♻️ migrate postgresql to truenas jail + minio https

This commit is contained in:
auricom
2024-01-13 17:47:18 +01:00
parent badd042d50
commit 7fd3c78db8
111 changed files with 785 additions and 266 deletions


@@ -18,6 +18,7 @@ fact_caching_connection = ~/.ansible/facts_cache
remote_port = 22
timeout = 60
host_key_checking = False
privatekeyfile = ~/.ssh/id_ed25519
# Plugin settings
vars_plugins_enabled = host_group_vars,community.sops.sops
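Review bot: If `privatekeyfile = ~/.ssh/id_ed25519` is the line this hunk adds, Ansible will silently ignore it, because the `[defaults]` option is spelled `private_key_file`; the line should read `private_key_file = ~/.ssh/id_ed25519`. Which of the shown lines is the new one cannot be told from the rendered page (no markers, one net addition), so confirm against the raw diff. `host_key_checking = False` is pre-existing context and not changed by this commit.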


@@ -1,5 +1,9 @@
kind: Secret
secret_domain: ENC[AES256_GCM,data:SjdnR9pDjveodvo=,iv:GKvdD7c3bmaQN+CAYoKwAy78em9vYljGyl6VfGmJk9E=,tag:hz92J7d1NokEeyB6vxr3Uw==,type:str]
public_ssh_keys:
- ENC[AES256_GCM,data:/J9ejzvJHV5wdz9Dj0jUmAaVtIkgVpEoIRJocNGhszY2bmu5mruwWSz6E+XkcAGE0zQMo/9N8imIZoXfq0UQSyfCCitrA09x1z0Hf0s3iSA=,iv:jzA3bIQw+pL4tjNASNMwMcdHW+vSxgVo4Czo/ja0AO8=,tag:iTEDjARfH96oXATQu8VR8Q==,type:str]
- ENC[AES256_GCM,data:c105qLvE6iHoBQl4X0qEFDPXOsiA+YGUVK4gl7O0pqHZ6IIs3m1Z28PKl84GuaPL1pV7I55KccQdAnqjQw0XSZ/lWI+IC2BXj3dJ6paLZNU=,iv:lQod/AwDquA22zJLmvpiuQvaPXo1JFSOV+9yybVjMZc=,tag:Z2eArvfrP8YN3irG45wMRw==,type:str]
- ENC[AES256_GCM,data:pMYg+hNpYCl5fwvNbz0bjm0KaEuIGMeBXXblTGpbur17Nxulnn5DQ5H3k8Wash1F9BJeBfQOTGXDx1XEfp2CDlymuLHdjP6xU7+daD0/JbA=,iv:49Mh9zGN5AJgTXGb8lF38jyme46nd7RqKil3PI13ww8=,tag:2c6jSEZImNEWvM3Asc2jhw==,type:str]
sops:
kms: []
gcp_kms: []
@@ -15,8 +19,8 @@ sops:
c3JkOFZzYnpINjQ5QnNkaE9IYUdXL3MKsBelDv/z5nTYC6/1Zm8kmzqEoLBVPnhy
v0v/6n1GksmzslbNdKhy+xtxHYrqouhc2P4hNi0R8p8u76RXERN5fg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-11T15:03:36Z"
mac: ENC[AES256_GCM,data:PYjJ/WxF8UXZPnccFdjtwsS+W2N1TQmNFtTIHazFLFiSxC4b6li7TcOEpQL2HClWeXwJXkUnWGUfH9YLEPVxlAqBygaDBdghPN0uTrKaV4ZaiAQ1EhtKfGDkIGvb+aDpbRuNH77nXzDv4ws3ObSdTCsHp2LOepi4NVSuEw6MlOY=,iv:Bk+VTEsAyeRQkf9wbcBpANeXvIvGn6JzOuHRM0ilF/s=,tag:6MT3xUDX/o3e1zu8WrGm/A==,type:str]
lastmodified: "2024-01-13T09:43:41Z"
mac: ENC[AES256_GCM,data:R7gzINLxiaqSh4JgP9jhMTG1GaM5WnUA24Uv5OMVB3cHIjgE65o3ybjbmPGpAejpfQ+lKSKKXxeWRpissn9h6DVr1RLi5jnXlngMt5REDiNSsxRI7j3aktTvd2wJQUcGObrhngp+lhFPsufZuOg7hFdvcgCP3SM7sDwrxBaOjgk=,iv:XqaEQtFhBkm1qV7khzhftE2Sxy5xUH/I4/CBqKW9R+w=,tag:FRbncSBOFqVrFTEXmZf+uw==,type:str]
pgp: []
unencrypted_regex: ^(kind)$
version: 3.8.1


@@ -1,23 +0,0 @@
kind: Secret
minio_access_key: ENC[AES256_GCM,data:4MC50gc06VvP9BViitovlw==,iv:Bu8c986MyeHrMioPYlBG/zSzFv4EOytxTHkXZzI6Iow=,tag:EbRlKgdx63M8CDNa/8RrWQ==,type:str]
minio_secret_key: ENC[AES256_GCM,data:zd7bC1c3pam4xqcsaZOf3A==,iv:8K8x9dcsByZ60pytIPl9ESUbZeu+7S8Z+faQEewDZB8=,tag:3/5b8ZzAIqrVtf37eziwjg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVy9DRjhqOW05Wm4rNXZo
bFJxem9UZjNSQW5UaTRZaWQ1clZQSHJrNHpVCmo3Y0RPd1BRRC9ZZHJ0SndSUXJv
UkpPWTNOUWFPL1hCUGJrTFBPZml5QncKLS0tIGI5UUJKMXR0d1d3ZzRDSURuWVFl
ZFlyQ1lGbnVPaSs4cytQYzNwRnJabmcKP0ogZqsaoD6heCqmObwttBgE039aLqe2
R55NPkQJJyFSbDbdDmPApE4IwtXay54QGw2RR4AxOZW4G2dWhdzP3w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-09T13:25:29Z"
mac: ENC[AES256_GCM,data:ro+P8PAr0YDuer3CBf7XBIBz+YlnHGCDGIkKFw1TRvEeJNgNFF6mv+voPyiTFIHRh/541MNlzEyRpc0As1PHU/7O2SLBqKA3GnzaLM4s/5Euu7pXTFl3jtIXtTe1DMGTWmyvyqSNXEoEhPmjFn0bMXKhrINuVWxYkDspZxnnOe4=,iv:MZjiTvWIPacX55RZfVh8qUmVsNPMJaZcJIc8JmxuUag=,tag:Q6MnDbByAno9pwH0xWTKMA==,type:str]
pgp: []
unencrypted_regex: ^(kind)$
version: 3.8.1


@@ -0,0 +1 @@
postgresql_version: 15


@@ -0,0 +1 @@
postgresql_version: 16


@@ -1,4 +1,3 @@
main_nas: false
pool_name: vol1
snapshots_interval: "daily:14,weekly:12,monthly:12,yearly:3"
uptime_kuma_id_truenas_cert: Oxu1GVb5tl


@@ -2,6 +2,9 @@ kind: Secret
root_api_key: ENC[AES256_GCM,data:Fhj1MGeHxe/A6O7uVjMrCEu7J4rsiWrhbXgbAenb5CunoRPu0XLV/227WAFc4wFkboFNnt3bjzugvdvM5w/0JSry,iv:7uuHkrSKGShhIso8RgIJsOSYOxBiyyM/D5Dg+IGDh1Y=,tag:dP4gfIIUAEBUm91h5IHSug==,type:str]
ansible_password: ENC[AES256_GCM,data:zRaOy+b26VWMCVIPKLU=,iv:S+BX0fqVizWTZZr0A4MaXkw/4XhE2Pb+RGPjvnWuUpk=,tag:TUcGk8Hp9Zv17L/pmX4E7g==,type:str]
ansible_become_pass: ENC[AES256_GCM,data:xGVU7dW/MMI9bV6Vz+M=,iv:6/ikVQfHxjdCy5KKT+Yksj/OFws2WRcy8oDI2Oay7Eo=,tag:JOLmvpOAIjIHJ/K7Eaoxjw==,type:str]
minio_access_key: ENC[AES256_GCM,data:S4jElnraMiUip89QcF9VjQ==,iv:gSgUnDPTgIyXvmXt/ocIB3v6Dcq+c8ADrmQXVwgXVAM=,tag:ykHGBcHbZ431gvkxp6q+iA==,type:str]
minio_secret_key: ENC[AES256_GCM,data:kfeIRjsEGFAsQmVw9QsyoA==,iv:milmhE0Y2mdW6Yx910IsRRwNO7JxsYhUL5wBDTOUBLU=,tag:Ghy68+5i4m/0+IIve23YJQ==,type:str]
postgresql_password: ENC[AES256_GCM,data:Fm/TW9zb36GzPOstV2kt96WJPAJ/0ylsSKDzzJdLmmsUQINSsXag5g==,iv:KkdOsbTN8i6taJXpavBTXCcJhRyMzmwf3gjh/nubu5M=,tag:0wWqT3ij2mudjT/vZT9OjA==,type:str]
sops:
kms: []
gcp_kms: []
@@ -17,8 +20,8 @@ sops:
aG5zWW1XclBOS2cxMkwzZ3c1R1psNGsKzeSHHV7AYXCUNiiXJlBRFVWMZtfK3naj
VRtF22+DYfjumQuwam2ZzhdLQ//1ciHnkJc58dKeTbYUHzC+fWpaZQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-07-21T19:48:18Z"
mac: ENC[AES256_GCM,data:nBonR9Ab5aY+F7w0HE+TRLScRtF5cQNxh3Uvc7jewiLnieolRQtfNiGzKk4YRgqFV8zRTbwS0jvpiqynhxl/ctIKWl2odVDrNkZljidn3jbSz5HUp+f6zxP3DCRXzsBFpunDT8CSdHBhdUWv+82WtFwg2pLH+nTtY11QkH4rQQk=,iv:ILeqDNEEPnb0serEObPMA2LC16ddScH1NwOiZ0M0EHo=,tag:puyv0jvBkCm/X/za6u3oVA==,type:str]
lastmodified: "2024-01-14T10:19:17Z"
mac: ENC[AES256_GCM,data:51zO9hPDmKOQN3ui9+/4tHVg+xYIoNw0y/BQ/f0QSW968ZhotHftQqLS7i9h14871zWPI8/J7m7hWb4X8LIS4Hn8Bf6PsBt6efm0QSsNvvaiUUwisn/WgbQXp7fF6NyN3f1beHJAm5a/qmVbuCYwySwDlZfAbrHnyY3ogq3dKjs=,iv:V2F4Dc7VxodM6d6ioD8tROjwPcU671a8IZzm8GWpihc=,tag:5JU0/QzcGjn2xJLbSB/tJA==,type:str]
pgp: []
unencrypted_regex: ^(kind)$
version: 3.7.3
version: 3.8.1


@@ -1,5 +1,6 @@
main_nas: true
pool_name: storage
service_s3: true
iocage_pool_name: apps
postgresql_pool_name: apps
minio_pool_name: storage
snapshots_interval: "daily:14,weekly:12,monthly:3"
uptime_kuma_id_truenas_cert: f8nAZOHoQb


@@ -1,21 +1,21 @@
---
all:
hosts:
localhost:
ansible_connection: local
ansible_python_interpreter: /usr/bin/python3
coreelec:
ansible_host: coreelec.{{ secret_domain }}
ansible_user: root
minio:
ansible_host: 192.168.9.14
ansible_user: minio
children:
truenas-instances:
hosts:
truenas:
ansible_host: truenas.{{ secret_domain }}
truenas-remote:
ansible_host: truenas-remote.{{ secret_domain }}
ansible_port: 35875
vars:
ansible_user: homelab
truenas-jails:
hosts:
minio_v2:
postgresql_v15:
postgresql_v16:
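Review bot: The three hosts under `truenas-jails` carry no `ansible_host` or connection settings, and the task files only use their names as iocage jail names and as keys into `hostvars`, delegating the actual work to the IP discovered inside the jail; that is not obvious from the inventory and deserves a comment such as `# jail names only: never targeted directly, tasks delegate_to the IP read from inside the jail`. Because main.yml selects the PostgreSQL jails with `select('search', 'postgresql')` and reads `hostvars[...]['postgresql_version']`, the naming scheme and the per-host `postgresql_version` files are part of that contract and belong in the same comment. Whether `truenas-jails` sits under `children` cannot be verified here, since the rendered page lost the indentation.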


@@ -1,7 +0,0 @@
---
- name: restart postgresql
ansible.builtin.service:
name: postgresql
state: restarted
delegate_to: "{{ postgres_jail_ip.stdout }}"
remote_user: root


@@ -0,0 +1,32 @@
---
- block:
- name: jail-init | {{ outside_item.item }} | start jail
ansible.builtin.shell:
cmd: iocage list | grep -q '^.*\s{{ outside_item.item }}\s.*\sdown\s.*$' && iocage start {{ outside_item.item }}
failed_when: false
- name: jail-init | {{ outside_item.item }} | create .ssh directory
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} 'mkdir -p /root/.ssh; echo "" > /root/.ssh/authorized_keys; chmod 700 /root/.ssh; chmod 600 /root/.ssh/authorized_keys'
- name: jail-init | {{ outside_item.item }} | deploy ssh keys
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} 'echo "{{ item }}" >> /root/.ssh/authorized_keys'
loop: "{{ public_ssh_keys }}"
- name: jail-init | {{ outside_item.item }} | activate sshd
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} 'sysrc sshd_enable="YES"'
- name: jail-init | {{ outside_item.item }} | sshd permit root login
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} 'echo "PermitRootLogin yes" >> /etc/ssh/sshd_config'
- name: jail-init | {{ outside_item.item }} | start sshd
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} 'service sshd start'
- name: jail-init | {{ outside_item.item }} | install packages
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} 'pkg install -y python39 bash sudo; ln -s /usr/local/bin/bash /bin/bash'
become: true
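Review bot: `echo "PermitRootLogin yes" >> /etc/ssh/sshd_config` enables password login for root in every new jail although the preceding tasks already deploy keys; `PermitRootLogin prohibit-password` gives the same key-based access without the password path, and appending with `>>` also duplicates the directive on every run instead of editing it in place. The start task's `failed_when: false` hides every error, including a jail that genuinely fails to start; since the `grep -q ... && iocage start` pipeline exits 1 when the jail is already up, `register` the result and use `failed_when: start.rc not in [0, 1]` instead. `echo "" > /root/.ssh/authorized_keys` writes a blank first line before the keys are appended, which is harmless but worth either a comment or a plain `: > /root/.ssh/authorized_keys` truncation.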


@@ -0,0 +1,42 @@
---
- name: jails | check if jail exist
ansible.builtin.shell:
cmd: iocage list --header | awk '{print $2}' | grep --word-regexp {{ item }}
loop: "{{ groups['truenas-jails'] }}"
register: jails_check
changed_when: false
failed_when: jails_check.rc != 0 and jails_check.rc != 1
- name: jails | is iocage fetch required
ansible.builtin.set_fact:
jail_missing: true
loop: "{{ jails_check.results }}"
when: item.rc == 1
- block:
- name: jails | get current FreeBSD release
ansible.builtin.shell:
cmd: freebsd-version | cut -d '-' -f 1-2
register: release
failed_when: release.rc != 0
- name: jails | fetch iocage template {{ release.stdout }}
ansible.builtin.shell:
cmd: iocage fetch -r {{ release.stdout }}
become: true
- name: jails | create jail
ansible.builtin.shell:
cmd: iocage create -r {{ release.stdout }} -n {{ item.item }} dhcp=on boot=on
loop: "{{ jails_check.results }}"
when: item.rc == 1
become: true
- name: jails | init jails
ansible.builtin.include_tasks: init.yml
loop: "{{ jails_check.results }}"
loop_control:
loop_var: outside_item
when: outside_item.rc == 1
when: jail_missing
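Review bot: `when: jail_missing` on the block raises an undefined-variable error whenever every jail already exists, because `jail_missing` is only set by the `set_fact` task when some `item.rc == 1`; use `when: jail_missing | default(false)` or set `jail_missing: false` before the check. `iocage create ... dhcp=on boot=on` presumably also needs `vnet=on` and `bpf=yes` for DHCP to work inside an iocage jail — confirm against the iocage defaults in use. The `grep --word-regexp {{ item }}` lookup relies on jail names being plain words without regex metacharacters, which holds for the current inventory but deserves a comment.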


@@ -0,0 +1,70 @@
---
- name: jail-minio | get jail ip
ansible.builtin.shell:
cmd: iocage exec minio_v2 ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
changed_when: false
register: minio_jail_ip
become: true
- name: jail-minio_v2 | copy letsencrypt certificate
ansible.builtin.copy:
src: /mnt/{{ pool_name }}/home/homelab/letsencrypt/xpander.ovh/{{ item.src }}
remote_src: true
dest: /mnt/{{ iocage_pool_name }}/iocage/jails/minio_v2/root/home/minio/certs/{{ item.dest }}
owner: 1002
group: 1002
mode: 0600
loop:
- { src: "fullchain.pem", dest: "public.crt" }
- { src: "key.pem", dest: "private.key" }
register: certificates
become: true
- block:
- name: jail-minio | install minio
ansible.builtin.pkgng:
name:
- minio
- curl
state: present
register: installation
- name: jail-minio | create minio configuration in /etc/rc.conf
ansible.builtin.blockinfile:
path: /etc/rc.conf
state: present
block: |
# MINIO
minio_enable="YES"
minio_address=":9000"
minio_console_address=":9001"
minio_disks="/mnt/data"
minio_certs="/home/minio/certs"
minio_env="MINIO_ACCESS_KEY={{ minio_access_key }} MINIO_SECRET_KEY={{ minio_secret_key }}"
no_log: false
register: configuration
- name: jail-minio | restart minio service
ansible.builtin.service:
name: minio
state: restarted
enabled: true
when: configuration.changed == true or installation.changed == true or certificates.changed == true
- name: jail-minio | wait for 5 seconds
ansible.builtin.pause:
seconds: 5
- name: jail-minio | check minio service
ansible.builtin.command: curl -s localhost:9000/minio/health/live
register: curl_result
ignore_errors: true
changed_when: false
- name: jail-minio | fail if curl command failed
ansible.builtin.fail:
msg: 'Curl command failed'
when: curl_result.rc != 0
delegate_to: "{{ minio_jail_ip.stdout }}"
remote_user: root
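Review bot: `no_log: false` on the `blockinfile` task leaves `MINIO_ACCESS_KEY` and `MINIO_SECRET_KEY`, rendered into `minio_env`, in the play output and in any callback or log; set `no_log: true` there, and note that `/etc/rc.conf` is typically world-readable inside the jail, so the credentials are also exposed to any local user of it. `grep 'inet'` in the get-jail-ip task also matches `inet6` lines, so `minio_jail_ip.stdout` can become multi-line and the `delegate_to` below then targets an invalid host; `grep -w inet` fixes it, and the same pattern appears in postgresql-conf.yml and postgresql-init.yml. Finally, with `minio_certs` set MinIO serves TLS on 9000, so `curl -s localhost:9000/minio/health/live` fails on the plain-HTTP handshake, and without `-f` curl exits 0 on an HTTP error anyway; a local liveness probe needs `https://` plus `-f` (and `-k` or `--resolve`, since the certificate is not issued for `localhost`).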


@@ -0,0 +1,32 @@
---
- block:
- name: jail-minio_v2_v2 | create zfs pools
community.general.zfs:
name: "{{ minio_pool_name }}/minio_v2"
state: present
extra_zfs_properties:
atime: off
setuid: off
- name: jail-minio_v2 | create empty data dir
ansible.builtin.shell:
cmd: iocage exec minio_v2 mkdir -p /mnt/data
- name: jail-minio_v2 | mount data
ansible.builtin.shell:
cmd: iocage fstab -a minio /mnt/{{ minio_pool_name }}/minio /mnt/data nullfs rw 0 0
- name: jail-minio_v2 | change create minio user
ansible.builtin.shell:
cmd: iocage exec minio_v2 'pw useradd minio -u 1002 -g 1002 -d /home/minio -m'
- name: jail-minio_v2 | change owner on data dir
ansible.builtin.shell:
cmd: iocage exec minio_v2 'chown 1002:1002 /mnt/data'
- name: jail-minio_v2 | create certificates folder
ansible.builtin.file:
path: /mnt/{{ iocage_pool_name }}/iocage/jails/minio_v2/root/home/minio/certs
owner: 1002
group: 1002
become: true
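Review bot: The dataset created is `{{ minio_pool_name }}/minio_v2`, but the `iocage fstab -a` line mounts `/mnt/{{ minio_pool_name }}/minio` into a jail named `minio`, not `minio_v2`, so the new jail ends up without `/mnt/data` backed by the new dataset (and the existence check in main.yml looks under `minio_v2`); unless reusing the old dataset is intended, it should read `cmd: iocage fstab -a minio_v2 /mnt/{{ minio_pool_name }}/minio_v2 /mnt/data nullfs rw 0 0`. `atime: off` and `setuid: off` are read by PyYAML as boolean false rather than the string `off`; unless the zfs module normalises booleans, quote them as `'off'` as the community.general.zfs documentation does, here and in postgresql-init.yml. The first task name reads `jail-minio_v2_v2`.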


@@ -0,0 +1,64 @@
---
- name: jail-{{ outside_item.item }} | get jail ip
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
changed_when: false
register: postgresql_jail_ip
become: true
- name: jail-{{ outside_item.item }} | copy letsencrypt certificate
ansible.builtin.copy:
src: /mnt/{{ pool_name }}/home/homelab/letsencrypt/xpander.ovh/{{ item.src }}
remote_src: true
dest: /mnt/{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item.dest }}
owner: 770
group: 770
mode: 0600
loop:
- { src: "fullchain.pem", dest: "server.crt" }
- { src: "key.pem", dest: "server.key" }
register: certificates
become: true
tags:
- certificates
- block:
- name: jail-{{ outside_item.item }} | configure pg_hba
ansible.builtin.template:
src: postgresql/pg_hba.conf
dest: /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/pg_hba.conf
owner: postgres
group: postgres
register: pg_hba
- name: jail-{{ outside_item.item }} | postgresql configuration
community.postgresql.postgresql_set:
name: "{{ item.name }}"
value: "{{ item.value }}"
loop:
# listen to all addresses
- { name: 'listen_addresses', value: '*' }
# disable full page writes because of ZFS
- { name: 'full_page_writes', value: 'off' }
# SSL configuration
- { name: 'ssl', value: 'on' }
- { name: 'ssl_cert_file', value: 'server.crt' }
- { name: 'ssl_key_file', value: 'server.key' }
- { name: 'ssl_prefer_server_ciphers', value: 'on' }
loop_control:
loop_var: item
become: true
vars:
ansible_become_user: postgres
register: pg_conf
- name: restart postgresql
ansible.builtin.service:
name: postgresql
state: reloaded
when: certificates.changed or pg_hba.changed or pg_conf.changed
tags:
- certificates
delegate_to: "{{ postgresql_jail_ip.stdout }}"
remote_user: root
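Review bot: The final task is named `restart postgresql` but uses `state: reloaded`, and `listen_addresses` (set in the `postgresql_set` loop) only takes effect at server start, so on a fresh jail — where postgresql-init.yml starts the service before this file runs — the server keeps listening on localhost until someone restarts it by hand. `postgresql_set` reports `restart_required` per loop result, so the task could use `state: "{{ 'restarted' if (pg_conf.results | selectattr('restart_required') | list) else 'reloaded' }}"`. `owner: 770` / `group: 770` on the certificate files is presumably the `postgres` uid/gid of the FreeBSD package, mirroring `owner: postgres` on the pg_hba task — worth a comment, or use the name. The certificate source path hard-codes `xpander.ovh` while the rest of the repository references the domain through `secret_domain`; the same literal appears in minio-conf.yml.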


@@ -0,0 +1,134 @@
---
- name: jail-{{ outside_item.item }} | get jail ip
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
changed_when: false
register: postgresql_jail_ip
become: true
- block:
- name: jail-{{ outside_item.item }} | create zfs pools
community.general.zfs:
name: "{{ item }}"
state: present
loop:
- "{{ postgresql_pool_name }}/postgresql"
- "{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}"
- name: jail-{{ outside_item.item }} | configure zfs pool postgresql
community.general.zfs:
name: "{{ postgresql_pool_name }}/postgresql"
state: present
extra_zfs_properties:
atime: off
setuid: off
- name: jail-{{ outside_item.item }} | create empty data{{ hostvars[outside_item.item]['postgresql_version'] }} dir
ansible.builtin.shell:
cmd: iocage exec {{ outside_item.item }} mkdir -p /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}
- name: jail-{{ outside_item.item }} | mount data{{ hostvars[outside_item.item]['postgresql_version'] }}
ansible.builtin.shell:
cmd: iocage fstab -a {{ outside_item.item }} /mnt/{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }} /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }} nullfs rw 0 0
become: true
- block:
- name: jail-{{ outside_item.item }} | packages
community.general.pkgng:
name:
- postgresql{{ hostvars[outside_item.item]['postgresql_version'] }}-server
- postgresql{{ hostvars[outside_item.item]['postgresql_version'] }}-contrib
- postgresql{{ hostvars[outside_item.item]['postgresql_version'] }}-client
- py39-pip
state: present
- name: jail-{{ outside_item.item }} | pip packages
ansible.builtin.pip:
name: psycopg2
state: present
- name: jail-{{ outside_item.item }} | change postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }} mod
ansible.builtin.file:
path: /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}
owner: postgres
group: postgres
- name: jail-{{ outside_item.item }} | initdb
ansible.builtin.shell:
cmd: su -m postgres -c 'initdb -E UTF-8 /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}'
- name: jail-{{ outside_item.item }} | move base and pg_wal
ansible.builtin.shell:
cmd: su -m postgres -c 'mv /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }} /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}0'
loop:
- base
- pg_wal
- name: jail-{{ outside_item.item }} | create base and pg_wal empty dirs
ansible.builtin.file:
path: /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}
state: directory
owner: postgres
group: postgres
loop:
- base
- pg_wal
delegate_to: "{{ postgresql_jail_ip.stdout }}"
remote_user: root
- block:
- name: jail-{{ outside_item.item }} | create missing zfs pools
community.general.zfs:
name: "{{ item }}"
state: present
loop:
- "{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}/base"
- "{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}/pg_wal"
- name: jail-{{ outside_item.item }} | mount base
ansible.builtin.shell:
cmd: iocage fstab -a {{ outside_item.item }} /mnt/{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }} /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }} nullfs rw 0 0
loop:
- base
- pg_wal
become: true
- block:
- name: jail-{{ outside_item.item }} | move base and pg_wal content to mounts
ansible.builtin.shell:
cmd: mv /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}0/* /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}/; rmdir /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}0
loop:
- base
- pg_wal
- name: jail-{{ outside_item.item }} | change mod
ansible.builtin.file:
path: /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}
state: directory
owner: postgres
group: postgres
recurse: true
loop:
- base
- pg_wal
- name: jail-{{ outside_item.item }} | enable postgresql service
community.general.sysrc:
name: postgresql_enable
state: present
value: "YES"
- name: jail-{{ outside_item.item }} | start postgresql service
ansible.builtin.service:
name: postgresql
state: started
- name: jail-{{ outside_item.item }} | change postgresql password
postgresql_query:
login_user: postgres
query: ALTER USER postgres PASSWORD '{{ postgresql_password }}'
delegate_to: "{{ postgresql_jail_ip.stdout }}"
remote_user: root
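Review bot: `query: ALTER USER postgres PASSWORD '{{ postgresql_password }}'` builds SQL by string interpolation and runs without `no_log`, so the password is both unescaped (a quote in it breaks the statement) and printed in the task output; use `community.postgresql.postgresql_user` with `name: postgres`, `password: "{{ postgresql_password }}"` and `no_log: true`, which also matches the fully-qualified module names used elsewhere (this task uses the bare `postgresql_query`). `atime: off` / `setuid: off` in the zfs task are parsed as boolean false by PyYAML; quote them as `'off'`. `ansible.builtin.pip: name: psycopg2` presumably compiles the extension from source inside the jail, which needs a compiler and `pg_config`; the pkg port of psycopg2 would avoid a build toolchain in the jail — confirm the package name for the installed Python.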


@@ -7,3 +7,43 @@
- ansible.builtin.include_tasks: wireguard.yml
when: "main_nas == false"
- ansible.builtin.include_tasks: jails/main.yml
when: "main_nas"
- block:
- ansible.builtin.shell:
cmd: test -f /mnt/{{ minio_pool_name }}/minio_v2/.minio.sys/config/config.json/xl.meta
register: minio_data_exists
become: true
changed_when: false
failed_when: minio_data_exists.rc != 0 and minio_data_exists.rc != 1
- ansible.builtin.include_tasks: jails/minio-init.yml
when: minio_data_exists.rc == 1
- ansible.builtin.include_tasks: jails/minio-conf.yml
tags:
- certificates
- ansible.builtin.shell:
cmd: test -f /mnt/{{ postgresql_pool_name }}/postgresql/data{{ hostvars[item]['postgresql_version'] }}/postgresql.conf
loop: "{{ groups['truenas-jails'] | select('search', 'postgresql') | list }}"
register: postgresql_data_exists
become: true
changed_when: false
failed_when: postgresql_data_exists.rc != 0 and postgresql_data_exists.rc != 1
- ansible.builtin.include_tasks: jails/postgresql-init.yml
loop: "{{ postgresql_data_exists.results }}"
loop_control:
loop_var: outside_item
when: outside_item.rc == 1
- ansible.builtin.include_tasks: jails/postgresql-conf.yml
loop: "{{ postgresql_data_exists.results }}"
loop_control:
loop_var: outside_item
tags:
- certificates
when: "main_nas"
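Review bot: Running this play with `--tags certificates` will fail as far as the visible tags show: the tagged `include_tasks: jails/postgresql-conf.yml` loops over `postgresql_data_exists.results`, but the untagged `test -f` task that registers it is skipped, so the loop expression is undefined. Inside postgresql-conf.yml only the certificate copy and the block carry the tag, so the untagged get-jail-ip task is skipped as well and `postgresql_jail_ip.stdout` is undefined for `delegate_to`; tag the registering shell task here and the jail-ip task there with `certificates` (or `always`). minio-conf.yml has no tagged tasks at all, so its tagged include runs but nothing inside it does — if the intent is to roll the MinIO certificate, tag its copy and restart tasks too. Stylistically, `when: "main_nas"` needs no quoting, and `when: not main_nas` reads better than `"main_nas == false"`.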


@@ -11,6 +11,7 @@ POOL_NAME="{{ pool_name }}"
# Prune
${SCRIPT_PATH}/snapshots_prune.py --recursive --intervals ${INTERVAL} ${POOL_NAME}
${SCRIPT_PATH}/snapshots_prune.py --recursive --intervals daily:14 ${POOL_NAME}{% if not main_nas %}/replication/storage{% endif %}/minio
${SCRIPT_PATH}/snapshots_prune.py --recursive --intervals daily:14 ${POOL_NAME}{% if not main_nas %}/replication/storage{% endif %}/minio_v2
{% if main_nas %}${SCRIPT_PATH}/snapshots_prune.py --recursive --intervals daily:7 ${POOL_NAME}/video{% endif %}
${SCRIPT_PATH}/snapshots_clearempty.py --recursive ${POOL_NAME}


@@ -3,5 +3,6 @@ with pkgs;
mkShell {
buildInputs = [
ansible
sshpass
];
}


@@ -15,10 +15,10 @@ spec:
engineVersion: v2
data:
# App
ATUIN_DB_URI: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local/atuin"
ATUIN_DB_URI: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}/atuin"
# Postgres Init
INIT_POSTGRES_DBNAME: atuin
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
@@ -26,4 +26,4 @@ spec:
- extract:
key: atuin
- extract:
key: cloudnative-pg
key: generic
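Review bot: `ATUIN_DB_URI` now points at `postgres.${SECRET_DOMAIN}` outside the cluster but carries no `sslmode`, so libpq's default `prefer` never verifies the server certificate and a downgrade to plaintext would go unnoticed, even though the new server is configured with `ssl = on`. Append `?sslmode=require` at minimum, or `?sslmode=verify-full&sslrootcert=system` where the client's libpq supports `sslrootcert=system` (libpq 16+), since libpq's default root store is `~/.postgresql/root.crt` rather than the system CAs. The same applies to `DATABASE_URL` in the ghostfolio secret and `HASS_SECRET_DB_URL` in the home-assistant secret; authelia already sets `AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME` with `TLS_SKIP_VERIFY: "false"`. Whether the `postgres-init` image honours an SSL mode for `INIT_POSTGRES_HOST` cannot be told from here.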


@@ -33,9 +33,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: atuin-secret
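Review bot: `tag: 16` replaces a digest-pinned `15.5@sha256:…` reference with a mutable tag and drops `pullPolicy: IfNotPresent`, so the init container no longer resolves to an immutable image and different nodes may run different builds of `onedr0p/postgres-init:16` depending on what they cached; pin it as `tag: 16@sha256:<digest of ghcr.io/onedr0p/postgres-init:16>`, which is what the previous line did and what update tooling can then track. The same change is made in the authelia, babybuddy, bazarr, freshrss, ghostfolio and home-assistant helmreleases. Switching from `auricom/` to `onedr0p/` also moves the image to a third-party publisher — worth a one-line comment naming the upstream repository.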


@@ -7,7 +7,6 @@ metadata:
namespace: flux-system
spec:
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
path: ./kubernetes/apps/default/atuin/app
prune: true


@@ -22,12 +22,13 @@ spec:
AUTHELIA_SESSION_SECRET: "{{ .AUTHELIA_SESSION_SECRET }}"
AUTHELIA_STORAGE_ENCRYPTION_KEY: "{{ .AUTHELIA_STORAGE_ENCRYPTION_KEY }}"
AUTHELIA_STORAGE_POSTGRES_DATABASE: &dbName authelia
AUTHELIA_STORAGE_POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
AUTHELIA_STORAGE_POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}
AUTHELIA_STORAGE_POSTGRES_USERNAME: &dbUser "{{ .AUTHELIA_STORAGE_POSTGRES_USERNAME }}"
AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}"
AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
IMMICH_OAUTH_CLIENT_SECRET: "{{ .IMMICH_OAUTH_CLIENT_SECRET }}"
MINIFLUX_OAUTH_CLIENT_SECRET: "{{ .MINIFLUX_OAUTH_CLIENT_SECRET }}"
WEAVEGITOPS_OAUTH_CLIENT_SECRET: "{{ .WEAVEGITOPS_OAUTH_CLIENT_SECRET }}"
GITEA_OAUTH_CLIENT_SECRET: "{{ .GITEA_OAUTH_CLIENT_SECRET }}"
# Postgres Init
@@ -39,7 +40,7 @@ spec:
dataFrom:
- extract:
key: authelia
- extract:
key: cloudnative-pg
- extract:
key: lldap
- extract:
key: generic


@@ -51,10 +51,10 @@ spec:
reloader.stakater.com/auto: "true"
initContainers:
init-db:
order: 1
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: authelia-secret
@@ -94,8 +94,6 @@ spec:
AUTHELIA_SESSION_NAME: authelia-home-ops
AUTHELIA_SESSION_REDIS_HOST: authelia-redis.default.svc.cluster.local.
AUTHELIA_SESSION_REDIS_PORT: 6379
AUTHELIA_STORAGE_POSTGRES_DATABASE: authelia
AUTHELIA_STORAGE_POSTGRES_HOST: ${POSTGRES_HOST}
AUTHELIA_TELEMETRY_METRICS_ADDRESS: tcp://0.0.0.0:8080
AUTHELIA_TELEMETRY_METRICS_ENABLED: "true"
AUTHELIA_THEME: dark


@@ -8,7 +8,6 @@ metadata:
spec:
dependsOn:
- name: cluster-apps-authelia-redis
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
path: ./kubernetes/apps/default/authelia/app
prune: true


@@ -16,7 +16,7 @@ spec:
data:
# App
DB_NAME: &dbName babybuddy
DB_HOST: &dbHost postgres-rw.default.svc.cluster.local
DB_HOST: &dbHost postgres.${SECRET_DOMAIN}
DB_USER: &dbUser "{{ .POSTGRES_USER }}"
DB_PASS: &dbPass "{{ .POSTGRES_PASS }}"
SECRET_KEY: "{{ .BABYBUDDY_SECRET_KEY }}"
@@ -32,4 +32,4 @@ spec:
- extract:
key: babybuddy
- extract:
key: cloudnative-pg
key: generic


@@ -33,15 +33,16 @@ spec:
reloader.stakater.com/auto: "true"
type: statefulset
initContainers:
01-init-db:
init-db:
order: 1
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: babybuddy-secret
02-migrations:
migrations:
order: 2
image:
repository: ghcr.io/auricom/babybuddy
tag: 2.1.2@sha256:c5529ddb13b5e704ba997c3f555f5e4dcf9f83080370bbb00eef22a10b2c2915
@@ -74,14 +75,14 @@ spec:
requests:
cpu: 100m
memory: 256Mi
statefulset:
volumeClaimTemplates:
- name: config
accessMode: ReadWriteOnce
size: 1Gi
storageClass: rook-ceph-block
globalMounts:
- path: /config
# statefulset:
# volumeClaimTemplates:
# - name: config
# accessMode: ReadWriteOnce
# size: 1Gi
# storageClass: rook-ceph-block
# globalMounts:
# - path: /config
service:
main:
ports:
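Review bot: Commenting out `statefulset.volumeClaimTemplates` leaves `/config` with no persistent volume while `type: statefulset` is kept, so whatever babybuddy writes there now presumably lives in the container filesystem and disappears on restart; if that is intentional because all state moved to PostgreSQL, delete the commented block (and the commented volsync `dependsOn` in ks.yaml) rather than carry dead configuration, otherwise restore the claim. A one-line comment stating why the claim was removed would keep the next reader from re-adding it. The init container renames (`01-init-db` → `init-db` with `order: 1`) are consistent with the other apps.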


@@ -12,9 +12,8 @@ spec:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-volsync-app
# - name: cluster-apps-volsync-app
interval: 30m
retryInterval: 1m
timeout: 3m


@@ -17,7 +17,7 @@ spec:
# App
POSTGRES_ENABLED: "true"
POSTGRES_DATABASE: &dbName bazarr
POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}
POSTGRES_USERNAME: &dbUser "{{ .POSTGRES_USER }}"
POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASS }}"
POSTGRES_PORT: "5432"
@@ -31,4 +31,4 @@ spec:
- extract:
key: bazarr
- extract:
key: cloudnative-pg
key: generic


@@ -45,10 +45,10 @@ spec:
reloader.stakater.com/auto: "true"
initContainers:
init-db:
order: 1
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: atuin-secret
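Review bot: `name: atuin-secret` looks wrong for this file: the hunk sits between bazarr's externalsecret and bazarr's ks.yaml, so if it is bazarr's helmrelease the init container is sourcing atuin's `INIT_POSTGRES_*` values and would create or reset atuin's database and user rather than bazarr's — more consequential now that every app shares one external server. The line is pre-existing context, but it should read `name: bazarr-secret`, matching the `bazarr` extract key in the externalsecret above. Confirm against the file path, which the rendered page does not show.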


@@ -7,7 +7,6 @@ metadata:
namespace: flux-system
spec:
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-volsync-app
path: ./kubernetes/apps/default/bazarr/app


@@ -39,7 +39,7 @@ spec:
# - name: postgres-v6
# barmanObjectStore:
# destinationPath: s3://postgresql/
# endpointURL: http://minio.${SECRET_DOMAIN}:9000
# endpointURL: https://minio.${SECRET_DOMAIN}:9000
# s3Credentials:
# accessKeyId:
# name: postgres-minio


@@ -16,12 +16,12 @@ spec:
data:
# Postgres Init
INIT_POSTGRES_DBNAME: freshrss
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: freshrss


@@ -34,10 +34,10 @@ spec:
reloader.stakater.com/auto: "true"
initContainers:
init-db:
order: 1
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: freshrss-secret


@@ -12,7 +12,6 @@ spec:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-volsync-app
interval: 30m


@@ -16,16 +16,16 @@ spec:
data:
# App
ACCESS_TOKEN_SALT: "{{ .GHOSTFOLIO_ACCESS_TOKEN_SALT }}"
DATABASE_URL: postgresql://{{ .POSTGRES_USERNAME }}:{{ .POSTGRES_PASSWORD }}@postgres-rw.default.svc.cluster.local:5432/ghostfolio
DATABASE_URL: postgresql://{{ .POSTGRES_USERNAME }}:{{ .POSTGRES_PASSWORD }}@postgres.${SECRET_DOMAIN}:5432/ghostfolio
JWT_SECRET_KEY: "{{ .GHOSTFOLIO_JWT_SECRET_KEY }}"
# Postgres Init
INIT_POSTGRES_DBNAME: ghostfolio
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
INIT_POSTGRES_USER: "{{ .POSTGRES_USERNAME }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASSWORD }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: ghostfolio


@@ -37,9 +37,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: ghostfolio-secret


@@ -12,7 +12,6 @@ spec:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-ghostfolio-redis
interval: 30m


@@ -67,7 +67,7 @@ spec:
url: "https://truenas-remote.${SECRET_DOMAIN}"
- name: minio
icon: mdi:aws
url: "http://minio.${SECRET_DOMAIN}:9000"
url: "https://minio.${SECRET_DOMAIN}:9000"
- name: pikvm
icon: mdi:ip-network
url: "https://pikvm.${SECRET_DOMAIN}"


@@ -18,17 +18,17 @@ spec:
HASS_SECRET_ELEVATION: "{{ .HASS_ELEVATION }}"
HASS_SECRET_LATITUDE: "{{ .HASS_LATITUDE }}"
HASS_SECRET_LONGITUDE: "{{ .HASS_LONGITUDE }}"
HASS_SECRET_DB_URL: "postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local/home_assistant"
HASS_SECRET_DB_URL: "postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}/home_assistant"
HASS_SECRET_URL: "{{ .HASS_URL }}"
PROMETHEUS_TOKEN: "{{ .PROMETHEUS_TOKEN }}"
# Postgres Init
INIT_POSTGRES_DBNAME: home_assistant
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: home-assistant


@@ -43,9 +43,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: home-assistant-secret


@@ -7,7 +7,6 @@ metadata:
namespace: flux-system
spec:
dependsOn:
- name: cluster-apps-cloudnative-pg-app
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-volsync-app
path: ./kubernetes/apps/default/home-assistant/app


@@ -3,7 +3,7 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cluster-apps-homnelab-minio
name: cluster-apps-homelab-minio
namespace: flux-system
spec:
path: ./kubernetes/apps/default/homelab/minio
@@ -21,7 +21,7 @@ spec:
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cluster-apps-homnelab-opnsense
name: cluster-apps-homelab-opnsense
namespace: flux-system
spec:
path: ./kubernetes/apps/default/homelab/opnsense
@@ -39,7 +39,7 @@ spec:
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cluster-apps-homnelab-truenas
name: cluster-apps-homelab-truenas
namespace: flux-system
spec:
path: ./kubernetes/apps/default/homelab/truenas


@@ -3,7 +3,7 @@ type = s3
provider = Minio
access_key_id = __RCLONE_ACCESS_ID__
secret_access_key = __RCLONE_SECRET_KEY__
endpoint = http://minio.${SECRET_DOMAIN}:9000
endpoint = https://minio.${SECRET_DOMAIN}:9000
acl = private
[gdrive-homelab-backups]


@@ -41,7 +41,7 @@ spec:
command: ["/bin/bash", "/app/opnsense-backup.sh"]
env:
OPNSENSE_URL: "https://opnsense.${SECRET_DOMAIN}"
S3_URL: "http://minio.${SECRET_DOMAIN}:9000"
S3_URL: "https://minio.${SECRET_DOMAIN}:9000"
envFrom:
- secretRef:
name: homelab-opnsense-secret


@@ -44,7 +44,7 @@ curl -fsSL \
-H "Date: ${http_request_date}" \
-H "Content-Type: ${http_content_type}" \
-H "Authorization: AWS ${AWS_ACCESS_KEY_ID}:${http_signature}" \
"http://minio.${SECRET_DOMAIN}:9000/${http_filepath}"
"https://minio.${SECRET_DOMAIN}:9000/${http_filepath}"
rm /tmp/backup-*.tar


@@ -42,7 +42,8 @@ spec:
env:
HOSTNAME: truenas
TRUENAS_HOME: /mnt/storage/home/homelab
CERTS_DEPLOY_S3_ENABLED: "True"
CERTS_DEPLOY_MINIO_ENABLED: "True"
CERTS_DEPLOY_POSTGRESQL_ENABLED: "True"
envFrom: &envFrom
- secretRef:
name: &secret homelab-truenas-secret
@@ -54,7 +55,8 @@ spec:
env:
HOSTNAME: truenas-remote
TRUENAS_HOME: /mnt/vol1/home/homelab
CERTS_DEPLOY_S3_ENABLED: "False"
CERTS_DEPLOY_MINIO_ENABLED: "False"
CERTS_DEPLOY_POSTGRESQL_ENABLED: "False"
envFrom: *envFrom
service:
main:


@@ -12,21 +12,22 @@ if [ "${HOSTNAME}" == "truenas" ]; then
elif [ "${HOSTNAME}" == "truenas-remote" ]; then
printf -v truenas_api_key %q "$TRUENAS_REMOTE_API_KEY"
fi
printf -v cert_deploy_s3_enabled_str %q "$CERTS_DEPLOY_S3_ENABLED"
printf -v cert_deploy_minio_enabled_str %q "$CERTS_DEPLOY_MINIO_ENABLED"
printf -v cert_deploy_postgresql_enabled_str %q "$CERTS_DEPLOY_POSTGRESQL_ENABLED"
printf -v pushover_api_token_str %q "$PUSHOVER_API_TOKEN"
printf -v pushover_user_key_str %q "$PUSHOVER_USER_KEY"
printf -v secret_domain_str %q "$SECRET_DOMAIN"
scp -o StrictHostKeyChecking=no /app/truenas-certs-deploy.py homelab@${HOSTNAME}.${SECRET_DOMAIN}:${TRUENAS_HOME}/scripts/certificates_deploy.py
ssh -o StrictHostKeyChecking=no homelab@${HOSTNAME}.${SECRET_DOMAIN} "/bin/bash -s $truenas_api_key $cert_deploy_s3_enabled_str $pushover_api_token_str $pushover_user_key_str $secret_domain_str" << 'EOF'
ssh -o StrictHostKeyChecking=no homelab@${HOSTNAME}.${SECRET_DOMAIN} "/bin/bash -s $truenas_api_key $cert_deploy_minio_enabled_str $cert_deploy_postgresql_enabled_str $pushover_api_token_str $pushover_user_key_str $secret_domain_str" << 'EOF'
set -o nounset
set -o errexit
PUSHOVER_API_TOKEN=$3
PUSHOVER_USER_KEY=$4
SECRET_DOMAIN=$5
PUSHOVER_API_TOKEN=$4
PUSHOVER_USER_KEY=$5
SECRET_DOMAIN=$6
# Variables
TARGET=$(hostname)
@@ -38,8 +39,13 @@ export CERTS_DEPLOY_API_KEY=$1
export CERTS_DEPLOY_PRIVATE_KEY_PATH=${CERTIFICATE_PATH}/key.pem
export CERTS_DEPLOY_FULLCHAIN_PATH=${CERTIFICATE_PATH}/fullchain.pem
if [ "$2" == "True" ]; then
export CERTS_DEPLOY_S3_ENABLED=$2
export CERTS_DEPLOY_MINIO_ENABLED=$2
fi
CERTS_DEPLOY_MINIO_CERT_PATH=/mnt/{{ iocage_pool_name }}/iocage/jails/minio_v2/root/home/minio/certs
if [ "$3" == "True" ]; then
export CERTS_DEPLOY_POSTGRESQL_ENABLED=$3
fi
CERTS_DEPLOY_POSTGRESQL_PATH=/mnt/{{ postgresql_pool_name }}/postgresql
# Check if cert is older than 69 days
result=$(find ${CERTS_DEPLOY_PRIVATE_KEY_PATH} -mtime +69)
@@ -60,8 +66,29 @@ else
set -o errexit
echo "INFO - Certificate expires in less than $DAYS days"
echo "INFO - Deploying new certificate"
# Deploy certificate (truenas UI & minio)
# Deploy certificate (truenas UI)
python ${SCRIPT_PATH}/certificates_deploy.py
# Copy certificates (minio)
if [ "CERTS_DEPLOY_MINIO_ENABLED" == "True" ]; then
cp -pr ${CERTS_DEPLOY_PRIVATE_KEY_PATH} ${CERTS_DEPLOY_MINIO_CERT_PATH}/private.key
cp -pr ${CERTS_DEPLOY_FULLCHAIN_PATH} ${CERTS_DEPLOY_MINIO_CERT_PATH}/public.crt
iocage exec minio_v2 'service minio restart'
fi
# Copy certificates (postgresql)
if [ "CERTS_DEPLOY_POSTGRESQL_ENABLED" == "True" ]; then
pg_data_dirs=$(find /mnt/{{ postgresql_pool_name }}/postgresql -type d -maxdepth 1 -name '*data*' -exec basename {} \;)
for i in $pg_data_dirs; do
cp -pr ${CERTS_DEPLOY_PRIVATE_KEY_PATH} ${CERTS_DEPLOY_POSTGRESQL_PATH}/$i/server.key
cp -pr ${CERTS_DEPLOY_FULLCHAIN_PATH} ${CERTS_DEPLOY_POSTGRESQL_PATH}/$i/server.crt
iocage exec postgresql_v${i: -2} 'service postgresql reload'
done
fi
curl -s \
--form-string "token=${PUSHOVER_API_TOKEN}" \
--form-string "user=${PUSHOVER_USER_KEY}" \
--form-string "message=New Let's Encrypt certificate deployed on $TARGET." \
https://api.pushover.net/1/messages.json
else
echo "INFO - Certificate expires in more than $DAYS"
fi
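Review bot: Both new guards `if [ "CERTS_DEPLOY_MINIO_ENABLED" == "True" ]` and `if [ "CERTS_DEPLOY_POSTGRESQL_ENABLED" == "True" ]` compare the literal variable name rather than its value, so the minio and postgresql copy blocks never execute and only the TrueNAS UI certificate is refreshed. Because the variables are exported only when the flag is `True` and the remote shell runs under `set -o nounset`, the fix has to tolerate an unset value: `if [ "${CERTS_DEPLOY_MINIO_ENABLED:-}" == "True" ]; then` and `if [ "${CERTS_DEPLOY_POSTGRESQL_ENABLED:-}" == "True" ]; then`. Once the postgresql branch does run, `cp -pr` carries over the source key's mode and owner, and PostgreSQL rejects a `server.key` that is group- or world-readable unless root owns it, so a `chmod 600`/`chown` step after the copy is probably needed — worth confirming on the jail. These guards sit inside the `ssh … << 'EOF'` heredoc whose end is outside the hunk.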


@@ -7,3 +7,4 @@ resources:
- ./backup
- ./certs-deploy
- ./externalsecret.yaml
- ./pgdump


@@ -0,0 +1,25 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: homelab-truenas-pgdump
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: homelab-truenas-pgdump-secret
template:
engineVersion: v2
data:
# App
POSTGRES_HOST: postgres.${SECRET_DOMAIN}
POSTGRES_USER: "{{ .POSTGRES_SUPER_USER }}"
POSTGRES_PASSWORD: "{{ .POSTGRES_SUPER_PASS }}"
POSTGRES_PORT: "5432"
dataFrom:
- extract:
key: generic
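Review bot: `POSTGRES_USER` is templated from `.POSTGRES_SUPER_USER` on the new lines, so the nightly dump job holds the cluster superuser password in a Kubernetes Secret; a dedicated dump role (for example one granted `pg_read_all_data`) would limit what a leaked backup credential can do. The secret also sets no `PGSSLMODE`, so the libpq clients in the job use the default `prefer`, which accepts a plaintext fallback and never checks the server certificate, even though sharry and outline in this same commit require TLS. Adding `PGSSLMODE: verify-full` (or at least `require`) here would make the intent explicit.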


@@ -0,0 +1,104 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: homelab-truenas-pgdump
namespace: default
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 2.4.0
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 2
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
controllers:
main:
type: cronjob
cronjob:
concurrencyPolicy: Forbid
schedule: "@daily"
initContainers:
init-db:
image:
repository: ghcr.io/onedr0p/postgres-init
tag: 16
env:
EXCLUDE_DBS: "home_assistant radarr_log sonarr_log prowlarr_log postgres template0 template1"
envFrom: &envFrom
- secretRef:
name: homelab-truenas-pgdump-secret
command:
- "/bin/bash"
- "-c"
- |
#!/bin/bash
set -o nounset
set -o errexit
# File to store the list of databases
OUTPUT_FILE="/config/db_list"
# Export PG password to avoid password prompt
export PGPASSWORD=$POSTGRES_PASSWORD
# Generate a regex pattern for exclusion
EXCLUDE_PATTERN=$(echo $EXCLUDE_DBS | sed 's/ /\\|/g')
# List all databases, exclude the ones in EXCLUDE_DBS, and write to the file
psql -h $POSTGRES_HOST -p $POSTGRES_PORT -U $POSTGRES_USER -lqt | \
cut -d \| -f 1 | \
grep -Ev "^\s*($EXCLUDE_PATTERN)\s*$" > "$OUTPUT_FILE"
# Unset PG password
unset PGPASSWORD
echo "Database list saved to $OUTPUT_FILE"
cat $OUTPUT_FILE
containers:
main:
image:
repository: prodrigestivill/postgres-backup-local
tag: 16-alpine
command: ["/backup.sh"]
env:
POSTGRES_DB_FILE: /config/db_list
POSTGRES_EXTRA_OPTS: "-Z9 --schema=public --blobs"
BACKUP_KEEP_DAYS: "7"
BACKUP_KEEP_WEEKS: "4"
BACKUP_KEEP_MONTHS: "3"
HEALTHCHECK_PORT: "8080"
envFrom: *envFrom
service:
main:
enabled: false
persistence:
config:
enabled: true
type: emptyDir
globalMounts:
- path: /config
backups:
enabled: true
type: nfs
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/backups/postgresql
globalMounts:
- path: /backups
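Review bot: `POSTGRES_EXTRA_OPTS: "-Z9 --schema=public --blobs"` restricts every dump to the `public` schema, so any application objects that live in another schema are silently left out and a restore from these files would be incomplete; dropping `--schema=public` is the safer default. In the init container, `sed 's/ /\\|/g'` joins the names with `\|`, and with GNU `grep -E` a backslashed `|` is a literal pipe rather than alternation, so the `EXCLUDE_DBS` filter may match nothing and the excluded databases (including `home_assistant`) would be dumped anyway — `sed 's/ /|/g'` is the portable spelling. Lines that hold only whitespace (the access-privilege continuation rows of `psql -l` and its trailing blank line) also pass the `grep -Ev` filter and end up in `/config/db_list`; whether the backup image tolerates them depends on how it reads `POSTGRES_DB_FILE`, so a trailing `sed '/^\s*$/d'` in the pipeline is cheap insurance.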


@@ -0,0 +1,8 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml


@@ -16,7 +16,7 @@ spec:
data:
# App
DB_DATABASE_NAME: &dbName immich
DB_HOSTNAME: &dbHost postgres-rw.default.svc.cluster.local
DB_HOSTNAME: &dbHost postgres.${SECRET_DOMAIN}
DB_USERNAME: &dbUser "{{ .POSTGRES_USER }}"
DB_PASSWORD: &dbPass "{{ .POSTGRES_PASS }}"
DB_PORT: "5432"
@@ -30,6 +30,6 @@ spec:
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: immich


@@ -55,9 +55,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- configMapRef:
name: *configMap


@@ -7,7 +7,6 @@ metadata:
namespace: flux-system
spec:
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
path: ./kubernetes/apps/default/immich/app
prune: true


@@ -16,7 +16,7 @@ spec:
data:
# App
INVIDIOUS_CONFIG: |
database_url: postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local.:5432/invidious
database_url: postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}.:5432/invidious
check_tables: true
port: 3000
domain: invidious.${SECRET_CLUSTER_DOMAIN}
@@ -24,12 +24,12 @@ spec:
hmac_key: {{ .HMAC_KEY }}
# Postgres Init
INIT_POSTGRES_DBNAME: invidious
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: invidious
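Review bot: The new `database_url` still carries no `sslmode`, so whether invidious now reaches the TrueNAS jail over TLS is decided by the client library's default rather than by this manifest, while sharry's JDBC URL in the same commit states it explicitly. Appending `?sslmode=require` (or `verify-full`, since the jail now receives a public CA chain) would record the intent, assuming the driver honours the parameter; the trailing dot in `postgres.${SECRET_DOMAIN}.` is also worth checking against certificate hostname matching. The same applies to the lldap `LLDAP_DATABASE_URL` and vaultwarden `DATABASE_URL` sections below.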


@@ -35,9 +35,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: invidious-secret


@@ -12,7 +12,6 @@ spec:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
interval: 30m
retryInterval: 1m


@@ -16,7 +16,7 @@ spec:
data:
# App
POSTGRES_DATABASE: &dbName joplin
POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local.
POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}.
POSTGRES_PORT: "5432"
POSTGRES_USER: &dbUser "{{ .POSTGRES_USER }}"
POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
@@ -28,6 +28,6 @@ spec:
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: joplin


@@ -35,9 +35,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: joplin-secret


@@ -12,7 +12,6 @@ spec:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
interval: 30m
retryInterval: 1m


@@ -15,7 +15,7 @@ spec:
engineVersion: v2
data:
# App
KRESUS_DB_HOST: &dbHost postgres-rw.default.svc.cluster.local
KRESUS_DB_HOST: &dbHost postgres.${SECRET_DOMAIN}
KRESUS_DB_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}"
KRESUS_DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
KRESUS_DB_NAME: &dbName kresus
@@ -29,6 +29,6 @@ spec:
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: kresus


@@ -41,9 +41,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: kresus-secret


@@ -12,7 +12,6 @@ spec:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-volsync-app
interval: 30m


@@ -12,7 +12,6 @@ spec:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
interval: 30m
retryInterval: 1m


@@ -18,7 +18,7 @@ spec:
LD_DB_ENGINE: "postgres"
LD_DB_USER: &dbUser "{{ .POSTGRES_USERNAME }}"
LD_DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
LD_DB_HOST: &dbHost postgres-rw.default.svc.cluster.local
LD_DB_HOST: &dbHost postgres.${SECRET_DOMAIN}
LD_DB_DATABASE: &dbName linkding
LD_SUPERUSER_NAME: "{{ .username }}"
LD_SUPERUSER_PASSWORD: "{{ .password }}"
@@ -30,6 +30,6 @@ spec:
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: linkding


@@ -35,9 +35,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: linkding-secret


@@ -12,7 +12,6 @@ spec:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
interval: 30m
retryInterval: 1m


@@ -20,10 +20,10 @@ spec:
LLDAP_USER_DN: "{{ .username }}"
LLDAP_LDAP_USER_EMAIL: "{{ .LLDAP_LDAP_USER_EMAIL }}"
LLDAP_SERVER_KEY_SEED: "{{ .LLDAP_SERVER_KEY_SEED }}"
LLDAP_DATABASE_URL: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local/lldap"
LLDAP_DATABASE_URL: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}/lldap"
# Postgres Init
INIT_POSTGRES_DBNAME: lldap
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
@@ -31,4 +31,4 @@ spec:
- extract:
key: lldap
- extract:
key: cloudnative-pg
key: generic


@@ -6,8 +6,6 @@ metadata:
name: cluster-apps-lldap
namespace: flux-system
spec:
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
path: ./kubernetes/apps/default/lldap/app
prune: true
sourceRef:


@@ -15,7 +15,7 @@ spec:
engineVersion: v2
data:
# App
DB_HOST: &dbHost postgres-rw.default.svc.cluster.local
DB_HOST: &dbHost postgres.${SECRET_DOMAIN}
DB_PORT: "5432"
DB_DATABASE: &dbName lychee
DB_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}"
@@ -28,6 +28,6 @@ spec:
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: lychee


@@ -35,11 +35,10 @@ spec:
reloader.stakater.com/auto: "true"
type: statefulset
initContainers:
01-init-db:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: lychee-secret


@@ -12,7 +12,6 @@ spec:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-lychee-redis
- name: cluster-apps-rook-ceph-cluster


@@ -19,15 +19,16 @@ spec:
AWS_SECRET_ACCESS_KEY: "{{ .OUTLINE_AWS_SECRET_ACCESS_KEY }}"
SECRET_KEY: "{{ .OUTLINE_SECRET_KEY }}"
UTILS_SECRET: "{{ .OUTLINE_UTILS_SECRET }}"
DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local:5432/outline
DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}:5432/outline
PGSSLMODE: require
# Postgres Init
INIT_POSTGRES_DBNAME: outline
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: outline


@@ -31,30 +31,30 @@ spec:
values:
controllers:
main:
type: statefulset
annotations:
reloader.stakater.com/auto: "true"
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
envFrom: &envFrom
- secretRef:
name: outline-secret
# init-db:
# image:
# repository: ghcr.io/onedr0p/postgres-init
# tag: 16
# envFrom: &envFrom
# - secretRef:
# name: outline-secret
containers:
main:
image:
repository: docker.io/outlinewiki/outline
tag: 0.74.0
envFrom: *envFrom
envFrom:
- secretRef:
name: outline-secret
env:
AWS_REGION: us-east-1
AWS_S3_ACL: private
AWS_S3_FORCE_PATH_STYLE: "true"
AWS_S3_UPLOAD_BUCKET_NAME: outline
AWS_S3_UPLOAD_BUCKET_URL: "http://minio.${SECRET_DOMAIN}:9000"
AWS_S3_UPLOAD_BUCKET_URL: "https://minio.${SECRET_DOMAIN}:9000"
ENABLE_UPDATES: "false"
FILE_STORAGE_UPLOAD_MAX_SIZE: "26214400"
OIDC_AUTH_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
@@ -65,7 +65,6 @@ spec:
OIDC_TOKEN_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
OIDC_USERINFO_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo"
OIDC_USERNAME_CLAIM: email
PGSSLMODE: disable
PORT: 8080
REDIS_URL: redis://outline-redis.default.svc.cluster.local.:6379
SMTP_HOST: smtp-relay.default.svc.cluster.local.
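Review bot: The `init-db` init container is commented out rather than removed, taking the `&envFrom` anchor with it, which is why `envFrom:` on the main container had to be expanded inline; dead YAML in a GitOps manifest invites drift, so either delete the block or keep it live like every other app in this commit. If the intent is that the `outline` database and role now pre-exist on the TrueNAS instance, a one-line comment such as `# database provisioned out-of-band on the TrueNAS postgresql jail` would explain why outline alone skips `postgres-init`. Dropping `PGSSLMODE: disable` from `env:` is right since the secret already sets `PGSSLMODE: require`, though libpq's `require` still does not verify the server certificate.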


@@ -12,7 +12,6 @@ spec:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-outline-redis
interval: 30m


@@ -20,7 +20,7 @@ spec:
PAPERLESS_SECRET_KEY: "{{ .PAPERLESS_SECRET_KEY }}"
PAPERLESS_DBUSER: &dbUser "{{ .POSTGRES_USER }}"
PAPERLESS_DBPASS: &dbPass "{{ .POSTGRES_PASS }}"
PAPERLESS_DBHOST: &dbHost postgres-rw.default.svc.cluster.local
PAPERLESS_DBHOST: &dbHost postgres.${SECRET_DOMAIN}
PAPERLESS_DBPORT: "5432"
# Postgres Init
@@ -31,6 +31,6 @@ spec:
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: paperless


@@ -37,9 +37,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: paperless-secret


@@ -12,7 +12,6 @@ spec:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-paperless-redis
interval: 30m


@@ -15,7 +15,7 @@ spec:
data:
# App
PROWLARR__API_KEY: "{{ .PROWLARR__API_KEY }}"
PROWLARR__POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
PROWLARR__POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}
PROWLARR__POSTGRES_PORT: "5432"
PROWLARR__POSTGRES_USER: &dbUser "{{ .PROWLARR__POSTGRES_USER }}"
PROWLARR__POSTGRES_PASSWORD: &dbPass "{{ .PROWLARR__POSTGRES_PASSWORD }}"


@@ -34,9 +34,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: prowlarr-secret


@@ -16,7 +16,7 @@ spec:
data:
# App
POSTGRES_DB: &dbName pushover-notifier
POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}
POSTGRES_USER: &dbUser "{{ .POSTGRES_USER }}"
POSTGRES_PASS: &dbPass "{{ .POSTGRES_PASS }}"
PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}"
@@ -29,7 +29,7 @@ spec:
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: pushover-notifier
- extract:


@@ -36,9 +36,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: pushover-notifier-secret


@@ -7,7 +7,6 @@ metadata:
namespace: flux-system
spec:
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
path: ./kubernetes/apps/default/pushover-notifier/app
prune: true


@@ -15,7 +15,7 @@ spec:
data:
# App
RADARR__API_KEY: "{{ .RADARR__API_KEY }}"
RADARR__POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
RADARR__POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}
RADARR__POSTGRES_PORT: "5432"
RADARR__POSTGRES_USER: &dbUser "{{ .RADARR__POSTGRES_USER }}"
RADARR__POSTGRES_PASSWORD: &dbPass "{{ .RADARR__POSTGRES_PASSWORD }}"
@@ -31,7 +31,7 @@ spec:
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: pushover
- extract:


@@ -42,9 +42,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: radarr-secret


@@ -7,7 +7,6 @@ metadata:
namespace: flux-system
spec:
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-rook-ceph-cluster
- name: cluster-apps-volsync-app


@@ -14,7 +14,7 @@ sharry.restserver {
fixed.enabled = false
}
jdbc {
url = "jdbc:postgresql://${POSTGRES_HOST}:${POSTGRES_PORT}/sharry"
url = "jdbc:postgresql://postgres.${SECRET_DOMAIN}:5432/sharry?ssl=true&sslmode=require"
user = "${SECRET_SHARRY_DB_USERNAME}"
password = "${SECRET_SHARRY_DB_PASSWORD}"
}
@@ -33,7 +33,7 @@ sharry.restserver {
minio =
{ enabled = true
type = "s3"
endpoint = "http://minio.${SECRET_DOMAIN}:9000"
endpoint = "https://minio.${SECRET_DOMAIN}:9000"
access-key = "${SECRET_SHARRY_MINIO_S3_ACCESS_KEY}"
secret-key = "${SECRET_SHARRY_MINIO_S3_SECRET_KEY}"
bucket = "sharry"
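Review bot: `sslmode=require` on the new `url` line encrypts the JDBC connection but, in pgjdbc, does not validate the server certificate or hostname, so a spoofed database endpoint would still be accepted; `sslmode=verify-full` together with `sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory` makes pgjdbc validate against the JVM trust store instead of the default `~/.postgresql/root.crt`, which should work now that the certs-deploy job installs a Let's Encrypt chain on the TrueNAS host. The same distinction applies to outline's `PGSSLMODE: require`. The URL also hard-codes host and port where the old line used `${POSTGRES_HOST}:${POSTGRES_PORT}`; if those variables are still exported to the pod, keeping them avoids a second place to update on the next migration.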


@@ -16,12 +16,12 @@ spec:
data:
# Postgres Init
INIT_POSTGRES_DBNAME: sharry
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_USER: "{{ .POSTGRES_USERNAME }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASSWORD }}"
INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: sharry


@@ -34,9 +34,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: sharry-secret


@@ -11,8 +11,6 @@ spec:
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
interval: 30m
retryInterval: 1m
timeout: 3m


@@ -15,7 +15,7 @@ spec:
data:
# App
SONARR__API_KEY: "{{ .SONARR__API_KEY }}"
SONARR__POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
SONARR__POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}
SONARR__POSTGRES_PORT: "5432"
SONARR__POSTGRES_USER: &dbUser "{{ .SONARR__POSTGRES_USER }}"
SONARR__POSTGRES_PASSWORD: &dbPass "{{ .SONARR__POSTGRES_PASSWORD }}"
@@ -31,7 +31,7 @@ spec:
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: pushover
- extract:


@@ -41,9 +41,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: sonarr-secret


@@ -16,7 +16,7 @@ spec:
# App
DB_ENGINE: django.db.backends.postgresql_psycopg2
SECRET_KEY: "{{ .TANDOOR_SECRET_KEY }}"
POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}
POSTGRES_PORT: "5432"
POSTGRES_DB: &dbName tandoor
POSTGRES_USER: &dbUser "{{ .TANDOOR_POSTGRES_USER }}"
@@ -29,6 +29,6 @@ spec:
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: tandoor


@@ -38,15 +38,16 @@ spec:
annotations:
reloader.stakater.com/auto: "true"
initContainers:
01-init-db:
init-db:
order: 1
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: tandoor-secret
02-init-migrate:
migrations:
order: 2
image:
repository: vabene1111/recipes
tag: 1.5.10


@@ -12,7 +12,6 @@ spec:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-rook-ceph-cluster
- name: cluster-apps-volsync-app


@@ -15,16 +15,16 @@ spec:
engineVersion: v2
data:
# App
DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local.:5432/vaultwarden
DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}.:5432/vaultwarden
ADMIN_TOKEN: "{{ .VAULTWARDEN_ADMIN_TOKEN }}"
# Postgres Init
INIT_POSTGRES_DBNAME: vaultwarden
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
key: generic
- extract:
key: vaultwarden


@@ -35,9 +35,8 @@ spec:
initContainers:
init-db:
image:
repository: ghcr.io/auricom/postgres-init
tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
pullPolicy: IfNotPresent
repository: ghcr.io/onedr0p/postgres-init
tag: 16
envFrom: &envFrom
- secretRef:
name: vaultwarden-secret
@@ -68,14 +67,14 @@ spec:
memory: 100Mi
limits:
memory: 2Gi
statefulset:
volumeClaimTemplates:
- name: config
accessMode: ReadWriteOnce
size: 10Gi
storageClass: rook-ceph-block
globalMounts:
- path: /data
# statefulset:
# volumeClaimTemplates:
# - name: config
# accessMode: ReadWriteOnce
# size: 10Gi
# storageClass: rook-ceph-block
# globalMounts:
# - path: /data
service:
main:
ports:
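Review bot: Commenting out `statefulset.volumeClaimTemplates` removes the only visible claim for `/data`, the directory vaultwarden uses for attachments, icon cache and its RSA key; unless a `persistence:` entry outside this hunk now mounts `/data`, that data lives on the container filesystem and is lost on every restart. If moving the database to TrueNAS was meant to make the pod stateless, the `type: statefulset` line (outside this hunk) and the dead block should go together, with a comment recording where `/data` now lives. As elsewhere in this commit, commented-out manifest blocks are better deleted than kept.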


@@ -12,7 +12,6 @@ spec:
kind: GitRepository
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-rook-ceph-cluster
- name: cluster-apps-volsync-app
