shpaq/auricom-home-cluster
1
0
Fork 0
mirror of https://github.com/auricom/home-cluster.git synced 2025-09-17 18:24:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

♻️ data

Browse Source
This commit is contained in:
auricom
2022-09-17 09:32:06 +02:00
parent 737198c7ce
commit 7a08b552b3
51 changed files with 856 additions and 633 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
cluster/apps/data/homer/helm-release.yaml
View File

@@ -1,85 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: homer
namespace: data
spec:
interval: 5m
chart:
spec:
# renovate: registryUrl=https://k8s-at-home.com/charts/
chart: homer
version: 8.0.2
sourceRef:
kind: HelmRepository
name: k8s-at-home-charts
namespace: flux-system
interval: 5m
values:
image:
repository: b4bz/homer
tag: v22.08.1
pullPolicy: IfNotPresent
env:
TZ: "${TIMEZONE}"
persistence:
config:
enabled: true
mountPath: /www/assets
existingClaim: homer-config
service:
main:
annotations:
prometheus.io/probe: "true"
prometheus.io/protocol: http
ingress:
main:
enabled: true
ingressClassName: "nginx"
hosts:
- host: "homer.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
- host: "services.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- "homer.${SECRET_CLUSTER_DOMAIN}"
- "services.${SECRET_CLUSTER_DOMAIN}"
addons:
codeserver:
enabled: true
image:
repository: ghcr.io/k8s-at-home/code-server
tag: v4.6.0
workingDir: "/www/assets"
args:
- --auth
- "none"
- --user-data-dir
- "/www/assets/.vscode"
- --extensions-dir
- "/www/assets/.vscode"
ingress:
enabled: true
ingressClassName: "nginx"
hosts:
- host: "homer-config.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- "homer-config.${SECRET_CLUSTER_DOMAIN}"
volumeMounts:
- name: config
mountPath: /www/assets

4
cluster/apps/data/jobs/kustomization.yaml
View File

@@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- serviceaccount.yaml

18
cluster/apps/data/jobs/serviceaccount.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: jobs
namespace: data
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: jobs-edit
namespace: data
subjects:
- kind: ServiceAccount
name: jobs
roleRef:
kind: ClusterRole
name: edit
apiGroup: rbac.authorization.k8s.io

12
cluster/apps/data/kustomization.yaml
View File

@@ -1,12 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- homer
- jobs
- pgadmin
- pgbackups
- resilio-sync
- tandoor
- truecommand

5
cluster/apps/data/namespace.yaml
View File

@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: data

55
cluster/apps/data/pgadmin/helm-release.yaml
View File

@@ -1,55 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: pgadmin
namespace: data
spec:
interval: 5m
chart:
spec:
# renovate: registryUrl=https://helm.runix.net
chart: pgadmin4
version: 1.12.1
sourceRef:
kind: HelmRepository
name: runix-charts
namespace: flux-system
interval: 5m
values:
image:
repository: dpage/pgadmin4
tag: 6.13
env:
email: ${SECRET_PGADMIN_EMAIL}
password: ${SECRET_PGADMIN_PASSWORD}
strategy:
type: Recreate
persistentVolume:
enabled: true
existingClaim: pgadmin-config
ingress:
enabled: true
hosts:
- host: "pgadmin.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- "pgadmin.${SECRET_CLUSTER_DOMAIN}"
postRenderers:
- kustomize:
patchesJson6902:
- target:
kind: Ingress
name: pgadmin-pgadmin4
patch:
- op: add
path: /spec/ingressClassName
value: nginx

68
cluster/apps/data/pgbackups/deployment.yaml
View File

@@ -1,68 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: pgbackups
namespace: data
labels:
app.kubernetes.io/instance: pgbackups
app.kubernetes.io/name: pgbackups
spec:
selector:
matchLabels:
app.kubernetes.io/instance: pgbackups
app.kubernetes.io/name: pgbackups
replicas: 1
template:
metadata:
labels:
app.kubernetes.io/instance: pgbackups
app.kubernetes.io/name: pgbackups
spec:
imagePullSecrets:
- name: regcred
containers:
- name: pgbackups
image: ghcr.io/auricom/postgres-backup-local:v14.4@sha256:b70f8ca203b38240c87c86c2d95f86d1e8e1e62602ebe1e8fd5830c2376b889e
env:
- name: POSTGRES_HOST
value: postgres.${SECRET_DOMAIN}
- name: POSTGRES_DB
value: authelia,freshrss,gitea,hass,healthchecks,joplin,lychee,recipes,sharry,outline,vaultwarden,vikunja,wallabag
- name: POSTGRES_USER
value: postgres
- name: POSTGRES_PASSWORD
value: ${SECRET_POSTGRESQL_POSTGRES_PASSWORD}
- name: POSTGRES_EXTRA_OPTS
value: "-Z9 --schema=public --blobs"
- name: SCHEDULE
value: "@daily"
- name: BACKUP_KEEP_DAYS
value: "7"
- name: BACKUP_KEEP_WEEKS
value: "4"
- name: BACKUP_KEEP_MONTHS
value: "3"
- name: HEALTHCHECK_PORT
value: "8080"
- name: WEBHOOK_URL
value: "http://healthchecks.default.svc.cluster.local.:/ping/${SECRET_HEALTHCHECKS_PING_KEY}/postgresql-backup"
resources:
requests:
cpu: 150m
memory: 256Mi
ports:
- containerPort: 8080
volumeMounts:
- name: backups
mountPath: /backups
subPath: postgresql
volumes:
- name: backups
nfs:
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/backups
dnsConfig:
options:
- name: ndots
value: "1"

4
cluster/apps/data/pgbackups/kustomization.yaml
View File

@@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deployment.yaml

245
cluster/apps/data/resilio-sync/statefulset.yaml
View File

@@ -1,245 +0,0 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: resilio-sync
namespace: data
labels:
app.kubernetes.io/instance: resilio-sync
app.kubernetes.io/name: resilio-sync
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/instance: resilio-sync
app.kubernetes.io/name: resilio-sync
updateStrategy:
type: OnDelete
serviceName: resilio-sync
strategy:
template:
metadata:
labels:
app.kubernetes.io/instance: resilio-sync
app.kubernetes.io/name: resilio-sync
spec:
containers:
- image: ghcr.io/linuxserver/resilio-sync:version-2.7.3.1381-1
name: resilio-sync-claude
env:
- name: TZ
value: "${TIMEZONE}"
- name: PUID
value: "1026"
- name: PGID
value: "1000"
ports:
- containerPort: 8888
name: http-claude
- containerPort: 55555
name: com-claude
volumeMounts:
- name: config
mountPath: /config
subPath: claude
- name: sync-conf-claude
mountPath: /config/sync.conf
subPath: sync.conf
- name: home-claude
mountPath: /sync/home/claude
- name: photo
mountPath: /sync/photo
- name: backups
mountPath: /sync/backup
- name: music-transcoded
mountPath: /sync/music_transcoded
- name: video
mountPath: /sync/video
- name: shared-documents
mountPath: /sync/shared-documents
- image: ghcr.io/linuxserver/resilio-sync:version-2.7.3.1381-1
name: resilio-sync-helene
env:
- name: TZ
value: "${TIMEZONE}"
- name: PUID
value: "1027"
- name: PGID
value: "1000"
ports:
- containerPort: 8889
name: http-helene
- containerPort: 55556
name: com-helene
volumeMounts:
- name: config
mountPath: /config
subPath: helene
- name: sync-conf-helene
mountPath: /config/sync.conf
subPath: sync.conf
- name: home-helene
mountPath: /sync/home
- name: backups
mountPath: /sync/backup
volumes:
- name: config
persistentVolumeClaim:
claimName: resilio-sync-config
- name: sync-conf-claude
configMap:
name: resilio-sync-claude-conf
- name: sync-conf-helene
configMap:
name: resilio-sync-helene-conf
- name: home-claude
nfs:
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/home/claude
- name: home-helene
nfs:
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/home/helene
- name: backups
nfs:
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/backups
- name: photo
nfs:
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/photo
- name: music-transcoded
nfs:
server: "${LOCAL_LAN_OPENMEDIAVAULT}"
path: /export/music_transcoded
- name: video
nfs:
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/video
- name: shared-documents
nfs:
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/shared-documents
dnsConfig:
options:
- name: ndots
value: "1"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: resilio-sync-claude-conf
namespace: data
data:
sync.conf: |
{
"listening_port" : 55555,
"storage_path" : "/config",
"vendor" : "docker",
"display_new_version": false,
"directory_root_policy" : "belowroot",
"directory_root" : "/sync/",
"webui" :
{
"listen" : "0.0.0.0:8888",
"allow_empty_password" : false,
"dir_whitelist" : [ "/sync", "/sync/folders", "/sync/mounted_folders" ]
}
}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: resilio-sync-helene-conf
namespace: data
data:
sync.conf: |
{
"listening_port" : 55556,
"storage_path" : "/config",
"vendor" : "docker",
"display_new_version": false,
"directory_root_policy" : "belowroot",
"directory_root" : "/sync/",
"webui" :
{
"listen" : "0.0.0.0:8889",
"allow_empty_password" : false,
"dir_whitelist" : [ "/sync", "/sync/folders", "/sync/mounted_folders" ]
}
}
---
apiVersion: v1
kind: Service
metadata:
annotations:
prometheus.io/probe: "true"
prometheus.io/protocol: tcp
labels:
app.kubernetes.io/instance: resilio-sync
app.kubernetes.io/name: resilio-sync
name: resilio-sync
namespace: data
spec:
ports:
- name: http-claude
port: 8888
protocol: TCP
targetPort: 8888
- name: http-helene
port: 8889
protocol: TCP
targetPort: 8889
- name: com-claude
port: 55555
protocol: TCP
targetPort: 55555
- name: com-helene
port: 55556
protocol: TCP
targetPort: 55556
selector:
app.kubernetes.io/instance: resilio-sync
app.kubernetes.io/name: resilio-sync
type: LoadBalancer
externalIPs:
- ${CLUSTER_LB_RESILIOSYNC}
externalTrafficPolicy: Local
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/instance: resilio-sync
app.kubernetes.io/name: resilio-sync
name: resilio-sync
namespace: data
spec:
ingressClassName: "nginx"
tls:
- hosts:
- "resilio-sync-claude.${SECRET_CLUSTER_DOMAIN}"
- "resilio-sync-helene.${SECRET_CLUSTER_DOMAIN}"
rules:
- host: "resilio-sync-claude.${SECRET_CLUSTER_DOMAIN}"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: resilio-sync
port:
number: 8888
- host: "resilio-sync-helene.${SECRET_CLUSTER_DOMAIN}"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: resilio-sync
port:
number: 8889

73
cluster/apps/data/tandoor/helm-release.yaml
View File

@@ -1,73 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: tandoor
namespace: data
spec:
interval: 5m
chart:
spec:
# renovate: registryUrl=https://k8s-at-home.com/charts/
chart: recipes
version: 6.6.2
sourceRef:
kind: HelmRepository
name: k8s-at-home-charts
namespace: flux-system
interval: 5m
values:
image:
repository: vabene1111/recipes
tag: 1.3.3
pullPolicy: IfNotPresent
env:
SECRET_KEY: ${SECRET_RECIPES_SECRET_KEY}
DEBUG: "0"
ALLOWED_HOSTS: "*"
DB_ENGINE: django.db.backends.postgresql
POSTGRES_HOST: postgres.${SECRET_DOMAIN}
POSTGRES_PORT: 5432
POSTGRES_DB: recipes
POSTGRES_USER: recipes
POSTGRES_PASSWORD: ${SECRET_RECIPES_DB_PASSWORD}
GUNICORN_MEDIA: "0"
TIMEZONE: ${TIMEZONE}
FRACTION_PREF_DEFAULT: "0"
COMMENT_PREF_DEFAULT: "1"
SHOPPING_MIN_AUTOSYNC_INTERVAL: "5"
sidecar:
image:
repository: nginx
tag: 1.23.1
pullPolicy: IfNotPresent
persistence:
media:
enabled: true
existingClaim: recipes-files
mountPath: /opt/recipes/mediafiles
static:
enabled: true
type: emptyDir
service:
main:
annotations:
prometheus.io/probe: "true"
prometheus.io/protocol: http
ingress:
main:
enabled: true
ingressClassName: "nginx"
hosts:
- host: "tandoor.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- "tandoor.${SECRET_CLUSTER_DOMAIN}"

2
cluster/apps/databases/kustomization.yaml
View File

@@ -3,5 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: default namespace: default
resources: resources:
- pgadmin
- pgbackups
- postgres - postgres
- redis - redis

60
cluster/apps/databases/pgadmin/helm-release.yaml Normal file
View File

@@ -0,0 +1,60 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app pgadmin
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 0.2.1
sourceRef:
kind: HelmRepository
name: bjw-s-charts
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
image:
repository: dpage/pgadmin4
tag: "6.13"
env:
PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION: "False"
envFrom:
- secretRef:
name: *app
service:
main:
ports:
http:
port: 80
ingress:
main:
enabled: true
ingressClassName: "nginx"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
persistence:
config:
enabled: true
existingClaim: pgadmin-config
mountPath: /var/lib/pgadmin
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
memory: 500Mi

4
cluster/apps/data/resilio-sync/kustomization.yaml → cluster/apps/databases/pgadmin/kustomization.yaml
View File

@@ -1,5 +1,7 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- statefulset.yaml - secret.sops.yaml
- volume.yaml - volume.yaml
- helm-release.yaml

30
cluster/apps/databases/pgadmin/secret.sops.yaml Normal file
View File

@@ -0,0 +1,30 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: pgadmin
namespace: default
type: Opaque
stringData:
PGADMIN_DEFAULT_EMAIL: ENC[AES256_GCM,data:Wd9Qcm7AmuvGHWyfe277NnCDaRiKQw==,iv:rP1B90nsQs5s0OAGvTAW9X99fprpTMa9Y1COgtrcPOI=,tag:odhJmt+W6yoXfEhYPj0Rcw==,type:str]
PGADMIN_DEFAULT_PASSWORD: ENC[AES256_GCM,data:SWUqh0QUjYWjCruuZPQ=,iv:F1rwMkkHu2lgFDlUK5ZPtvY4KWh9kF8S5B0VnsiBUoE=,tag:Haa3c8UsJpQDsYG9hWWj/Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-17T07:32:43Z"
mac: ENC[AES256_GCM,data:iWV6sSItfSAGEjpEytnA/33bkseU+rguCuF3OG7ZAnECFgfLOkTqu4prATJwSKnowom+BcjjqbFMNuS3dQ5l+IIrOVkftpjJEXT0L2/5iry7NBePgqraqOvxSMJ9roxk+yHI1GOWo0UEKehYhLxoCe3g32YqTB4ASflKWJU5bzU=,iv:apZ2IbkwLG4Pppu1tvlXAWmsCZLKwbgRh/QBru4kUBI=,tag:hR5dIbKT3IZcQSCOToWFsw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

4
cluster/apps/data/pgadmin/volume.yaml → cluster/apps/databases/pgadmin/volume.yaml
View File

@@ -3,8 +3,10 @@ apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: pgadmin-config name: pgadmin-config
namespace: data namespace: default
labels: labels:
app.kubernetes.io/name: &name pgadmin
app.kubernetes.io/instance: *name
kasten-io/backup: "true" kasten-io/backup: "true"
spec: spec:
accessModes: accessModes:

55
cluster/apps/databases/pgbackups/helm-release.yaml Normal file
View File

@@ -0,0 +1,55 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app pgbackups
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 0.2.1
sourceRef:
kind: HelmRepository
name: bjw-s-charts
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
image:
repository: prodrigestivill/postgres-backup-local
tag: 14-alpine@sha256:2985300b476382c727fc170d3f2b37972b8445cc92635f1bcc6fa48a1a061f01
env:
POSTGRES_HOST: postgres-rw.default.svc.cluster.local.
POSTGRES_DB: "authelia,freshrss,gitea,hass,healthchecks,joplin,lychee,recipes,sharry,outline,vaultwarden,vikunja,wallabag"
POSTGRES_EXTRA_OPTS: "-Z9 --schema=public --blobs"
SCHEDULE: "@daily"
BACKUP_KEEP_DAYS: "7"
BACKUP_KEEP_WEEKS: "4"
BACKUP_KEEP_MONTHS: "3"
HEALTHCHECK_PORT: "8080"
WEBHOOK_URL: "http://healthchecks.default.svc.cluster.local.:/ping/${SECRET_HEALTHCHECKS_PING_KEY}/postgresql-backup"
service:
main:
ports:
http:
port: 8080
persistence:
backups:
enabled: true
type: nfs
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/backups
mountPath: /backups/postgresql
resources:
requests:
memory: 128Mi
cpu: 50m
limits:
memory: 512Mi

2
cluster/apps/data/pgadmin/kustomization.yaml → cluster/apps/databases/pgbackups/kustomization.yaml
View File

@@ -1,5 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- secret.sops.yaml
- helm-release.yaml - helm-release.yaml
- volume.yaml

30
cluster/apps/databases/pgbackups/secret.sops.yaml Normal file
View File

@@ -0,0 +1,30 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: pgbackups
namespace: default
type: Opaque
stringData:
POSTGRES_USER: ENC[AES256_GCM,data:iIZa4nQ2GB4=,iv:TozvC0f2xbAau4d+Bh+lNyRf4KuQzrDnFHbJDdVqzp8=,tag:NcYaU6iZzTjDp2sFneQHdg==,type:str]
POSTGRES_PASSWORD: ENC[AES256_GCM,data:5HIfce9v8rwcd4l0txoGzw==,iv:KHE+3aTVyA9bDlE/9Padn+hMp+ltaPEjmf1jTCKgg+U=,tag:qBDcXfezg3NugXpeh29J1Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-17T08:37:26Z"
mac: ENC[AES256_GCM,data:qeqt58+cc5BLlaTCaKS6t5q8P1jRQvHrGZjpXv91ONAk5clHQmL8NlOHwXs6ig/bSP8ihjhsI1A8DI6b644Cuti7LWdV/sbCiewZ+Uesu7pfiWSeUN1qMKIyNyWR27NK6BMzUmgjlqraRAsrDXsm25gQU5c8lq9Mw83/Svbds2c=,iv:IRUrRekFQXcQ9PNE9S0mXHfxAGXZoyJws4FZd+LuDSE=,tag:F9sqy/zHbv9pJYTcXy4taA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

5
cluster/apps/documentation/outline/patches/postgres.yaml
View File

@@ -15,7 +15,10 @@ spec:
- name: POSTGRES_DB - name: POSTGRES_DB
value: *app value: *app
- name: POSTGRES_SUPER_PASS - name: POSTGRES_SUPER_PASS
value: ${SECRET_POSTGRESQL_POSTGRES_PASSWORD} valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
envFrom: envFrom:
- secretRef: - secretRef:
name: *app name: *app

1
cluster/apps/kustomization.yaml
View File

@@ -3,7 +3,6 @@ kind: Kustomization
resources: resources:
- namespaces.yaml - namespaces.yaml
- authentication - authentication
- data
- databases - databases
- development - development
- documentation - documentation

3
cluster/apps/storage/kustomization.yaml
View File

@@ -3,4 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- k10 - k10
- resilio-sync-claude
- resilio-sync-helene
- smartctl-exporter - smartctl-exporter
- truecommand

15
cluster/apps/storage/resilio-sync-claude/config/sync.conf Normal file
View File

@@ -0,0 +1,15 @@
{
"listening_port" : 55555,
"storage_path" : "/config",
"vendor" : "docker",
"display_new_version": false,
"directory_root_policy" : "belowroot",
"directory_root" : "/sync/",
"webui" :
{
"listen" : "0.0.0.0:8888",
"allow_empty_password" : false,
"dir_whitelist" : [ "/sync" ]
}
}

104
cluster/apps/storage/resilio-sync-claude/helm-release.yaml Normal file
View File

@@ -0,0 +1,104 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app resilio-sync-claude
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 0.2.1
sourceRef:
kind: HelmRepository
name: bjw-s-charts
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
image:
repository: ghcr.io/auricom/resilio-sync
tag: v2.7.3.1381-1@sha256:0dd28dcf8c6e4854fe1d6321ae4c9168d2ffd5d80b9fac90da54056eeb8d9510
env:
- name: TZ
value: "${TIMEZONE}"
service:
main:
ports:
http:
port: 8888
com:
port: 55555
ingress:
main:
enabled: true
ingressClassName: "nginx"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
persistence:
config:
enabled: true
existingClaim: resilio-sync-claude-config
sync-conf:
enabled: true
type: configMap
configMap:
name: resilio-sync-claude-sync-conf
mountPath: /config/sync.conf
subPath: sync.conf
backups:
enabled: true
type: nfs
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/backups
mountPath: /sync/backup
home-claude:
enabled: true
type: nfs
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/home/claude
mountPath: /sync/home/claude
music-transcoded:
enabled: true
type: nfs
server: "${LOCAL_LAN_OPENMEDIAVAULT}"
path: /export/music_transcoded
mountPath: /sync/music_transcoded
photo:
enabled: true
type: nfs
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/photo
mountPath: /sync/photo
shared-documents:
enabled: true
type: nfs
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/shared-documents
mountPath: /sync/shared-documents
video:
enabled: true
type: nfs
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/video
mountPath: /sync/video
podSecurityContext:
runAsUser: 0
resources:
requests:
cpu: 250m
memory: 512Mi
limits:
memory: 2Gi

13
cluster/apps/storage/resilio-sync-claude/kustomization.yaml Normal file
View File

@@ -0,0 +1,13 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- volume.yaml
- helm-release.yaml
configMapGenerator:
- name: resilio-sync-claude-sync-conf
namespace: default
files:
- config/sync.conf
generatorOptions:
disableNameSuffixHash: true

6
cluster/apps/data/tandoor/volume.yaml → cluster/apps/storage/resilio-sync-claude/volume.yaml
View File

@@ -2,9 +2,11 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: recipes-files name: resilio-sync-claude-config
namespace: data namespace: default
labels: labels:
app.kubernetes.io/name: &name resilio-sync-claude
app.kubernetes.io/instance: *name
kasten-io/backup: "true" kasten-io/backup: "true"
spec: spec:
accessModes: accessModes:

15
cluster/apps/storage/resilio-sync-helene/config/sync.conf Normal file
View File

@@ -0,0 +1,15 @@
{
"listening_port" : 55556,
"storage_path" : "/config",
"vendor" : "docker",
"display_new_version": false,
"directory_root_policy" : "belowroot",
"directory_root" : "/sync/",
"webui" :
{
"listen" : "0.0.0.0:8889",
"allow_empty_password" : false,
"dir_whitelist" : [ "/sync" ]
}
}

81
cluster/apps/storage/resilio-sync-helene/helm-release.yaml Normal file
View File

@@ -0,0 +1,81 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app resilio-sync-helene
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 0.2.1
sourceRef:
kind: HelmRepository
name: bjw-s-charts
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
image:
repository: ghcr.io/auricom/resilio-sync
tag: v2.7.3.1381-1@sha256:0dd28dcf8c6e4854fe1d6321ae4c9168d2ffd5d80b9fac90da54056eeb8d9510
env:
- name: TZ
value: "${TIMEZONE}"
service:
main:
ports:
http:
port: 8889
com:
port: 55556
ingress:
main:
enabled: true
ingressClassName: "nginx"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
persistence:
config:
enabled: true
existingClaim: resilio-sync-helene-config
sync-conf:
enabled: true
type: configMap
configMap:
name: resilio-sync-helene-sync-conf
mountPath: /config/sync.conf
subPath: sync.conf
backups:
enabled: true
type: nfs
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/backups
mountPath: /sync/backup
home-helene:
enabled: true
type: nfs
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/home/helene
mountPath: /sync/home
podSecurityContext:
runAsUser: 0
resources:
requests:
cpu: 250m
memory: 512Mi
limits:
memory: 2Gi

13
cluster/apps/storage/resilio-sync-helene/kustomization.yaml Normal file
View File

@@ -0,0 +1,13 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- volume.yaml
- helm-release.yaml
configMapGenerator:
- name: resilio-sync-helene-sync-conf
namespace: default
files:
- config/sync.conf
generatorOptions:
disableNameSuffixHash: true

17
cluster/apps/storage/resilio-sync-helene/volume.yaml Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: resilio-sync-helene-config
namespace: default
labels:
app.kubernetes.io/name: &name resilio-sync-helene
app.kubernetes.io/instance: *name
kasten-io/backup: "true"
spec:
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-block
resources:
requests:
storage: 1Gi

30
cluster/apps/data/truecommand/helm-release.yaml → cluster/apps/storage/truecommand/helm-release.yaml
View File

@@ -3,18 +3,17 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease kind: HelmRelease
metadata: metadata:
name: &app truecommand name: &app truecommand
namespace: data namespace: default
spec: spec:
interval: 15m interval: 15m
chart: chart:
spec: spec:
chart: kah-common-chart chart: app-template
version: 1.2.2 version: 0.2.1
sourceRef: sourceRef:
kind: HelmRepository kind: HelmRepository
name: k8s-at-home-charts name: bjw-s-charts
namespace: flux-system namespace: flux-system
interval: 15m
install: install:
createNamespace: true createNamespace: true
remediation: remediation:
@@ -23,29 +22,20 @@ spec:
remediation: remediation:
retries: 5 retries: 5
values: values:
global:
nameOverride: *app
image: image:
repository: docker.io/ixsystems/truecommand repository: docker.io/ixsystems/truecommand
tag: "2.2" tag: "2.2"
service: service:
main: main:
ports: ports:
http: http:
port: 80 port: 80
persistence:
config:
enabled: true
existingClaim: truecommand-config
mountPath: /data
ingress: ingress:
main: main:
enabled: true enabled: true
ingressClassName: "nginx" ingressClassName: "nginx"
annotations:
external-dns.home.arpa/enabled: "true"
hosts: hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}" - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths: paths:
@@ -54,8 +44,14 @@ spec:
tls: tls:
- hosts: - hosts:
- *host - *host
persistence:
config:
enabled: true
existingClaim: truecommand-config
mountPath: /data
resources: resources:
requests: requests:
cpu: 50m cpu: 50m
memory: 256Mi memory: 256Mi
limits:
memory: 500Mi

0
cluster/apps/data/homer/kustomization.yaml → cluster/apps/storage/truecommand/kustomization.yaml
View File

6
cluster/apps/data/truecommand/volume.yaml → cluster/apps/storage/truecommand/volume.yaml
View File

@@ -3,13 +3,15 @@ apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: truecommand-config name: truecommand-config
namespace: data namespace: default
labels: labels:
app.kubernetes.io/name: &name truecommand
app.kubernetes.io/instance: *name
kasten-io/backup: "true" kasten-io/backup: "true"
spec: spec:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
storageClassName: rook-ceph-block
resources: resources:
requests: requests:
storage: 1Gi storage: 1Gi
storageClassName: rook-ceph-block

85
cluster/apps/web-tools/homer-code/helm-release.yaml Normal file
View File

@@ -0,0 +1,85 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app homer-code
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 0.2.1
sourceRef:
kind: HelmRepository
name: bjw-s-charts
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: homer
namespace: default
values:
image:
repository: ghcr.io/coder/code-server
tag: 4.7.0
env:
TZ: "${TIMEZONE}"
args:
- --auth
- "none"
- --user-data-dir
- "/config/.vscode"
- --extensions-dir
- "/config/.vscode"
- --port
- "80"
- "/config"
service:
main:
ports:
http:
port: 80
ingress:
main:
enabled: true
ingressClassName: "nginx"
hosts:
- host: &host "homer-code.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
podSecurityContext:
runAsUser: 0
runAsGroup: 0
fsGroup: 0
persistence:
config:
enabled: true
existingClaim: homer-config
affinity:
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values: ["home-assistant"]
- key: app.kubernetes.io/instance
operator: In
values: ["home-assistant"]
topologyKey: kubernetes.io/hostname
resources:
requests:
cpu: 10m
memory: 100Mi
limits:
memory: 500Mi

2
cluster/apps/data/tandoor/kustomization.yaml → cluster/apps/web-tools/homer-code/kustomization.yaml
View File

@@ -1,5 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- helm-release.yaml - helm-release.yaml
- volume.yaml

57
cluster/apps/web-tools/homer/helm-release.yaml Normal file
View File

@@ -0,0 +1,57 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app homer
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 0.2.1
sourceRef:
kind: HelmRepository
name: bjw-s-charts
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
image:
repository: b4bz/homer
tag: v22.08.1
env:
TZ: "${TIMEZONE}"
service:
main:
ports:
http:
port: 8080
ingress:
main:
enabled: true
ingressClassName: "nginx"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
persistence:
config:
enabled: true
mountPath: /www/assets
existingClaim: homer-config
resources:
requests:
cpu: 50m
memory: 256Mi
limits:
memory: 512Mi

2
cluster/apps/data/truecommand/kustomization.yaml → cluster/apps/web-tools/homer/kustomization.yaml
View File

@@ -1,5 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- helm-release.yaml - helm-release.yaml
- volume.yaml

2
cluster/apps/data/homer/volume.yaml → cluster/apps/web-tools/homer/volume.yaml
View File

@@ -5,6 +5,8 @@ metadata:
name: homer-config name: homer-config
namespace: data namespace: data
labels: labels:
app.kubernetes.io/name: &name homer
app.kubernetes.io/instance: *name
kasten-io/backup: "true" kasten-io/backup: "true"
spec: spec:
accessModes: accessModes:

3
cluster/apps/web-tools/kustomization.yaml
View File

@@ -4,9 +4,12 @@ kind: Kustomization
namespace: default namespace: default
resources: resources:
- freshrss - freshrss
- homer
- homer-code
- joplin - joplin
- music-transcode - music-transcode
- sharry - sharry
- tandoor
- theme-park - theme-park
- vaultwarden - vaultwarden
- vikunja - vikunja

25
cluster/apps/web-tools/tandoor/config/nginx-config Normal file
View File

@@ -0,0 +1,25 @@
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
server {
listen 80;
server_name _;
client_max_body_size 128M;
# serve media files
location /media/ {
alias /media/;
}
# serve static files
location /static/ {
alias /static/;
}
# pass requests for dynamic content to gunicorn
location / {
proxy_set_header Host $host;
proxy_set_header REMOTE-USER $http_x_authentik_username;
proxy_pass http://localhost:8080;
}
}
}

103
cluster/apps/web-tools/tandoor/helm-release.yaml Normal file
View File

@@ -0,0 +1,103 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app tandoor
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 0.2.1
sourceRef:
kind: HelmRepository
name: bjw-s-charts
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres
namespace: default
values:
image:
repository: vabene1111/recipes
tag: "1.3.3"
envFrom:
- secretRef:
name: *app
service:
main:
ports:
http:
port: 80
ingress:
main:
enabled: true
ingressClassName: "nginx"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
- host: &host2 "recipes.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
- *host2
persistence:
files:
enabled: true
existingClaim: recipes-files
mountPath: /opt/recipes/mediafiles
nginx-config:
enabled: "true"
mountPath: /etc/nginx/nginx.conf
subPath: nginx-config
type: "custom"
volumeSpec:
configMap:
name: *app
static:
enabled: true
mountPath: /opt/recipes/staticfiles
type: emptyDir
podSecurityContext:
runAsUser: 0
podAnnotations:
configMap.reloader.stakater.com/reload: *app
secret.reloader.stakater.com/reload: *app
securityContext:
runAsUser: 65534
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 512Mi
additionalContainers:
nginx:
name: nginx
image: nginx:1.23.1
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
volumeMounts:
- name: nginx-config
readOnly: true
mountPath: /etc/nginx/nginx.conf
subPath: nginx-config
- name: files
mountPath: /media
- name: static
mountPath: /static

17
cluster/apps/web-tools/tandoor/kustomization.yaml Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- secret.sops.yaml
- helm-release.yaml
- volume.yaml
patchesStrategicMerge:
- patches/env.yaml
- patches/postgres.yaml
configMapGenerator:
- name: tandoor
files:
- config/nginx-config
generatorOptions:
disableNameSuffixHash: true

21
cluster/apps/web-tools/tandoor/patches/env.yaml Normal file
View File

@@ -0,0 +1,21 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: tandoor
namespace: default
spec:
values:
env:
DEBUG: "0"
ALLOWED_HOSTS: "*"
DB_ENGINE: django.db.backends.postgresql_psycopg2
POSTGRES_HOST: postgres-rw.default.svc.cluster.local.
POSTGRES_PORT: 5432
POSTGRES_DB: recipes
GUNICORN_MEDIA: "0"
TIMEZONE: ${TIMEZONE}
TANDOOR_PORT: 8080
FRACTION_PREF_DEFAULT: "0"
COMMENT_PREF_DEFAULT: "1"
SHOPPING_MIN_AUTOSYNC_INTERVAL: "5"

31
cluster/apps/web-tools/tandoor/patches/postgres.yaml Normal file
View File

@@ -0,0 +1,31 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: tandoor
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.5
env:
- name: POSTGRES_HOST
value: postgres-rw.default.svc.cluster.local.
- name: POSTGRES_DB
value: recipes
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: tandoor
key: POSTGRES_USER
- name: POSTGRES_PASS
valueFrom:
secretKeyRef:
name: tandoor
key: POSTGRES_PASSWORD

31
cluster/apps/web-tools/tandoor/secret.sops.yaml Normal file
View File

@@ -0,0 +1,31 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: tandoor
namespace: default
type: Opaque
stringData:
SECRET_KEY: ENC[AES256_GCM,data:Em/RAzEFrQ0vSHrTUAe2CfWii49IVRZkZQt9czp41j0=,iv:cF+q2+E9gtF5LKP974Y5o/MOrdxcvfe8VXUqHhP46Mc=,tag:RlY7ciWvKsZl5S/ljUc9GA==,type:str]
POSTGRES_USER: ENC[AES256_GCM,data:2l2CmdToJg==,iv:lP3yvRedxN3L8sheO71sI5BNOBIEAnQ+QoAm5j4pyyc=,tag:b0yimiebuxKE/PIjhpWr6g==,type:str]
POSTGRES_PASSWORD: ENC[AES256_GCM,data:eGkJzNO6i0vARiw3XXK87g==,iv:iVwOOiTuwI3aK+zdDIZotgLCvbyvYC7sl8vuhyMSyUg=,tag:Vix0RHru20p0fj0a5LH9Sw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2
akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC
Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT
Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq
DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-17T09:12:23Z"
mac: ENC[AES256_GCM,data:aftbkgTFye4mvKE2cT8ygQ76Ybx8Lt5dd9moHJgdMqRzQZBeOctMlaMD2Jm7EY0psuAUkGz4+OS5pv7HJ2/1/rVYNqMsLSpoIYs236te0F58BS1yjHHi1YPNsfhdskPBs6e7xONQTrwQ9Swp/jynosNvuchDCBufxDVk5WG8auo=,iv:JjmbM44EKp6Suw/B2VLLcBZmsfxNuA6OZPaUoWQDvVo=,tag:X1Cuo0XvgmyOWiOQxIZiKg==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

4
cluster/apps/data/resilio-sync/volume.yaml → cluster/apps/web-tools/tandoor/volume.yaml
View File

@@ -2,9 +2,11 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: resilio-sync-config name: tandoor-files
namespace: data namespace: data
labels: labels:
app.kubernetes.io/name: &name tandoor
app.kubernetes.io/instance: *name
kasten-io/backup: "true" kasten-io/backup: "true"
spec: spec:
accessModes: accessModes:

2
cluster/apps/web-tools/vikunja/volume.yaml
View File

@@ -5,6 +5,8 @@ metadata:
name: vikunja-files name: vikunja-files
namespace: data namespace: data
labels: labels:
app.kubernetes.io/name: &name vikunja
app.kubernetes.io/instance: *name
kasten-io/backup: "true" kasten-io/backup: "true"
spec: spec:
accessModes: accessModes:

10
cluster/charts/influxdata-charts.yaml
View File

@@ -1,10 +0,0 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
name: influxdata-charts
namespace: flux-system
spec:
interval: 1h
url: https://helm.influxdata.com/
timeout: 3m

2
cluster/charts/kustomization.yaml
View File

@@ -12,7 +12,6 @@ resources:
- fairwinds-charts.yaml - fairwinds-charts.yaml
- gitea-charts.yaml - gitea-charts.yaml
- grafana-charts.yaml - grafana-charts.yaml
- influxdata-charts.yaml
- ingress-nginx-charts.yaml - ingress-nginx-charts.yaml
- jetstack-charts.yaml - jetstack-charts.yaml
- k8s-at-home.yaml - k8s-at-home.yaml
@@ -24,7 +23,6 @@ resources:
- project-calico-charts.yaml - project-calico-charts.yaml
- prometheus-community-charts.yaml - prometheus-community-charts.yaml
- rook-ceph-charts.yaml - rook-ceph-charts.yaml
- runix-charts.yaml
- stakater-charts.yaml - stakater-charts.yaml
- vector-charts.yaml - vector-charts.yaml
- weaveworks-kured-charts.yaml - weaveworks-kured-charts.yaml

10
cluster/charts/runix-charts.yaml
View File

@@ -1,10 +0,0 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
name: runix-charts
namespace: flux-system
spec:
interval: 1h
url: https://helm.runix.net
timeout: 3m

14
cluster/configuration/cluster-secrets.sops.yaml
View File

@@ -21,25 +21,15 @@ stringData:
SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:X1J9WLT26soYzlDb8+YtPotGw8p0lJKMuNkn69WX,iv:mW2cJOq5gfzSE+U24IuvPVL+dL2nZcTFpPAkG77Ohus=,tag:kxokidtuE5RAGJlj4Q4P2A==,type:str] SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:X1J9WLT26soYzlDb8+YtPotGw8p0lJKMuNkn69WX,iv:mW2cJOq5gfzSE+U24IuvPVL+dL2nZcTFpPAkG77Ohus=,tag:kxokidtuE5RAGJlj4Q4P2A==,type:str]
SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:Bwvuy/jHIRduy/r1A8dOs0OE8ewdjCgs8g/br1oW,iv:PdnPH9I509MT6UJkUG1zLAGn9aV4AVrROgAVCD4a3Y0=,tag:59kBGx9qx3jeauokyoolQQ==,type:str] SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:Bwvuy/jHIRduy/r1A8dOs0OE8ewdjCgs8g/br1oW,iv:PdnPH9I509MT6UJkUG1zLAGn9aV4AVrROgAVCD4a3Y0=,tag:59kBGx9qx3jeauokyoolQQ==,type:str]
SECRET_KUBE_PROMETHEUS_STACK_GRAFANA_ADMIN_PASSWORD: ENC[AES256_GCM,data:L7LS6+tuwPCyb5HN4zg=,iv:JM2KTtDN/VrKicjp5qwqusWiJKHRZnfTtsZE2hkLq6Q=,tag:XGF3L5P6JxVBrlGuKosdZA==,type:str] SECRET_KUBE_PROMETHEUS_STACK_GRAFANA_ADMIN_PASSWORD: ENC[AES256_GCM,data:L7LS6+tuwPCyb5HN4zg=,iv:JM2KTtDN/VrKicjp5qwqusWiJKHRZnfTtsZE2hkLq6Q=,tag:XGF3L5P6JxVBrlGuKosdZA==,type:str]
SECRET_MINIO_ACCESS_KEY: ENC[AES256_GCM,data:cv4//sg=,iv:dx1hciCvVBFcKXbAqoArkTjc/YLyKUp1sXPGuPoX7lw=,tag:+AYVkGKVWXR06h+TwTO9ZQ==,type:str]
SECRET_MINIO_SECRET_KEY: ENC[AES256_GCM,data:qcV/b9q12949ZYExzDP3Yy2nAOY=,iv:7qg5IGEWBF1idgZxObcbWyxeNDAXbuwuf4BqwqC67Qo=,tag:wx44bn38jTel2TocUkCghA==,type:str]
SECRET_MINIO_ENDPOINT: ENC[AES256_GCM,data:2/+oaWr84857KBx8yXrR7JK+EFIGw7ed,iv:iyfCkYl7yIgwDn0fR95rjcLj5Tsrho17ubGW1KDfym8=,tag:o2VTxHOjKrbX94wbRKHRRA==,type:str]
SECRET_MQTT_USER: ENC[AES256_GCM,data:Ggn82GysDHM2b/uNhQ==,iv:f5NXCE5/nfTqq1zdtBNH6Lu8ndf5YZKHgEWc9O0fB0I=,tag:z1OUzEeVgm+a9QRBxo9BEg==,type:str] SECRET_MQTT_USER: ENC[AES256_GCM,data:Ggn82GysDHM2b/uNhQ==,iv:f5NXCE5/nfTqq1zdtBNH6Lu8ndf5YZKHgEWc9O0fB0I=,tag:z1OUzEeVgm+a9QRBxo9BEg==,type:str]
SECRET_MQTT_PASSWORD: ENC[AES256_GCM,data:WBqLezPi1sbzyzfubG71KfR+tg==,iv:gKDgjpPwZ+fEWs+zn3aHiiKglsEl/kue/vx2FaSAtsA=,tag:jXECLxyekqmejJfi11DKsQ==,type:str] SECRET_MQTT_PASSWORD: ENC[AES256_GCM,data:WBqLezPi1sbzyzfubG71KfR+tg==,iv:gKDgjpPwZ+fEWs+zn3aHiiKglsEl/kue/vx2FaSAtsA=,tag:jXECLxyekqmejJfi11DKsQ==,type:str]
SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str] SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str]
SECRET_PGADMIN_EMAIL: ENC[AES256_GCM,data:Cqvgf0l1A3V8C43YJ20RkCToOGQrxA==,iv:6TsLUzW0yMnx+pGK9MLD/1pm7TGcoVz/Ibn4wYGWZ3k=,tag:YBHhIJl28Cnnncz+fPbPNw==,type:str]
SECRET_PGADMIN_PASSWORD: ENC[AES256_GCM,data:1TDN5XLr4ZGQC4qjF9A=,iv:ydluXBbIfFYNEfhgNKxtVOOdqsY2SX+40CjyN4nOsvQ=,tag:hPmQpDYQR3X67AEIOa6sog==,type:str]
SECRET_POSTGRESQL_POSTGRES_PASSWORD: ENC[AES256_GCM,data:AVc452aMFD0v7yemNC/KdA==,iv:fkCQPJJXP/PSyOjvvi3USHfpodT0DY6LDubbr7sITo4=,tag:8Fp5aTnnhg0ojGUN1DP6Xg==,type:str]
SECRET_RADARR_API_KEY: ENC[AES256_GCM,data:Mom5SOMHf7xUvvUkjLIRqMzOSSQshzWdKlSGIzZtIGM=,iv:4vrZFrsTCUW2e0bo2sA2iT+ZVKUDEuyferNJ5Q5klFY=,tag:xha/NKx2XN3Mpa0XPSMPvA==,type:str] SECRET_RADARR_API_KEY: ENC[AES256_GCM,data:Mom5SOMHf7xUvvUkjLIRqMzOSSQshzWdKlSGIzZtIGM=,iv:4vrZFrsTCUW2e0bo2sA2iT+ZVKUDEuyferNJ5Q5klFY=,tag:xha/NKx2XN3Mpa0XPSMPvA==,type:str]
SECRET_RECIPES_DB_PASSWORD: ENC[AES256_GCM,data:p48hux/huJTkYPJaciglPQ==,iv:5rOHaqYSPZbVvh2anmNEtkMNk2OlsPqCRCasV4EPpUM=,tag:Ot5BDGTKfnEPKCriGaTEbA==,type:str]
SECRET_RECIPES_SECRET_KEY: ENC[AES256_GCM,data:qW6IeclLI1PeLkuRcLyTtA==,iv:6aJoRDjNS1Mtf6IC+R8ubcEO/dIc6GU36GZE1IJgqsw=,tag:LdKVsoA4AtYpvrROY30OAg==,type:str]
SECRET_SONARR_API_KEY: ENC[AES256_GCM,data:JO5N+MeVeQmAlfv/dLJru5oHyVjpy9iUrfrTe4PLVXA=,iv:NjGstpjwFapd2LJNPy6nhXsp9UuCYTBuHRovmHdCSNc=,tag:BARsx6FBISHhxueBSDJSNw==,type:str] SECRET_SONARR_API_KEY: ENC[AES256_GCM,data:JO5N+MeVeQmAlfv/dLJru5oHyVjpy9iUrfrTe4PLVXA=,iv:NjGstpjwFapd2LJNPy6nhXsp9UuCYTBuHRovmHdCSNc=,tag:BARsx6FBISHhxueBSDJSNw==,type:str]
SECRET_SHARRY_DB_USERNAME: ENC[AES256_GCM,data:wWnV6hHz,iv:+uV0X2tovaisFuO5KcF9PpKPyYeS4WtrrPt4Ll+CnsU=,tag:zNWR9AqheMGho0yV923vvw==,type:str] SECRET_SHARRY_DB_USERNAME: ENC[AES256_GCM,data:wWnV6hHz,iv:+uV0X2tovaisFuO5KcF9PpKPyYeS4WtrrPt4Ll+CnsU=,tag:zNWR9AqheMGho0yV923vvw==,type:str]
SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:Y0gk4bRcEws2b0SF4AY=,iv:3cQbD/uvWNGjEmz3z8uEbXWwJffIrTj3nSDsGBS0MEU=,tag:RsIBq9zI8+2temGj5r/Lqg==,type:str] SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:Y0gk4bRcEws2b0SF4AY=,iv:3cQbD/uvWNGjEmz3z8uEbXWwJffIrTj3nSDsGBS0MEU=,tag:RsIBq9zI8+2temGj5r/Lqg==,type:str]
SECRET_SHARRY_MINIO_S3_ACCESS_KEY: ENC[AES256_GCM,data:KsgAP5n1w8Y38bF0F5tSiNRuvG4=,iv:i8DtlG3qlwl/RGz8xbthCuFMTlKA3/G1eHxeYCC7GBQ=,tag:GZvYnEmDiDPUm5LyWxORCA==,type:str] SECRET_SHARRY_MINIO_S3_ACCESS_KEY: ENC[AES256_GCM,data:KsgAP5n1w8Y38bF0F5tSiNRuvG4=,iv:i8DtlG3qlwl/RGz8xbthCuFMTlKA3/G1eHxeYCC7GBQ=,tag:GZvYnEmDiDPUm5LyWxORCA==,type:str]
SECRET_SHARRY_MINIO_S3_SECRET_KEY: ENC[AES256_GCM,data:CjOaczbEjtyjSkjFJjYFXBmqtkL7vFK1p13qbpVi1vWbUXSh00fFKw==,iv:NnNt6g1pLE1ieu/xjUhzgbIg1KbpsRhtcdQfUlhPEjo=,tag:ezrGRDHDJJ/A5foabeZw6A==,type:str] SECRET_SHARRY_MINIO_S3_SECRET_KEY: ENC[AES256_GCM,data:CjOaczbEjtyjSkjFJjYFXBmqtkL7vFK1p13qbpVi1vWbUXSh00fFKw==,iv:NnNt6g1pLE1ieu/xjUhzgbIg1KbpsRhtcdQfUlhPEjo=,tag:ezrGRDHDJJ/A5foabeZw6A==,type:str]
SECRET_VIKUNJA_JWT_SECRET: ENC[AES256_GCM,data:8axiOB5PPhjEwBoYB3NtT0ewlNWNK92EAIEAi+NR1J4=,iv:uNBL/FfhamQwBzfKbZTPBeGUgbOfKKQM4SdDCGMv+HU=,tag:YpK+cW/ISWj9jGCeWBeJSg==,type:str]
SECRET_VIKUNJA_PASSWORD: ENC[AES256_GCM,data:m3pGmQGYvqPO0ubxhaDGNg==,iv:hIzZP5JMnG9W3QWr50YeZ9FDRNRh1qOWFliRIDHV6+I=,tag:6/ymdGs4Q2cla+bN8r9KGw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@@ -55,8 +45,8 @@ sops:
WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg== pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-16T21:48:32Z" lastmodified: "2022-09-17T08:21:38Z"
mac: ENC[AES256_GCM,data:FrE2y1B7Wq784Ey2OHF4K00M6VUYKSwHzFW1RoW9vJ1AZYCuc1N27bs4fGtAAlTARl9MENFEhLx02a+Vyo0zxx9fy3X+lOqH4XEh4AgTcRUDOKuHuGLeHkcKIHhLUQBQh6FDdSrMlai+feCq4QPW2BCVNisrKf65AowO2Tmg9PE=,iv:lznSLR602Mqngy7X8kYG6rVe46wBQZHZczMj9FtGxQc=,tag:KcMp5a/j2AU+ZGsLocGgQA==,type:str] mac: ENC[AES256_GCM,data:sMAsNdWMRUP0SF3VPpwsRiKKf2+iXicuf02jFtPATqriU/Aa9VhmS7c6ERfysvtEmMD/sZQq4XjM7+mxBNt6JsQEHed/dFJ+mHlQo9jTROqo7lwfH2Av4iMyX+x4nsZWsZ6EPqSGdifQhg70vGRteM3hEAofGHTY6bBx+PM8kSY=,iv:7PveSfpQTZJdBzQit5ZNU4UrlBcyqcOPz+o5BZQpHvw=,tag:hAPLANvwhVNRylJOgHWDVw==,type:str]
pgp: [] pgp: []
encrypted_regex: ^(data|stringData)$ encrypted_regex: ^(data|stringData)$
version: 3.7.3 version: 3.7.3

3
cluster/configuration/cluster-settings.yaml
View File

@@ -11,11 +11,12 @@ data:
CLUSTER_LB_UNIFI: 192.168.169.103 CLUSTER_LB_UNIFI: 192.168.169.103
CLUSTER_LB_GITEA: 192.168.169.104 CLUSTER_LB_GITEA: 192.168.169.104
CLUSTER_LB_QBITTORRENT: 192.168.169.105 CLUSTER_LB_QBITTORRENT: 192.168.169.105
CLUSTER_LB_RESILIOSYNC: 192.168.169.106 CLUSTER_LB_RESILIOSYNC_CLAUDE: 192.168.169.106
CLUSTER_LB_HASS: 192.168.169.107 CLUSTER_LB_HASS: 192.168.169.107
CLUSTER_LB_SYSLOG: 192.168.169.108 CLUSTER_LB_SYSLOG: 192.168.169.108
CLUSTER_LB_EMQX: 192.168.169.109 CLUSTER_LB_EMQX: 192.168.169.109
CLUSTER_LB_JELLYFIN: 192.168.169.110 CLUSTER_LB_JELLYFIN: 192.168.169.110
CLUSTER_LB_RESILIOSYNC_HELENE: 192.168.169.111
LOCAL_LAN: 192.168.8.0/22 LOCAL_LAN: 192.168.8.0/22
LOCAL_LAN_OPNSENSE: 192.168.8.1 LOCAL_LAN_OPNSENSE: 192.168.8.1
LOCAL_LAN_TRUENAS: 192.168.9.10 LOCAL_LAN_TRUENAS: 192.168.9.10