♻️ homelab

kubernetes/apps/default/homelab/ks.yaml

@@ -0,0 +1,60 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-homnelab-minio
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/default/homelab/minio
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  dependsOn:
+    - name: cluster-apps-external-secrets-stores
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-homnelab-opnsense
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/default/homelab/opnsense
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  dependsOn:
+    - name: cluster-apps-external-secrets-stores
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-homnelab-truenas
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/default/homelab/truenas
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  dependsOn:
+    - name: cluster-apps-external-secrets-stores
+  interval: 30m
+  retryInterval: 1m
+  timeout: 3m

kubernetes/apps/default/homelab/minio/backup/helmrelease.yaml

@@ -3,7 +3,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
-  name: truenas-minio-rclone
+  name: homelab-minio-backup
   namespace: default
 spec:
   interval: 30m
@@ -39,6 +39,9 @@ spec:
               repository: ghcr.io/auricom/rclone
               tag: 1.62.2@sha256:8d3ae01ed5295974be1b229f7398ce93a03c77a3fdaf301ea35bf929bb19389a
             command: ["/bin/bash", "/app/minio-rclone.sh"]
+            envFrom:
+              - secretRef:
+                  name: homelab-minio-secret
             service:
               main:
                 enabled: false
@@ -49,17 +52,12 @@ spec:
       config:
         enabled: true
         type: configMap
-        name: truenas-minio-rclone-configmap
+        name: homelab-minio-configmap
         defaultMode: 0775
         globalMounts:
           - path: /app/minio-rclone.sh
             subPath: minio-rclone.sh
             readOnly: true
-      age:
+          - path: /config/rclone.conf
-        enabled: true
+            subPath: rclone.conf
-        type: secret
-        name: truenas-secret
-        globalMounts:
-          - path: /app/age_key
-            subPath: SOPS_AGE_KEY
             readOnly: true

kubernetes/apps/default/homelab/minio/backup/kustomization.yaml

@@ -0,0 +1,15 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
+configMapGenerator:
+  - name: homelab-minio-configmap
+    files:
+      - ./minio-rclone.sh
+      - ./rclone.conf
+generatorOptions:
+  disableNameSuffixHash: true
+

kubernetes/apps/default/homelab/minio/backup/minio-rclone.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -o nounset
+set -o errexit
+
+# Replace the placeholders in the file with the environment variables values
+cp /config/rclone.conf /tmp/rclone.conf
+sed -i "s@__RCLONE_ACCESS_ID__@$RCLONE_ACCESS_ID@g" "/tmp/rclone.conf"
+sed -i "s@__RCLONE_SECRET_KEY__@$RCLONE_SECRET_KEY@g" "/tmp/rclone.conf"
+sed -i "s@__PASSWORD__@$GDRIVE_PASSWORD@g" "/tmp/rclone.conf"
+sed -i "s@__PASSWORD2__@$GDRIVE_PASSWORD2@g" "/tmp/rclone.conf"
+sed -i "s@__GDRIVE_CLIENT_ID__@$GDRIVE_CLIENT_ID@g" "/tmp/rclone.conf"
+sed -i "s@__GDRIVE_CLIENT_SECRET__@$GDRIVE_CLIENT_SECRET@g" "/tmp/rclone.conf"
+sed -i "s@__GDRIVE_TOKEN__@$GDRIVE_TOKEN@g" "/tmp/rclone.conf"
+
+echo "Sync minio buckets with encrypted remote gdrive-homelab-backups ..."
+rclone --config /tmp/rclone.conf sync minio: gdrive-homelab-backups:

kubernetes/apps/default/homelab/minio/backup/rclone.conf

@@ -0,0 +1,22 @@
+[minio]
+type = s3
+provider = Minio
+access_key_id = __RCLONE_ACCESS_ID__
+secret_access_key = __RCLONE_SECRET_KEY__
+endpoint = https://minio.${SECRET_DOMAIN}:51515
+acl = private
+
+[gdrive-homelab-backups]
+type = crypt
+remote = gdrive:homelab-backups
+directory_name_encryption = false
+password = __PASSWORD__
+password2 = __PASSWORD2__
+
+[gdrive]
+type = drive
+client_id = __GDRIVE_CLIENT_ID__
+client_secret = __GDRIVE_CLIENT_SECRET__
+scope = drive.file
+token = __GDRIVE_TOKEN__
+team_drive =

kubernetes/apps/default/homelab/minio/externalsecret.yaml

@@ -0,0 +1,28 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: homelab-minio
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: homelab-minio-secret
+    creationPolicy: Owner
+    template:
+      data:
+        # App
+        GDRIVE_CLIENT_ID: "{{ .GDRIVE_CLIENT_ID }}"
+        GDRIVE_CLIENT_SECRET: "{{ .GDRIVE_CLIENT_SECRET }}"
+        GDRIVE_TOKEN: "{{ .GDRIVE_TOKEN }}"
+        GDRIVE_PASSWORD: "{{ .GDRIVE_PASSWORD }}"
+        GDRIVE_PASSWORD2: "{{ .GDRIVE_PASSWORD2 }}"
+        RCLONE_ACCESS_ID: "{{ .RCLONE_ACCESS_ID }}"
+        RCLONE_SECRET_KEY: "{{ .RCLONE_SECRET_KEY }}"
+
+  dataFrom:
+    - extract:
+        key: homelab-minio

kubernetes/apps/default/homelab/minio/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./backup
+  - ./externalsecret.yaml

kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml

@@ -3,7 +3,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
-  name: opnsense-backup
+  name: homelab-opnsense-backup
   namespace: default
 spec:
   interval: 30m
@@ -38,12 +38,13 @@ spec:
             image:
               repository: ghcr.io/auricom/kubectl
               tag: 1.28.3@sha256:536e3a2a8222d56637208c207a5b77a7d656175a29b899383d5a1bb1d1e48438
+            command: ["/bin/bash", "/app/opnsense-backup.sh"]
             env:
               OPNSENSE_URL: "https://opnsense.${SECRET_DOMAIN}"
               S3_URL: "https://truenas.${SECRET_DOMAIN}:51515"
             envFrom:
               - secretRef:
-                  name: opnsense-backup-secret
+                  name: homelab-opnsense-secret
     service:
       main:
         enabled: false
@@ -51,7 +52,7 @@ spec:
       config:
         enabled: true
         type: configMap
-        name: opnsense-backup-configmap
+        name: homelab-opnsense-backup-configmap
         defaultMode: 0775
         globalMounts:
           - path: /app/opnsense-backup.sh

kubernetes/apps/default/homelab/opnsense/backup/kustomization.yaml

@@ -6,9 +6,9 @@ namespace: default
 resources:
   - ./helmrelease.yaml
 configMapGenerator:
-  - name: truenas-minio-rclone-configmap
+  - name: homelab-opnsense-backup-configmap
     files:
-      - ./minio-rclone.sh
+      - ./opnsense-backup.sh
 generatorOptions:
   disableNameSuffixHash: true
   annotations:

kubernetes/apps/default/homelab/opnsense/externalsecret.yaml

@@ -3,16 +3,16 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: opnsense-backup
+  name: homelab-opnsense
   namespace: default
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
     name: onepassword-connect
   target:
-    name: opnsense-backup-secret
+    name: homelab-opnsense-secret
     creationPolicy: Owner
   dataFrom:
     - extract:
         # OPNSENSE_KEY, OPNSENSE_SECRET, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
-        key: opnsense-backup
+        key: homelab-opnsense

kubernetes/apps/default/homelab/opnsense/kustomization.yaml

@@ -4,12 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
+  - ./backup
   - ./externalsecret.yaml
-  - ./helmrelease.yaml
 configMapGenerator:
-  - name: opnsense-backup-configmap
-    files:
-      - ./opnsense-backup.sh
   - name: opnsense-dashboard
     files:
       - opnsense-dashboard.json=./dashboard.json

kubernetes/apps/default/homelab/truenas/backup/helmrelease.yaml

@@ -3,7 +3,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
-  name: truenas-backup
+  name: homelab-truenas-backup
   namespace: default
 spec:
   interval: 30m
@@ -43,7 +43,7 @@ spec:
               HOSTNAME: truenas
             envFrom: &envFrom
               - secretRef:
-                  name: truenas-secret
+                  name: &secret homelab-truenas-secret
           truenas-remote-backup:
             name: truenas-remote-backup
             image:
@@ -60,7 +60,7 @@ spec:
       config:
         enabled: true
         type: configMap
-        name: truenas-backup-configmap
+        name: homelab-truenas-backup-configmap
         defaultMode: 0775
         globalMounts:
           - path: /app/truenas-backup.sh
@@ -68,7 +68,7 @@ spec:
             readOnly: true
       ssh:
         type: secret
-        name: truenas-secret
+        name: *secret
         defaultMode: 0775
         globalMounts:
           - path: /opt/id_rsa

kubernetes/apps/default/homelab/truenas/backup/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: default
 resources:
   - ./helmrelease.yaml
 configMapGenerator:
-  - name: truenas-backup-configmap
+  - name: homelab-truenas-backup-configmap
     files:
       - ./truenas-backup.sh
 generatorOptions:

kubernetes/apps/default/homelab/truenas/certs-deploy/helmrelease.yaml

@@ -3,7 +3,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
-  name: truenas-certs-deploy
+  name: homelab-truenas-certs-deploy
   namespace: default
 spec:
   interval: 30m
@@ -45,7 +45,7 @@ spec:
               CERTS_DEPLOY_S3_ENABLED: "True"
             envFrom: &envFrom
               - secretRef:
-                  name: truenas-secret
+                  name: &secret homelab-truenas-secret
           truenas-remote-certs-deploy:
             image:
               repository: ghcr.io/auricom/kubectl
@@ -63,7 +63,7 @@ spec:
       config:
         enabled: true
         type: configMap
-        name: truenas-certs-deploy-configmap
+        name: homelab-truenas-certs-deploy-configmap
         defaultMode: 0775
         globalMounts:
           - path: /app/truenas-certs-deploy.sh
@@ -71,7 +71,7 @@ spec:
             readOnly: true
       config-python:
         type: configMap
-        name: truenas-certs-deploy-configmap
+        name: homelab-truenas-certs-deploy-configmap
         defaultMode: 0775
         globalMounts:
           - path: /app/truenas-certs-deploy.py
@@ -79,7 +79,7 @@ spec:
             readOnly: true
       ssh:
         type: secret
-        name: truenas-secret
+        name: *secret
         defaultMode: 0775
         globalMounts:
           - path: /opt/id_rsa

kubernetes/apps/default/homelab/truenas/certs-deploy/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: default
 resources:
   - ./helmrelease.yaml
 configMapGenerator:
-  - name: truenas-certs-deploy-configmap
+  - name: homelab-truenas-certs-deploy-configmap
     files:
       - ./truenas-certs-deploy.sh
       - ./truenas-certs-deploy.py

kubernetes/apps/default/homelab/truenas/externalsecret.yaml

@@ -3,14 +3,14 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: truenas
+  name: homelab-truenas
   namespace: default
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
     name: onepassword-connect
   target:
-    name: truenas-secret
+    name: homelab-truenas-secret
     creationPolicy: Owner
     template:
       data:
@@ -24,13 +24,12 @@ spec:
         TRUENAS_REMOTE_API_KEY: "{{ .TRUENAS_REMOTE_API_KEY }}"
         SECRET_DOMAIN: "{{ .SECRET_DOMAIN }}"
         SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
-        SOPS_AGE_KEY: "{{ .SOPS_AGE_KEY }}"
   dataFrom:
     - extract:
         key: generic
+    - extract:
+        key: homelab-truenas
     - extract:
         key: pushover
     - extract:
         key: sops
-    - extract:
-        key: truenas

kubernetes/apps/default/homelab/truenas/kustomization.yaml

@@ -7,4 +7,3 @@ resources:
   - ./backup
   - ./certs-deploy
   - ./externalsecret.yaml
-  - ./minio-rclone

kubernetes/apps/default/kustomization.yaml

@@ -20,6 +20,7 @@ resources:
   - ./hajimari/ks.yaml
   - ./home-assistant/ks.yaml
   - ./homebox/ks.yaml
+  - ./homelab/ks.yaml
   - ./immich/ks.yaml
   - ./invidious/ks.yaml
   - ./jellyfin/ks.yaml
@@ -38,7 +39,6 @@ resources:
   - ./media-browser/ks.yaml
   - ./music-transcode/ks.yaml
   - ./navidrome/ks.yaml
-  - ./opnsense/ks.yaml
   - ./outline/ks.yaml
   - ./paperless/ks.yaml
   - ./pgadmin/ks.yaml
@@ -54,7 +54,6 @@ resources:
   - ./sonarr/ks.yaml
   - ./smtp-relay/ks.yaml
   - ./tandoor/ks.yaml
-  - ./truenas/ks.yaml
   - ./unifi/ks.yaml
   - ./vaultwarden/ks.yaml
   - ./vikunja/ks.yaml

kubernetes/apps/default/opnsense/ks.yaml

@@ -1,20 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: cluster-apps-opnsense
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  path: ./kubernetes/apps/default/opnsense/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-ops-kubernetes
-  dependsOn:
-    - name: cluster-apps-external-secrets-stores
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m

kubernetes/apps/default/truenas/app/minio-rclone/minio-rclone.sh

@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-
-set -o nounset
-set -o errexit
-
-
-
-echo "Download rclone config file ..."
-curl -fsSL \
-    --output "/tmp/rclone.conf.age" \
-    "https://raw.githubusercontent.com/auricom/dotfiles/main/private_dot_config/rclone/encrypted_private_rclone.conf.age"
-
-echo "Decrypt rclone config file ..."
-age --decrypt \
-    -i /app/age_key \
-    /tmp/rclone.conf.age > /tmp/rclone.conf
-
-
-echo "Sync minio buckets with encrypted remote gdrive-homelab-backups ..."
-rclone --config /tmp/rclone.conf sync minio: gdrive-homelab-backups:

kubernetes/apps/default/truenas/ks.yaml

@@ -1,18 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: cluster-apps-truenas
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  path: ./kubernetes/apps/default/truenas
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-ops-kubernetes
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m