diff --git a/cluster/apps/data/homer/helm-release.yaml b/cluster/apps/data/homer/helm-release.yaml deleted file mode 100644 index 0bdaaf18a..000000000 --- a/cluster/apps/data/homer/helm-release.yaml +++ /dev/null @@ -1,85 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: homer - namespace: data -spec: - interval: 5m - chart: - spec: - # renovate: registryUrl=https://k8s-at-home.com/charts/ - chart: homer - version: 8.0.2 - sourceRef: - kind: HelmRepository - name: k8s-at-home-charts - namespace: flux-system - interval: 5m - values: - image: - repository: b4bz/homer - tag: v22.08.1 - pullPolicy: IfNotPresent - - env: - TZ: "${TIMEZONE}" - - persistence: - config: - enabled: true - mountPath: /www/assets - existingClaim: homer-config - - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http - - ingress: - main: - enabled: true - ingressClassName: "nginx" - hosts: - - host: "homer.${SECRET_CLUSTER_DOMAIN}" - paths: - - path: / - pathType: Prefix - - host: "services.${SECRET_CLUSTER_DOMAIN}" - paths: - - path: / - pathType: Prefix - tls: - - hosts: - - "homer.${SECRET_CLUSTER_DOMAIN}" - - "services.${SECRET_CLUSTER_DOMAIN}" - - addons: - codeserver: - enabled: true - image: - repository: ghcr.io/k8s-at-home/code-server - tag: v4.6.0 - workingDir: "/www/assets" - args: - - --auth - - "none" - - --user-data-dir - - "/www/assets/.vscode" - - --extensions-dir - - "/www/assets/.vscode" - ingress: - enabled: true - ingressClassName: "nginx" - hosts: - - host: "homer-config.${SECRET_CLUSTER_DOMAIN}" - paths: - - path: / - pathType: Prefix - tls: - - hosts: - - "homer-config.${SECRET_CLUSTER_DOMAIN}" - volumeMounts: - - name: config - mountPath: /www/assets diff --git a/cluster/apps/data/jobs/kustomization.yaml b/cluster/apps/data/jobs/kustomization.yaml deleted file mode 100644 index cf30275bb..000000000 --- a/cluster/apps/data/jobs/kustomization.yaml +++ /dev/null 
@@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - serviceaccount.yaml diff --git a/cluster/apps/data/jobs/serviceaccount.yaml b/cluster/apps/data/jobs/serviceaccount.yaml deleted file mode 100644 index a912eecad..000000000 --- a/cluster/apps/data/jobs/serviceaccount.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: jobs - namespace: data ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: jobs-edit - namespace: data -subjects: - - kind: ServiceAccount - name: jobs -roleRef: - kind: ClusterRole - name: edit - apiGroup: rbac.authorization.k8s.io diff --git a/cluster/apps/data/kustomization.yaml b/cluster/apps/data/kustomization.yaml deleted file mode 100644 index 6571efd47..000000000 --- a/cluster/apps/data/kustomization.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - namespace.yaml - - homer - - jobs - - pgadmin - - pgbackups - - resilio-sync - - tandoor - - truecommand diff --git a/cluster/apps/data/namespace.yaml b/cluster/apps/data/namespace.yaml deleted file mode 100644 index 1988068ac..000000000 --- a/cluster/apps/data/namespace.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: data diff --git a/cluster/apps/data/pgadmin/helm-release.yaml b/cluster/apps/data/pgadmin/helm-release.yaml deleted file mode 100644 index 7d009795e..000000000 --- a/cluster/apps/data/pgadmin/helm-release.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: pgadmin - namespace: data -spec: - interval: 5m - chart: - spec: - # renovate: registryUrl=https://helm.runix.net - chart: pgadmin4 - version: 1.12.1 - sourceRef: - kind: HelmRepository - name: runix-charts - namespace: flux-system - interval: 5m - values: - - image: - repository: dpage/pgadmin4 - tag: 6.13 - - env: - email: ${SECRET_PGADMIN_EMAIL} - password: ${SECRET_PGADMIN_PASSWORD} - - strategy: - type: Recreate - - persistentVolume: - enabled: true - existingClaim: pgadmin-config - - ingress: - enabled: true - hosts: - - host: "pgadmin.${SECRET_CLUSTER_DOMAIN}" - paths: - - path: / - pathType: Prefix - tls: - - hosts: - - "pgadmin.${SECRET_CLUSTER_DOMAIN}" - postRenderers: - - kustomize: - patchesJson6902: - - target: - kind: Ingress - name: pgadmin-pgadmin4 - patch: - - op: add - path: /spec/ingressClassName - value: nginx diff --git a/cluster/apps/data/pgbackups/deployment.yaml b/cluster/apps/data/pgbackups/deployment.yaml deleted file mode 100644 index bf1397c40..000000000 --- a/cluster/apps/data/pgbackups/deployment.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: pgbackups - namespace: data - labels: - app.kubernetes.io/instance: pgbackups - app.kubernetes.io/name: pgbackups -spec: - selector: - matchLabels: - app.kubernetes.io/instance: pgbackups - app.kubernetes.io/name: pgbackups - replicas: 1 - template: - metadata: - labels: - app.kubernetes.io/instance: pgbackups - app.kubernetes.io/name: pgbackups - spec: - imagePullSecrets: - - name: regcred - containers: - - name: pgbackups - image: ghcr.io/auricom/postgres-backup-local:v14.4@sha256:b70f8ca203b38240c87c86c2d95f86d1e8e1e62602ebe1e8fd5830c2376b889e - env: - - name: POSTGRES_HOST - value: postgres.${SECRET_DOMAIN} - - name: POSTGRES_DB - value: authelia,freshrss,gitea,hass,healthchecks,joplin,lychee,recipes,sharry,outline,vaultwarden,vikunja,wallabag - - name: POSTGRES_USER - value: postgres - - name: POSTGRES_PASSWORD - value: ${SECRET_POSTGRESQL_POSTGRES_PASSWORD} - - name: POSTGRES_EXTRA_OPTS - value: "-Z9 --schema=public --blobs" - - name: SCHEDULE - value: "@daily" - - name: BACKUP_KEEP_DAYS - value: "7" - - name: BACKUP_KEEP_WEEKS - value: "4" - - name: BACKUP_KEEP_MONTHS - value: "3" - - name: HEALTHCHECK_PORT - value: "8080" - - name: WEBHOOK_URL - value: "http://healthchecks.default.svc.cluster.local.:/ping/${SECRET_HEALTHCHECKS_PING_KEY}/postgresql-backup" - resources: - requests: - cpu: 150m - memory: 256Mi - ports: - - containerPort: 8080 - volumeMounts: - - name: backups - mountPath: /backups - subPath: postgresql - volumes: - - name: backups - nfs: - server: "${LOCAL_LAN_TRUENAS}" - path: /mnt/storage/backups - dnsConfig: - options: - - name: ndots - value: "1" diff --git a/cluster/apps/data/pgbackups/kustomization.yaml b/cluster/apps/data/pgbackups/kustomization.yaml deleted file mode 100644 index 9c2d28b0c..000000000 --- a/cluster/apps/data/pgbackups/kustomization.yaml +++ /dev/null 
@@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - deployment.yaml diff --git a/cluster/apps/data/resilio-sync/statefulset.yaml b/cluster/apps/data/resilio-sync/statefulset.yaml deleted file mode 100644 index a6b7220a4..000000000 --- a/cluster/apps/data/resilio-sync/statefulset.yaml +++ /dev/null 
@@ -1,245 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: resilio-sync - namespace: data - labels: - app.kubernetes.io/instance: resilio-sync - app.kubernetes.io/name: resilio-sync -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: resilio-sync - app.kubernetes.io/name: resilio-sync - updateStrategy: - type: OnDelete - serviceName: resilio-sync - strategy: - template: - metadata: - labels: - app.kubernetes.io/instance: resilio-sync - app.kubernetes.io/name: resilio-sync - spec: - containers: - - image: ghcr.io/linuxserver/resilio-sync:version-2.7.3.1381-1 - name: resilio-sync-claude - env: - - name: TZ - value: "${TIMEZONE}" - - name: PUID - value: "1026" - - name: PGID - value: "1000" - ports: - - containerPort: 8888 - name: http-claude - - containerPort: 55555 - name: com-claude - volumeMounts: - - name: config - mountPath: /config - subPath: claude - - name: sync-conf-claude - mountPath: /config/sync.conf - subPath: sync.conf - - name: home-claude - mountPath: /sync/home/claude - - name: photo - mountPath: /sync/photo - - name: backups - mountPath: /sync/backup - - name: music-transcoded - mountPath: /sync/music_transcoded - - name: video - mountPath: /sync/video - - name: shared-documents - mountPath: /sync/shared-documents - - image: ghcr.io/linuxserver/resilio-sync:version-2.7.3.1381-1 - name: resilio-sync-helene - env: - - name: TZ - value: "${TIMEZONE}" - - name: PUID - value: "1027" - - name: PGID - value: "1000" - ports: - - containerPort: 8889 - name: http-helene - - containerPort: 55556 - name: com-helene - volumeMounts: - - name: config - mountPath: /config - subPath: helene - - name: sync-conf-helene - mountPath: /config/sync.conf - subPath: sync.conf - - name: home-helene - mountPath: /sync/home - - name: backups - mountPath: /sync/backup - volumes: - - name: config - persistentVolumeClaim: - claimName: resilio-sync-config - - name: sync-conf-claude - configMap: - name: resilio-sync-claude-conf - - 
name: sync-conf-helene - configMap: - name: resilio-sync-helene-conf - - name: home-claude - nfs: - server: "${LOCAL_LAN_TRUENAS}" - path: /mnt/storage/home/claude - - name: home-helene - nfs: - server: "${LOCAL_LAN_TRUENAS}" - path: /mnt/storage/home/helene - - name: backups - nfs: - server: "${LOCAL_LAN_TRUENAS}" - path: /mnt/storage/backups - - name: photo - nfs: - server: "${LOCAL_LAN_TRUENAS}" - path: /mnt/storage/photo - - name: music-transcoded - nfs: - server: "${LOCAL_LAN_OPENMEDIAVAULT}" - path: /export/music_transcoded - - name: video - nfs: - server: "${LOCAL_LAN_TRUENAS}" - path: /mnt/storage/video - - name: shared-documents - nfs: - server: "${LOCAL_LAN_TRUENAS}" - path: /mnt/storage/shared-documents - dnsConfig: - options: - - name: ndots - value: "1" ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: resilio-sync-claude-conf - namespace: data -data: - sync.conf: | - { - "listening_port" : 55555, - "storage_path" : "/config", - "vendor" : "docker", - "display_new_version": false, - - "directory_root_policy" : "belowroot", - "directory_root" : "/sync/", - "webui" : - { - "listen" : "0.0.0.0:8888", - "allow_empty_password" : false, - "dir_whitelist" : [ "/sync", "/sync/folders", "/sync/mounted_folders" ] - } - } ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: resilio-sync-helene-conf - namespace: data -data: - sync.conf: | - { - "listening_port" : 55556, - "storage_path" : "/config", - "vendor" : "docker", - "display_new_version": false, - - "directory_root_policy" : "belowroot", - "directory_root" : "/sync/", - "webui" : - { - "listen" : "0.0.0.0:8889", - "allow_empty_password" : false, - "dir_whitelist" : [ "/sync", "/sync/folders", "/sync/mounted_folders" ] - } - } ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: tcp - labels: - app.kubernetes.io/instance: resilio-sync - app.kubernetes.io/name: resilio-sync - name: resilio-sync - namespace: data -spec: - ports: - - 
name: http-claude - port: 8888 - protocol: TCP - targetPort: 8888 - - name: http-helene - port: 8889 - protocol: TCP - targetPort: 8889 - - name: com-claude - port: 55555 - protocol: TCP - targetPort: 55555 - - name: com-helene - port: 55556 - protocol: TCP - targetPort: 55556 - selector: - app.kubernetes.io/instance: resilio-sync - app.kubernetes.io/name: resilio-sync - type: LoadBalancer - externalIPs: - - ${CLUSTER_LB_RESILIOSYNC} - externalTrafficPolicy: Local ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - labels: - app.kubernetes.io/instance: resilio-sync - app.kubernetes.io/name: resilio-sync - name: resilio-sync - namespace: data -spec: - ingressClassName: "nginx" - tls: - - hosts: - - "resilio-sync-claude.${SECRET_CLUSTER_DOMAIN}" - - "resilio-sync-helene.${SECRET_CLUSTER_DOMAIN}" - rules: - - host: "resilio-sync-claude.${SECRET_CLUSTER_DOMAIN}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: resilio-sync - port: - number: 8888 - - host: "resilio-sync-helene.${SECRET_CLUSTER_DOMAIN}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: resilio-sync - port: - number: 8889 diff --git a/cluster/apps/data/tandoor/helm-release.yaml b/cluster/apps/data/tandoor/helm-release.yaml deleted file mode 100644 index f63a0ef88..000000000 --- a/cluster/apps/data/tandoor/helm-release.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: tandoor - namespace: data -spec: - interval: 5m - chart: - spec: - # renovate: registryUrl=https://k8s-at-home.com/charts/ - chart: recipes - version: 6.6.2 - sourceRef: - kind: HelmRepository - name: k8s-at-home-charts - namespace: flux-system - interval: 5m - values: - image: - repository: vabene1111/recipes - tag: 1.3.3 - pullPolicy: IfNotPresent - - env: - SECRET_KEY: ${SECRET_RECIPES_SECRET_KEY} - DEBUG: "0" - ALLOWED_HOSTS: "*" - DB_ENGINE: django.db.backends.postgresql - POSTGRES_HOST: postgres.${SECRET_DOMAIN} - POSTGRES_PORT: 5432 - POSTGRES_DB: recipes - POSTGRES_USER: recipes - POSTGRES_PASSWORD: ${SECRET_RECIPES_DB_PASSWORD} - GUNICORN_MEDIA: "0" - TIMEZONE: ${TIMEZONE} - FRACTION_PREF_DEFAULT: "0" - COMMENT_PREF_DEFAULT: "1" - SHOPPING_MIN_AUTOSYNC_INTERVAL: "5" - - sidecar: - image: - repository: nginx - tag: 1.23.1 - pullPolicy: IfNotPresent - - persistence: - media: - enabled: true - existingClaim: recipes-files - mountPath: /opt/recipes/mediafiles - static: - enabled: true - type: emptyDir - - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http - - ingress: - main: - enabled: true - ingressClassName: "nginx" - hosts: - - host: "tandoor.${SECRET_CLUSTER_DOMAIN}" - paths: - - path: / - pathType: Prefix - tls: - - hosts: - - "tandoor.${SECRET_CLUSTER_DOMAIN}" diff --git a/cluster/apps/databases/kustomization.yaml b/cluster/apps/databases/kustomization.yaml index b28be040c..2677f2376 100644 --- a/cluster/apps/databases/kustomization.yaml +++ b/cluster/apps/databases/kustomization.yaml @@ -3,5 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: default resources: + - pgadmin + - pgbackups - postgres - redis diff --git a/cluster/apps/databases/pgadmin/helm-release.yaml b/cluster/apps/databases/pgadmin/helm-release.yaml new file mode 100644 index 000000000..e381fb992 --- /dev/null 
+++ b/cluster/apps/databases/pgadmin/helm-release.yaml @@ -0,0 +1,60 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: &app pgadmin + namespace: default +spec: + interval: 15m + chart: + spec: + chart: app-template + version: 0.2.1 + sourceRef: + kind: HelmRepository + name: bjw-s-charts + namespace: flux-system + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 + values: + image: + repository: dpage/pgadmin4 + tag: "6.13" + env: + PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION: "False" + envFrom: + - secretRef: + name: *app + service: + main: + ports: + http: + port: 80 + ingress: + main: + enabled: true + ingressClassName: "nginx" + hosts: + - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - *host + persistence: + config: + enabled: true + existingClaim: pgadmin-config + mountPath: /var/lib/pgadmin + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + memory: 500Mi diff --git a/cluster/apps/data/resilio-sync/kustomization.yaml b/cluster/apps/databases/pgadmin/kustomization.yaml similarity index 65% rename from cluster/apps/data/resilio-sync/kustomization.yaml rename to cluster/apps/databases/pgadmin/kustomization.yaml index c6a5fa7c7..1c805092e 100644 --- a/cluster/apps/data/resilio-sync/kustomization.yaml +++ b/cluster/apps/databases/pgadmin/kustomization.yaml @@ -1,5 +1,7 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - statefulset.yaml + - secret.sops.yaml - volume.yaml + - helm-release.yaml diff --git a/cluster/apps/databases/pgadmin/secret.sops.yaml b/cluster/apps/databases/pgadmin/secret.sops.yaml new file mode 100644 index 000000000..864f6b9c1 --- /dev/null +++ b/cluster/apps/databases/pgadmin/secret.sops.yaml 
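Review bot: `PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION: "False"` in the new `values.env` turns off pgAdmin's session-to-client binding with no comment saying why, so a later reader cannot tell a deliberate proxy workaround from a hardening regression. If it is there because the nginx ingress in this same file changes the client address the check relies on (likely, but not visible here), record that above the key: `# Enhanced cookie protection binds the session to the client address and breaks behind the nginx ingress; keep "False" only while the ingress is the sole entry point — confirm`. The ingress host `{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}` carries no auth annotations, so pgAdmin's own login (credentials now correctly sourced from the `pgadmin` Secret via `envFrom`) is the only gate in front of a database admin UI; worth a one-line comment stating that this is intended.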
@@ -0,0 +1,30 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: pgadmin + namespace: default +type: Opaque +stringData: + PGADMIN_DEFAULT_EMAIL: ENC[AES256_GCM,data:Wd9Qcm7AmuvGHWyfe277NnCDaRiKQw==,iv:rP1B90nsQs5s0OAGvTAW9X99fprpTMa9Y1COgtrcPOI=,tag:odhJmt+W6yoXfEhYPj0Rcw==,type:str] + PGADMIN_DEFAULT_PASSWORD: ENC[AES256_GCM,data:SWUqh0QUjYWjCruuZPQ=,iv:F1rwMkkHu2lgFDlUK5ZPtvY4KWh9kF8S5B0VnsiBUoE=,tag:Haa3c8UsJpQDsYG9hWWj/Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2 + bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC + VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw + OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+ + LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-09-17T07:32:43Z" + mac: ENC[AES256_GCM,data:iWV6sSItfSAGEjpEytnA/33bkseU+rguCuF3OG7ZAnECFgfLOkTqu4prATJwSKnowom+BcjjqbFMNuS3dQ5l+IIrOVkftpjJEXT0L2/5iry7NBePgqraqOvxSMJ9roxk+yHI1GOWo0UEKehYhLxoCe3g32YqTB4ASflKWJU5bzU=,iv:apZ2IbkwLG4Pppu1tvlXAWmsCZLKwbgRh/QBru4kUBI=,tag:hR5dIbKT3IZcQSCOToWFsw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/cluster/apps/data/pgadmin/volume.yaml b/cluster/apps/databases/pgadmin/volume.yaml similarity index 70% rename from cluster/apps/data/pgadmin/volume.yaml rename to cluster/apps/databases/pgadmin/volume.yaml index 28caa8357..c28892b3c 100644 --- a/cluster/apps/data/pgadmin/volume.yaml +++ b/cluster/apps/databases/pgadmin/volume.yaml 
@@ -3,8 +3,10 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: pgadmin-config - namespace: data + namespace: default labels: + app.kubernetes.io/name: &name pgadmin + app.kubernetes.io/instance: *name kasten-io/backup: "true" spec: accessModes: diff --git a/cluster/apps/databases/pgbackups/helm-release.yaml b/cluster/apps/databases/pgbackups/helm-release.yaml new file mode 100644 index 000000000..9173c5da0 --- /dev/null +++ b/cluster/apps/databases/pgbackups/helm-release.yaml @@ -0,0 +1,55 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: &app pgbackups + namespace: default +spec: + interval: 15m + chart: + spec: + chart: app-template + version: 0.2.1 + sourceRef: + kind: HelmRepository + name: bjw-s-charts + namespace: flux-system + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 + values: + image: + repository: prodrigestivill/postgres-backup-local + tag: 14-alpine@sha256:2985300b476382c727fc170d3f2b37972b8445cc92635f1bcc6fa48a1a061f01 + env: + POSTGRES_HOST: postgres-rw.default.svc.cluster.local. + POSTGRES_DB: "authelia,freshrss,gitea,hass,healthchecks,joplin,lychee,recipes,sharry,outline,vaultwarden,vikunja,wallabag" + POSTGRES_EXTRA_OPTS: "-Z9 --schema=public --blobs" + SCHEDULE: "@daily" + BACKUP_KEEP_DAYS: "7" + BACKUP_KEEP_WEEKS: "4" + BACKUP_KEEP_MONTHS: "3" + HEALTHCHECK_PORT: "8080" + WEBHOOK_URL: "http://healthchecks.default.svc.cluster.local.:/ping/${SECRET_HEALTHCHECKS_PING_KEY}/postgresql-backup" + service: + main: + ports: + http: + port: 8080 + persistence: + backups: + enabled: true + type: nfs + server: "${LOCAL_LAN_TRUENAS}" + path: /mnt/storage/backups + mountPath: /backups/postgresql + resources: + requests: + memory: 128Mi + cpu: 50m + limits: + memory: 512Mi 
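Review bot: The new pgbackups HelmRelease never references the `pgbackups` Secret that the next file creates with `POSTGRES_USER`/`POSTGRES_PASSWORD` — `values.env` holds only host, database list and retention, and there is no `envFrom` block, unlike the pgadmin release in this same diff (`envFrom: - secretRef: name: *app`), so the backup container starts without database credentials. Add under `values:` the three lines `envFrom:` / `  - secretRef:` / `      name: *app`. Separately, `persistence.backups.mountPath: /backups/postgresql` replaces the old Deployment's NFS mount at `/backups` with `subPath: postgresql`; if the image's backup directory is `/backups` (not visible here — confirm against the image), dumps now land on the container's ephemeral filesystem rather than the share, with nothing failing loudly. `WEBHOOK_URL` keeps the empty port in `svc.cluster.local.:/ping/...`; it worked before so it is carried over, but `.:/` reads like a typo and deserves either the port or the colon removed.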
diff --git a/cluster/apps/data/pgadmin/kustomization.yaml b/cluster/apps/databases/pgbackups/kustomization.yaml
similarity index 82%
rename from cluster/apps/data/pgadmin/kustomization.yaml
rename to cluster/apps/databases/pgbackups/kustomization.yaml
index 21f1d9e05..2d4a1b6e0 100644
--- a/cluster/apps/data/pgadmin/kustomization.yaml
+++ b/cluster/apps/databases/pgbackups/kustomization.yaml
@@ -1,5 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - secret.sops.yaml
 - helm-release.yaml
- - volume.yaml
diff --git a/cluster/apps/databases/pgbackups/secret.sops.yaml b/cluster/apps/databases/pgbackups/secret.sops.yaml
new file mode 100644
index 000000000..cba71f0ad
--- /dev/null
+++ b/cluster/apps/databases/pgbackups/secret.sops.yaml
@@ -0,0 +1,30 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: pgbackups + namespace: default +type: Opaque +stringData: + POSTGRES_USER: ENC[AES256_GCM,data:iIZa4nQ2GB4=,iv:TozvC0f2xbAau4d+Bh+lNyRf4KuQzrDnFHbJDdVqzp8=,tag:NcYaU6iZzTjDp2sFneQHdg==,type:str] + POSTGRES_PASSWORD: ENC[AES256_GCM,data:5HIfce9v8rwcd4l0txoGzw==,iv:KHE+3aTVyA9bDlE/9Padn+hMp+ltaPEjmf1jTCKgg+U=,tag:qBDcXfezg3NugXpeh29J1Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2 + bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC + VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw + OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+ + LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-09-17T08:37:26Z" + mac: ENC[AES256_GCM,data:qeqt58+cc5BLlaTCaKS6t5q8P1jRQvHrGZjpXv91ONAk5clHQmL8NlOHwXs6ig/bSP8ihjhsI1A8DI6b644Cuti7LWdV/sbCiewZ+Uesu7pfiWSeUN1qMKIyNyWR27NK6BMzUmgjlqraRAsrDXsm25gQU5c8lq9Mw83/Svbds2c=,iv:IRUrRekFQXcQ9PNE9S0mXHfxAGXZoyJws4FZd+LuDSE=,tag:F9sqy/zHbv9pJYTcXy4taA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/cluster/apps/documentation/outline/patches/postgres.yaml b/cluster/apps/documentation/outline/patches/postgres.yaml index 1b5c9d8cc..cabea0f1b 100644 --- a/cluster/apps/documentation/outline/patches/postgres.yaml +++ b/cluster/apps/documentation/outline/patches/postgres.yaml @@ -15,7 +15,10 @@ spec: - name: POSTGRES_DB value: *app - name: POSTGRES_SUPER_PASS - value: ${SECRET_POSTGRESQL_POSTGRES_PASSWORD} + valueFrom: + secretKeyRef: + name: postgres-superuser + key: password envFrom: - secretRef: name: *app 
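Review bot: In the outline `patches/postgres.yaml` hunk the new `secretKeyRef` points at a Secret named `postgres-superuser` (key `password`) that is not created anywhere in this diff; if it is the operator-managed superuser Secret of the `postgres-rw` cluster the pgbackups release talks to (an inference from the service name — confirm), a one-line comment above `valueFrom:` naming its origin, e.g. `# superuser Secret is created by the postgres operator, not by this kustomization`, would save the next reader a search. The replacement of a `${SECRET_POSTGRESQL_POSTGRES_PASSWORD}` substitution by a `secretKeyRef` is the right direction; the remaining least-privilege gap is that the application still receives the superuser password at all, which is pre-existing and could be tracked separately.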
diff --git a/cluster/apps/kustomization.yaml b/cluster/apps/kustomization.yaml
index 624c92830..f97eec1f4 100644
--- a/cluster/apps/kustomization.yaml
+++ b/cluster/apps/kustomization.yaml
@@ -3,7 +3,6 @@ kind: Kustomization
 resources:
 - namespaces.yaml
 - authentication
- - data
 - databases
 - development
 - documentation
diff --git a/cluster/apps/storage/kustomization.yaml b/cluster/apps/storage/kustomization.yaml
index 2c7da7c2b..4dbc0c44d 100644
--- a/cluster/apps/storage/kustomization.yaml
+++ b/cluster/apps/storage/kustomization.yaml
@@ -3,4 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - k10
+ - resilio-sync-claude
+ - resilio-sync-helene
 - smartctl-exporter
+ - truecommand
diff --git a/cluster/apps/storage/resilio-sync-claude/config/sync.conf b/cluster/apps/storage/resilio-sync-claude/config/sync.conf
new file mode 100644
index 000000000..a07f5de05
--- /dev/null
+++ b/cluster/apps/storage/resilio-sync-claude/config/sync.conf
@@ -0,0 +1,15 @@
+{
+ "listening_port" : 55555,
+ "storage_path" : "/config",
+ "vendor" : "docker",
+ "display_new_version": false,
+
+ "directory_root_policy" : "belowroot",
+ "directory_root" : "/sync/",
+ "webui" :
+ {
+ "listen" : "0.0.0.0:8888",
+ "allow_empty_password" : false,
+ "dir_whitelist" : [ "/sync" ]
+ }
+}
diff --git a/cluster/apps/storage/resilio-sync-claude/helm-release.yaml b/cluster/apps/storage/resilio-sync-claude/helm-release.yaml
new file mode 100644
index 000000000..3f2e0c85e
--- /dev/null
+++ b/cluster/apps/storage/resilio-sync-claude/helm-release.yaml
@@ -0,0 +1,104 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: &app resilio-sync-claude + namespace: default +spec: + interval: 15m + chart: + spec: + chart: app-template + version: 0.2.1 + sourceRef: + kind: HelmRepository + name: bjw-s-charts + namespace: flux-system + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 + values: + image: + repository: ghcr.io/auricom/resilio-sync + tag: v2.7.3.1381-1@sha256:0dd28dcf8c6e4854fe1d6321ae4c9168d2ffd5d80b9fac90da54056eeb8d9510 + env: + - name: TZ + value: "${TIMEZONE}" + service: + main: + ports: + http: + port: 8888 + com: + port: 55555 + ingress: + main: + enabled: true + ingressClassName: "nginx" + hosts: + - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - *host + persistence: + config: + enabled: true + existingClaim: resilio-sync-claude-config + sync-conf: + enabled: true + type: configMap + configMap: + name: resilio-sync-claude-sync-conf + mountPath: /config/sync.conf + subPath: sync.conf + backups: + enabled: true + type: nfs + server: "${LOCAL_LAN_TRUENAS}" + path: /mnt/storage/backups + mountPath: /sync/backup + home-claude: + enabled: true + type: nfs + server: "${LOCAL_LAN_TRUENAS}" + path: /mnt/storage/home/claude + mountPath: /sync/home/claude + music-transcoded: + enabled: true + type: nfs + server: "${LOCAL_LAN_OPENMEDIAVAULT}" + path: /export/music_transcoded + mountPath: /sync/music_transcoded + photo: + enabled: true + type: nfs + server: "${LOCAL_LAN_TRUENAS}" + path: /mnt/storage/photo + mountPath: /sync/photo + shared-documents: + enabled: true + type: nfs + server: "${LOCAL_LAN_TRUENAS}" + path: /mnt/storage/shared-documents + mountPath: /sync/shared-documents + video: + enabled: true + type: nfs + server: "${LOCAL_LAN_TRUENAS}" + path: /mnt/storage/video + mountPath: /sync/video + podSecurityContext: + runAsUser: 0 + resources: + 
requests: + cpu: 250m + memory: 512Mi + limits: + memory: 2Gi diff --git a/cluster/apps/storage/resilio-sync-claude/kustomization.yaml b/cluster/apps/storage/resilio-sync-claude/kustomization.yaml new file mode 100644 index 000000000..d3ce83c12 --- /dev/null +++ b/cluster/apps/storage/resilio-sync-claude/kustomization.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - volume.yaml + - helm-release.yaml +configMapGenerator: + - name: resilio-sync-claude-sync-conf + namespace: default + files: + - config/sync.conf +generatorOptions: + disableNameSuffixHash: true diff --git a/cluster/apps/data/tandoor/volume.yaml b/cluster/apps/storage/resilio-sync-claude/volume.yaml similarity index 59% rename from cluster/apps/data/tandoor/volume.yaml rename to cluster/apps/storage/resilio-sync-claude/volume.yaml index dd5274359..461668565 100644 --- a/cluster/apps/data/tandoor/volume.yaml +++ b/cluster/apps/storage/resilio-sync-claude/volume.yaml @@ -2,9 +2,11 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: recipes-files - namespace: data + name: resilio-sync-claude-config + namespace: default labels: + app.kubernetes.io/name: &name resilio-sync-claude + app.kubernetes.io/instance: *name kasten-io/backup: "true" spec: accessModes: diff --git a/cluster/apps/storage/resilio-sync-helene/config/sync.conf b/cluster/apps/storage/resilio-sync-helene/config/sync.conf new file mode 100644 index 000000000..3b70ba451 --- /dev/null +++ b/cluster/apps/storage/resilio-sync-helene/config/sync.conf @@ -0,0 +1,15 @@ +{ + "listening_port" : 55556, + "storage_path" : "/config", + "vendor" : "docker", + "display_new_version": false, + + "directory_root_policy" : "belowroot", + "directory_root" : "/sync/", + "webui" : + { + "listen" : "0.0.0.0:8889", + "allow_empty_password" : false, + "dir_whitelist" : [ "/sync" ] + } +} 
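Review bot: `podSecurityContext: runAsUser: 0` in the resilio-sync-claude release replaces the old StatefulSet's `PUID: "1026"` / `PGID: "1000"` environment, so unless the new `ghcr.io/auricom/resilio-sync` image drops privileges on its own (not visible in this diff — confirm), the sync daemon and its ingress-exposed web UI now run as root with write access to the home, photo, video, shared-documents and backups NFS exports. If the image can run unprivileged, prefer `runAsUser: 1026` / `runAsGroup: 1000` / `fsGroup: 1000` under `podSecurityContext`; if root is genuinely required for the entrypoint, say so above the key, e.g. `# entrypoint needs root to chown /config before dropping to the sync user — confirm`. The same change appears in the resilio-sync-helene release that follows (old `PUID: "1027"`), so whichever fix is chosen applies there too. Minor style point: `env` is written as a list (`- name: TZ`) here while pgbackups, homer and homer-code use the map form (`TZ: "${TIMEZONE}"`); both work with the chart, but one form per repository reads better.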
diff --git a/cluster/apps/storage/resilio-sync-helene/helm-release.yaml b/cluster/apps/storage/resilio-sync-helene/helm-release.yaml new file mode 100644 index 000000000..52b4b44f2 --- /dev/null +++ b/cluster/apps/storage/resilio-sync-helene/helm-release.yaml @@ -0,0 +1,81 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: &app resilio-sync-helene + namespace: default +spec: + interval: 15m + chart: + spec: + chart: app-template + version: 0.2.1 + sourceRef: + kind: HelmRepository + name: bjw-s-charts + namespace: flux-system + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 + + values: + image: + repository: ghcr.io/auricom/resilio-sync + tag: v2.7.3.1381-1@sha256:0dd28dcf8c6e4854fe1d6321ae4c9168d2ffd5d80b9fac90da54056eeb8d9510 + env: + - name: TZ + value: "${TIMEZONE}" + service: + main: + ports: + http: + port: 8889 + com: + port: 55556 + ingress: + main: + enabled: true + ingressClassName: "nginx" + hosts: + - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - *host + persistence: + config: + enabled: true + existingClaim: resilio-sync-helene-config + sync-conf: + enabled: true + type: configMap + configMap: + name: resilio-sync-helene-sync-conf + mountPath: /config/sync.conf + subPath: sync.conf + backups: + enabled: true + type: nfs + server: "${LOCAL_LAN_TRUENAS}" + path: /mnt/storage/backups + mountPath: /sync/backup + home-helene: + enabled: true + type: nfs + server: "${LOCAL_LAN_TRUENAS}" + path: /mnt/storage/home/helene + mountPath: /sync/home + podSecurityContext: + runAsUser: 0 + resources: + requests: + cpu: 250m + memory: 512Mi + limits: + memory: 2Gi diff --git a/cluster/apps/storage/resilio-sync-helene/kustomization.yaml b/cluster/apps/storage/resilio-sync-helene/kustomization.yaml new file mode 100644 index 000000000..3d67c6721 --- /dev/null 
+++ b/cluster/apps/storage/resilio-sync-helene/kustomization.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - volume.yaml + - helm-release.yaml +configMapGenerator: + - name: resilio-sync-helene-sync-conf + namespace: default + files: + - config/sync.conf +generatorOptions: + disableNameSuffixHash: true diff --git a/cluster/apps/storage/resilio-sync-helene/volume.yaml b/cluster/apps/storage/resilio-sync-helene/volume.yaml new file mode 100644 index 000000000..aa099d2be --- /dev/null +++ b/cluster/apps/storage/resilio-sync-helene/volume.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: resilio-sync-helene-config + namespace: default + labels: + app.kubernetes.io/name: &name resilio-sync-helene + app.kubernetes.io/instance: *name + kasten-io/backup: "true" +spec: + accessModes: + - ReadWriteOnce + storageClassName: rook-ceph-block + resources: + requests: + storage: 1Gi diff --git a/cluster/apps/data/truecommand/helm-release.yaml b/cluster/apps/storage/truecommand/helm-release.yaml similarity index 83% rename from cluster/apps/data/truecommand/helm-release.yaml rename to cluster/apps/storage/truecommand/helm-release.yaml index 8ecfa96ce..931b3c453 100644 --- a/cluster/apps/data/truecommand/helm-release.yaml +++ b/cluster/apps/storage/truecommand/helm-release.yaml @@ -3,18 +3,17 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: &app truecommand - namespace: data + namespace: default spec: interval: 15m chart: spec: - chart: kah-common-chart - version: 1.2.2 + chart: app-template + version: 0.2.1 sourceRef: kind: HelmRepository - name: k8s-at-home-charts + name: bjw-s-charts namespace: flux-system - interval: 15m install: createNamespace: true remediation: 
@@ -23,29 +22,20 @@ spec: remediation: retries: 5 values: - global: - nameOverride: *app - image: repository: docker.io/ixsystems/truecommand tag: "2.2" - service: main: ports: http: port: 80 - - persistence: - config: - enabled: true - existingClaim: truecommand-config - mountPath: /data - ingress: main: enabled: true ingressClassName: "nginx" + annotations: + external-dns.home.arpa/enabled: "true" hosts: - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}" paths: @@ -54,8 +44,14 @@ spec: tls: - hosts: - *host - + persistence: + config: + enabled: true + existingClaim: truecommand-config + mountPath: /data resources: requests: cpu: 50m memory: 256Mi + limits: + memory: 500Mi diff --git a/cluster/apps/data/homer/kustomization.yaml b/cluster/apps/storage/truecommand/kustomization.yaml similarity index 100% rename from cluster/apps/data/homer/kustomization.yaml rename to cluster/apps/storage/truecommand/kustomization.yaml diff --git a/cluster/apps/data/truecommand/volume.yaml b/cluster/apps/storage/truecommand/volume.yaml similarity index 70% rename from cluster/apps/data/truecommand/volume.yaml rename to cluster/apps/storage/truecommand/volume.yaml index 5511d3408..e7d323cd2 100644 --- a/cluster/apps/data/truecommand/volume.yaml +++ b/cluster/apps/storage/truecommand/volume.yaml @@ -3,13 +3,15 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: truecommand-config - namespace: data + namespace: default labels: + app.kubernetes.io/name: &name truecommand + app.kubernetes.io/instance: *name kasten-io/backup: "true" spec: accessModes: - ReadWriteOnce - storageClassName: rook-ceph-block resources: requests: storage: 1Gi + storageClassName: rook-ceph-block diff --git a/cluster/apps/web-tools/homer-code/helm-release.yaml b/cluster/apps/web-tools/homer-code/helm-release.yaml new file mode 100644 index 000000000..96c803789 --- /dev/null +++ b/cluster/apps/web-tools/homer-code/helm-release.yaml 
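Review bot: The added `external-dns.home.arpa/enabled: "true"` annotation on the truecommand ingress is the only external-dns opt-in among all the ingresses in this diff, and it is added to a storage-management UI whose only gate is TrueCommand's own login (no auth annotations on the ingress). If that external-dns instance publishes into a zone reachable from outside the LAN (cannot be told from here), this quietly widens the exposure of a NAS-administration console while the file is otherwise just a chart migration; confirm it is intended and, if so, add a line above the annotation such as `# published via external-dns on purpose — reachable beyond the LAN, app login is the only gate`. Otherwise it reads like a copy-paste from another release and is safer dropped. The enclosing `values:` mapping continues into the third hunk, which only moves `persistence` and adds limits.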
@@ -0,0 +1,85 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: &app homer-code
+ namespace: default
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: app-template
+ version: 0.2.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s-charts
+ namespace: flux-system
+ install:
+ createNamespace: true
+ remediation:
+ retries: 5
+ upgrade:
+ remediation:
+ retries: 5
+ dependsOn:
+ - name: homer
+ namespace: default
+ values:
+ image:
+ repository: ghcr.io/coder/code-server
+ tag: 4.7.0
+ env:
+ TZ: "${TIMEZONE}"
+ args:
+ - --auth
+ - "none"
+ - --user-data-dir
+ - "/config/.vscode"
+ - --extensions-dir
+ - "/config/.vscode"
+ - --port
+ - "80"
+ - "/config"
+ service:
+ main:
+ ports:
+ http:
+ port: 80
+ ingress:
+ main:
+ enabled: true
+ ingressClassName: "nginx"
+ hosts:
+ - host: &host "homer-code.${SECRET_CLUSTER_DOMAIN}"
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ podSecurityContext:
+ runAsUser: 0
+ runAsGroup: 0
+ fsGroup: 0
+ persistence:
+ config:
+ enabled: true
+ existingClaim: homer-config
+ affinity:
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values: ["home-assistant"]
+ - key: app.kubernetes.io/instance
+ operator: In
+ values: ["home-assistant"]
+ topologyKey: kubernetes.io/hostname
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ limits:
+ memory: 500Mi
diff --git a/cluster/apps/data/tandoor/kustomization.yaml b/cluster/apps/web-tools/homer-code/kustomization.yaml
similarity index 85%
rename from cluster/apps/data/tandoor/kustomization.yaml
rename to cluster/apps/web-tools/homer-code/kustomization.yaml
index 21f1d9e05..2fa2de20c 100644
--- a/cluster/apps/data/tandoor/kustomization.yaml
+++ b/cluster/apps/web-tools/homer-code/kustomization.yaml
@@ -1,5 +1,5 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - helm-release.yaml
- - volume.yaml
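Review bot: The code-server pod in this hunk runs as root (`podSecurityContext` sets `runAsUser`, `runAsGroup` and `fsGroup` to 0) and is started with `--auth none`, yet its ingress host `homer-code.${SECRET_CLUSTER_DOMAIN}` carries no authentication annotations, so anyone who can reach that hostname gets an unauthenticated IDE with root access to the `homer-config` volume. If an authenticating proxy is meant to front it, that should be declared on this ingress and recorded in a comment next to `--auth`; otherwise drop `--auth none`, and consider a non-zero user if the image allows it. The `podAffinity` selector also matches `home-assistant` while `dependsOn` and `existingClaim: homer-config` tie this release to homer, which looks like a copy-paste leftover — if the intent is to land on the node that already mounts the claim, both `values:` entries should read `["homer"]`.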
diff --git a/cluster/apps/web-tools/homer/helm-release.yaml b/cluster/apps/web-tools/homer/helm-release.yaml
new file mode 100644
index 000000000..73af709b2
--- /dev/null
+++ b/cluster/apps/web-tools/homer/helm-release.yaml
@@ -0,0 +1,57 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: &app homer
+ namespace: default
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: app-template
+ version: 0.2.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s-charts
+ namespace: flux-system
+ install:
+ createNamespace: true
+ remediation:
+ retries: 5
+ upgrade:
+ remediation:
+ retries: 5
+ values:
+ image:
+ repository: b4bz/homer
+ tag: v22.08.1
+ env:
+ TZ: "${TIMEZONE}"
+ service:
+ main:
+ ports:
+ http:
+ port: 8080
+ ingress:
+ main:
+ enabled: true
+ ingressClassName: "nginx"
+ hosts:
+ - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ persistence:
+ config:
+ enabled: true
+ mountPath: /www/assets
+ existingClaim: homer-config
+ resources:
+ requests:
+ cpu: 50m
+ memory: 256Mi
+ limits:
+ memory: 512Mi
diff --git a/cluster/apps/data/truecommand/kustomization.yaml b/cluster/apps/web-tools/homer/kustomization.yaml
similarity index 85%
rename from cluster/apps/data/truecommand/kustomization.yaml
rename to cluster/apps/web-tools/homer/kustomization.yaml
index 21f1d9e05..2fa2de20c 100644
--- a/cluster/apps/data/truecommand/kustomization.yaml
+++ b/cluster/apps/web-tools/homer/kustomization.yaml
@@ -1,5 +1,5 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - helm-release.yaml
- - volume.yaml
diff --git a/cluster/apps/data/homer/volume.yaml b/cluster/apps/web-tools/homer/volume.yaml
similarity index 76%
rename from cluster/apps/data/homer/volume.yaml
rename to cluster/apps/web-tools/homer/volume.yaml
index 0f364b30d..435518cf0 100644
--- a/cluster/apps/data/homer/volume.yaml
+++ b/cluster/apps/web-tools/homer/volume.yaml
@@ -5,6 +5,8 @@ metadata:
 name: homer-config
 namespace: data
 labels:
+ app.kubernetes.io/name: &name homer
+ app.kubernetes.io/instance: *name
 kasten-io/backup: "true"
 spec:
 accessModes:
diff --git a/cluster/apps/web-tools/kustomization.yaml b/cluster/apps/web-tools/kustomization.yaml
index 1e2c87750..8292da0af 100644
--- a/cluster/apps/web-tools/kustomization.yaml
+++ b/cluster/apps/web-tools/kustomization.yaml
@@ -4,9 +4,12 @@ kind: Kustomization
 namespace: default
 resources:
 - freshrss
+ - homer
+ - homer-code
 - joplin
 - music-transcode
 - sharry
+ - tandoor
 - theme-park
 - vaultwarden
 - vikunja
diff --git a/cluster/apps/web-tools/tandoor/config/nginx-config b/cluster/apps/web-tools/tandoor/config/nginx-config
new file mode 100644
index 000000000..28ecf826b
--- /dev/null
+++ b/cluster/apps/web-tools/tandoor/config/nginx-config
@@ -0,0 +1,25 @@
+events {
+ worker_connections 1024;
+}
+http {
+ include /etc/nginx/mime.types;
+ server {
+ listen 80;
+ server_name _;
+ client_max_body_size 128M;
+ # serve media files
+ location /media/ {
+ alias /media/;
+ }
+ # serve static files
+ location /static/ {
+ alias /static/;
+ }
+ # pass requests for dynamic content to gunicorn
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header REMOTE-USER $http_x_authentik_username;
+ proxy_pass http://localhost:8080;
+ }
+ }
+}
diff --git a/cluster/apps/web-tools/tandoor/helm-release.yaml b/cluster/apps/web-tools/tandoor/helm-release.yaml
new file mode 100644
index 000000000..8892a53e2
--- /dev/null
+++ b/cluster/apps/web-tools/tandoor/helm-release.yaml
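Review bot: `namespace: data` survives as context in this PVC although the rest of this commit moves the consuming HelmRelease to `default` and the truecommand volume hunk changes the same literal to `namespace: default`; the claim presumably only ends up in `default` because the web-tools Kustomization's `namespace: default` (visible in the next hunk) rewrites it, which silently breaks if the manifest is ever applied outside that Kustomization. Change the line to `namespace: default` here and in the tandoor (`tandoor-files`) and vikunja (`vikunja-files`) volume hunks further down, which share the same leftover. The PVC body continues outside the hunk.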
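Review bot: `proxy_set_header REMOTE-USER $http_x_authentik_username;` copies a header straight from the incoming request, so it is only safe to treat as an identity if every route to this nginx passes through the proxy that sets it; the tandoor ingress in this commit's helm-release.yaml has no auth annotations, and nothing here clears a client-supplied `X-Authentik-Username`. Whether the application acts on REMOTE-USER depends on its remote-user setting (`REMOTE_USER_AUTH`, if I recall Tandoor's configuration correctly), which patches/env.yaml does not enable, so the exposure may be latent today but becomes real the moment that flag is switched on. Add a comment above the line stating the trust assumption, e.g. `# REMOTE-USER is trusted by the app: this server must only be reachable through the authentik forward-auth`, and enforce that path at the ingress.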
@@ -0,0 +1,103 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: &app tandoor
+ namespace: default
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: app-template
+ version: 0.2.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s-charts
+ namespace: flux-system
+ install:
+ createNamespace: true
+ remediation:
+ retries: 5
+ upgrade:
+ remediation:
+ retries: 5
+ dependsOn:
+ - name: postgres
+ namespace: default
+ values:
+ image:
+ repository: vabene1111/recipes
+ tag: "1.3.3"
+ envFrom:
+ - secretRef:
+ name: *app
+ service:
+ main:
+ ports:
+ http:
+ port: 80
+ ingress:
+ main:
+ enabled: true
+ ingressClassName: "nginx"
+ hosts:
+ - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+ paths:
+ - path: /
+ pathType: Prefix
+ - host: &host2 "recipes.${SECRET_CLUSTER_DOMAIN}"
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - *host
+ - *host2
+ persistence:
+ files:
+ enabled: true
+ existingClaim: recipes-files
+ mountPath: /opt/recipes/mediafiles
+ nginx-config:
+ enabled: "true"
+ mountPath: /etc/nginx/nginx.conf
+ subPath: nginx-config
+ type: "custom"
+ volumeSpec:
+ configMap:
+ name: *app
+ static:
+ enabled: true
+ mountPath: /opt/recipes/staticfiles
+ type: emptyDir
+ podSecurityContext:
+ runAsUser: 0
+ podAnnotations:
+ configMap.reloader.stakater.com/reload: *app
+ secret.reloader.stakater.com/reload: *app
+ securityContext:
+ runAsUser: 65534
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ memory: 512Mi
+ additionalContainers:
+ nginx:
+ name: nginx
+ image: nginx:1.23.1
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ volumeMounts:
+ - name: nginx-config
+ readOnly: true
+ mountPath: /etc/nginx/nginx.conf
+ subPath: nginx-config
+ - name: files
+ mountPath: /media
+ - name: static
+ mountPath: /static
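Review bot: `persistence.files.existingClaim: recipes-files` does not match the claim this commit defines for tandoor, whose volume.yaml names it `tandoor-files`; unless a `recipes-files` PVC exists elsewhere, the pod will stay Pending on a missing claim, so one of the two names should change (`existingClaim: tandoor-files`). `persistence.nginx-config.enabled: "true"` is a quoted string while every other `enabled:` in this file is a boolean — a chart-side `if .enabled` still fires on a non-empty string, but it fails strict schema validation and reads as a mistake; use `enabled: true`. Note also that `podSecurityContext.runAsUser: 0` applies to the `nginx` additional container (the container-level `securityContext.runAsUser: 65534` presumably covers only the main container), so the sidecar that terminates ingress traffic runs as root in order to bind port 80; an unprivileged nginx image listening on a high port, or granting `NET_BIND_SERVICE` alone, would keep the whole pod non-root.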
diff --git a/cluster/apps/web-tools/tandoor/kustomization.yaml b/cluster/apps/web-tools/tandoor/kustomization.yaml
new file mode 100644
index 000000000..24347ceea
--- /dev/null
+++ b/cluster/apps/web-tools/tandoor/kustomization.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+ - secret.sops.yaml
+ - helm-release.yaml
+ - volume.yaml
+patchesStrategicMerge:
+ - patches/env.yaml
+ - patches/postgres.yaml
+configMapGenerator:
+ - name: tandoor
+ files:
+ - config/nginx-config
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/cluster/apps/web-tools/tandoor/patches/env.yaml b/cluster/apps/web-tools/tandoor/patches/env.yaml
new file mode 100644
index 000000000..3dc393898
--- /dev/null
+++ b/cluster/apps/web-tools/tandoor/patches/env.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: tandoor
+ namespace: default
+spec:
+ values:
+ env:
+ DEBUG: "0"
+ ALLOWED_HOSTS: "*"
+ DB_ENGINE: django.db.backends.postgresql_psycopg2
+ POSTGRES_HOST: postgres-rw.default.svc.cluster.local.
+ POSTGRES_PORT: 5432
+ POSTGRES_DB: recipes
+ GUNICORN_MEDIA: "0"
+ TIMEZONE: ${TIMEZONE}
+ TANDOOR_PORT: 8080
+ FRACTION_PREF_DEFAULT: "0"
+ COMMENT_PREF_DEFAULT: "1"
+ SHOPPING_MIN_AUTOSYNC_INTERVAL: "5"
diff --git a/cluster/apps/web-tools/tandoor/patches/postgres.yaml b/cluster/apps/web-tools/tandoor/patches/postgres.yaml
new file mode 100644
index 000000000..381599c78
--- /dev/null
+++ b/cluster/apps/web-tools/tandoor/patches/postgres.yaml
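Review bot: In patches/env.yaml, `POSTGRES_PORT: 5432` and `TANDOOR_PORT: 8080` are bare integers while every other numeric value in the same env block is quoted (`"0"`, `"1"`, `"5"`); container env values must be strings, so whether this renders depends on the chart quoting them, and `POSTGRES_PORT: "5432"` / `TANDOOR_PORT: "8080"` removes the ambiguity. `TIMEZONE: ${TIMEZONE}` is likewise unquoted here but written as `TZ: "${TIMEZONE}"` in the homer and homer-code releases of this commit. `ALLOWED_HOSTS: "*"` switches off Django's Host-header check, which is tolerable only because the ingress restricts the hostnames; listing the two ingress hosts instead keeps the check meaningful if the service is ever reached another way.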
@@ -0,0 +1,31 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: tandoor
+ namespace: default
+spec:
+ values:
+ initContainers:
+ init-db:
+ image: ghcr.io/onedr0p/postgres-initdb:14.5
+ env:
+ - name: POSTGRES_HOST
+ value: postgres-rw.default.svc.cluster.local.
+ - name: POSTGRES_DB
+ value: recipes
+ - name: POSTGRES_SUPER_PASS
+ valueFrom:
+ secretKeyRef:
+ name: postgres-superuser
+ key: password
+ - name: POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ name: tandoor
+ key: POSTGRES_USER
+ - name: POSTGRES_PASS
+ valueFrom:
+ secretKeyRef:
+ name: tandoor
+ key: POSTGRES_PASSWORD
diff --git a/cluster/apps/web-tools/tandoor/secret.sops.yaml b/cluster/apps/web-tools/tandoor/secret.sops.yaml
new file mode 100644
index 000000000..9ba965e1e
--- /dev/null
+++ b/cluster/apps/web-tools/tandoor/secret.sops.yaml
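Review bot: The `init-db` container is handed the cluster-wide Postgres superuser password (`postgres-superuser` / `password`) inside the tandoor pod, so a compromise of this workload's init image or of anything that can read its environment yields control of the shared database server, not just of the `recipes` database. That is the usual pattern for this initdb image, but it deserves a comment on `POSTGRES_SUPER_PASS` saying that it is used once to create the role and database and nothing else, and it is worth checking whether a dedicated role with only the rights to create roles and databases can be used instead. The image is pinned by tag (`14.5`) without a digest, so the credential is given to whatever that tag resolves to at pull time.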
@@ -0,0 +1,31 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+ name: tandoor
+ namespace: default
+type: Opaque
+stringData:
+ SECRET_KEY: ENC[AES256_GCM,data:Em/RAzEFrQ0vSHrTUAe2CfWii49IVRZkZQt9czp41j0=,iv:cF+q2+E9gtF5LKP974Y5o/MOrdxcvfe8VXUqHhP46Mc=,tag:RlY7ciWvKsZl5S/ljUc9GA==,type:str]
+ POSTGRES_USER: ENC[AES256_GCM,data:2l2CmdToJg==,iv:lP3yvRedxN3L8sheO71sI5BNOBIEAnQ+QoAm5j4pyyc=,tag:b0yimiebuxKE/PIjhpWr6g==,type:str]
+ POSTGRES_PASSWORD: ENC[AES256_GCM,data:eGkJzNO6i0vARiw3XXK87g==,iv:iVwOOiTuwI3aK+zdDIZotgLCvbyvYC7sl8vuhyMSyUg=,tag:Vix0RHru20p0fj0a5LH9Sw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2
+ akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC
+ Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT
+ Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq
+ DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-09-17T09:12:23Z"
+ mac: ENC[AES256_GCM,data:aftbkgTFye4mvKE2cT8ygQ76Ybx8Lt5dd9moHJgdMqRzQZBeOctMlaMD2Jm7EY0psuAUkGz4+OS5pv7HJ2/1/rVYNqMsLSpoIYs236te0F58BS1yjHHi1YPNsfhdskPBs6e7xONQTrwQ9Swp/jynosNvuchDCBufxDVk5WG8auo=,iv:JjmbM44EKp6Suw/B2VLLcBZmsfxNuA6OZPaUoWQDvVo=,tag:X1Cuo0XvgmyOWiOQxIZiKg==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/cluster/apps/data/resilio-sync/volume.yaml b/cluster/apps/web-tools/tandoor/volume.yaml
similarity index 69%
rename from cluster/apps/data/resilio-sync/volume.yaml
rename to cluster/apps/web-tools/tandoor/volume.yaml
index 28b7bd382..faba3cb2b 100644
--- a/cluster/apps/data/resilio-sync/volume.yaml
+++ b/cluster/apps/web-tools/tandoor/volume.yaml
@@ -2,9 +2,11 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
- name: resilio-sync-config
+ name: tandoor-files
 namespace: data
 labels:
+ app.kubernetes.io/name: &name tandoor
+ app.kubernetes.io/instance: *name
 kasten-io/backup: "true"
 spec:
 accessModes:
diff --git a/cluster/apps/web-tools/vikunja/volume.yaml b/cluster/apps/web-tools/vikunja/volume.yaml
index c9a8bbc8c..eb508abb4 100644
--- a/cluster/apps/web-tools/vikunja/volume.yaml
+++ b/cluster/apps/web-tools/vikunja/volume.yaml
@@ -5,6 +5,8 @@ metadata:
 name: vikunja-files
 namespace: data
 labels:
+ app.kubernetes.io/name: &name vikunja
+ app.kubernetes.io/instance: *name
 kasten-io/backup: "true"
 spec:
 accessModes:
diff --git a/cluster/charts/influxdata-charts.yaml b/cluster/charts/influxdata-charts.yaml
deleted file mode 100644
index b3ffe903e..000000000
--- a/cluster/charts/influxdata-charts.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: HelmRepository
-metadata:
- name: influxdata-charts
- namespace: flux-system
-spec:
- interval: 1h
- url: https://helm.influxdata.com/
- timeout: 3m
diff --git a/cluster/charts/kustomization.yaml b/cluster/charts/kustomization.yaml
index 00fba05ba..669937b3b 100644
--- a/cluster/charts/kustomization.yaml
+++ b/cluster/charts/kustomization.yaml
@@ -12,7 +12,6 @@ resources:
 - fairwinds-charts.yaml
 - gitea-charts.yaml
 - grafana-charts.yaml
- - influxdata-charts.yaml
 - ingress-nginx-charts.yaml
 - jetstack-charts.yaml
 - k8s-at-home.yaml
@@ -24,7 +23,6 @@ resources:
 - project-calico-charts.yaml
 - prometheus-community-charts.yaml
 - rook-ceph-charts.yaml
- - runix-charts.yaml
 - stakater-charts.yaml
 - vector-charts.yaml
 - weaveworks-kured-charts.yaml
diff --git a/cluster/charts/runix-charts.yaml b/cluster/charts/runix-charts.yaml
deleted file mode 100644
index 3513fdc79..000000000
--- a/cluster/charts/runix-charts.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: HelmRepository
-metadata:
- name: runix-charts
- namespace: flux-system
-spec:
- interval: 1h
- url: https://helm.runix.net
- timeout: 3m
diff --git a/cluster/configuration/cluster-secrets.sops.yaml b/cluster/configuration/cluster-secrets.sops.yaml
index 57ee487d1..1a012ef61 100644
--- a/cluster/configuration/cluster-secrets.sops.yaml
+++ b/cluster/configuration/cluster-secrets.sops.yaml
@@ -21,25 +21,15 @@ stringData:
 SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:X1J9WLT26soYzlDb8+YtPotGw8p0lJKMuNkn69WX,iv:mW2cJOq5gfzSE+U24IuvPVL+dL2nZcTFpPAkG77Ohus=,tag:kxokidtuE5RAGJlj4Q4P2A==,type:str]
 SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:Bwvuy/jHIRduy/r1A8dOs0OE8ewdjCgs8g/br1oW,iv:PdnPH9I509MT6UJkUG1zLAGn9aV4AVrROgAVCD4a3Y0=,tag:59kBGx9qx3jeauokyoolQQ==,type:str]
 SECRET_KUBE_PROMETHEUS_STACK_GRAFANA_ADMIN_PASSWORD: ENC[AES256_GCM,data:L7LS6+tuwPCyb5HN4zg=,iv:JM2KTtDN/VrKicjp5qwqusWiJKHRZnfTtsZE2hkLq6Q=,tag:XGF3L5P6JxVBrlGuKosdZA==,type:str]
- SECRET_MINIO_ACCESS_KEY: ENC[AES256_GCM,data:cv4//sg=,iv:dx1hciCvVBFcKXbAqoArkTjc/YLyKUp1sXPGuPoX7lw=,tag:+AYVkGKVWXR06h+TwTO9ZQ==,type:str]
- SECRET_MINIO_SECRET_KEY: ENC[AES256_GCM,data:qcV/b9q12949ZYExzDP3Yy2nAOY=,iv:7qg5IGEWBF1idgZxObcbWyxeNDAXbuwuf4BqwqC67Qo=,tag:wx44bn38jTel2TocUkCghA==,type:str]
- SECRET_MINIO_ENDPOINT: ENC[AES256_GCM,data:2/+oaWr84857KBx8yXrR7JK+EFIGw7ed,iv:iyfCkYl7yIgwDn0fR95rjcLj5Tsrho17ubGW1KDfym8=,tag:o2VTxHOjKrbX94wbRKHRRA==,type:str]
 SECRET_MQTT_USER: ENC[AES256_GCM,data:Ggn82GysDHM2b/uNhQ==,iv:f5NXCE5/nfTqq1zdtBNH6Lu8ndf5YZKHgEWc9O0fB0I=,tag:z1OUzEeVgm+a9QRBxo9BEg==,type:str]
 SECRET_MQTT_PASSWORD: ENC[AES256_GCM,data:WBqLezPi1sbzyzfubG71KfR+tg==,iv:gKDgjpPwZ+fEWs+zn3aHiiKglsEl/kue/vx2FaSAtsA=,tag:jXECLxyekqmejJfi11DKsQ==,type:str]
 SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str]
- SECRET_PGADMIN_EMAIL: ENC[AES256_GCM,data:Cqvgf0l1A3V8C43YJ20RkCToOGQrxA==,iv:6TsLUzW0yMnx+pGK9MLD/1pm7TGcoVz/Ibn4wYGWZ3k=,tag:YBHhIJl28Cnnncz+fPbPNw==,type:str]
- SECRET_PGADMIN_PASSWORD: ENC[AES256_GCM,data:1TDN5XLr4ZGQC4qjF9A=,iv:ydluXBbIfFYNEfhgNKxtVOOdqsY2SX+40CjyN4nOsvQ=,tag:hPmQpDYQR3X67AEIOa6sog==,type:str]
- SECRET_POSTGRESQL_POSTGRES_PASSWORD: 
ENC[AES256_GCM,data:AVc452aMFD0v7yemNC/KdA==,iv:fkCQPJJXP/PSyOjvvi3USHfpodT0DY6LDubbr7sITo4=,tag:8Fp5aTnnhg0ojGUN1DP6Xg==,type:str]
 SECRET_RADARR_API_KEY: ENC[AES256_GCM,data:Mom5SOMHf7xUvvUkjLIRqMzOSSQshzWdKlSGIzZtIGM=,iv:4vrZFrsTCUW2e0bo2sA2iT+ZVKUDEuyferNJ5Q5klFY=,tag:xha/NKx2XN3Mpa0XPSMPvA==,type:str]
- SECRET_RECIPES_DB_PASSWORD: ENC[AES256_GCM,data:p48hux/huJTkYPJaciglPQ==,iv:5rOHaqYSPZbVvh2anmNEtkMNk2OlsPqCRCasV4EPpUM=,tag:Ot5BDGTKfnEPKCriGaTEbA==,type:str]
- SECRET_RECIPES_SECRET_KEY: ENC[AES256_GCM,data:qW6IeclLI1PeLkuRcLyTtA==,iv:6aJoRDjNS1Mtf6IC+R8ubcEO/dIc6GU36GZE1IJgqsw=,tag:LdKVsoA4AtYpvrROY30OAg==,type:str]
 SECRET_SONARR_API_KEY: ENC[AES256_GCM,data:JO5N+MeVeQmAlfv/dLJru5oHyVjpy9iUrfrTe4PLVXA=,iv:NjGstpjwFapd2LJNPy6nhXsp9UuCYTBuHRovmHdCSNc=,tag:BARsx6FBISHhxueBSDJSNw==,type:str]
 SECRET_SHARRY_DB_USERNAME: ENC[AES256_GCM,data:wWnV6hHz,iv:+uV0X2tovaisFuO5KcF9PpKPyYeS4WtrrPt4Ll+CnsU=,tag:zNWR9AqheMGho0yV923vvw==,type:str]
 SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:Y0gk4bRcEws2b0SF4AY=,iv:3cQbD/uvWNGjEmz3z8uEbXWwJffIrTj3nSDsGBS0MEU=,tag:RsIBq9zI8+2temGj5r/Lqg==,type:str]
 SECRET_SHARRY_MINIO_S3_ACCESS_KEY: ENC[AES256_GCM,data:KsgAP5n1w8Y38bF0F5tSiNRuvG4=,iv:i8DtlG3qlwl/RGz8xbthCuFMTlKA3/G1eHxeYCC7GBQ=,tag:GZvYnEmDiDPUm5LyWxORCA==,type:str]
 SECRET_SHARRY_MINIO_S3_SECRET_KEY: ENC[AES256_GCM,data:CjOaczbEjtyjSkjFJjYFXBmqtkL7vFK1p13qbpVi1vWbUXSh00fFKw==,iv:NnNt6g1pLE1ieu/xjUhzgbIg1KbpsRhtcdQfUlhPEjo=,tag:ezrGRDHDJJ/A5foabeZw6A==,type:str]
- SECRET_VIKUNJA_JWT_SECRET: ENC[AES256_GCM,data:8axiOB5PPhjEwBoYB3NtT0ewlNWNK92EAIEAi+NR1J4=,iv:uNBL/FfhamQwBzfKbZTPBeGUgbOfKKQM4SdDCGMv+HU=,tag:YpK+cW/ISWj9jGCeWBeJSg==,type:str]
- SECRET_VIKUNJA_PASSWORD: ENC[AES256_GCM,data:m3pGmQGYvqPO0ubxhaDGNg==,iv:hIzZP5JMnG9W3QWr50YeZ9FDRNRh1qOWFliRIDHV6+I=,tag:6/ymdGs4Q2cla+bN8r9KGw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -55,8 +45,8 @@ sops:
 WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
 pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-09-16T21:48:32Z"
- mac: ENC[AES256_GCM,data:FrE2y1B7Wq784Ey2OHF4K00M6VUYKSwHzFW1RoW9vJ1AZYCuc1N27bs4fGtAAlTARl9MENFEhLx02a+Vyo0zxx9fy3X+lOqH4XEh4AgTcRUDOKuHuGLeHkcKIHhLUQBQh6FDdSrMlai+feCq4QPW2BCVNisrKf65AowO2Tmg9PE=,iv:lznSLR602Mqngy7X8kYG6rVe46wBQZHZczMj9FtGxQc=,tag:KcMp5a/j2AU+ZGsLocGgQA==,type:str]
+ lastmodified: "2022-09-17T08:21:38Z"
+ mac: ENC[AES256_GCM,data:sMAsNdWMRUP0SF3VPpwsRiKKf2+iXicuf02jFtPATqriU/Aa9VhmS7c6ERfysvtEmMD/sZQq4XjM7+mxBNt6JsQEHed/dFJ+mHlQo9jTROqo7lwfH2Av4iMyX+x4nsZWsZ6EPqSGdifQhg70vGRteM3hEAofGHTY6bBx+PM8kSY=,iv:7PveSfpQTZJdBzQit5ZNU4UrlBcyqcOPz+o5BZQpHvw=,tag:hAPLANvwhVNRylJOgHWDVw==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.7.3
diff --git a/cluster/configuration/cluster-settings.yaml b/cluster/configuration/cluster-settings.yaml
index c9a03cd68..08a0aa29d 100644
--- a/cluster/configuration/cluster-settings.yaml
+++ b/cluster/configuration/cluster-settings.yaml
@@ -11,11 +11,12 @@ data:
 CLUSTER_LB_UNIFI: 192.168.169.103
 CLUSTER_LB_GITEA: 192.168.169.104
 CLUSTER_LB_QBITTORRENT: 192.168.169.105
- CLUSTER_LB_RESILIOSYNC: 192.168.169.106
+ CLUSTER_LB_RESILIOSYNC_CLAUDE: 192.168.169.106
 CLUSTER_LB_HASS: 192.168.169.107
 CLUSTER_LB_SYSLOG: 192.168.169.108
 CLUSTER_LB_EMQX: 192.168.169.109
 CLUSTER_LB_JELLYFIN: 192.168.169.110
+ CLUSTER_LB_RESILIOSYNC_HELENE: 192.168.169.111
 LOCAL_LAN: 192.168.8.0/22
 LOCAL_LAN_OPNSENSE: 192.168.8.1
 LOCAL_LAN_TRUENAS: 192.168.9.10