1__USERNAME
kind: Secret
name: emqx-secret
valuesKey: user_1_username
- targetPath: emqxConfig.EMQX_AUTH__USER__1__PASSWORD
kind: Secret
name: emqx-secret
valuesKey: user_1_password
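Review bot: The auth block that now receives `user_1_password` from `emqx-secret` still sets `EMQX_AUTH__MNESIA__PASSWORD_HASH: plain` (context line in the third hunk), so the broker keeps the credential unhashed in mnesia even though it is now sourced from a secret store. Since the credential is being re-plumbed anyway, this is a good moment to move to a hashed mode, e.g. `EMQX_AUTH__MNESIA__PASSWORD_HASH: sha256`, and re-create the user entry. Whether an existing mnesia user record needs migration after that change depends on the EMQX version, which this hunk does not show.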


@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: default namespace: default
resources: resources:
- ./secret.sops.yaml - ./externalsecret.yaml
- ./helmrelease.yaml - ./helmrelease.yaml


@@ -1,30 +0,0 @@
kind: Secret
apiVersion: v1
type: Opaque
metadata:
name: emqx-config
namespace: default
stringData:
admin_password: ENC[AES256_GCM,data:5CgeNci9Mr9bhHLG/cl9yajr02CInvng,iv:tzU2NnmprFiVfnxgXP8y+o2wgwooaWVpvq6+fKodLC8=,tag:MkDFv5wOn4B6yWUMfivQGA==,type:str]
user_1_username: ENC[AES256_GCM,data:np5xaBR5Ze8ml9UY8w==,iv:fmxB+fop4lc81BJnVataRvbtlaCaqfB8xL1AoFkuDDQ=,tag:00XN9H0wKoypgz7fUW4NGQ==,type:str]
user_1_password: ENC[AES256_GCM,data:NilXDCtXR0j+pWQYhesSogoWNQ==,iv:79TXQXTqYbzaLfMfQ/ZF5EP1UmtYAJ0aYHrD4HrYw3c=,tag:VIH6Zx00vLlpFGS9yrDAfg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvb3RQOTVNN0VzdElJSGRY
bytDQ045bnRMY2RGSmEvTE9jQkN4MTQrZUhnCnZ0TjF5ZTU2bWtJNzVGRXdqV0lP
RGtuaUVkZlluUjlsd0lvZ0ZuRE5ocEUKLS0tIGxsTjJpc0JEeUhxSjF6MU5mSlli
bXpSSjd3YU5hRXFKdnhVcTFKTzRqZzQKlFvt9rCRt+1EviAtZxaQVVwAEt300456
KDHW7U58DUO3TmzTG47/iLj7AxIgCQKUjgaU6FoiQ/DZLaVCloyWEA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-14T12:39:16Z"
mac: ENC[AES256_GCM,data:0dG5L2JMoLlTVR4RqxbCGLQAe+NR0wHKGUwCUO0+5tDS/klaUvMAaQQkQZd2UDXeK6nyrb0pQA5i6sgqrv6znT6TToMA1vujHbuXe7S7+zVVfU0nIEsPomQWSxaqLP0FSvfqJ06Q3SftLusnnAFrwo1SHfvinIl2XcA0fJWJ/dk=,iv:407K+60IDcnxm5bo1woKMVUySxWHavFr5eFcN2VhA+Q=,tag:fwPcZ4D5XeWMFwluUcaTGA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -10,6 +10,7 @@ metadata:
spec: spec:
dependsOn: dependsOn:
- name: cluster-apps-rook-ceph-cluster - name: cluster-apps-rook-ceph-cluster
- name: cluster-apps-external-secrets-stores
path: ./kubernetes/apps/default/emqx/app path: ./kubernetes/apps/default/emqx/app
prune: true prune: true
sourceRef: sourceRef:


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,21 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: firefly-iii
namespace: default
spec:
sourcePVC: firefly-iii-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: firefly-iii-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
retain:
daily: 10
within: 3d


@@ -1,35 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: firefly-iii-restic
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:6LyAyrcpadw4k54eIuZXmwA/VUpEhu0vdiv9A3PmKON+c+NJapQS2SkkJZ5ZRzvxzhAl3QRqrh2W23waUg==,iv:afDeELcTvPXp06kjm7xtNt6Z6DNBhCY6AHpPcsGD5s8=,tag:+SZzGfvonhiYgbpwl+5Rwg==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-17T15:41:24Z"
mac: ENC[AES256_GCM,data:4Mdw4S0kLhuVvmmgiSmDvSRge27vzXHLMgHeZ889D4CogVwBOZVlOhHfR4PRY9ETO/7YC9iCWmK47e3Gu3cJId1Fxy0R46vOtk9ymySqn6yydJ+N3zjgaJIgCqnzsx9OoXjqX9NCdpuwWgyzM7R2jk/VbMXISV9DWSRiqP2Dc5c=,iv:xmg69s0AeXXAZMA8YvuMlea5PAPsyVkWBfaMhoccYZA=,tag:sXe233lgl15DspA3gfgR/g==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,34 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: firefly-iii
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: firefly-iii-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
# App
APP_KEY: "{{ .FIREFLY_APP_KEY }}"
DB_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}"
DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
FIREFLY_III_ACCESS_TOKEN: "{{ .FIREFLY_ACCESS_TOKEN }}"
# Postgres Init
INIT_POSTGRES_DBNAME: firefly-iii
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
- extract:
key: firefly-iii


@@ -6,7 +6,7 @@ metadata:
name: &app firefly-iii name: &app firefly-iii
namespace: default namespace: default
spec: spec:
interval: 15m interval: 30m
chart: chart:
spec: spec:
chart: app-template chart: app-template
@@ -27,6 +27,13 @@ spec:
uninstall: uninstall:
keepHistory: false keepHistory: false
values: values:
initContainers:
01-init-db:
image: ghcr.io/onedr0p/postgres-init:14.8
imagePullPolicy: IfNotPresent
envFrom: &envFrom
- secretRef:
name: bazarr-secret
controller: controller:
annotations: annotations:
reloader.stakater.com/auto: "true" reloader.stakater.com/auto: "true"
@@ -42,7 +49,7 @@ spec:
TZ: ${TIMEZONE} TZ: ${TIMEZONE}
APP_URL: "https://cash.${SECRET_DOMAIN}" APP_URL: "https://cash.${SECRET_DOMAIN}"
DB_CONNECTION: "pgsql" DB_CONNECTION: "pgsql"
DB_HOST: "${POSTGRES_HOST}" DB_HOST: postgres-rw.default.svc.cluster.local
DB_PORT: "5432" DB_PORT: "5432"
DB_DATABASE: *app DB_DATABASE: *app
MAIL_MAILER: log MAIL_MAILER: log
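Review bot: The new `01-init-db` init container reads its `INIT_POSTGRES_*` variables from `bazarr-secret` (the line `name: bazarr-secret` under `envFrom: &envFrom`), but this is the firefly-iii release and the ExternalSecret added in this commit writes those keys to `firefly-iii-secret`; this looks like a copy-paste slip that would initialise the wrong database, or fail outright if that secret does not exist in the namespace. Change it to `name: firefly-iii-secret`, as the freshrss release in this commit does. Any later `*envFrom` alias in the file, which is outside this hunk, inherits the same wrong reference.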


@@ -1,70 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app firefly-iii-data-importer
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.5.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
controller:
annotations:
reloader.stakater.com/auto: "true"
image:
repository: fireflyiii/data-importer
tag: version-1.2.2
service:
main:
ports:
http:
port: 8080
env:
TRUSTED_PROXIES: "**"
FIREFLY_III_URL: "http://firefly-iii.default.svc.cluster.local:8080"
VANITY_URL: "https://cash.${SECRET_DOMAIN}"
envFrom:
- secretRef:
name: firefly-iii-secret
persistence:
config:
enabled: true
existingClaim: firefly-iii-config
mountPath: /var/www/html/firefly-iii/storage/upload
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
hajimari.io/icon: foundation:page-export-csv
hosts:
- host: &host "firefly-data-importer.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
resources:
requests:
cpu: 100m
memory: 256Mi


@@ -4,9 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: default namespace: default
resources: resources:
- ./backups - ./externalsecret.yaml
- ./helmrelease.yaml - ./helmrelease.yaml
- ./secret.sops.yaml
- ./volume.yaml - ./volume.yaml
patchesStrategicMerge: - ./volsync.yaml
- ./patches/postgres.yaml


@@ -1,32 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: firefly-iii
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.8
env:
- name: POSTGRES_HOST
value: ${POSTGRES_HOST}
- name: POSTGRES_DB
value: firefly-iii
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: firefly-iii-secret
key: DB_USERNAME
- name: POSTGRES_PASS
valueFrom:
secretKeyRef:
name: firefly-iii-secret
key: DB_PASSWORD


@@ -1,32 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: firefly-iii-secret
namespace: default
type: Opaque
stringData:
APP_KEY: ENC[AES256_GCM,data:NLGN6FyBlsnIJQJlfu/hGPTE1WPPs1Vw2oUE71MwXmc=,iv:TCwaM/NH+1TOU76fKc6tyV9mxieUcI3IAxeumv+e2wo=,tag:MWPaCl39dEyt6UXOvKLiuQ==,type:str]
DB_USERNAME: ENC[AES256_GCM,data:K/HOy/nGdg==,iv:1bmBakA39Z9I19wvbDf9pdEnoeLfyyp6H3LBPMD/VjU=,tag:1bOb34XHnxFZqTnzMAXs0A==,type:str]
DB_PASSWORD: ENC[AES256_GCM,data:TCMJIdYJUda28KeoPNLOotbrFy8=,iv:IkXyzoKKlSrWUEog/KsiJeidnpFQbbaZDCcFlfys0zU=,tag:9on2I0Xzk5eB61/FDl+06Q==,type:str]
FIREFLY_III_ACCESS_TOKEN: ENC[AES256_GCM,data:1wvSr8l8YPaewwM/MFPYCDEuNv9thV49bSwLfchbPilio911qjriTVu7YWLnVe6UgXbdiQYMTmN91GgT1ss64ByyNHhqT59voQ4noT69Otbb7T/KPF7IAgLC9vKfs6/T+fcJwMzkP+tHbITCRzdwv+T8sjfX8qmLwWgVjLrF8f8TemF8z08K6uOqQiEWnV5zqotEnbnW22bEhTcNPbS0bayETpy0/39mN4OvLET+KGcO8LPNIWzObgq80pat8wsUNyfNp9h/I+8IRWwh9X1OCsJe8dJ6O3wynaqwyaccu0D2009DUW1i3+5sixz0l9eKVc9nmOuiFa3ghLCEjqZTvEP4NFlFdD6qeVQ9e+3hXAV8ufkDF3Cf98gvvkKjIWbxjSsjCHLHXFfQpHDAjYsKFBOGJjZv0kxdqavF7av1GE0SbMGfatviyEwFqJh38RG9Gj1KoK8jOdG+kQU7PGA0HbhPI6QM7nU1kJzKgwUlfZd7bduCdBBPYaU5GkuCmygD2cbUG3xmaI+F8Rchut85j8kseIkQn7SzxekpXaIWpZ0nBFF3xB2S+2xfkzTAtxrjvp2Ej16r515Q8wE1mbk0S+1zA45BaMhpUsZsXUOvdclIoa7kg9Vfa+bhHaqpnW52sp0fTd2vj+dl/HLlVeMOpAyPpe6A82BxkrgoPA+rfZwBLd9v1AwaFIuSBc4D4d2b8lCJnbM7iuDuZZRNPBC4T2R27RjXiqbbtXYD1MalkpS+M2PwTYwS/s5T0oc10OmIh0QPGqtxb7lgQsN2Sgg2oFjGywb1P3SV9GIQBDK4SDgMSLKuVnJO6WdcYuHTBIuxSzjfVyQ0BuH3NhxQECwO5DYuXwx/7Dc4IeNuagX7Hl7vKua4JRjdF8XWdePBz9LdZ/CraWhX5bXfOypCpNWIuVLRk3pd7Dpf/Fq5dTJo774plPnPG/RHUNOK2ws2Y4S81i2qSDLw3tdKlGO3jTz6uEd67SwQ27Uw9XR5MaPaM7vuS7wvuOyeDTuJ2SwNWazQlUANw9WUlRiB75uOqjcu9dLVwbldZJpZ/lIb/2iQYMrzxodS3G9Dbqbwm0hCzCQQIlWvYjAEpotmZPA7CTsdxRIc7Uwy3GUIxcb0GZ0uCl2t+PwdDSjRXuuhWj7dzZg0WgJV/v+H+1TIomvjRPmgXru0dd7mUz4JU2Mloi/tVXcqAZpmEo5i9pqgRQfXyFcXV+2M+E/xUcPN1YVoQMuhCr/Dy5cg7c29pbLBfDpZsPmu3c3ER2Q3a1U0YPHFo0Gy8KEfejhyCkHsrX1Htq4MjcteLco=,iv:4Li737+2osPRFNOlrGhjXiw1nMUYHAt3MCraJhafl1Y=,tag:7kgrpub9cwQ2D4W+KQw9HA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-17T16:49:46Z"
mac: ENC[AES256_GCM,data:PhQy1ewerdHDAcSGw8EYXSpocB/fVZr38cUGGdFSIlaMK2o0NVOTutValrpgQhAnZWN5hPzcfDlqtMWCxNThsZSgoKSVmU8eZQ9bhlQzzlaoctUQQ+ZVSrP5l2AHuUK2a50i3bWpijms+2i6HDhmCi8xSWhZ49eYoM2jcJjH03s=,iv:CTQI3E25UOXmMHfpYcNKbk7NAIzYPuXmtDEUvjkWJgo=,tag:dSb6cTEnYVBJiEVxmtxP3g==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,49 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: firefly-iii-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: firefly-iii-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/firefly-iii'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: firefly-iii
namespace: default
spec:
sourcePVC: firefly-iii-config
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: firefly-iii-restic-secret
cacheCapacity: 10Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 7
within: 3d


@@ -15,35 +15,7 @@ spec:
name: home-ops-kubernetes name: home-ops-kubernetes
dependsOn: dependsOn:
- name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-rook-ceph-cluster - name: cluster-apps-external-secrets-stores
- name: cluster-apps-volsync-app
healthChecks:
- apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
name: firefly-iii
namespace: default
interval: 30m
retryInterval: 1m
timeout: 3m
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cluster-apps-firefly-iii-data-importer
namespace: flux-system
labels:
substitution.flux.home.arpa/enabled: "true"
spec:
path: ./kubernetes/apps/default/firefly-iii/app/importer
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-firefly-iii
- name: cluster-apps-rook-ceph-cluster
- name: cluster-apps-volsync-app - name: cluster-apps-volsync-app
healthChecks: healthChecks:
- apiVersion: helm.toolkit.fluxcd.io/v2beta1 - apiVersion: helm.toolkit.fluxcd.io/v2beta1
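Review bot: The `dependsOn` list on the new side keeps `cluster-apps-cloudnative-pg-cluster` and `cluster-apps-volsync-app` but `cluster-apps-rook-ceph-cluster` no longer appears, while the volsync.yaml added for this app still uses `storageClassName: rook-ceph-block` and `volumeSnapshotClassName: csi-ceph-blockpool`; if the PVC in volume.yaml is backed by the same class, Flux may now reconcile this Kustomization before Rook is ready on a cold start. If the ordering is covered transitively (for example by `cluster-apps-volsync-app` depending on Rook), a short comment on the list would stop the next reader from re-adding it. The flood ks.yaml in this commit drops the same dependency.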


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,21 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: flood
namespace: default
spec:
sourcePVC: flood-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: flood-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
retain:
daily: 10
within: 3d


@@ -1,35 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: flood-restic
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:fVeVjIVtONVdCuSBthH5YYkzirnDbpLzX40UpQIP18xcI4O2hREchTRfKz+EgRKFfj1rDZx5pg==,iv:RlEqORfh8kK4lfl4yrGyZI29KPrWYCW/AvPprrIx7gA=,tag:6J6NRmM1vuagkWafuj5sSw==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T08:19:36Z"
mac: ENC[AES256_GCM,data:bysbIEfD4gyDw5Yq6AHxPVqY4CCuc9TIv2Z4wne8RJSgVf1/Tk0H+8xVg5j30FQEW5f3VnwJIFAIUVDoZabq8ywhESjdMclL1BPk4wz0tEDkShwkfIkv43JaEc4XZbqMOxvIVYF+9PmYV3uPXx1aFtOYi5Mtf28CETI4Mpjsvl8=,iv:f2mua5viAurKjFyiVjGT3d9vLUbYzHwXG07w28uyuM4=,tag:OjmcIja38jL2o9p5WBKYbw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,18 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: flood
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: flood-secret
creationPolicy: Owner
dataFrom:
- extract:
# FLOOD_OPTION_QBUSER, FLOOD_OPTION_QBPASS
key: flood


@@ -6,7 +6,7 @@ metadata:
name: &app flood name: &app flood
namespace: default namespace: default
spec: spec:
interval: 15m interval: 30m
chart: chart:
spec: spec:
chart: app-template chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository kind: HelmRepository
name: bjw-s name: bjw-s
namespace: flux-system namespace: flux-system
maxHistory: 3 maxHistory: 2
install: install:
createNamespace: true createNamespace: true
remediation: remediation:
@@ -27,6 +27,9 @@ spec:
uninstall: uninstall:
keepHistory: false keepHistory: false
values: values:
controller:
annotations:
reloader.stakater.com/auto: "true"
image: image:
repository: jesec/flood repository: jesec/flood
tag: master tag: master
@@ -36,7 +39,7 @@ spec:
FLOOD_OPTION_QBURL: "http://qbittorrent.default.svc.cluster.local.:8080" FLOOD_OPTION_QBURL: "http://qbittorrent.default.svc.cluster.local.:8080"
envFrom: envFrom:
- secretRef: - secretRef:
name: *app name: flood-secret
service: service:
main: main:
ports: ports:


@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: default namespace: default
resources: resources:
- ./backups - ./externalsecret.yaml
- ./helmrelease.yaml - ./helmrelease.yaml
- ./secret.sops.yaml
- ./volume.yaml - ./volume.yaml
- ./volsync.yaml


@@ -1,30 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: flood
namespace: default
type: Opaque
stringData:
FLOOD_OPTION_QBUSER: ENC[AES256_GCM,data:wwb74Ok=,iv:bLa7BU9lqiUKUqO5hLaMKE50ovxUJzJnaEMu9QSX6wQ=,tag:VQjtK4T8AOQIvPEujTOfcA==,type:str]
FLOOD_OPTION_QBPASS: ENC[AES256_GCM,data:8PzsOc2NNHkY8kRVB3z/62W4peA=,iv:pbRQ+I9IBAY/+QYfVKuNGUr4zYAawUzqdbG8IeETIhQ=,tag:X8O0AitScHuBXcoePprZ1Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoN0VJaHVYcXNDZDlZUGRn
YUViZDU0TCtmbzkycUpiZUVDbkluSzdSM2hVClpMRDdKREJBZEpEYUIxUGlIem9Q
Z08rVUVLUFhWNGdncElCR2hFVFNJUEUKLS0tIDZzcDVyb0lMTzRrNStBRU1KN2wy
OU81anNCMk13bXNXRVM3ZWcxTjd6SUkKd5FvLfeXe4p7j5eryl9ZuVh6oT920yiy
hsaI1Cwm2WH55lR++P1jtIyTo+lOL5M+IZUeyC7LXBpMp2UBNbllcw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-15T05:40:26Z"
mac: ENC[AES256_GCM,data:hwIHegLoNt6vHq1Dj3sispmAoByMN25HAG/koTtaNSCs94W4JbGGqJ+6waXX9vlWyWux6gJw8Y4j71BnjfP5Fhk4sTkS2N30XrNt/B4+95jO4u4spfZ5MPzb4FE5qIVaqDliDbhj50GA2eruVtYgGgJ4oCADWGI+iJZYyKnuUNQ=,iv:w9lUfjBF194TQQjUGzPBOpbYeey6eOG8heU7QKYF2gk=,tag:xiTESQOcm/PGaIYZqLgFQQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,49 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: flood-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: flood-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/flood'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: flood
namespace: default
spec:
sourcePVC: flood-config
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: flood-restic-secret
cacheCapacity: 10Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 7
within: 3d


@@ -9,8 +9,8 @@ metadata:
substitution.flux.home.arpa/enabled: "true" substitution.flux.home.arpa/enabled: "true"
spec: spec:
dependsOn: dependsOn:
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-qbittorrent-app - name: cluster-apps-qbittorrent-app
- name: cluster-apps-rook-ceph-cluster
- name: cluster-apps-volsync-app - name: cluster-apps-volsync-app
path: ./kubernetes/apps/default/flood/app path: ./kubernetes/apps/default/flood/app
prune: true prune: true


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,21 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: freshrss
namespace: default
spec:
sourcePVC: freshrss-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: freshrss-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
retain:
daily: 10
within: 3d


@@ -1,35 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: freshrss-restic
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:9Ci4hIV+kXv9XSOaXvVg2vAoECXKPvfuTtkazuiEHgLhKCKo7s/+D0/PZEa5Y8hM66E1GkoCLfzWcA==,iv:DDuFt9rgeUvBQY/ztbBJIgYMQ4p7R0O5b5axY9JgTyA=,tag:O2TjT4aPdsCWlly8/+98pQ==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T06:23:44Z"
mac: ENC[AES256_GCM,data:fghV+11Qm1SPSbeJlmHlZzUPROR/J0AoLfuN3zfjrwuEc9amCUjZzouEAsBYeOM3eDJRd33g0/pIdUFMrExORdt8vuHrUlAAZkyaJhM/znndlw64Z/7/PDIj6hg1REXyyI5YQsQeGWid4wgbZlaGsNRoeerD5dYrentlK+ceWuM=,iv:GrCfCf1RHaMsptV8UZw/4qy0f1gDGjS1JuD7IYZ+Mwk=,tag:Y5+u4dyYGTPZ+rn54JP0aA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,28 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: freshrss
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: freshrss-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
# Postgres Init
INIT_POSTGRES_DBNAME: freshrss
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
- extract:
key: freshrss


@@ -6,7 +6,7 @@ metadata:
name: &app freshrss name: &app freshrss
namespace: default namespace: default
spec: spec:
interval: 15m interval: 30m
chart: chart:
spec: spec:
chart: app-template chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository kind: HelmRepository
name: bjw-s name: bjw-s
namespace: flux-system namespace: flux-system
maxHistory: 3 maxHistory: 2
install: install:
createNamespace: true createNamespace: true
remediation: remediation:
@@ -27,6 +27,16 @@ spec:
uninstall: uninstall:
keepHistory: false keepHistory: false
values: values:
controller:
annotations:
reloader.stakater.com/auto: "true"
initContainers:
01-init-db:
image: ghcr.io/onedr0p/postgres-init:14.8
imagePullPolicy: IfNotPresent
envFrom:
- secretRef:
name: freshrss-secret
image: image:
repository: freshrss/freshrss repository: freshrss/freshrss
tag: 1.21.0 tag: 1.21.0
@@ -44,8 +54,6 @@ spec:
enabled: true enabled: true
existingClaim: freshrss-config existingClaim: freshrss-config
mountPath: /var/www/FreshRSS/data mountPath: /var/www/FreshRSS/data
podAnnotations:
secret.reloader.stakater.com/reload: *app
ingress: ingress:
main: main:
enabled: true enabled: true


@@ -4,9 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: default namespace: default
resources: resources:
- ./backups - ./externalsecret.yaml
- ./helmrelease.yaml - ./helmrelease.yaml
- ./secret.sops.yaml - ./volsync.yaml
- ./volume.yaml - ./volume.yaml
patchesStrategicMerge:
- ./patches/postgres.yaml


@@ -1,32 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: freshrss
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.8
env:
- name: POSTGRES_HOST
value: ${POSTGRES_HOST}
- name: POSTGRES_DB
value: freshrss
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: freshrss
key: DB_USERNAME
- name: POSTGRES_PASS
valueFrom:
secretKeyRef:
name: freshrss
key: DB_PASSWORD


@@ -1,30 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: freshrss
namespace: default
type: Opaque
stringData:
DB_USERNAME: ENC[AES256_GCM,data:cEgGT4H8dUo=,iv:9FsASsPg285Wvxh84pMJYgZcEGHusK2waZT1JDs848U=,tag:GGqWYGx7mwUnq1UkcP6anA==,type:str]
DB_PASSWORD: ENC[AES256_GCM,data:o3jf5T0HkJmkfDpDTl4=,iv:mfKTcA28lw4Ay7qmLlez2JFAafF9kDWcLIv7ks+NrOE=,tag:2BxNiAdwOal3zj7Om3FezQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-15T11:26:17Z"
mac: ENC[AES256_GCM,data:HONFGv4W73jhfxO+mN9LGazgzQflKX4krefmOsmdS039MVQZVKiJgoyAVku6t/WOHkyfAn+x8CXERC1swvVOMVhJXt6eXgjgCK4yD3MTBNvV4Uuov6aJ6JEwbAtXMIQm0h/QU1a99xBlRZlX2JL02tqN04bqB/tgUeNuWVr7R3U=,iv:MlkMOuKDt3TR9XtT/yzydlBUcaM+2qL7LzIPPkpw0Aw=,tag:KNuGsmvpN8vNuQ/8JDmIpw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,45 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: freshrss-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: freshrss-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/freshrss'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: freshrss
namespace: default
spec:
sourcePVC: freshrss-config
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: freshrss-restic-secret
cacheCapacity: 10Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
retain:
daily: 7
within: 3d
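Review bot: The restic ExternalSecret single-quotes its templates (`RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/freshrss'`) while every other ExternalSecret in this commit double-quotes them (`"{{ .POSTGRES_USER }}"`); both parse identically here, but one quoting style per repository keeps yamllint's quoted-strings rule and future greps simple. The file also carries no comment on why `pruneIntervalDays`/`retain.daily` are 7 and `cacheCapacity` is 10Gi where the ReplicationSources deleted elsewhere in this commit used 10 and 2Gi; a one-line comment above `restic:` recording the reasoning would help the next tuning pass. The gitea volsync file uses the same single-quoted templates.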


@@ -15,7 +15,7 @@ spec:
name: home-ops-kubernetes name: home-ops-kubernetes
dependsOn: dependsOn:
- name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-rook-ceph-cluster - name: cluster-apps-external-secrets-stores
- name: cluster-apps-volsync-app - name: cluster-apps-volsync-app
healthChecks: healthChecks:
- apiVersion: helm.toolkit.fluxcd.io/v2beta1 - apiVersion: helm.toolkit.fluxcd.io/v2beta1
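Review bot: `cluster-apps-rook-ceph-cluster` is dropped from `dependsOn` while the new volsync ReplicationSource for freshrss still names `csi-ceph-blockpool` and `rook-ceph-block`, and the PVC in `./volume.yaml` presumably does too. Unless `cluster-apps-volsync-app` itself depends on the Rook cluster (not visible here), the ordering guarantee that the snapshot and storage classes exist before the first backup run is lost; keeping `- name: cluster-apps-rook-ceph-cluster` alongside the new `- name: cluster-apps-external-secrets-stores` costs nothing. The gitea ks.yaml hunk makes the same substitution.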


@@ -0,0 +1,32 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: ghostfolio
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: ghostfolio-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
# App
ACCESS_TOKEN_SALT: "{{ .GHOSTFOLIO_ACCESS_TOKEN_SALT }}"
DATABASE_URL: postgresql://{{ .POSTGRES_USERNAME }}:{{ .POSTGRES_PASSWORD }}@postgres-rw.default.svc.cluster.local:5432/ghostfolio
JWT_SECRET_KEY: "{{ .GHOSTFOLIO_JWT_SECRET_KEY }}"
# Postgres Init
INIT_POSTGRES_DBNAME: ghostfolio
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_USER: "{{ .POSTGRES_USERNAME }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASSWORD }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
- extract:
key: ghostfolio
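Review bot: `DATABASE_URL` is the only unquoted templated value in this file, and it interpolates the raw password into a URL. The plain scalar parses today because it contains no `: ` or ` #`, but a credential holding URL-reserved characters (`@`, `/`, `:`, `#`, `%`) would yield a malformed connection string at sync time rather than a visible error; either percent-encode the username and password in the template or ensure the 1Password item only ever holds URL-safe values. The same interpolation appears in `HASS_SECRET_DB_URL` in the home-assistant ExternalSecret, which is quoted but has the same encoding gap. For consistency with the sibling keys: `DATABASE_URL: "postgresql://{{ .POSTGRES_USERNAME }}:{{ .POSTGRES_PASSWORD }}@postgres-rw.default.svc.cluster.local:5432/ghostfolio"`.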


@@ -6,7 +6,7 @@ metadata:
name: &app ghostfolio name: &app ghostfolio
namespace: default namespace: default
spec: spec:
interval: 15m interval: 30m
chart: chart:
spec: spec:
chart: app-template chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository kind: HelmRepository
name: bjw-s name: bjw-s
namespace: flux-system namespace: flux-system
maxHistory: 3 maxHistory: 2
install: install:
createNamespace: true createNamespace: true
remediation: remediation:
@@ -27,6 +27,13 @@ spec:
uninstall: uninstall:
keepHistory: false keepHistory: false
values: values:
initContainers:
01-init-db:
image: ghcr.io/onedr0p/postgres-init:14.8
imagePullPolicy: IfNotPresent
envFrom: &envFrom
- secretRef:
name: ghostfolio-secret
controller: controller:
annotations: annotations:
reloader.stakater.com/auto: "true" reloader.stakater.com/auto: "true"
@@ -37,9 +44,7 @@ spec:
NODE_ENV: production NODE_ENV: production
REDIS_HOST: redis.default.svc.cluster.local REDIS_HOST: redis.default.svc.cluster.local
REDIS_PORT: 6379 REDIS_PORT: 6379
envFrom: envFrom: *envFrom
- secretRef:
name: ghostfolio-secret
service: service:
main: main:
ports: ports:
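Review bot: Reusing the `&envFrom` anchor from the `01-init-db` init container on the main container (`envFrom: *envFrom`) now injects `INIT_POSTGRES_SUPER_PASS`, the Postgres superuser password that the ExternalSecret renders into `ghostfolio-secret`, into the application container's environment. Before this commit the superuser password reached only the init container, from the separate `postgres-superuser` secret, so this widens what a compromised app process or an environment dump in logs or crash reports can expose. Consider rendering the `INIT_POSTGRES_*` keys into a second target Secret (a name like `ghostfolio-init-secret` is only a suggestion) that only the init container references, and keep the anchor for the application-only keys. The home-assistant HelmRelease repeats the pattern with `envFrom: *envFrom`.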


@@ -4,7 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: default namespace: default
resources: resources:
- ./externalsecret.yaml
- ./helmrelease.yaml - ./helmrelease.yaml
- ./secret.sops.yaml
patchesStrategicMerge:
- ./patches/postgres.yaml


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: ghostfolio
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.8
env:
- name: POSTGRES_HOST
value: ${POSTGRES_HOST}
- name: POSTGRES_DB
value: ghostfolio
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
envFrom:
- secretRef:
name: ghostfolio-secret


@@ -1,33 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: ghostfolio-secret
namespace: default
type: Opaque
stringData:
ACCESS_TOKEN_SALT: ENC[AES256_GCM,data:79MYxQfsI5/a2s0vgwG1MlDgiGjfsDzRPIojVG+0YRw=,iv:DeACgrhPIJYXxZCtZX5AkOLNFvj+CyC040jy1HV9sgY=,tag:SSoj3EZyhf5Svrn2iqvhIw==,type:str]
JWT_SECRET_KEY: ENC[AES256_GCM,data:bAuSYbpG0UIN5b88fFr0FTK/6R6paiJ8KNizVxLz+/w=,iv:ByWc4lj/EhkEkU/Ugdy+IxrjEgts74cvH8rpWDOv9Cs=,tag:sWPfQUOPz5UzUg+6X5NADg==,type:str]
POSTGRES_USER: ENC[AES256_GCM,data:YOTeKyVzEPyMMA==,iv:i4IBUD2c/4VcxwkeNyD5kdJ/Z/MOzqAo9ZOEtiMv/bI=,tag:xrdHy6TFr9qCEz/xLuLi9w==,type:str]
POSTGRES_PASS: ENC[AES256_GCM,data:ua1cNOaGxhPF0DS78ktPh8nUP4w=,iv:aFMFikc1aCINcqAgK1/1H1P+eLheV3M1CASHxQiztL4=,tag:IekQpaYz90L6N/fdec264A==,type:str]
DATABASE_URL: ENC[AES256_GCM,data:atodPD9zTsTde/D9z9b10YME/YT9IeV6+WxDJ7CteNUoihlVvXNq+820tZsDXX7Zon765XAYh65A2mAnqALf5C4LCuUWgpHQMtx9GSg=,iv:XTOHziHyU0vfoQ3Wocief14k3cQ4j0lEidrmq5VkGsI=,tag:1wQ+dITKmuLICESIzuV8aQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-18T11:46:24Z"
mac: ENC[AES256_GCM,data:hmdekBADO2YO/iFpGDQ5H/yhnXBhUdT0Ov14BsyqZJeKLJZNQN5haR5WGxf/NSWCpy98QX0A0w/03AoqE9EmVyElnz/ZMLLsJGTOGlvINh3dXqrg+ZcXZGzmCp6cuY+CUHXhKTKvuxQiYoLf5hhJi66LWHmBIpQXUaXEUOmSCI8=,iv:cp9UiJb+LXsDXwR1UXva0J37joo3F7mzluC1/muLdco=,tag:/GpRG5Eu3hLLc5YtARwfVQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -15,8 +15,7 @@ spec:
name: home-ops-kubernetes name: home-ops-kubernetes
dependsOn: dependsOn:
- name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-rook-ceph-cluster - name: cluster-apps-external-secrets-stores
- name: cluster-apps-volsync-app
healthChecks: healthChecks:
- apiVersion: helm.toolkit.fluxcd.io/v2beta1 - apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease kind: HelmRelease


@@ -1,8 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./external-backup.yaml
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: gitea
namespace: default
spec:
sourcePVC: gitea-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: gitea-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
retain:
daily: 10
within: 3d


@@ -1,35 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: gitea-restic
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:Y1Kpc918cOrFj1lv9aCUyoJPwYXhpQlirTzDPIiznbbVHfoOWhUdsDWDzv8Dvs7dSFbNiFdYag==,iv:CvQ3u6gmkP9wpUs0pbmG3UK5/jzJvDyjxSB/kRZrOyU=,tag:dhqdXpyGYDqnSxG6OQ0Z9A==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T07:48:12Z"
mac: ENC[AES256_GCM,data:yQjxYGqOHqB6OvdHADZpLNpblivcBaNhwmzTZvBQ8j0eb3jk/FXjhYzaomIReq49RmsdQTbqSWNLZkx7Ze6M9E64YOBYFGA5CBucvTn+/0WG4XdrXz0W11BDGtEfU4FlAmHbLZHA11Qw/NcjR4aqP4U8OdNcDye5amGmnLg4U8A=,iv:bZRsW+I3G1uVmBBCrRjVeRAoQgqjehhiF0NJ+ej20ac=,tag:r1rt+3qtL+BIoh/XUacWqw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -79,9 +79,9 @@ spec:
volumeMounts: volumeMounts:
- name: secret - name: secret
mountPath: /opt/id_rsa mountPath: /opt/id_rsa
subPath: deployment_rsa_priv_key subPath: GITEA_DEPLOYMENT_PRIVATE_KEY
volumes: volumes:
- name: secret - name: secret
secret: secret:
secretName: gitea-config secretName: gitea-secret
restartPolicy: Never restartPolicy: Never
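Review bot: The `secret:` volume now points at `gitea-secret`, which after this commit also holds the admin password, S3 keys, DB credentials and the superuser password; `subPath: GITEA_DEPLOYMENT_PRIVATE_KEY` projects only the key into the container, but any principal with read access to the volume's source Secret gets all of it, which argues for keeping the deploy key in its own Secret. Also, a Secret volume defaults to file mode 0644 and the file is mounted as `/opt/id_rsa`; if it is consumed by ssh directly, ssh refuses group- or world-readable private keys, so consider adding `defaultMode: 0400` under `secret:`. The enclosing Job spec starts outside this hunk, so the UID the container runs as is not visible here.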


@@ -0,0 +1,36 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: gitea-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
# App
GITEA_ADMIN_EMAIL: "{{ .GITEA_ADMIN_EMAIL }}"
GITEA_ADMIN_PASSWORD: "{{ .GITEA_ADMIN_PASSWORD }}"
GITEA_AWS_S3_ACCESS_KEY: "{{ .GITEA_AWS_S3_ACCESS_KEY }}"
GITEA_AWS_S3_SECRET_KEY: "{{ .GITEA_AWS_S3_SECRET_KEY }}"
GITEA_DEPLOYMENT_PRIVATE_KEY: "{{ .GITEA_DEPLOYMENT_PRIVATE_KEY }}"
POSTGRES_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}"
POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
# Postgres Init
INIT_POSTGRES_DBNAME: gitea
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
- extract:
key: gitea
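Review bot: `gitea-secret` aggregates the admin password, the S3 keys, the SSH deployment private key, the DB credentials and `INIT_POSTGRES_SUPER_PASS` into a single Secret, and the HelmRelease patch then loads the whole thing with `envFrom` into the `01-init-db` container, which needs only the `INIT_POSTGRES_*` keys. Splitting the `INIT_POSTGRES_*` keys into their own ExternalSecret/target (as the `-restic` secret already is) keeps the superuser password and the deploy key out of workloads that do not need them. The `# App` / `# Postgres Init` comments help; a short header comment naming which consumer reads which group (HelmRelease `valuesFrom`, init container `envFrom`, backup Job volume) would make the split obvious when keys are added later.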


@@ -6,7 +6,7 @@ metadata:
name: gitea name: gitea
namespace: default namespace: default
spec: spec:
interval: 15m interval: 30m
chart: chart:
spec: spec:
chart: gitea chart: gitea
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository kind: HelmRepository
name: gitea name: gitea
namespace: flux-system namespace: flux-system
maxHistory: 3 maxHistory: 2
install: install:
createNamespace: true createNamespace: true
remediation: remediation:
@@ -44,7 +44,7 @@ spec:
RUN_AT_START: true RUN_AT_START: true
database: database:
DB_TYPE: postgres DB_TYPE: postgres
HOST: ${POSTGRES_HOST}:${POSTGRES_PORT} HOST: postgres-rw.default.svc.cluster.local:5432
NAME: gitea NAME: gitea
SCHEMA: public SCHEMA: public
SSL_MODE: disable SSL_MODE: disable
@@ -101,8 +101,6 @@ spec:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
podAnnotations:
secret.reloader.stakater.com/reload: gitea-config
postgresql: postgresql:
enabled: false enabled: false
memcached: memcached:
@@ -138,36 +136,36 @@ spec:
valuesFrom: valuesFrom:
- targetPath: gitea.admin.email - targetPath: gitea.admin.email
kind: Secret kind: Secret
name: gitea-config name: gitea-secret
valuesKey: adminEmail valuesKey: GITEA_ADMIN_EMAIL
- targetPath: gitea.admin.password - targetPath: gitea.admin.password
kind: Secret kind: Secret
name: gitea-config name: gitea-secret
valuesKey: adminPassword valuesKey: GITEA_ADMIN_PASSWORD
- targetPath: gitea.config.attachment.MINIO_ACCESS_KEY_ID - targetPath: gitea.config.attachment.MINIO_ACCESS_KEY_ID
kind: Secret kind: Secret
name: gitea-config name: gitea-secret
valuesKey: minioAccessKeyId valuesKey: GITEA_AWS_S3_ACCESS_KEY
- targetPath: gitea.config.attachment.MINIO_SECRET_ACCESS_KEY - targetPath: gitea.config.attachment.MINIO_SECRET_ACCESS_KEY
kind: Secret kind: Secret
name: gitea-config name: gitea-secret
valuesKey: minioSecretAccessKey valuesKey: GITEA_AWS_S3_SECRET_KEY
- targetPath: gitea.config.database.PASSWD - targetPath: gitea.config.database.PASSWD
kind: Secret kind: Secret
name: gitea-config name: gitea-secret
valuesKey: dbPassword valuesKey: POSTGRES_PASSWORD
- targetPath: gitea.config.database.USER - targetPath: gitea.config.database.USER
kind: Secret kind: Secret
name: gitea-config name: gitea-secret
valuesKey: dbUser valuesKey: POSTGRES_USERNAME
- targetPath: gitea.config.storage.MINIO_ACCESS_KEY_ID - targetPath: gitea.config.storage.MINIO_ACCESS_KEY_ID
kind: Secret kind: Secret
name: gitea-config name: gitea-secret
valuesKey: minioAccessKeyId valuesKey: GITEA_AWS_S3_ACCESS_KEY
- targetPath: gitea.config.storage.MINIO_SECRET_ACCESS_KEY - targetPath: gitea.config.storage.MINIO_SECRET_ACCESS_KEY
kind: Secret kind: Secret
name: gitea-config name: gitea-secret
valuesKey: minioSecretAccessKey valuesKey: GITEA_AWS_S3_SECRET_KEY
postRenderers: postRenderers:
- kustomize: - kustomize:
patchesStrategicMerge: patchesStrategicMerge:
@@ -179,25 +177,9 @@ spec:
template: template:
spec: spec:
initContainers: initContainers:
- name: init-db - name: 01-init-db
image: ghcr.io/onedr0p/postgres-initdb:14.8 image: ghcr.io/onedr0p/postgres-init:14.8
env: imagePullPolicy: IfNotPresent
- name: POSTGRES_HOST envFrom:
value: ${POSTGRES_HOST} - secretRef:
- name: POSTGRES_DB name: gitea-secret
value: gitea
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: gitea-config
key: dbUser
- name: POSTGRES_PASS
valueFrom:
secretKeyRef:
name: gitea-config
key: dbPassword
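Review bot: The `podAnnotations: secret.reloader.stakater.com/reload: gitea-config` entry is removed without a replacement such as the `reloader.stakater.com/auto: "true"` that the freshrss HelmRelease gains in this commit, so the Gitea pods will presumably no longer restart when `gitea-secret` is rotated by the ExternalSecret. Flux should re-render the release when `valuesFrom` values change, but values consumed only at runtime (the init container `envFrom`) go stale until the next rollout; unless the chart adds its own checksum annotation, re-add it with the new name: `podAnnotations:` / `  secret.reloader.stakater.com/reload: gitea-secret`. Separately, `HOST: postgres-rw.default.svc.cluster.local:5432` hardcodes what the home-assistant HelmRelease still derives from `${POSTGRES_HOST}`, which is worth aligning in one direction.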


@@ -4,7 +4,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: default namespace: default
resources: resources:
- ./backups - ./externalbackup.yaml
- ./externalsecret.yaml
- ./helmrelease.yaml - ./helmrelease.yaml
- ./secret.sops.yaml - ./volsync.yaml
- ./volume.yaml - ./volume.yaml


@@ -1,34 +0,0 @@
kind: Secret
apiVersion: v1
type: Opaque
metadata:
name: gitea-config
namespace: default
stringData:
adminEmail: ENC[AES256_GCM,data:KUhhtTXAU/lcKVsuy3tF+QjgRk8m,iv:goqGhOEkpbnYa6uELXYfdQjCdKPOW2KGAjb4cfdHrn0=,tag:SFENNvmSkEfcAgat/BHksg==,type:str]
adminPassword: ENC[AES256_GCM,data:SMR6vlFSysGv7iG+zjk=,iv:PtceAzAWR1nc8nACAYSOe+19evR9+orQa9DRzbcXU4U=,tag:Rq+3Ua0XhOzsnFw6/OdY4A==,type:str]
dbUser: ENC[AES256_GCM,data:4Mb4+JI=,iv:qTzsuXkJGFEtKjoKcAWD2VoBCD4GIH9UsBSWUknez8c=,tag:p5Q0R1DdJuZmpPiBYZxV0A==,type:str]
dbPassword: ENC[AES256_GCM,data:h/qQ43+3E9DfSlY6eww=,iv:ppvnc3A4binyLwnNuEPzmQCyc11RUSZ9cSw0cRYjLdI=,tag:iBXRYFPBCn4AdkdoRZK4eg==,type:str]
minioAccessKeyId: ENC[AES256_GCM,data:Gh41eINrkyjgEpTO5O+5lPWNPd8=,iv:XFH3RvyJwUEtszqtKVjLtMxTamPHPx4Aqi0PqsUmDCQ=,tag:abNj9gjgSlPJFsS9DBs+gw==,type:str]
minioSecretAccessKey: ENC[AES256_GCM,data:ZiCMwvRnVavI62F7+OIDoYEOSvM9Jfh1eqJGbJjOR+GiC2YXw7T4+A==,iv:bbCaIOXhwrCFqiu8AQ1qyWzE+yuTotCjJgaK14qC1Qs=,tag:ZESnmDhsgqffe1rdKoVStQ==,type:str]
deployment_rsa_priv_key: ENC[AES256_GCM,data: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,iv:CYw3LLwOeyEu3/BK/SjdjneQvXPk2mHMPiFm2T4sXHQ=,tag:Et4HAytIgiVg4n8+D5anfw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSd2h2N2RELzkvODM0WE1p
c1M3bEQxdDZkZ3Zlcm9uKzFWYklLWWpUYXhvCkN1bXU3YmNrY255RmkwSXFDWmt1
dHExaGZRODhKdm1NR2xYV29CeE5vbk0KLS0tIHpBUGVaNUhKaE5UOU1hM3c0akxX
ZWRhWnBrY1FBNVQyOU0yVGFXb0QrVnMK26Nc5Bw/jOzuxXcufHcxnugG1bzqO9T8
LNIau17zdWX5bfWGDj++ipnm8x1sPswEULal4U2Muc2Iy7GuZPhVyg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-11-16T22:14:19Z"
mac: ENC[AES256_GCM,data:IbNuB2a6Pm2NTA6OS45kmYIdqZZIG1iJewt6n0rWLdYrbaGNGKt1ig0oTu/ubJSHNb/OgoN+fKEj/JQ+kJhwUiTEQhH+IUwPtUZeb0C0/QqatqCXoQk4qBOTuwea4gLLMHqoIwP0fETLiaVphNK7llPaI7aW0Li0W9yAdhu3VCs=,iv:utxR9+tJ8elgdvOQg5eoClb/4DDJyzvz2eWuCDNU3V0=,tag:Y8qEcwVwW2FoUOXZRQHEgA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,49 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: gitea-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/gitea'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: gitea
namespace: default
spec:
sourcePVC: gitea-config
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: gitea-restic-secret
cacheCapacity: 10Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
retain:
daily: 7
within: 3d


@@ -15,7 +15,7 @@ spec:
name: home-ops-kubernetes name: home-ops-kubernetes
dependsOn: dependsOn:
- name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-rook-ceph-cluster - name: cluster-apps-external-secrets-stores
- name: cluster-apps-volsync-app - name: cluster-apps-volsync-app
healthChecks: healthChecks:
- apiVersion: batch/v1 - apiVersion: batch/v1


@@ -6,7 +6,7 @@ metadata:
name: hajimari name: hajimari
namespace: default namespace: default
spec: spec:
interval: 15m interval: 30m
chart: chart:
spec: spec:
chart: hajimari chart: hajimari
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository kind: HelmRepository
name: hajimari name: hajimari
namespace: flux-system namespace: flux-system
maxHistory: 3 maxHistory: 2
install: install:
createNamespace: true createNamespace: true
remediation: remediation:


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: home-assistant
namespace: default
spec:
sourcePVC: hass-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: home-assistant-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 10
within: 3d


@@ -1,35 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: home-assistant-restic
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:PSUxcuB0ZkoJ3+ims+yBY8gFGbn/JmM29lw7+TZ/ewbyMJeqMpWK4cvNIMzTt0M7dTcVdPiR8NPDyCpVI6maxA==,iv:crebRNDxmJSpGlh83bju2aTLS1aj8CLWaS6gdfeHHBU=,tag:mWjowas5pf0tx7lJyLGCTA==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T06:57:49Z"
mac: ENC[AES256_GCM,data:UOdoegFqPZEQYiGM8Pq1QJEIWkd5/5vzgcIDE9NHy4qwBMz182s1Vse5gGa+pWRTHWhLNxC6zjuhZjcBPFCa1K1dGF4dFDYRRxoG+wVEg200mdmYb4t0RPWnJ9tlDV8p0JXa53CJTvuB2+eQSQhCix2sjaOLU5LdEfbP5VYiN3U=,iv:HE6EQHPh5zC6pxBjGHmxU3xt/1Dwk1wHUl0H21W7dvs=,tag:+FaKITLwr7zXB9lKZ7c6kQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,34 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: home-assistant
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: home-assistant-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
# App
HASS_SECRET_ELEVATION: "{{ .HASS_ELEVATION }}"
HASS_SECRET_LATITUDE: "{{ .HASS_LATITUDE }}"
HASS_SECRET_LONGITUDE: "{{ .HASS_LONGITUDE }}"
HASS_SECRET_DB_URL: "postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local/home_assistant"
HASS_SECRET_URL: "{{ .HASS_URL }}"
# Postgres Init
INIT_POSTGRES_DBNAME: home_assistant
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
- extract:
key: home-assistant


@@ -6,7 +6,7 @@ metadata:
name: &app home-assistant name: &app home-assistant
namespace: default namespace: default
spec: spec:
interval: 15m interval: 30m
chart: chart:
spec: spec:
chart: app-template chart: app-template
@@ -27,6 +27,16 @@ spec:
uninstall: uninstall:
keepHistory: false keepHistory: false
values: values:
initContainers:
01-init-db:
image: ghcr.io/onedr0p/postgres-init:14.8
imagePullPolicy: IfNotPresent
envFrom: &envFrom
- secretRef:
name: home-assistant-secret
controller:
annotations:
reloader.stakater.com/auto: "true"
image: image:
repository: ghcr.io/onedr0p/home-assistant repository: ghcr.io/onedr0p/home-assistant
tag: 2023.7.1@sha256:53a01ba5ee421bc6ba3ab89d63ba20d40cb6684cb2230000cf72f524d262ba82 tag: 2023.7.1@sha256:53a01ba5ee421bc6ba3ab89d63ba20d40cb6684cb2230000cf72f524d262ba82
@@ -34,9 +44,7 @@ spec:
TZ: "${TIMEZONE}" TZ: "${TIMEZONE}"
POSTGRES_HOST: ${POSTGRES_HOST} POSTGRES_HOST: ${POSTGRES_HOST}
POSTGRES_DB: home_assistant POSTGRES_DB: home_assistant
envFrom: envFrom: *envFrom
- secretRef:
name: *app
service: service:
main: main:
type: LoadBalancer type: LoadBalancer


@@ -4,12 +4,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: default namespace: default
resources: resources:
- backups - ./externalsecret.yaml
- ./helmrelease.yaml - ./helmrelease.yaml
- ./secret.sops.yaml
- ./token.sops.yaml
- ./podmonitor.yaml - ./podmonitor.yaml
- ./volsync.yaml
- ./volume.yaml - ./volume.yaml
patchesStrategicMerge: patchesStrategicMerge:
- ./patches/addons.yaml - ./patches/addons.yaml
- ./patches/postgres.yaml


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app home-assistant
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.8
env:
- name: POSTGRES_HOST
value: ${POSTGRES_HOST}
- name: POSTGRES_DB
value: home_assistant
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
envFrom:
- secretRef:
name: *app


@@ -12,7 +12,7 @@ spec:
scrapeTimeout: 30s scrapeTimeout: 30s
bearerTokenSecret: bearerTokenSecret:
name: home-automation name: home-automation
key: prometheus-token key: PROMETHEUS_TOKEN
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/instance: home-assistant app.kubernetes.io/instance: home-assistant
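Review bot: The bearer token key is renamed to `PROMETHEUS_TOKEN` in Secret `home-automation`, but nothing visible in this commit creates that Secret: `./token.sops.yaml` is removed from the home-assistant kustomization and the new `home-assistant` ExternalSecret renders no `PROMETHEUS_TOKEN` key. If the Secret is produced by an ExternalSecret outside this page this is fine; otherwise the PodMonitor references a missing key and the scrape target will fail authentication. A comment above `bearerTokenSecret:` naming the resource that owns `home-automation` would prevent the next reader from repeating this search.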


@@ -1,34 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: home-assistant
namespace: default
stringData:
HASS_SECRET_LATITUDE: ENC[AES256_GCM,data:/tafIrcH0xz+rHHUTz3wdi4=,iv:HyRcQcOvfWi6X2Y+PCILYtcB9WvrZVoZmN7DH31NdrA=,tag:QjsavnTkBCAE3xdl7YtQyg==,type:str]
HASS_SECRET_LONGITUDE: ENC[AES256_GCM,data:Ya0P5TJ2PcD2gbD6yNi5M44=,iv:ZnMO4G3I4jNc52q0J2UBAScJs3nrZnB1zFlbh6hkJmI=,tag:0Y00oMSmtP1wdY3cP84sgw==,type:str]
HASS_SECRET_ELEVATION: ENC[AES256_GCM,data:ruU=,iv:4yDZLOGfHcGXcGNuQVBmFrg3HgSpGXhsB9cwlliplVc=,tag:4f4zrnIosO3kWh9BGNz7Rw==,type:str]
HASS_SECRET_URL: ENC[AES256_GCM,data:WTi34088t3P1mSsuuo/+U/qpMnwpmPw7Udeul2BBlwU2TG4tIr8QL65RTVVrnLM=,iv:eAcvCs5C1g+jdNJH3b4CZMFoicfgy7DUmtCZJnL9Exo=,tag:k5KY9cbRgzHosZAxkgAlAQ==,type:str]
HASS_SECRET_DB_URL: ENC[AES256_GCM,data:Nl7EMtmX2U1LHLsSsIk3MbBshcR2CuOhDogrb1i9elZyP2DRlS995lerl9T8mQ98XK9HuU/qTwJAj4JUP9FikcAJpIS0Fspf9IwNai1uhQ4/RWA9d5NsgjuGhv7eueQiNg==,iv:wxT4Yf4V5RAIRbZmBS1GikzhbQEsGu7tTwKIRePKnH0=,tag:oMvx5G2p5ASckOp8vhkilA==,type:str]
POSTGRES_USER: ENC[AES256_GCM,data:6sFSx8XfWgkgifgAk+o=,iv:qdUCWatQb7XWskKMKUBvDQ1JqKxH5zoSznop3KRkgM4=,tag:KpeLOhEWpE5petnB3bXnRA==,type:str]
POSTGRES_PASS: ENC[AES256_GCM,data:cNW97km2wZz+uHnX0Hzl7g==,iv:40HsF3DN96JLnGwLMUhx3cq2hdFbPXSasn6CJuCO7Uo=,tag:4NyuUCHryWMxYBkW8vjCXA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRm1nQmk0eE1OUVRlbmkw
M3RQOFc4NXJrS3lHR09QdGttNEp0YTZzNWp3ClZaQ2hxWEIzNlNSNXhONlE4QzNn
OVQ1ZEphd1lQR2tFMEppZS9nUy9GTFUKLS0tIEJxdXlqQURxbVlmSlJ3S3NEYWtB
SjVvc0k0dk1GeXF0Z3gycHVJSXRtNTgKJScEOU0jr7qw4fdBbtKfE5lI1gVLIQ1g
cklawiOzeLg+v+5ZmuAOk5k6VIUUNMpcrAfEbI84JRWCFRm1IngMwQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-14T17:35:30Z"
mac: ENC[AES256_GCM,data:yLIhWrFqNWF1IT/XyKyM0j5QKdnbM0pKSQd7s9Xx+G8/O9rnlBOTGyWgwazBbw83xW/BZ906TD9f7o6uAtdbLRarX2kw248oUGCuTK8EpyX+ake59OFiyLHya/XWZqpRL0/uC08467ecPdhzFb0NnrJgVfL1DW7dBwGY3fLyZBU=,iv:cq7RmU+HCR+PL7xR7PRcpQ7904YAz1qwvSBDFi93bqQ=,tag:WUiLYFXIC0y2+909Y3GW5g==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3
