new talos cluster

This commit is contained in:
auricom
2022-11-19 04:47:32 +01:00
parent 42346bd99b
commit 4ac38f95e9
548 changed files with 1642 additions and 2331 deletions


@@ -0,0 +1,62 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app freshrss
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres
namespace: default
values:
image:
repository: freshrss/freshrss
tag: 1.20.1
service:
main:
ports:
http:
port: 80
env:
TZ: ${TIMEZONE}
CRON_MIN: "18,48"
DOMAIN: "https://freshrss.${SECRET_CLUSTER_DOMAIN}/"
persistence:
config:
enabled: true
existingClaim: freshrss-config
mountPath: /var/www/FreshRSS/data
podAnnotations:
secret.reloader.stakater.com/reload: *app
ingress:
main:
enabled: true
ingressClassName: "nginx"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
resources:
requests:
cpu: 50m
memory: 256Mi
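Review bot: The `dependsOn` entry near the top of this HelmRelease names `postgres`, while the invidious, joplin and libreddit releases in the same commit depend on `postgres-cluster`; only one of those can match the actual postgres HelmRelease, and the releases using the other name will sit in a dependency-not-ready state until it is corrected. Please check which name is right and use it consistently, e.g. `- name: postgres-cluster`. The `TZ: ${TIMEZONE}` value is also left unquoted here, unlike the homer and homer-code releases, so an empty substitution would become a YAML null rather than an empty string; `TZ: "${TIMEZONE}"` avoids that.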


@@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
- secret.sops.yaml
- volume.yaml
patchesStrategicMerge:
- patches/postgres.yaml
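Review bot: This Kustomization omits the `---` document-start marker that the other Kustomizations and every HelmRelease in this commit begin with; the invidious, joplin and libreddit Kustomizations have the same omission. Kustomize does not mind, but yamllint's `document-start` rule will flag these files, so adding `---` as the first line keeps the repository consistent with itself.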


@@ -0,0 +1,31 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: freshrss
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.5
env:
- name: POSTGRES_HOST
value: postgres-rw.default.svc.cluster.local.
- name: POSTGRES_DB
value: freshrss
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: freshrss
key: DB_USERNAME
- name: POSTGRES_PASS
valueFrom:
secretKeyRef:
name: freshrss
key: DB_PASSWORD


@@ -0,0 +1,30 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: freshrss
namespace: default
type: Opaque
stringData:
DB_USERNAME: ENC[AES256_GCM,data:cEgGT4H8dUo=,iv:9FsASsPg285Wvxh84pMJYgZcEGHusK2waZT1JDs848U=,tag:GGqWYGx7mwUnq1UkcP6anA==,type:str]
DB_PASSWORD: ENC[AES256_GCM,data:o3jf5T0HkJmkfDpDTl4=,iv:mfKTcA28lw4Ay7qmLlez2JFAafF9kDWcLIv7ks+NrOE=,tag:2BxNiAdwOal3zj7Om3FezQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-15T11:26:17Z"
mac: ENC[AES256_GCM,data:HONFGv4W73jhfxO+mN9LGazgzQflKX4krefmOsmdS039MVQZVKiJgoyAVku6t/WOHkyfAn+x8CXERC1swvVOMVhJXt6eXgjgCK4yD3MTBNvV4Uuov6aJ6JEwbAtXMIQm0h/QU1a99xBlRZlX2JL02tqN04bqB/tgUeNuWVr7R3U=,iv:MlkMOuKDt3TR9XtT/yzydlBUcaM+2qL7LzIPPkpw0Aw=,tag:KNuGsmvpN8vNuQ/8JDmIpw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: freshrss-config
namespace: default
labels:
app.kubernetes.io/name: &name freshrss
app.kubernetes.io/instance: *name
snapshot.home.arpa/enabled: "true"
spec:
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-block
resources:
requests:
storage: 1Gi


@@ -0,0 +1,85 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app homer-code
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: homer
namespace: default
values:
image:
repository: ghcr.io/coder/code-server
tag: 4.8.3
env:
TZ: "${TIMEZONE}"
args:
- --auth
- "none"
- --user-data-dir
- "/config/.vscode"
- --extensions-dir
- "/config/.vscode"
- --port
- "80"
- "/config"
service:
main:
ports:
http:
port: 80
ingress:
main:
enabled: true
ingressClassName: "nginx"
hosts:
- host: &host "homer-code.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
podSecurityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 0
persistence:
config:
enabled: true
existingClaim: homer-config
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values: ["homer"]
- key: app.kubernetes.io/instance
operator: In
values: ["homer"]
topologyKey: kubernetes.io/hostname
resources:
requests:
cpu: 10m
memory: 100Mi
limits:
memory: 500Mi
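Review bot: code-server is started with `--auth none` and runs as root (`runAsUser: 0`, `runAsGroup: 0`, `fsGroup: 0`), yet this ingress lacks the `auth.home.arpa/enabled: "true"` annotation that the invidious and libreddit ingresses in this commit carry, so the only thing standing between the ingress and a root shell over the homer-config volume is network reachability. Adding the same annotation under `ingress.main.annotations` places it behind the cluster's existing forward auth; root is presumably only needed for write access to the shared claim, in which case a non-zero `fsGroup` matching the homer pod would be the least-privilege choice — worth confirming. The pod affinity pinning this pod to the homer pod is consistent with `homer-config` being a ReadWriteOnce claim, but a comment such as `# homer-config is RWO: co-locate with the homer pod so both can mount it` would spare the next reader the deduction.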


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,57 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app homer
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
image:
repository: b4bz/homer
tag: v22.11.1
env:
TZ: "${TIMEZONE}"
service:
main:
ports:
http:
port: 8080
ingress:
main:
enabled: true
ingressClassName: "nginx"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
persistence:
config:
enabled: true
mountPath: /www/assets
existingClaim: homer-config
resources:
requests:
cpu: 50m
memory: 256Mi
limits:
memory: 512Mi


@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
- volume.yaml


@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: homer-config
namespace: default
labels:
app.kubernetes.io/name: &name homer
app.kubernetes.io/instance: *name
snapshot.home.arpa/enabled: "true"
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: rook-ceph-block


@@ -0,0 +1,865 @@
---
#########################################
#
# Database configuration
#
#########################################
##
## Database configuration with separate parameters.
## This setting is MANDATORY, unless 'database_url' is used.
##
# db:
# user: ${SECRET_INVIDIOUS_DB_USER}
# password: ${SECRET_INVIDIOUS_DB_PASSWORD}
# host: postgres-rw.default.svc.cluster.local
# port: 5432
# dbname: invidious
##
## Database configuration using a single URI. This is an
## alternative to the 'db' parameter above. If both forms
## are used, then only database_url is used.
## This setting is MANDATORY, unless 'db' is used.
##
## Note: The 'database_url' setting allows the use of UNIX
## sockets. To do so, remove the IP address (or FQDN) and port
## and append the 'host' parameter. E.g:
## postgres://kemal:kemal@/invidious?host=/var/run/postgresql
##
## Accepted values: a postgres:// URI
## Default: postgres://kemal:kemal@localhost:5432/invidious
##
database_url: postgres://${SECRET_INVIDIOUS_DB_USER}:${SECRET_INVIDIOUS_DB_PASSWORD}@postgres-rw.default.svc.cluster.local.:5432/invidious
##
## Enable automatic table integrity check. This will create
## the required tables and columns if anything is missing.
##
## Accepted values: true, false
## Default: false
##
check_tables: true
#########################################
#
# Server config
#
#########################################
# -----------------------------
# Network (inbound)
# -----------------------------
##
## Port to listen on for incoming connections.
##
## Note: Ports lower than 1024 requires either root privileges
## (not recommended) or the "CAP_NET_BIND_SERVICE" capability
## (See https://stackoverflow.com/a/414258 and `man capabilities`)
##
## Accepted values: 1-65535
## Default: 3000
##
port: 3000
##
## When the invidious instance is behind a proxy, and the proxy
## listens on a different port than the instance does, this lets
## invidious know about it. This is used to craft absolute URLs
## to the instance (e.g in the API).
##
## Note: This setting is MANDATORY if invidious is behind a
## reverse proxy.
##
## Accepted values: 1-65535
## Default: <none>
##
#external_port:
##
## Interface address to listen on for incoming connections.
##
## Accepted values: a valid IPv4 or IPv6 address.
## default: 0.0.0.0 (listen on all interfaces)
##
#host_binding: 0.0.0.0
##
## Domain name under which this instance is hosted. This is
## used to craft absolute URLs to the instance (e.g in the API).
## The domain MUST be defined if your instance is accessed from
## a domain name (like 'example.com').
##
## Accepted values: a fully qualified domain name (FQDN)
## Default: <none>
##
domain: invidious.${SECRET_CLUSTER_DOMAIN}
##
## Tell Invidious that it is behind a proxy that provides only
## HTTPS, so all links must use the https:// scheme. This
## setting MUST be set to true if invidious is behind a
## reverse proxy serving HTTPs.
##
## Accepted values: true, false
## Default: false
##
https_only: false
##
## Enable/Disable 'Strict-Transport-Security'. Make sure that
## the domain specified under 'domain' is served securely.
##
## Accepted values: true, false
## Default: true
##
#hsts: true
# -----------------------------
# Network (outbound)
# -----------------------------
##
## Disable proxying server-wide. Can be disable as a whole, or
## only for a single function.
##
## Accepted values: true, false, dash, livestreams, downloads, local
## Default: false
##
#disable_proxy: false
##
## Size of the HTTP pool used to connect to youtube. Each
## domain ('youtube.com', 'ytimg.com', ...) has its own pool.
##
## Accepted values: a positive integer
## Default: 100
##
#pool_size: 100
##
## Enable/Disable the use of QUIC (HTTP/3) when connecting
## to the youtube API and websites ('youtube.com', 'ytimg.com').
## QUIC's main advantages are its lower latency and lower bandwidth
## use, compared to its predecessors. However, the current version
## of QUIC used in invidious is still based on the IETF draft 31,
## meaning that the underlying library may still not be fully
## optimized. You can read more about QUIC at the link below:
## https://datatracker.ietf.org/doc/html/draft-ietf-quic-transport-31
##
## Note: you should try both options and see what is the best for your
## instance. In general QUIC is recommended for public instances. Your
## mileage may vary.
##
## Note 2: Using QUIC prevents some captcha challenges from appearing.
## See: https://github.com/iv-org/invidious/issues/957#issuecomment-576424042
##
## Accepted values: true, false
## Default: false
##
#use_quic: false
##
## Additional cookies to be sent when requesting the youtube API.
##
## Accepted values: a string in the format "name1=value1; name2=value2..."
## Default: <none>
##
#cookies:
##
## Force connection to youtube over a specific IP family.
##
## Note: This may sometimes resolve issues involving rate-limiting.
## See https://github.com/ytdl-org/youtube-dl/issues/21729.
##
## Accepted values: ipv4, ipv6
## Default: <none>
##
#force_resolve:
# -----------------------------
# Logging
# -----------------------------
##
## Path to log file. Can be absolute or relative to the invidious
## binary. This is overridden if "-o OUTPUT" or "--output=OUTPUT"
## are passed on the command line.
##
## Accepted values: a filesystem path or 'STDOUT'
## Default: STDOUT
##
#output: STDOUT
##
## Logging Verbosity. This is overridden if "-l LEVEL" or
## "--log-level=LEVEL" are passed on the command line.
##
## Accepted values: All, Trace, Debug, Info, Warn, Error, Fatal, Off
## Default: Info
##
#log_level: Info
# -----------------------------
# Features
# -----------------------------
##
## Enable/Disable the "Popular" tab on the main page.
##
## Accepted values: true, false
## Default: true
##
#popular_enabled: true
##
## Enable/Disable statstics (available at /api/v1/stats).
## The following data is available:
## - Software name ("invidious") and version+branch (same data as
## displayed in the footer, e.g: "2021.05.13-75e5b49" / "master")
## - The value of the 'registration_enabled' config (true/false)
## - Number of currently registered users
## - Number of registered users who connected in the last month
## - Number of registered users who connected in the last 6 months
## - Timestamp of the last server restart
## - Timestamp of the last "Channel Refresh" job execution
##
## Warning: This setting MUST be set to true if you plan to run
## a public instance. It is used by api.invidious.io to refresh
## your instance's status.
##
## Accepted values: true, false
## Default: false
##
#statistics_enabled: false
# -----------------------------
# Users and accounts
# -----------------------------
##
## Allow/Forbid Invidious (local) account creation. Invidious
## accounts allow users to subscribe to channels and to create
## playlists without a Google account.
##
## Accepted values: true, false
## Default: true
##
#registration_enabled: true
##
## Allow/Forbid users to log-in. This setting affects the ability
## to connect with BOTH Google and Invidious (local) accounts.
##
## Accepted values: true, false
## Default: true
##
#login_enabled: true
##
## Enable/Disable the captcha challenge on the login page.
##
## Note: this is a basic captcha challenge that doesn't
## depend on any third parties.
##
## Accepted values: true, false
## Default: true
##
#captcha_enabled: true
##
## List of usernames that will be granted administrator rights.
## A user with administrator rights will be able to change the
## server configuration options listed below in /preferences,
## in addition to the usual user preferences.
##
## Server-wide settings:
## - popular_enabled
## - captcha_enabled
## - login_enabled
## - registration_enabled
## - statistics_enabled
## Default user preferences:
## - default_home
## - feed_menu
##
## Accepted values: an array of strings
## Default: [""]
##
#admins: [""]
# -----------------------------
# Background jobs
# -----------------------------
##
## Number of threads to use when crawling channel videos (during
## subscriptions update).
##
## Notes:
## - Setting this to 0 will disable the channel videos crawl job.
## - This setting is overridden if "-c THREADS" or
## "--channel-threads=THREADS" are passed on the command line.
##
## Accepted values: a positive integer
## Default: 1
##
channel_threads: 1
##
## Time interval between two executions of the job that crawls
## channel videos (subscriptions update).
##
## Accepted values: a valid time interval (like 1h30m or 90m)
## Default: 30m
##
#channel_refresh_interval: 30m
##
## Forcefully dump and re-download the entire list of uploaded
## videos when crawling channel (during subscriptions update).
##
## Accepted values: true, false
## Default: false
##
full_refresh: false
##
## Number of threads to use when updating RSS feeds.
##
## Notes:
## - Setting this to 0 will disable the channel videos crawl job.
## - This setting is overridden if "-f THREADS" or
## "--feed-threads=THREADS" are passed on the command line.
##
## Accepted values: a positive integer
## Default: 1
##
feed_threads: 1
##
## Enable/Disable the polling job that keeps the decryption
## function (for "secured" videos) up to date.
##
## Note: This part of the code generate a small amount of data every minute.
## This may not be desired if you have bandwidth limits set by your ISP.
##
## Note 2: This part of the code is currently broken, so changing
## this setting has no impact.
##
## Accepted values: true, false
## Default: false
##
#decrypt_polling: false
# -----------------------------
# Captcha API
# -----------------------------
##
## URL of the captcha solving service.
##
## Accepted values: any URL
## Default: https://api.anti-captcha.com
##
#captcha_api_url: https://api.anti-captcha.com
##
## API key for the captcha solving service.
##
## Accepted values: a string
## Default: <none>
##
#captcha_key:
# -----------------------------
# Miscellaneous
# -----------------------------
##
## custom banner displayed at the top of every page. This can
## used for instance announcements, e.g.
##
## Accepted values: any string. HTML is accepted.
## Default: <none>
##
#banner:
##
## Subscribe to channels using PubSubHub (Google PubSubHubbub service).
## PubSubHub allows Invidious to be instantly notified when a new video
## is published on any subscribed channels. When PubSubHub is not used,
## Invidious will check for new videos every minute.
##
## Note: This setting is recommended for public instances.
##
## Note 2:
## - Requires a public instance (it uses /feed/webhook/v1)
## - Requires 'domain' and 'hmac_key' to be set.
## - Setting this parameter to any number greater than zero will
## enable channel subscriptions via PubSubHub, but will limit the
## amount of concurrent subscriptions.
##
## Accepted values: true, false, a positive integer
## Default: false
##
#use_pubsub_feeds: false
##
## HMAC signing key used for CSRF tokens and pubsub
## subscriptions verification.
##
## Accepted values: a string
## Default: <none>
##
#hmac_key:
##
## List of video IDs where the "download" widget must be
## disabled, in order to comply with DMCA requests.
##
## Accepted values: an array of string
## Default: <none>
##
#dmca_content:
##
## Cache video annotations in the database.
##
## Warning: empty annotations or annotations that only contain
## cards won't be cached.
##
## Accepted values: true, false
## Default: false
##
#cache_annotations: false
##
## Source code URL. If your instance is running a modified source
## code, you MUST publish it somewhere and set this option.
##
## Accepted values: a string
## Default: <none>
##
#modified_source_code_url: ""
##
## Maximum custom playlist length limit.
##
## Accepted values: Integer
## Default: 500
##
#playlist_length_limit: 500
#########################################
#
# Default user preferences
#
#########################################
##
## NOTE: All the settings below define the default user
## preferences. They will apply to ALL users connecting
## without a preferences cookie (so either on the first
## connection to the instance or after clearing the
## browser's cookies).
##
default_user_preferences:
# -----------------------------
# Internationalization
# -----------------------------
##
## Default user interface language (locale).
##
## Note: When hosting a public instance, overriding the
## default (english) is not recommended, as it may
## people using other languages.
##
## Accepted values:
## ar (Arabic)
## da (Danish)
## de (German)
## en-US (english, US)
## el (Greek)
## eo (Esperanto)
## es (Spanish)
## fa (Persian)
## fi (Finnish)
## fr (French)
## he (Hebrew)
## hr (Hungarian)
## id (Indonesian)
## is (Icelandic)
## it (Italian)
## ja (Japanese)
## nb-NO (Norwegian, Bokmål)
## nl (Dutch)
## pl (Polish)
## pt-BR (Portuguese, Brazil)
## pt-PT (Portuguese, Portugal)
## ro (Romanian)
## ru (Russian)
## sv (Swedish)
## tr (Turkish)
## uk (Ukrainian)
## zh-CN (Chinese, China) (a.k.a "Simplified Chinese")
## zh-TW (Chinese, Taiwan) (a.k.a "Traditional Chinese")
##
## Default: en-US
##
#locale: en-US
##
## Default geographical location for content.
##
## Accepted values:
## AE, AR, AT, AU, AZ, BA, BD, BE, BG, BH, BO, BR, BY, CA, CH, CL, CO, CR,
## CY, CZ, DE, DK, DO, DZ, EC, EE, EG, ES, FI, FR, GB, GE, GH, GR, GT, HK,
## HN, HR, HU, ID, IE, IL, IN, IQ, IS, IT, JM, JO, JP, KE, KR, KW, KZ, LB,
## LI, LK, LT, LU, LV, LY, MA, ME, MK, MT, MX, MY, NG, NI, NL, NO, NP, NZ,
## OM, PA, PE, PG, PH, PK, PL, PR, PT, PY, QA, RO, RS, RU, SA, SE, SG, SI,
## SK, SN, SV, TH, TN, TR, TW, TZ, UA, UG, US, UY, VE, VN, YE, ZA, ZW
##
## Default: US
##
#region: US
##
## Top 3 preferred languages for video captions.
##
## Note: overriding the default (no preferred
## caption language) is not recommended, in order
## to not penalize people using other languages.
##
## Accepted values: a three-entries array.
## Each entry can be one of:
## "English", "English (auto-generated)",
## "Afrikaans", "Albanian", "Amharic", "Arabic",
## "Armenian", "Azerbaijani", "Bangla", "Basque",
## "Belarusian", "Bosnian", "Bulgarian", "Burmese",
## "Catalan", "Cebuano", "Chinese (Simplified)",
## "Chinese (Traditional)", "Corsican", "Croatian",
## "Czech", "Danish", "Dutch", "Esperanto", "Estonian",
## "Filipino", "Finnish", "French", "Galician", "Georgian",
## "German", "Greek", "Gujarati", "Haitian Creole", "Hausa",
## "Hawaiian", "Hebrew", "Hindi", "Hmong", "Hungarian",
## "Icelandic", "Igbo", "Indonesian", "Irish", "Italian",
## "Japanese", "Javanese", "Kannada", "Kazakh", "Khmer",
## "Korean", "Kurdish", "Kyrgyz", "Lao", "Latin", "Latvian",
## "Lithuanian", "Luxembourgish", "Macedonian",
## "Malagasy", "Malay", "Malayalam", "Maltese", "Maori",
## "Marathi", "Mongolian", "Nepali", "Norwegian Bokmål",
## "Nyanja", "Pashto", "Persian", "Polish", "Portuguese",
## "Punjabi", "Romanian", "Russian", "Samoan",
## "Scottish Gaelic", "Serbian", "Shona", "Sindhi",
## "Sinhala", "Slovak", "Slovenian", "Somali",
## "Southern Sotho", "Spanish", "Spanish (Latin America)",
## "Sundanese", "Swahili", "Swedish", "Tajik", "Tamil",
## "Telugu", "Thai", "Turkish", "Ukrainian", "Urdu",
## "Uzbek", "Vietnamese", "Welsh", "Western Frisian",
## "Xhosa", "Yiddish", "Yoruba", "Zulu"
##
## Default: ["", "", ""]
##
#captions: ["", "", ""]
# -----------------------------
# Interface
# -----------------------------
##
## Enable/Disable dark mode.
##
## Accepted values: true, false
## Default: <none>
##
#dark_mode:
##
## Enable/Disable thin mode (no video thumbnails).
##
## Accepted values: true, false
## Default: false
##
#thin_mode: false
##
## List of feeds available on the home page.
##
## Note: "Subscriptions" and "Playlists" are only visible
## when the user is logged in.
##
## Accepted values: A list of strings
## Each entry can be one of: "Popular", "Trending",
## "Subscriptions", "Playlists"
##
## Default: ["Popular", "Trending", "Subscriptions", "Playlists"] (show all feeds)
##
#feed_menu: ["Popular", "Trending", "Subscriptions", "Playlists"]
##
## Default feed to display on the home page.
##
## Note: setting this option to "Popular" has no
## effect when 'popular_enabled' is set to false.
##
## Accepted values: Popular, Trending, Subscriptions, Playlists, <none>
## Default: Popular
##
#default_home: Popular
##
## Default number of results to display per page.
##
## Note: this affects invidious-generated pages only, such
## as watch history and subscription feeds. Playlists, search
## results and channel videos depend on the data returned by
## the Youtube API.
##
## Accepted values: any positive integer
## Default: 40
##
#max_results: 40
##
## Show/hide annotations.
##
## Accepted values: true, false
## Default: false
##
#annotations: false
##
## Show/hide annotation.
##
## Accepted values: true, false
## Default: false
##
#annotations_subscribed: false
##
## Type of comments to display below video.
##
## Accepted values: a two-entries array.
## Each entry can be one of: "youtube", "reddit", ""
##
## Default: ["youtube", ""]
##
#comments: ["youtube", ""]
##
## Default player style.
##
## Accepted values: invidious, youtube
## Default: invidious
##
#player_style: invidious
##
## Show/Hide the "related videos" sidebar when
## watching a video.
##
## Accepted values: true, false
## Default: true
##
#related_videos: true
# -----------------------------
# Video player behavior
# -----------------------------
##
## Automatically play videos on page load.
##
## Accepted values: true, false
## Default: false
##
#autoplay: false
##
## Automatically load the "next" video (either next in
## playlist or proposed) when the current video ends.
##
## Accepted values: true, false
## Default: false
##
#continue: false
##
## Autoplay next video by default.
##
## Note: Only effective if 'continue' is set to true.
##
## Accepted values: true, false
## Default: true
##
#continue_autoplay: true
##
## Play videos in Audio-only mode by default.
##
## Accepted values: true, false
## Default: false
##
#listen: false
##
## Loop videos automatically.
##
## Accepted values: true, false
## Default: false
##
#video_loop: false
# -----------------------------
# Video playback settings
# -----------------------------
##
## Default video quality.
##
## Accepted values: dash, hd720, medium, small
## Default: hd720
##
#quality: hd720
##
## Default dash video quality.
##
## Note: this setting only takes effet if the
## 'quality' parameter is set to "dash".
##
## Accepted values:
## auto, best, 4320p, 2160p, 1440p, 1080p,
## 720p, 480p, 360p, 240p, 144p, worst
## Default: auto
##
#quality_dash: auto
##
## Default video playback speed.
##
## Accepted values: 0.25, 0.5, 0.75, 1.0, 1.25, 1.5, 1.75, 2.0
## Default: 1.0
##
#speed: 1.0
##
## Default volume.
##
## Accepted values: 0-100
## Default: 100
##
#volume: 100
##
## Allow 360° videos to be played.
##
## Note: This feature requires a WebGL-enabled browser.
##
## Accepted values: true, false
## Default: true
##
#vr_mode: true
# -----------------------------
# Subscription feed
# -----------------------------
##
## In the "Subscription" feed, only show the latest video
## of each channel the user is subscribed to.
##
## Note: when combined with 'unseen_only', the latest unseen
## video of each channel will be displayed instead of the
## latest by date.
##
## Accepted values: true, false
## Default: false
##
#latest_only: false
##
## Enable/Disable user subscriptions desktop notifications.
##
## Accepted values: true, false
## Default: false
##
#notifications_only: false
##
## In the "Subscription" feed, Only show the videos that the
## user haven't watched yet (i.e which are not in their watch
## history).
##
## Accepted values: true, false
## Default: false
##
#unseen_only: false
##
## Default sorting parameter for subscription feeds.
##
## Accepted values:
## 'alphabetically'
## 'alphabetically - reverse'
## 'channel name'
## 'channel name - reverse'
## 'published'
## 'published - reverse'
##
## Default: published
##
#sort: published
# -----------------------------
# Miscellaneous
# -----------------------------
##
## Proxy videos through instance by default.
##
## Warning: As most users won't change this setting in their
## preferences, defaulting to true will significantly
## increase the instance's network usage, so make sure that
## your server's connection can handle it.
##
## Accepted values: true, false
## Default: false
##
#local: false
##
## Show the connected user's nick at the top right.
##
## Accepted values: true, false
## Default: true
##
#show_nick: true
##
## Automatically redirect to a random instance when the user uses
## any "switch invidious instance" link (For videos, it's the plane
## icon, next to "watch on youtube" and "listen"). When set to false,
## the user is sent to https://redirect.invidious.io instead, where
## they can manually select an instance.
##
## Accepted values: true, false
## Default: false
##
#automatic_instance_redirect: false
##
## Show the entire video description by default (when set to 'false',
## only the first few lines of the description are shown and a
## "show more" button allows to expand it).
##
## Accepted values: true, false
## Default: false
##
#extend_desc: false
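Review bot: `database_url` embeds `${SECRET_INVIDIOUS_DB_USER}` and `${SECRET_INVIDIOUS_DB_PASSWORD}`, and this file is consumed by the `configMapGenerator` in the invidious Kustomization, so after Flux substitution the database credentials end up in a plain ConfigMap rather than a Secret and are readable by anything with ConfigMap read access in `default`. Mounting the rendered config from a SOPS-managed Secret, as the freshrss and joplin apps do for their credentials, would keep them under Secret RBAC. Separately, `https_only: false` contradicts the note a few lines above it — the instance is published through a TLS ingress elsewhere in this commit, the case the comment says MUST be `true` — and `external_port` is left commented out although the ingress presumably listens on a different port than 3000; consider `https_only: true` and `external_port: 443`.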


@@ -0,0 +1,64 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app invidious-server
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres-cluster
namespace: default
values:
image:
repository: quay.io/invidious/invidious
tag: 09942dee6621e7047a63dffcc61b3bbf78cef2c6
service:
main:
ports:
http:
port: 3000
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
auth.home.arpa/enabled: "true"
external-dns.home.arpa/enabled: "true"
hosts:
- host: &host "invidious.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
persistence:
config:
enabled: true
type: configMap
name: *app
subPath: config.yml
mountPath: /invidious/config/config.yml
readOnly: false
podAnnotations:
secret.reloader.stakater.com/reload: *app
resources:
requests:
cpu: 50m
memory: 256Mi
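Review bot: The `podAnnotations` entry `secret.reloader.stakater.com/reload: *app` watches a Secret named `invidious-server`, but this release has no such Secret — its configuration is mounted from the `invidious-server` ConfigMap generated in the Kustomization — so edits to `config.yml` will never trigger a rollout. The annotation should be `configmap.reloader.stakater.com/reload: *app`. `readOnly: false` on the configMap volume is also misleading, since ConfigMap mounts are read-only regardless; dropping the key or writing `readOnly: true` documents the real behaviour.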


@@ -0,0 +1,12 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
patchesStrategicMerge:
- patches/postgres.yaml
configMapGenerator:
- name: invidious-server
files:
- config/config.yml
generatorOptions:
disableNameSuffixHash: true


@@ -0,0 +1,25 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: invidious-server
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.5
env:
- name: POSTGRES_HOST
value: postgres-rw.default.svc.cluster.local.
- name: POSTGRES_DB
value: invidious
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
value: ${SECRET_INVIDIOUS_DB_USER}
- name: POSTGRES_PASS
value: ${SECRET_INVIDIOUS_DB_PASSWORD}
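Review bot: `POSTGRES_USER` and `POSTGRES_PASS` are injected as literal `value: ${SECRET_INVIDIOUS_DB_USER}` / `value: ${SECRET_INVIDIOUS_DB_PASSWORD}`, so after Flux substitution the database password sits in clear text in the HelmRelease object and in the resulting Pod spec, unlike the freshrss and joplin patches in this commit which use `valueFrom.secretKeyRef`. Sourcing both values from a SOPS-managed Secret via `secretKeyRef` keeps the credential out of `kubectl get helmrelease -o yaml` output and under Secret RBAC, and makes this patch consistent with its siblings.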


@@ -0,0 +1,67 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app joplin
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres-cluster
namespace: default
values:
global:
nameOverride: *app
image:
repository: joplin/server
tag: 2.9.7-beta
env:
APP_BASE_URL: https://joplin.${SECRET_CLUSTER_DOMAIN}
APP_PORT: 80
DB_CLIENT: pg
POSTGRES_HOST: postgres-rw.default.svc.cluster.local.
POSTGRES_PORT: 5432
POSTGRES_DATABASE: joplin
envFrom:
- secretRef:
name: *app
podAnnotations:
secret.reloader.stakater.com/reload: *app
service:
main:
ports:
http:
port: 80
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
external-dns.home.arpa/enabled: "true"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
resources:
requests:
cpu: 50m
memory: 256Mi
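Review bot: `APP_PORT: 80` and `POSTGRES_PORT: 5432` are unquoted integers under `env`, whereas Kubernetes requires env values to be strings; whether app-template 1.0.1 stringifies them before rendering is not visible here, so quoting them as `APP_PORT: "80"` and `POSTGRES_PORT: "5432"` removes the dependence on chart behaviour. `APP_BASE_URL` is unquoted too; it parses as a string today, but quoting it like `TZ` keeps the block uniform.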


@@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
- secret.sops.yaml
patchesStrategicMerge:
- patches/postgres.yaml


@@ -0,0 +1,31 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: joplin
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.5
env:
- name: POSTGRES_HOST
value: postgres-rw.default.svc.cluster.local.
- name: POSTGRES_DB
value: joplin
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: joplin
key: POSTGRES_USER
- name: POSTGRES_PASS
valueFrom:
secretKeyRef:
name: joplin
key: POSTGRES_PASSWORD


@@ -0,0 +1,30 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: joplin
namespace: default
type: Opaque
stringData:
POSTGRES_USER: ENC[AES256_GCM,data:jNdktSC6,iv:MMJlnCvXm5w5fWU/oe3bJINrZNbzkJIs3bAqGswrEFA=,tag:iw38sQO32V1eR8XNyAV2gQ==,type:str]
POSTGRES_PASSWORD: ENC[AES256_GCM,data:cDAlN/Hr30o+sWpaSQNHMw==,iv:0/eswlxH8w2IQc3ca7XWcEmEojUnJQ6bo61NK+ip1pg=,tag:CnI75YyzApe9n5o8m7MZKw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-15T21:00:13Z"
mac: ENC[AES256_GCM,data:MLJDC9OZG0lgOSI93kOso4XDwnh6plwn3RddjS5zG34Ja/T+i5BG52HwdYs+XUgQWFvawX9ZUGwarCrNmJTMaYAJzjDBEF4TzR+sF9pGAlAtraL5RKM5H8cr9Hwy7UkQxNvVJu1kZ7rCUDWhYp7x9jEuGzXpiZwlwDq+C1XwD3A=,iv:GAc/oGqtc8gkHM1XCuAB+N7+T8vxBHQ7WPQxXOSZUIY=,tag:JlXR6ANyyEZZHrONHkNSTg==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,19 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- freshrss
- homer
- homer-code
- invidious
- joplin
- libreddit
- nitter
- sharry
- tandoor
- theme-park
- vaultwarden
- vikunja
- wallabag
- whoogle


@@ -0,0 +1,69 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app libreddit
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres-cluster
namespace: default
values:
image:
repository: ghcr.io/auricom/libreddit
tag: 0.24.0@sha256:1455b0ed61a45c4670b11c6f4825168c622dfd90638a069bf02b5a21d1515236
service:
main:
ports:
http:
port: &port 8080
probes:
liveness: &probes
enabled: true
custom: true
spec:
httpGet:
path: /settings
port: *port
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 1
failureThreshold: 3
readiness: *probes
startup:
enabled: false
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
auth.home.arpa/enabled: "true"
external-dns.home.arpa/enabled: "true"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
resources:
requests:
cpu: 50m
memory: 256Mi


@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,45 @@
[Server]
address = "0.0.0.0"
port = 8080
https = false # disable to enable cookies when not using https
httpMaxConnections = 100
staticDir = "./public"
title = "nitter"
hostname = "nitter.${SECRET_CLUSTER_DOMAIN}"
[Cache]
listMinutes = 240 # how long to cache list info (not the tweets, so keep it high)
rssMinutes = 10 # how long to cache rss queries
redisHost = "redis.default.svc.cluster.local." # Change to "nitter-redis" if using docker-compose
redisPort = 6379
redisPassword = ""
redisConnections = 20 # connection pool size
redisMaxConnections = 30
# max, new connections are opened when none are available, but if the pool size
# goes above this, they're closed when released. don't worry about this unless
# you receive tons of requests per second
[Config]
hmacKey = "${SECRET_NITTER_HMAC}" # random key for cryptographic signing of video urls
base64Media = false # use base64 encoding for proxied media urls
enableRSS = true # set this to false to disable RSS feeds
enableDebug = false # enable request logs and debug endpoints
#proxy = "" # http/https url, SOCKS proxies are not supported
#proxyAuth = ""
#tokenCount = 10
# minimum amount of usable tokens. tokens are used to authorize API requests,
# but they expire after ~1 hour, and have a limit of 187 requests.
# the limit gets reset every 15 minutes, and the pool is filled up so there's
# always at least $tokenCount usable tokens. again, only increase this if
# you receive major bursts all the time
# Change default preferences here, see src/prefs_impl.nim for a complete list
[Preferences]
theme = "Nitter"
replaceTwitter = "nitter.${SECRET_CLUSTER_DOMAIN}"
replaceYouTube = "invidious.${SECRET_CLUSTER_DOMAIN}"
replaceReddit = "libreddit.${SECRET_CLUSTER_DOMAIN}"
replaceInstagram = ""
proxyVideos = true
hlsPlayback = false
infiniteScroll = true
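Review bot: `https = false` in the `[Server]` section tells nitter it is not served over HTTPS, yet the accompanying release terminates TLS at the ingress for `nitter.${SECRET_CLUSTER_DOMAIN}`; the inline comment says the flag exists to relax cookie handling, which presumably means preference cookies lose their `Secure` attribute and can be replayed in clear. Behind the TLS ingress this should be `https = true`. Separately, `hmacKey = "${SECRET_NITTER_HMAC}"` is substituted into a file that the kustomization packs into a ConfigMap, so the signing key becomes readable to anything with `get configmaps` in `default` rather than living in a Secret; render this file from a SOPS-encrypted Secret instead, or feed the key through a Secret-backed env var if nitter supports it.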


@@ -0,0 +1,79 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app nitter
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres-cluster
namespace: default
values:
image:
repository: docker.io/zedeus/nitter
tag: 2ac3afa5b273a502d7632e9346c7c3bc9283fb48
service:
main:
ports:
http:
port: &port 8080
probes:
liveness: &probes
enabled: false
# custom: true
# spec:
# httpGet:
# path: /Jack/status/20
# port: *port
# initialDelaySeconds: 0
# periodSeconds: 10
# timeoutSeconds: 1
# failureThreshold: 3
readiness: *probes
startup:
enabled: false
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
auth.home.arpa/enabled: "true"
external-dns.home.arpa/enabled: "true"
hosts:
- host: &host "nitter.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
persistence:
config:
enabled: true
type: configMap
name: *app
subPath: config.yml
mountPath: /src/nitter.conf
readOnly: false
podAnnotations:
secret.reloader.stakater.com/reload: *app
resources:
requests:
cpu: 50m
memory: 256Mi
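Review bot: The `podAnnotations` block asks reloader to watch a Secret named `nitter` (`secret.reloader.stakater.com/reload: *app`), but this release's only configuration source is the ConfigMap `nitter` mounted at `/src/nitter.conf`, so a config change will not restart the pod; it should read `configMap.reloader.stakater.com/reload: *app`. `readOnly: false` on the configMap-backed mount is also misleading, since configMap volumes are mounted read-only by the kubelet regardless; drop it or set `readOnly: true` to state the intent. Finally, the image is pinned to a bare commit-hash tag with no `@sha256:` digest, unlike libreddit and theme-park in the same commit; a tag can be re-pushed, a digest cannot.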


@@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
configMapGenerator:
- name: nitter
files:
- config/config.yml
generatorOptions:
disableNameSuffixHash: true


@@ -0,0 +1,67 @@
# Databases
## Sharry
### S3 Configuration
1. Create `~/.mc/config.json`
```json
{
"version": "10",
"aliases": {
"minio": {
"url": "https://s3.<domain>",
"accessKey": "<access-key>",
"secretKey": "<secret-key>",
"api": "S3v4",
"path": "auto"
}
}
}
```
2. Create the outline user and password
```sh
mc admin user add minio sharry <super-secret-password>
```
3. Create the outline bucket
```sh
mc mb minio/sharry
```
4. Create `sharry-user-policy.json`
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::sharry/*", "arn:aws:s3:::sharry"],
"Sid": ""
}
]
}
```
5. Apply the bucket policies
```sh
mc admin policy add minio sharry-private sharry-user-policy.json
```
6. Associate private policy with the user
```sh
mc admin policy set minio sharry-private user=sharry
```


@@ -0,0 +1,100 @@
sharry.restserver {
base-url = "https://sharry.${SECRET_CLUSTER_DOMAIN}"
bind {
address = "0.0.0.0"
port =9090
}
# Configures logging
logging {
format = "Fancy"
minimum-level = "Info"
}
backend {
auth {
fixed.enabled = false
}
jdbc {
url = "jdbc:postgresql://postgres-rw.default.svc.cluster.local.:5432/sharry"
user = "${SECRET_SHARRY_DB_USERNAME}"
password = "${SECRET_SHARRY_DB_PASSWORD}"
}
# How files are stored.
files {
# The id of an enabled store from the `stores` array that should
# be used.
default-store = "minio"
# A list of possible file stores. Each entry must have a unique
# id. The `type` is one of: default-database, filesystem, s3.
#
# All stores with enabled=false are
# removed from the list. The `default-store` must be enabled.
stores = {
minio =
{ enabled = true
type = "s3"
endpoint = "https://truenas.${SECRET_DOMAIN}:9000"
access-key = "${SECRET_SHARRY_MINIO_S3_ACCESS_KEY}"
secret-key = "${SECRET_SHARRY_MINIO_S3_SECRET_KEY}"
bucket = "sharry"
}
}
}
webapp {
# This is shown in the top right corner of the web application
app-name = "Sharry"
# The icon next to the app-name. Needs to be an URL to a image.
app-icon = ""
# The login and register page displays a logo image, by default
# the Sharry logo. This can be changed here. It needs to be an URL
# to an image.
app-logo = ""
# This is markdown that is inserted as the footer on each page in
# the ui. If left empty, a link to the project is rendered.
app-footer = ""
# Whether to display the footer on each page in the ui. Set it to
# false to hide it.
app-footer-visible = true
# Chunk size used for one request. The server will re-chunk the
# stream into smaller chunks. But the client can transfer more in
# one requests, resulting in faster uploads.
#
# You might need to adjust this value depending on your setup. A
# higher value usually means faster uploads.
chunk-size = "100M"
# Number of milliseconds the client should wait before doing a new
# upload attempt after something failed. The length of the array
# denotes the number of retries.
retry-delays = [0, 3000, 6000, 12000, 24000, 48000]
# The login page can display a welcome message that is readable by
# everyone. The text is processed as markdown.
welcome-message = ""
}
share {
# When storing binary data use chunks of this size.
chunk-size = "512K"
# Maximum size of a share.
max-size = "1.5G"
# Maximum validity for uploads
max-validity =31 days
}
signup {
mode = "invite"
invite-time = "14 days"
invite-password = "generate-invite"
}
mail {
enabled = true
smtp {
host = "smtp-relay.default.svc.cluster.local."
port = 2525
user = ""
password = ""
ssl-type = "none"
default-from = "Sharry <sharry@${SECRET_DOMAIN}>"
}
}
}
}
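Review bot: The database password (`${SECRET_SHARRY_DB_PASSWORD}`) and the S3 `secret-key` in the `jdbc` and `stores.minio` blocks are substituted into this file, which the kustomization turns into a plain ConfigMap, so both credentials become readable to anything with ConfigMap read access in `default`, a weaker boundary than the SOPS-managed Secrets used by the other apps in this commit. Render the config from a SOPS-encrypted Secret (or mount a Secret with the same key) rather than a ConfigMap. `invite-password = "generate-invite"` is also a fixed, guessable literal; with `mode = "invite"` it is the only thing gating account creation, so it should be a generated value stored alongside the other secrets.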


@@ -0,0 +1,71 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app sharry
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres-cluster
namespace: default
values:
controller:
replicas: 1
strategy: Recreate
image:
repository: eikek0/sharry
tag: v1.11.0
args:
- "/opt/sharry.conf"
service:
main:
ports:
http:
port: 9090
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
external-dns.home.arpa/enabled: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
podAnnotations:
configMap.reloader.stakater.com/reload: *app
secret.reloader.stakater.com/reload: *app
resources:
requests:
cpu: 50m
memory: 250Mi
limits:
memory: 1Gi
persistence:
config:
enabled: true
type: configMap
name: sharry
mountPath: /opt/sharry.conf
subPath: sharry.conf
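Review bot: `nginx.ingress.kubernetes.io/proxy-body-size: "0"` removes the ingress request-size limit entirely for an upload endpoint whose ingress carries no auth annotation, so anyone reaching the host can push arbitrarily large bodies at the pod. The sharry config in this commit sets a 100M client chunk size and a 1.5G share maximum, so a bound just above the chunk size (e.g. `nginx.ingress.kubernetes.io/proxy-body-size: "110m"`) should be enough while keeping the ingress-level cap. Whether a larger value is required depends on how the client actually chunks uploads, which is not visible from this hunk.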


@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- helm-release.yaml
patchesStrategicMerge:
- patches/postgres.yaml
configMapGenerator:
- name: sharry
files:
- config/sharry.conf
generatorOptions:
disableNameSuffixHash: true


@@ -0,0 +1,25 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: sharry
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.5
env:
- name: POSTGRES_HOST
value: postgres-rw.default.svc.cluster.local.
- name: POSTGRES_DB
value: sharry
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
value: ${SECRET_SHARRY_DB_USERNAME}
- name: POSTGRES_PASS
value: ${SECRET_SHARRY_DB_PASSWORD}
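Review bot: `POSTGRES_USER` and `POSTGRES_PASS` are set as literal `value:` entries filled by Flux substitution, so the database password is written in clear into the HelmRelease object, the rendered Deployment and the pod spec, where anyone with read access to those resources (and Flux's own diff output) can see it. Every other postgres patch in this commit uses `valueFrom.secretKeyRef`; use the same shape here with the credentials in a SOPS-encrypted `sharry` Secret, e.g. `valueFrom: {secretKeyRef: {name: sharry, key: POSTGRES_PASSWORD}}`.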


@@ -0,0 +1,25 @@
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
server {
listen 80;
server_name _;
client_max_body_size 128M;
# serve media files
location /media/ {
alias /media/;
}
# serve static files
location /static/ {
alias /static/;
}
# pass requests for dynamic content to gunicorn
location / {
proxy_set_header Host $host;
proxy_set_header REMOTE-USER $http_x_authentik_username;
proxy_pass http://localhost:8080;
}
}
}
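Review bot: `proxy_set_header REMOTE-USER $http_x_authentik_username;` forwards whatever `X-Authentik-Username` header arrives to the application as `REMOTE-USER`, but the tandoor ingress in this commit carries no forward-auth annotation and nothing here strips a client-supplied header, so any request can claim an arbitrary username. This is harmless only while tandoor ignores the header; if `REMOTE_USER_AUTH` is ever enabled it becomes an authentication bypass. Either enforce the auth proxy on the ingress and clear the header on untrusted paths, or drop the line until it is needed, with a comment such as `# REMOTE-USER is only trustworthy behind the authentik forward-auth ingress`.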


@@ -0,0 +1,103 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app tandoor
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres-cluster
namespace: default
values:
image:
repository: vabene1111/recipes
tag: "1.4.5"
envFrom:
- secretRef:
name: *app
service:
main:
ports:
http:
port: 80
ingress:
main:
enabled: true
ingressClassName: "nginx"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
- host: &host2 "recipes.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
- *host2
persistence:
files:
enabled: true
existingClaim: tandoor-files
mountPath: /opt/recipes/mediafiles
nginx-config:
enabled: "true"
mountPath: /etc/nginx/nginx.conf
subPath: nginx-config
type: "custom"
volumeSpec:
configMap:
name: *app
static:
enabled: true
mountPath: /opt/recipes/staticfiles
type: emptyDir
podSecurityContext:
runAsUser: 0
podAnnotations:
configMap.reloader.stakater.com/reload: *app
secret.reloader.stakater.com/reload: *app
securityContext:
runAsUser: 65534
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 512Mi
additionalContainers:
nginx:
name: nginx
image: nginx:1.23.2
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
volumeMounts:
- name: nginx-config
readOnly: true
mountPath: /etc/nginx/nginx.conf
subPath: nginx-config
- name: files
mountPath: /media
- name: static
mountPath: /static
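Review bot: `podSecurityContext.runAsUser: 0` applies to every container in the pod, and only the main container overrides it with `securityContext.runAsUser: 65534`; the `nginx` sidecar under `additionalContainers` has no override and therefore runs as root, presumably because the mounted config does `listen 80`. Switching the sidecar to an unprivileged nginx image listening on a high port (and pointing the service/ingress at that port) would let the pod-level user be non-root. Also `enabled: "true"` on the `nginx-config` volume is a string where the other persistence entries use a boolean; keep it `true` for consistency.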


@@ -0,0 +1,17 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- secret.sops.yaml
- helm-release.yaml
- volume.yaml
patchesStrategicMerge:
- patches/env.yaml
- patches/postgres.yaml
configMapGenerator:
- name: tandoor
files:
- config/nginx-config
generatorOptions:
disableNameSuffixHash: true


@@ -0,0 +1,21 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: tandoor
namespace: default
spec:
values:
env:
DEBUG: "0"
ALLOWED_HOSTS: "*"
DB_ENGINE: django.db.backends.postgresql_psycopg2
POSTGRES_HOST: postgres-rw.default.svc.cluster.local.
POSTGRES_PORT: 5432
POSTGRES_DB: recipes
GUNICORN_MEDIA: "0"
TIMEZONE: ${TIMEZONE}
TANDOOR_PORT: 8080
FRACTION_PREF_DEFAULT: "0"
COMMENT_PREF_DEFAULT: "1"
SHOPPING_MIN_AUTOSYNC_INTERVAL: "5"
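Review bot: `ALLOWED_HOSTS: "*"` disables Django's Host header validation (the app is Django, per `DB_ENGINE: django.db.backends.postgresql_psycopg2`), so absolute links such as password-reset URLs built from the request host can be poisoned by a crafted `Host` header. The release only serves `tandoor` and `recipes` under `${SECRET_CLUSTER_DOMAIN}`, so set `ALLOWED_HOSTS: "tandoor.${SECRET_CLUSTER_DOMAIN},recipes.${SECRET_CLUSTER_DOMAIN}"`. `POSTGRES_PORT: 5432` and `TANDOOR_PORT: 8080` are YAML integers in an env map; unless the chart quotes env values when rendering, quote them here so the API server does not reject a non-string `value`.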


@@ -0,0 +1,31 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: tandoor
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.5
env:
- name: POSTGRES_HOST
value: postgres-rw.default.svc.cluster.local.
- name: POSTGRES_DB
value: recipes
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: tandoor
key: POSTGRES_USER
- name: POSTGRES_PASS
valueFrom:
secretKeyRef:
name: tandoor
key: POSTGRES_PASSWORD


@@ -0,0 +1,31 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: tandoor
namespace: default
type: Opaque
stringData:
SECRET_KEY: ENC[AES256_GCM,data:Em/RAzEFrQ0vSHrTUAe2CfWii49IVRZkZQt9czp41j0=,iv:cF+q2+E9gtF5LKP974Y5o/MOrdxcvfe8VXUqHhP46Mc=,tag:RlY7ciWvKsZl5S/ljUc9GA==,type:str]
POSTGRES_USER: ENC[AES256_GCM,data:2l2CmdToJg==,iv:lP3yvRedxN3L8sheO71sI5BNOBIEAnQ+QoAm5j4pyyc=,tag:b0yimiebuxKE/PIjhpWr6g==,type:str]
POSTGRES_PASSWORD: ENC[AES256_GCM,data:eGkJzNO6i0vARiw3XXK87g==,iv:iVwOOiTuwI3aK+zdDIZotgLCvbyvYC7sl8vuhyMSyUg=,tag:Vix0RHru20p0fj0a5LH9Sw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2
akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC
Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT
Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq
DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-17T09:12:23Z"
mac: ENC[AES256_GCM,data:aftbkgTFye4mvKE2cT8ygQ76Ybx8Lt5dd9moHJgdMqRzQZBeOctMlaMD2Jm7EY0psuAUkGz4+OS5pv7HJ2/1/rVYNqMsLSpoIYs236te0F58BS1yjHHi1YPNsfhdskPBs6e7xONQTrwQ9Swp/jynosNvuchDCBufxDVk5WG8auo=,iv:JjmbM44EKp6Suw/B2VLLcBZmsfxNuA6OZPaUoWQDvVo=,tag:X1Cuo0XvgmyOWiOQxIZiKg==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: tandoor-files
namespace: default
labels:
app.kubernetes.io/name: &name tandoor
app.kubernetes.io/instance: *name
snapshot.home.arpa/enabled: "true"
spec:
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-block
resources:
requests:
storage: 1Gi


@@ -0,0 +1,62 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app theme-park
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
controller:
replicas: 1
strategy: RollingUpdate
image:
repository: ghcr.io/onedr0p/theme-park
tag: 1.13.1@sha256:f6ad58cc7072e9abef102ec600e1c9fa7ac23ca00f57bdd5878a24443aa55d44
service:
main:
ports:
http:
port: 8080
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
external-dns.home.arpa/enabled: "true"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
resources:
requests:
cpu: 5m
memory: 10Mi
limits:
memory: 50Mi


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,93 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app vaultwarden
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres-cluster
namespace: default
values:
image:
repository: vaultwarden/server
tag: 1.26.0
env:
DATA_FOLDER: "data"
ICON_CACHE_FOLDER: "data/icon_cache"
ATTACHMENTS_FOLDER: "data/attachments"
DOMAIN: "https://vaultwarden.${SECRET_CLUSTER_DOMAIN}"
TZ: "${TIMEZONE}"
SIGNUPS_ALLOWED: "false"
WEBSOCKET_ENABLED: "true"
WEBSOCKET_ADDRESS: 0.0.0.0
WEBSOCKET_PORT: 3012
SMTP_HOST: smtp-relay.default.svc.cluster.local.
SMTP_FROM: vaultwarden@${SECRET_DOMAIN}
SMTP_FROM_NAME: vaultwarden
SMTP_PORT: 2525
SMTP_SECURITY: off
envFrom:
- secretRef:
name: *app
podAnnotations:
secret.reloader.stakater.com/reload: *app
service:
main:
ports:
http:
port: &port 80
websocket:
enabled: true
port: &websocket-port 3012
persistence:
data:
enabled: true
existingClaim: vaultwarden-data
mountPath: /data
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
external-dns.home.arpa/enabled: "true"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
service:
port: *port
- path: /notifications/hub/negotiate
pathType: Prefix
service:
port: *port
- path: /notifications/hub
pathType: Prefix
service:
port: *websocket-port
tls:
- hosts:
- *host
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
memory: 2Gi
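Review bot: `SMTP_SECURITY: off` is an unquoted scalar; under the YAML 1.1 boolean rules that the Go YAML libraries behind Flux and Helm follow, `off` is parsed as `false`, so vaultwarden is likely to receive `SMTP_SECURITY=false` instead of the literal `off` it expects. Quote it: `SMTP_SECURITY: "off"`. The same `env` map mixes quoted (`"false"`, `"true"`) and bare values (`WEBSOCKET_PORT: 3012`, `SMTP_PORT: 2525`); quoting all of them keeps every env value a string regardless of how the chart renders them.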


@@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
- secret.sops.yaml
- volume.yaml
patchesStrategicMerge:
- patches/postgres.yaml


@@ -0,0 +1,31 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: vaultwarden
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.5
env:
- name: POSTGRES_HOST
value: postgres-rw.default.svc.cluster.local.
- name: POSTGRES_DB
value: vaultwarden
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: vaultwarden
key: POSTGRES_USER
- name: POSTGRES_PASS
valueFrom:
secretKeyRef:
name: vaultwarden
key: POSTGRES_PASS


@@ -0,0 +1,32 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: vaultwarden
namespace: default
type: Opaque
stringData:
ADMIN_TOKEN: ENC[AES256_GCM,data:lckmNXsxah0qbl0Lj+U9ow9iL8i2UcELDBVHX/auyfqW+1Lp6QzutQ9A20m04y9RHRU8ifXo4mfaA5Bn6FvuYQ==,iv:qWBB0oeZJ7Bju+nGdrGZm/hjODi7vPVnRb6Qiw0jmFY=,tag:Sg5nfHjFx5jo6GD0GGglwg==,type:str]
DATABASE_URL: ENC[AES256_GCM,data:mFxeL8sQIuEG0x+c9ZN9cgFzx4xLOEFprQuNL12w6ZuGxMlY2gAJ3W/fktnbSqHveaKqBulKrh8StS/AtFZ9P27EPZqZuIPDJ3JI42zWtB2krW9CmK7SIa+oxfRLCdXug646,iv:vwlwfOcuXjE6kXLcASqq4yXNrA6jblfr5d0j8jlFTSw=,tag:yR2TzKyhpRlc91U3ob5rkg==,type:str]
POSTGRES_USER: ENC[AES256_GCM,data:C8AE1A15q9TnIqk=,iv:4B+9fmpVu6B4HyQ2FF6tiCBYBP8q88ExRfLZuyIbbIA=,tag:tCPk0oYjP2uQfKu6a4HP4g==,type:str]
POSTGRES_PASS: ENC[AES256_GCM,data:er6JHXy0vxBperPCq3fWOWYh,iv:aUh/ZwFb4XWirA5V0/9O8dIsQHQlWJIqe8cq5WXAlv4=,tag:M++5dqnSyY5DVKyxaoCkMg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-16T11:38:24Z"
mac: ENC[AES256_GCM,data:UvnBQRkO/GDyUkTVPGkXsDCy3HTpjTtFJdQPU6Y375qy+3kI8SJFQ/YlYL3Z5W5OBnriOfMrfzOK8+QbaPGHK9hg2A6dDXPwjF+8YYesUspOJ+lRCoWsuubYJragW7nKcpeNVcMMWPNFK1vPwCR0pC8rBZDOF8dXoGe9Ozk1yvA=,iv:2P/c5IXti6zV/j9QFynvS+bXwgH6mANh6CzB4vCmE1Q=,tag:GmOovYX2kVjDL9fm17gAHw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vaultwarden-data
namespace: default
labels:
app.kubernetes.io/name: &name vaultwarden
app.kubernetes.io/instance: *name
snapshot.home.arpa/enabled: "true"
spec:
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-block
resources:
requests:
storage: 1Gi


@@ -0,0 +1,31 @@
{
admin off
auto_https off
}
:8080 {
log {
output stdout
}
@api {
path /api/*
path /.well-known/*
path /dav/*
}
header {
# Remove Server header
-Server
}
# API
handle @api {
reverse_proxy localhost:3456
}
# Filtron
handle {
reverse_proxy localhost:80
}
}
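Review bot: The `# Filtron` comment above the fallback `handle` block is a leftover from a searx-style deployment; here the block proxies everything that is not `@api` to `localhost:80`, which in the accompanying release is the `vikunja/frontend` sidecar. Rename it `# Frontend (vikunja/frontend on :80)` so the next reader does not look for a filtron container. `admin off` and the stripped `Server` header are good, and `auto_https off` is appropriate since TLS is terminated at the ingress.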


@@ -0,0 +1,120 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app vikunja
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres-cluster
namespace: default
values:
controller:
replicas: 1
strategy: Recreate
image:
repository: caddy
tag: 2.6.2-alpine
envFrom:
- secretRef:
name: *app
service:
main:
ports:
http:
port: 8080
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
external-dns.home.arpa/enabled: "true"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
persistence:
files:
enabled: true
existingClaim: vikunja-files
mountpath: /app/vikunja/files
caddy-config:
enabled: "true"
mountPath: /etc/caddy/Caddyfile
subPath: Caddyfile
type: "custom"
volumeSpec:
configMap:
name: *app
vikunja-config:
enabled: "true"
mountPath: /etc/vikunja/config.yml
subPath: Vikunja.yaml
type: "custom"
volumeSpec:
configMap:
name: *app
podAnnotations:
configMap.reloader.stakater.com/reload: *app
secret.reloader.stakater.com/reload: *app
resources:
requests:
cpu: 5m
memory: 10Mi
limits:
memory: 100Mi
additionalContainers:
api:
name: api
image: vikunja/api:0.20.1
imagePullPolicy: IfNotPresent
env:
- name: VIKUNJA_SERVICE_JWTSECRET
valueFrom:
secretKeyRef:
name: vikunja
key: VIKUNJA_SERVICE_JWTSECRET
- name: VIKUNJA_DATABASE_TYPE
value: postgres
- name: VIKUNJA_DATABASE_HOST
value: postgres-rw.default.svc.cluster.local.
- name: VIKUNJA_DATABASE_DATABASE
value: vikunja
- name: VIKUNJA_DATABASE_USER
valueFrom:
secretKeyRef:
name: vikunja
key: VIKUNJA_DATABASE_USER
- name: VIKUNJA_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: vikunja
key: VIKUNJA_DATABASE_PASSWORD
volumeMounts:
- name: vikunja-config
mountPath: /etc/vikunja/config.yml
subPath: Vikunja.yaml
frontend:
name: frontend
image: vikunja/frontend:0.20.1
imagePullPolicy: IfNotPresent
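Review bot: The `files` PVC (`vikunja-files`) is declared under `persistence`, which only mounts into the main (caddy) container, while the `api` sidecar's `volumeMounts` lists only `vikunja-config`; attachments the API writes under `/app/vikunja/files` therefore land on the container's ephemeral filesystem and are lost on restart. The key is also spelled `mountpath` rather than `mountPath`, so even the caddy-side mount likely falls back to the chart default path. Add `- name: files` with `mountPath: /app/vikunja/files` to the api container's `volumeMounts`. Likewise `envFrom: secretRef: vikunja` is on the caddy container, so the `VIKUNJA_MAILER_*` keys in the secret never reach the api container unless listed in its `env`.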


@@ -0,0 +1,16 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- secret.sops.yaml
- helm-release.yaml
- volume.yaml
patchesStrategicMerge:
- patches/postgres.yaml
configMapGenerator:
- name: vikunja
files:
- config/Caddyfile
generatorOptions:
disableNameSuffixHash: true
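Review bot: The HelmRelease mounts `subPath: Vikunja.yaml` from ConfigMap `vikunja` into both the caddy and api containers, but this `configMapGenerator` only packs `config/Caddyfile`, so the `Vikunja.yaml` key does not exist; a subPath mount of a missing key is likely to fail at pod start or leave an empty path at `/etc/vikunja/config.yml`. Either add `- config/Vikunja.yaml` under `files:` (if that file exists elsewhere in the commit) or drop the `vikunja-config` mounts, since the api container is already configured through environment variables.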


@@ -0,0 +1,31 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: vikunja
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.5
env:
- name: POSTGRES_HOST
value: postgres-rw.default.svc.cluster.local.
- name: POSTGRES_DB
value: vikunja
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: vikunja
key: VIKUNJA_DATABASE_USER
- name: POSTGRES_PASS
valueFrom:
secretKeyRef:
name: vikunja
key: VIKUNJA_DATABASE_PASSWORD


@@ -0,0 +1,34 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: vikunja
namespace: default
type: Opaque
stringData:
VIKUNJA_SERVICE_JWTSECRET: ENC[AES256_GCM,data:4J8HtMOUKxNTEksSXYKrAAQ2KNFvdluzTvzY05/8T7k=,iv:h/666tO3f5hplYEaVJsh4BGjPlO/sFopb3+ryI3dzsQ=,tag:8dJLb9f2QgH9S/8qwF2ryg==,type:str]
VIKUNJA_DATABASE_USER: ENC[AES256_GCM,data:IzqNYqs+HQ==,iv:bfIcOoN/DhtqAcTYtSRBXnnPF+0zM4YY+kKYGesEUJo=,tag:4C1FeAoG6QOc2AqKRKxaSw==,type:str]
VIKUNJA_DATABASE_PASSWORD: ENC[AES256_GCM,data:7EylHKZA0JLmu+9ooB8oVw==,iv:AaXKHrU9yBPE1hci/cfOtnkxq5XHVeoJbRLzJ/SjLxE=,tag:x9stCWILtUYHjxBKNrhXEg==,type:str]
VIKUNJA_MAILER_HOST: ENC[AES256_GCM,data:oRfkMDOjxFl1f/EOlAkkHgEFTufyYjcvv6RwFSMRyLGKt/wr8A==,iv:U3Jafk0PMBnjzEfvyZ9x5oUUfulCee7j6FTgg+bNGiA=,tag:b0EYelcD1+mZJgF6MGQbiA==,type:str]
VIKUNJA_MAILER_PORT: ENC[AES256_GCM,data:hR5uWg==,iv:r7C2+WKphiadrgSC5yPlSEzB848im2sycU/3JW/B8PQ=,tag:W1wZ+onDoOtQc/Ew40JFkg==,type:str]
VIKUNJA_MAILER_FROMEMAIL: ENC[AES256_GCM,data:UpQWnJN0aLcBYAi238SGkWg1TrjOqUXA3JtBSalZVfuroA==,iv:VVUjuNiIc82KlH2pd0qMlOIZEoRi3DHcRqP1yGTk/IU=,tag:PVqBIYoD9Tz1hg74coLeHA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2
akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC
Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT
Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq
DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-16T20:42:23Z"
mac: ENC[AES256_GCM,data:0fH3fnxti4QLymzxc0gN5SWXbzpKUl0Mq2OG/fs5jx3YB9YW2ZNR6D7eO7A0dtF8G61YZT/fL4+MJtcQW8Gl/snVAFdEU2GLs6Jr5orCFvoHzaIzkl68/eehrWC6CFHpfljlBqNn5lA85GU8t4zrIbZiO207rDdPYsTZIXu3G8E=,iv:bOzx4OVPkoTbvABLsRF11VshmYIyTImhgRbPEiCF6lM=,tag:3I2VNKnAeqwK5yqdYiK0hQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vikunja-files
namespace: default
labels:
app.kubernetes.io/name: &name vikunja
app.kubernetes.io/instance: *name
snapshot.home.arpa/enabled: "true"
spec:
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-block
resources:
requests:
storage: 1Gi


@@ -0,0 +1,72 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app wallabag
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres-cluster
namespace: default
- name: redis
namespace: default
values:
controller:
replicas: 1
strategy: Recreate
image:
repository: wallabag/wallabag
tag: 2.5.2
envFrom:
- secretRef:
name: *app
enableServiceLinks: false
service:
main:
ports:
http:
port: 80
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
external-dns.home.arpa/enabled: "true"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
securityContext:
runAsUser: 0
persistence:
images:
enabled: true
existingClaim: wallabag-images
podAnnotations:
secret.reloader.stakater.com/reload: *app
resources:
requests:
cpu: 100m
memory: 250Mi
limits:
memory: 512Mi
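Review bot: `persistence.images` points at `wallabag-images` but sets no `mountPath`, so the chart will mount it at its default location rather than where the wallabag image writes downloaded pictures; verify the path the image uses and set it explicitly, e.g. `mountPath: /var/www/wallabag/web/assets/images` (confirm against the image). The release also sets `securityContext.runAsUser: 0`, running the application as root; if the entrypoint genuinely needs it, say so in a comment, since most other releases in this commit do not run as root.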


@@ -0,0 +1,11 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- helm-release.yaml
- secret.sops.yaml
- volume.yaml
patchesStrategicMerge:
- patches/env.yaml
- patches/postgres.yaml


@@ -0,0 +1,19 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: wallabag
namespace: default
spec:
values:
env:
SYMFONY__ENV__DATABASE_DRIVER: pdo_pgsql
SYMFONY__ENV__DATABASE_HOST: postgres-rw.default.svc.cluster.local.
SYMFONY__ENV__DATABASE_PORT: 5432
SYMFONY__ENV__DATABASE_NAME: wallabag
SYMFONY__ENV__REDIS_HOST: redis.default.svc.cluster.local.
SYMFONY__ENV__DOMAIN_NAME: https://wallabag.${SECRET_CLUSTER_DOMAIN}
SYMFONY__ENV__SERVER_NAME: Wallabag
SYMFONY__ENV__FOSUSER_REGISTRATION: "false"
SYMFONY__ENV__FOSUSER_CONFIRMATION: "false"
POPULATE_DATABASE: "false"
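Review bot: The env set here leaves `SYMFONY__ENV__SECRET` unset, and the accompanying `wallabag` SOPS secret only carries the database user and password; if the image ships a default Symfony secret, this instance shares the key used for CSRF tokens and remember-me cookies with every other default install. Add a generated `SYMFONY__ENV__SECRET` to the SOPS secret, which is already loaded through `envFrom`. `SYMFONY__ENV__DATABASE_PORT: 5432` is a bare integer; quote it unless the chart stringifies env values.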


@@ -0,0 +1,31 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: wallabag
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.5
env:
- name: POSTGRES_HOST
value: postgres-rw.default.svc.cluster.local.
- name: POSTGRES_DB
value: wallabag
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: wallabag
key: SYMFONY__ENV__DATABASE_USER
- name: POSTGRES_PASS
valueFrom:
secretKeyRef:
name: wallabag
key: SYMFONY__ENV__DATABASE_PASSWORD


@@ -0,0 +1,30 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: wallabag
namespace: default
type: Opaque
stringData:
SYMFONY__ENV__DATABASE_USER: ENC[AES256_GCM,data:h8pfT3ZnClc=,iv:2zW23/OmEWJJIf1NFJKqnVBenNsB+NA4qchYNLzuiJ4=,tag:JCl+8+z2tCByWzEomYsiCQ==,type:str]
SYMFONY__ENV__DATABASE_PASSWORD: ENC[AES256_GCM,data:1fIzVV2zPYBs/NUimG8=,iv:4LiY6LJtmV7UHlvw+GQn0HmISm3WL11y382gkPl+aCQ=,tag:CCL/dmqz2JolNe7H8ybDVg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2
akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC
Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT
Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq
DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-16T09:15:34Z"
mac: ENC[AES256_GCM,data:RQzfap7GaeaS0dnZs0wdzPsNT4T1Wsz0ovSO1d766U/w9FlfU2nLfmVCHjKdmhCDq99gxazA5mKzaE1sUPtRrtO1td80G4KTe7jm8DDOLMQOQXgo+QN+W6hJ398uCfkrobtaQFE3YCa9sGyON5Rq2jubQ3+WyvZv/gV1oIvCVAU=,iv:o/wxk2bB97j9wcKqM3/T4kCYWrrKSGlIqgFhvTo9H9E=,tag:0VKKqxudYaNBDjGUm9O/ww==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: wallabag-images
namespace: default
labels:
app.kubernetes.io/name: &name wallabag
app.kubernetes.io/instance: *name
snapshot.home.arpa/enabled: "true"
spec:
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-block
resources:
requests:
storage: 2Gi


@@ -0,0 +1,76 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app whoogle
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
controller:
replicas: 2
strategy: RollingUpdate
image:
repository: docker.io/benbusby/whoogle-search
tag: 0.7.4
env:
WHOOGLE_ALT_TW: nitter.${SECRET_CLUSTER_DOMAIN}
WHOOGLE_ALT_YT: invidious.${SECRET_CLUSTER_DOMAIN}
WHOOGLE_ALT_IG: imginn.com
WHOOGLE_ALT_RD: libreddit.${SECRET_CLUSTER_DOMAIN}
WHOOGLE_ALT_MD: scripe.rip
WHOOGLE_ALT_TL: farside.link/lingva
WHOOGLE_ALT_IMG: bibliogram.art
# WHOOGLE_ALT_WIKI: wikiless.org
WHOOGLE_CONFIG_ALTS: 1
WHOOGLE_CONFIG_COUNTRY: FR
WHOOGLE_CONFIG_GET_ONLY: 1
WHOOGLE_CONFIG_THEME: system
WHOOGLE_CONFIG_URL: https://whoogle.${SECRET_CLUSTER_DOMAIN}/
service:
main:
ports:
http:
port: 5000
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
external-dns.home.arpa/enabled: "true"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
resources:
requests:
cpu: 10m
memory: 50Mi
limits:
memory: 250Mi
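Review bot: `WHOOGLE_ALT_MD: scripe.rip` looks like a typo of `scribe.rip` (the Medium frontend); as written, every rewritten Medium link sends users to a domain that may not be under anyone's trusted control, a phishing risk for a feature meant to protect them. Change it to `WHOOGLE_ALT_MD: scribe.rip`, and double-check that the other third-party alternates (`imginn.com`, `bibliogram.art`, `farside.link/lingva`) are still the intended, maintained hosts. The numeric `WHOOGLE_CONFIG_*` values are bare integers; quote them so they render as string env values.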


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml