fixup! ♻️ migration externalsecrets

auricom
2023-07-13 18:33:28 +02:00
parent 4021dac4df
commit eacff455da
125 changed files with 1061 additions and 1474 deletions


@@ -18,7 +18,7 @@ spec:
# App
APP_KEY: "{{ .FIREFLY_APP_KEY }}"
DB_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}"
DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"
DB_PASSWORD: &dbPass "{{ .POSTGRES_USER }}"
FIREFLY_III_ACCESS_TOKEN: "{{ .FIREFLY_ACCESS_TOKEN }}"
# Postgres Init
INIT_POSTGRES_DBNAME: firefly-iii
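Review bot: `DB_PASSWORD` appears twice in this hunk, and the second copy (presumably the new side, since the rendered page lost its +/- markers) templates it from `.POSTGRES_USER`, which by its name is a user field rather than a password. If that is the value being committed, the application receives the database user name as its password, so it either fails to authenticate or, if the role was created from the same value, runs with a guessable credential. The neighbouring `DB_USERNAME` line reads `.POSTGRES_USERNAME`, so the field names are inconsistent as well. Check the field names in the secret-store item and keep `DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}"` unless the item really stores the password under the other name. The ExternalSecret itself starts and ends outside this hunk.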


@@ -27,6 +27,9 @@ spec:
uninstall:
keepHistory: false
values:
controller:
annotations:
reloader.stakater.com/auto: "true"
image:
repository: dpage/pgadmin4
tag: "7.4"


@@ -27,6 +27,9 @@ spec:
uninstall:
keepHistory: false
values:
controller:
annotations:
reloader.stakater.com/auto: "true"
image:
repository: ghcr.io/onedr0p/prowlarr-nightly
tag: 1.7.2.3700@sha256:4c74dbd28e86519c683cfd8f2b87d5e8f72cc5c5c8f9d4112185f769c612c4a6


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: radarr
namespace: default
spec:
sourcePVC: radarr-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: radarr-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 10
within: 3d


@@ -1,35 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: radarr-restic
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:Mwfqvvc/7p7ih8sPZY1uFswPCwDPB3Uw8u0IStIxsje5YS6pZpCH+POaxpMNifr8OIQBEP0xq7k=,iv:ibk8gAjTqDB3F0WAAEfqg+vHSOfg8OgFxR1IlF/gzXc=,tag:+a0WDJxsIWarDR81vWRvSQ==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T15:40:20Z"
mac: ENC[AES256_GCM,data:J9bpaDGW5zzW0OrW78rbXUNwRpGh0QviME4Lg1uQuVjosOepWxopG+QNyI0BHddIF7NnDfuSZy6LnclMEFl2vcpZXZTi6kSJEYPPbcLzAQG0FbkK4nSnW2JlL5cy83P81plYzqggXoqvgZWpRikg7iI2KJy6dXDKV5ZtVEy0myA=,iv:cmtmvn96UQvbJbrtVx+GGVEDFGB4QpndTMyYikwQ1BI=,tag:zvhhBHOLjYZy6Z6S/dR9QQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,39 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: radarr
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: radarr-secret
creationPolicy: Owner
template:
data:
# App
RADARR__API_KEY: "{{ .RADARR__API_KEY }}"
# RADARR__POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
# RADARR__POSTGRES_PORT: "5432"
# RADARR__POSTGRES_USER: &dbUser "{{ .RADARR__POSTGRES_USER }}"
# RADARR__POSTGRES_PASSWORD: &dbPass "{{ .RADARR__POSTGRES_PASSWORD }}"
# RADARR__POSTGRES_MAIN_DB: radarr_main
# RADARR__POSTGRES_LOG_DB: radarr_log
PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}"
PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}"
# Postgres Init
INIT_POSTGRES_DBNAME: radarr_main radarr_log
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_USER: "{{ .RADARR__POSTGRES_USER }}"
INIT_POSTGRES_PASS: "{{ .RADARR__POSTGRES_PASSWORD }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
- extract:
key: pushover
- extract:
key: radarr
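Review bot: `INIT_POSTGRES_SUPER_PASS` is templated into `radarr-secret`, the same Secret the application consumes, so the Postgres superuser password reaches more containers than the init step needs. In this commit the radarr main container and the recyclarr container both load `radarr-secret` through `envFrom`, which puts the superuser credential of the shared database cluster into the environment of two long-running, network-facing workloads. Keep only the application keys in `radarr-secret` and move the `INIT_POSTGRES_*` keys to a second target that only the `01-init-db` init container references. The names `radarr-init` and `radarr-init-secret` below are constructed for the example.

```yaml
# … unchanged: radarr ExternalSecret, minus the "Postgres Init" keys and the cloudnative-pg extract …
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: radarr-init
  namespace: default
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: radarr-init-secret
    creationPolicy: Owner
    template:
      data:
        INIT_POSTGRES_DBNAME: radarr_main radarr_log
        INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
        INIT_POSTGRES_USER: "{{ .RADARR__POSTGRES_USER }}"
        INIT_POSTGRES_PASS: "{{ .RADARR__POSTGRES_PASSWORD }}"
        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
  dataFrom:
    - extract:
        key: cloudnative-pg
    - extract:
        key: radarr
```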


@@ -6,7 +6,7 @@ metadata:
name: &app radarr
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
@@ -27,6 +27,17 @@ spec:
uninstall:
keepHistory: false
values:
initContainers:
01-init-db:
image: ghcr.io/onedr0p/postgres-init:14.8
imagePullPolicy: IfNotPresent
envFrom: &envFrom
- secretRef:
name: &secret radarr-secret
controller:
annotations:
configmap.reloader.stakater.com/reload: radarr-pushover
reloader.stakater.com/auto: "true"
image:
repository: ghcr.io/onedr0p/radarr-develop
tag: 4.7.0.7588@sha256:2cd821b4ecf67a69ae16e49cc3321e867c274efdd42096d1fef3bd92dfcf2f46
@@ -40,7 +51,7 @@ spec:
RADARR__LOG_LEVEL: info
envFrom:
- secretRef:
name: *app
name: radarr-secret
service:
main:
ports:
@@ -97,9 +108,6 @@ spec:
mountPath: /scripts/pushover-notify.sh
defaultMode: 0775
readOnly: true
podAnnotations:
configmap.reloader.stakater.com/reload: radarr-pushover
secret.reloader.stakater.com/reload: *app
resources:
requests:
cpu: 500m
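Review bot: The new `01-init-db` init container references `ghcr.io/onedr0p/postgres-init:14.8` by tag only, while the main image a few lines below it is pinned with `@sha256:`. This is the container that receives `INIT_POSTGRES_SUPER_PASS` through `envFrom`, so a retagged or replaced image would run with superuser database credentials. Pin it the same way, `image: ghcr.io/onedr0p/postgres-init:14.8@sha256:<digest-of-the-reviewed-image>`, taking the digest from the registry. The `values` block continues outside these hunks.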


@@ -4,9 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./backups
- ./externalsecret.yaml
- ./helmrelease.yaml
- ./secret.sops.yaml
- ./volsync.yaml
- ./volume.yaml
configMapGenerator:
- name: radarr-pushover


@@ -4,7 +4,7 @@ PUSHOVER_DEBUG="${PUSHOVER_DEBUG:-"true"}"
# kubectl port-forward service/radarr -n default 7878:7878
# export PUSHOVER_STARR_INSTANCE_NAME=Radarr;
# export PUSHOVER_APP_URL="";
# export PUSHOVER_TOKEN="";
# export PUSHOVER_API_TOKEN="";
# export PUSHOVER_USER_KEY="";
# export radarr_eventtype=Download;
# ./notify.sh
@@ -26,7 +26,7 @@ PUSHOVER_STARR_INSTANCE_NAME="$(xmlstarlet sel -t -v "//InstanceName" -nl ${CONF
# Required
PUSHOVER_APP_URL="${PUSHOVER_APP_URL:-}" && [[ -z "${PUSHOVER_APP_URL}" ]] && ERRORS+=("PUSHOVER_APP_URL not defined")
PUSHOVER_USER_KEY="${PUSHOVER_USER_KEY:-}" && [[ -z "${PUSHOVER_USER_KEY}" ]] && ERRORS+=("PUSHOVER_USER_KEY not defined")
PUSHOVER_TOKEN="${PUSHOVER_TOKEN:-}" && [[ -z "${PUSHOVER_TOKEN}" ]] && ERRORS+=("PUSHOVER_TOKEN not defined")
PUSHOVER_API_TOKEN="${PUSHOVER_API_TOKEN:-}" && [[ -z "${PUSHOVER_API_TOKEN}" ]] && ERRORS+=("PUSHOVER_API_TOKEN not defined")
# Optional
PUSHOVER_DEVICE="${PUSHOVER_DEVICE:-}"
PUSHOVER_PRIORITY="${PUSHOVER_PRIORITY:-"-2"}"
@@ -76,7 +76,7 @@ if [[ "${radarr_eventtype:-}" == "Download" ]]; then
fi
notification=$(jq -n \
--arg token "${PUSHOVER_TOKEN}" \
--arg token "${PUSHOVER_API_TOKEN}" \
--arg user "${PUSHOVER_USER_KEY}" \
--arg title "${PUSHOVER_TITLE}" \
--arg message "${PUSHOVER_MESSAGE:-"Unable to obtain plot summary"}" \


@@ -1,31 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: radarr
namespace: default
type: Opaque
stringData:
PUSHOVER_TOKEN: ENC[AES256_GCM,data:StcjXKnJz7NbKuMtzWd/FXE1pqY0TSLO8o8AioYe,iv:Cw6dA2Fr3le6d70+TSGmBCjEX6mHFk21ck9IQqKx71o=,tag:4ANhz87eqkbvSNy5Yp6Edw==,type:str]
PUSHOVER_USER_KEY: ENC[AES256_GCM,data:3UbR7hAnBAAjw/tdB8TSMZw3inuJJhJx9AiIN4tZ,iv:GuB8Kf/pAOp32SiVhpSLFisIeoEg1VxdYm2Raw2stRM=,tag:A8nDFwYPcZ7fOPG/UPYYzQ==,type:str]
RADARR__API_KEY: ENC[AES256_GCM,data:G9ik2e/t2hwFFDvt3LJRdvo8v1T86RvXwTgjWyCW9Lc=,iv:oTPUMOXB8ZvHBChMhmm9CmpSOSQNEnvkrwGa0rTwXUI=,tag:wFJkxS/pNuExTn2UywghYA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T15:40:44Z"
mac: ENC[AES256_GCM,data:P3hPFflDuXXnshmEDOIZ+yfmcdJsckZshmacp3MP+cQM2Vvb8j6u+w4CQU+Mlpdd04O+x+XWXKC4BvNGXLryvFsjrezP8hrVIQuHX4kTNMOzHNFhzdMab2LpWYOCzT8WfPvLY+RTqf8hj8/ppouJh/R+tzBvQZfvGGRkAqGfj0M=,iv:4GmbEkfLOp2yzvOLlBKRdMZl7mKURBCIovuj5ZKIvbE=,tag:chGlnHNB+kCM/hcyNDeg7Q==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,49 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: radarr-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: radarr-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/radarr'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: radarr
namespace: default
spec:
sourcePVC: radarr-config
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: radarr-restic-secret
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 7
within: 3d
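Review bot: The `radarr-restic` ExternalSecret takes `RESTIC_PASSWORD` and both AWS keys from the shared `volsync-restic-template` item, and the readarr, resilio-claude and resilio-helene volsync files added in this commit do the same, so every backup repository is opened with one password and one key pair. Only the `/radarr` suffix on `RESTIC_REPOSITORY` separates the apps, so anything able to read one of these Secrets in `default` can read or delete the other apps' backups unless the storage side restricts the key, which is not visible here. If the sharing is deliberate, say so above `dataFrom`, for example `# shared restic password and S3 key for all volsync repos; rotate together`; otherwise give each app its own item. It is also worth confirming that the rendered repository path equals the one held in the deleted SOPS secret, since a different path would presumably make the mover start a new, empty repository.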


@@ -9,6 +9,8 @@ metadata:
substitution.flux.home.arpa/enabled: "true"
spec:
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-rook-ceph-cluster
- name: cluster-apps-volsync-app
path: ./kubernetes/apps/default/radarr/app


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: readarr
namespace: default
spec:
sourcePVC: readarr-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: readarr-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 10
within: 3d


@@ -1,35 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: readarr-restic
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:9NP9PR2gAtRF6m2Nla934qz/p7uETdIM8Ifx4WWwd/SLqKaR/vklmwF3N4pd1hAsVLjbg3KQzcKp,iv:yTSY9TmEYn7niuDqAYr0uGflq9K5CgQTss1k+wnUNB0=,tag:jj+vrqoKE7DldNycnQ/eag==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T15:44:52Z"
mac: ENC[AES256_GCM,data:Jxa7Xz8ZPnAbBhU3gr92KMfnqDi4BSaywtykVFQ+S9FHsl0Qsk796SHz0pxfvO95o894a0/sTwFTyzulrs+aIojbZn771PX1LbluJeC7zqjXEqbyKclK7luHIo+B2CqvVP4H3WvSgFD+pOFUQzOfo0Mk6pSvWTra+A0fzveNPrM=,iv:4uObp+QoXWSR+Q+bsmwiDzJG+8G6+8bCKnE9lA2UKpE=,tag:1UR7FJOBxRsXsbn3R5ktBA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,25 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: readarr
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: readarr-secret
creationPolicy: Owner
template:
data:
# App
READARR__API_KEY: "{{ .READARR__API_KEY }}"
PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}"
PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}"
dataFrom:
- extract:
key: pushover
- extract:
key: readarr


@@ -6,7 +6,7 @@ metadata:
name: &app readarr
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
@@ -27,6 +27,9 @@ spec:
uninstall:
keepHistory: false
values:
controller:
annotations:
reloader.stakater.com/auto: "true"
image:
repository: ghcr.io/onedr0p/readarr-nightly
tag: 0.2.3.1948@sha256:c042ba9164015fd00ea1eacf93ea5ba1c39b0a101666dc52150d4dc1517e4198
@@ -37,7 +40,7 @@ spec:
READARR__LOG_LEVEL: info
envFrom:
- secretRef:
name: *app
name: readarr-secret
service:
main:
ports:


@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./backups
- ./externalsecret.yaml
- ./helmrelease.yaml
- ./secret.sops.yaml
- ./volsync.yaml
- ./volume.yaml


@@ -1,29 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: readarr
namespace: default
type: Opaque
stringData:
READARR__API_KEY: ENC[AES256_GCM,data:x/TOFsYuY8sOvAyJPqkZbmOJuhtxeIQKau6PiO+p18Q=,iv:GHnX9rSOWjOVNZpUWxDzt95JrzK9sj+tcPv38SPY7UU=,tag:APu6Ux2bdZV6HXG0IUTq2A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T15:45:04Z"
mac: ENC[AES256_GCM,data:KFi15cAw/4EkyfTd9fydTbhMXlhOyxPGYvy08dWk6PRXhG7VgV7UC/VnLIzuNkWFKT593fmwg9RBwrcR/v1oS0Zq4IB0vHLHqd4QhwSYTm+ChxeOOWoxkTY5DRMU0g6KGQGktDVm54E3jY9S1/NQJkVRJkpBAsTvFLfIWOOnjM4=,iv:NhJWTB7T+MkuDCicu9GAxS97T2Ql0kRVMkTy781OE/k=,tag:GZo4b5gku+lDuinvVGjhtQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,49 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: readarr-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: readarr-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/readarr'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: readarr
namespace: default
spec:
sourcePVC: readarr-config
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: readarr-restic-secret
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 7
within: 3d


@@ -9,6 +9,7 @@ metadata:
substitution.flux.home.arpa/enabled: "true"
spec:
dependsOn:
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-rook-ceph-cluster
- name: cluster-apps-volsync-app
path: ./kubernetes/apps/default/readarr/app


@@ -6,7 +6,7 @@ metadata:
name: recyclarr
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
@@ -40,9 +40,9 @@ spec:
args: ["sync"]
envFrom:
- secretRef:
name: radarr
name: radarr-secret
- secretRef:
name: sonarr
name: sonarr-secret
service:
main:
enabled: false


@@ -6,7 +6,7 @@ metadata:
name: &app redis
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: redis
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bitnami
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
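Review bot: The redis release loses its `redis` Secret in this commit (the kustomization drops `./secret.sops.yaml` and the file holding `redis-password` is deleted), yet the hunks here change only `interval` and `maxHistory`, and no replacement ExternalSecret for redis is visible on this part of the page. If the chart values outside these hunks still point at an existing secret, the release will presumably fail to start; if authentication was switched off instead, redis accepts unauthenticated connections from anything that can reach the service. Either way the auth setting should be visible in this change: keep a password sourced from the secret store, or add a comment next to the auth values stating why none is needed. The `values` block is outside the hunks, so this is inferred from the deleted files only.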


@@ -4,5 +4,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./secret.sops.yaml
- ./helmrelease.yaml


@@ -1,29 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: redis
namespace: default
type: Opaque
stringData:
redis-password: ENC[AES256_GCM,data:jDOKfnXB3U1z/aV86U5euK27edk=,iv:9a946UDG5b8CdjVFqcIG5Hfyz/L62gxN4SEhj3Uzo8Q=,tag:/2ZfSSzXnjEcqXhEV/aHFg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVWZVaFFvMVJRRWR1eUU3
QzI5cjNscE83czk0TG9Ra1JvVmExa0hWbWt3Ck1YY1htcXhDamwxY1pVcE0wS2U3
WWNQbTJFK1dFdEhkMk8vbG9pQlJzN1kKLS0tIDBUTUZhMUF2VVJhbFNpQ1FTNWZC
ZUZsSDdUYXFVb3JROEFnaC8yRU1zZ0UK1klzjeo3oaS6n1Apy0nY746ax2Uxxddg
Mn61QDtkPf8FLNBC3tFTe3pWzhWseD/89WaW3f3GScJxy34SFUZxLQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-12T21:08:53Z"
mac: ENC[AES256_GCM,data:vTtJo+nCb8eK9f4jUJHbq2zUXb8kZf5P91qPsfOfBV1wgMbM3YtlkKQFYsg/eAac/JBoRvUGhzsyFc/MEX3mCGVsU8BQ5cPuM54EVGAkrOAHzm3dXVqf1FDVwfeSXuMZ4iHsfKSyTPLcoZfJq5WQ9p/hIA3PSVsVQrmElS4S8/E=,iv:AxOjOctewK7bUrrSH+kfravg7UKBawUD1q/QBdpPDVw=,tag:j5/wMeAh+FdG/RDOpBt4jw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: resilio-claude
namespace: default
spec:
sourcePVC: resilio-claude-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: resilio-claude-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 10
within: 3d


@@ -1,35 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: resilio-claude-restic
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:tle03NzNTqaJ5cJAdT1sjg52Ntx0u9EN9bINzjeUN/CbFKQe4AWiYgZ8GknlmTyMZOvNlCtRG33Qms+11cEn2Q==,iv:pvyfxAfK/7LUYU+jRQAhXy0huhgTA1YWSvz5UXukDk8=,tag:/owfcCbcyJP33pv4KXT7uA==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T06:43:50Z"
mac: ENC[AES256_GCM,data:Zo2GQtU7ZqaviBO13/EWHSBgU11KTTCNaudRt7H1TO6VSl8xhtJNb+H+4WZSrf5TY4vtsbYqi46l2DybdtyWKd5z1gk/g7AKw2CPK7Nb8ARsH8F9VTcPr/5AMvHHM7kR0xL2jQsAh7iM+edGBFRaNcNQRxLFArfpgRgUslYMJB4=,iv:JddLCxRb7LYYZzIe/l8dHLNa0tp+LNi9/OtFEbi7Z4c=,tag:AmJlpTk775FaRzxyrKR/9A==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -6,7 +6,7 @@ metadata:
name: &app resilio-claude
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
@@ -27,6 +27,9 @@ spec:
uninstall:
keepHistory: false
values:
controller:
annotations:
reloader.stakater.com/auto: "true"
image:
repository: ghcr.io/auricom/resilio-sync
tag: 2.7.3.1381-1@sha256:4f9dab7d50a4046b503686b766da6adbb627ff62f63587617cd46a468c810b11
@@ -62,7 +65,7 @@ spec:
enabled: true
type: configMap
configMap:
name: resilio-claude-sync-conf
name: resilio-claude-configmap
mountPath: /config/sync.conf
subPath: sync.conf
backups:


@@ -4,11 +4,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- backups
- ./helmrelease.yaml
- ./volsync.yaml
- ./volume.yaml
configMapGenerator:
- name: resilio-claude-sync-conf
- name: resilio-claude-configmap
files:
- ./config/sync.conf
generatorOptions:


@@ -0,0 +1,49 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: resilio-claude-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: resilio-claude-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/resilio-claude'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: resilio-claude
namespace: default
spec:
sourcePVC: resilio-claude-config
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: resilio-claude-restic-secret
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 7
within: 3d


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: resilio-helene
namespace: default
spec:
sourcePVC: resilio-helene-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: resilio-helene-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 10
within: 3d


@@ -1,35 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: resilio-helene-restic
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:gGcefoNg68nJNdN4bBgvPlN8LtIp57igeI0w+51XbxvE61oudJm4H5ePqqIom+c4YA+r2MPyRtDcU3zZZZkJGQ==,iv:ujh8jWNTLBpN2YhtjjCPFkq4I3JVBQRdQsTiKeLTuMI=,tag:Bor468jY1eb2k1P4EJRsVg==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T06:38:55Z"
mac: ENC[AES256_GCM,data:q9w22A6MR1+1SYCuwEcXlNqf02paU/dLuU0VbL3RJ5zTu5Se4Z+aiA6bTFffhBjusdDQFtfOU4YfFO/OGEyYyA68vjugG8n8OrF7BsSBB9ZjX2C+jwxH+vDHTf+X1FxjhipzX+PuNlTKfHLHe5vvLlKAPeftHy2wpzFb31zU69s=,iv:fBKgliHL7/dEEXL/E/snkX0J3e79gZ3KVtoH/MCkZ6c=,tag:bnd3E1CB8rtOCyZMFnQR5g==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -6,7 +6,7 @@ metadata:
name: &app resilio-helene
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
@@ -27,6 +27,9 @@ spec:
uninstall:
keepHistory: false
values:
controller:
annotations:
reloader.stakater.com/auto: "true"
image:
repository: ghcr.io/auricom/resilio-sync
tag: 2.7.3.1381-1@sha256:4f9dab7d50a4046b503686b766da6adbb627ff62f63587617cd46a468c810b11
@@ -62,7 +65,7 @@ spec:
enabled: true
type: configMap
configMap:
name: resilio-helene-sync-conf
name: resilio-helene-configmap
mountPath: /config/sync.conf
subPath: sync.conf
backups:


@@ -4,11 +4,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- backups
- ./helmrelease.yaml
- ./volsync.yaml
- ./volume.yaml
configMapGenerator:
- name: resilio-helene-sync-conf
- name: resilio-helene-configmap
files:
- ./config/sync.conf
generatorOptions:


@@ -0,0 +1,49 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: resilio-helene-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: resilio-helene-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/resilio-helene'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: resilio-helene
namespace: default
spec:
sourcePVC: resilio-helene-config
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: resilio-helene-restic-secret
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 7
within: 3d


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: sabnzbd
namespace: default
spec:
sourcePVC: sabnzbd-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: sabnzbd-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 10
within: 3d


@@ -1,35 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: sabnzbd-restic
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:1MHDHUB4FpcpVcG2S76kldKBBRyDkt5RojedKnueMfqVB54XZgtQ+eUjjoLAlxedC0YdIb52q7li,iv:BSebPLGLm1DQV5ehrHq9rG2eUtqWdqGshX5/aBJDgz8=,tag:pZLHq8OuMXnj9phtLeLMuw==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T08:26:24Z"
mac: ENC[AES256_GCM,data:oilRwF4uQM17O8OIGqduE1UBuQ9xFZE0KGNGJ0gvlEuDxhsA72mIfhXc2sDnPlab+Z8EZY7w0OjCgKI9jUOXW/1W19PhhvF2UbbqK+FR7dTNo0ZtZ+tlu9+dfAylyQwLcWCvc6wbatx5igi4v9R8E4d8/ul7A/jrGPEAsDqNflg=,iv:UI/MdEx2O3JC8nd9nmiCbkJeEhe2TefRB7jpvQCAJc4=,tag:Nmbw7j/cvhKnGFP+XORGEA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,18 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: sabnzbd
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: sabnzbd-secret
creationPolicy: Owner
dataFrom:
- extract:
# SABNZBD__API_KEY, SABNZBD__NZB_KEY
key: sabnzbd
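Review bot: `dataFrom.extract` with no `target.template` copies every field of the `sabnzbd` item into `sabnzbd-secret`, and the HelmRelease loads that Secret with `envFrom`, so any field later added to the item becomes a container environment variable. The two expected keys are named only in a comment. Listing them under `target.template.data`, as the `sonarr` ExternalSecret in this commit does, keeps the Secret to what the app reads: `SABNZBD__API_KEY: "{{ .SABNZBD__API_KEY }}"` and `SABNZBD__NZB_KEY: "{{ .SABNZBD__NZB_KEY }}"`. The `smtp-relay` ExternalSecret has the same shape.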


@@ -6,7 +6,7 @@ metadata:
name: &app sabnzbd
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
@@ -27,6 +27,9 @@ spec:
uninstall:
keepHistory: false
values:
controller:
annotations:
reloader.stakater.com/auto: "true"
image:
repository: ghcr.io/onedr0p/sabnzbd
tag: 4.0.3@sha256:aff676e3c234f7a4493c75813e296c347c02b6e5374acd1858f8244ea44f2b4a
@@ -42,7 +45,7 @@ spec:
sabnzbd.${SECRET_CLUSTER_DOMAIN}
envFrom:
- secretRef:
name: *app
name: sabnzbd-secret
service:
main:
ports:


@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./backups
- ./externalsecret.yaml
- ./helmrelease.yaml
- ./secret.sops.yaml
- ./volsync.yaml
- ./volume.yaml


@@ -1,30 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: sabnzbd
namespace: default
type: Opaque
stringData:
SABNZBD__API_KEY: ENC[AES256_GCM,data:6VgnjcgBVwvaKqWPNisOfct6smrVostiIR/yuoYqjco=,iv:WW1b7LJgG4CWEEm7ETwwXlfu3fG345YAvqi1dlsS8cg=,tag:nZSAbcWxwyXjKnwyVYt/Ug==,type:str]
SABNZBD__NZB_KEY: ENC[AES256_GCM,data:RoNUH0En29584v+m85gqlwIrLJ3aP5al0161FTnXGko=,iv:3u/uzWLe1f84WquDjrxXXdArcL1BeF6cNplImjP1yoE=,tag:xoPmImdecg/2twtVRzJh/g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoN0VJaHVYcXNDZDlZUGRn
YUViZDU0TCtmbzkycUpiZUVDbkluSzdSM2hVClpMRDdKREJBZEpEYUIxUGlIem9Q
Z08rVUVLUFhWNGdncElCR2hFVFNJUEUKLS0tIDZzcDVyb0lMTzRrNStBRU1KN2wy
OU81anNCMk13bXNXRVM3ZWcxTjd6SUkKd5FvLfeXe4p7j5eryl9ZuVh6oT920yiy
hsaI1Cwm2WH55lR++P1jtIyTo+lOL5M+IZUeyC7LXBpMp2UBNbllcw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T08:25:52Z"
mac: ENC[AES256_GCM,data:xCWHBq+s8wEUYhPYxE8XlJXJNeGf9w3MaNI7qrDucupXYxl3gnIiixjArRSk3oc2NuqUiNJF5pFlECHaj24/qvLQNftkWlulT3CxFHZ90/L+mK33h7dtOHmjNkqUtCmQgjylpPyT0MLWuYGC7WpcdCyficKk6OUc3F9BXbovbnM=,iv:Gii2DWFNLyy8yBCXwQqaUb9ewVtbkHDEhOz7p379YLA=,tag:HnfsqBeBu6B70eM+GDYXZg==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,49 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: sabnzbd-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: sabnzbd-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/sabnzbd'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: sabnzbd
namespace: default
spec:
sourcePVC: sabnzbd-config
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: sabnzbd-restic-secret
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 7
within: 3d


@@ -9,6 +9,7 @@ metadata:
substitution.flux.home.arpa/enabled: "true"
spec:
dependsOn:
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-rook-ceph-cluster
- name: cluster-apps-volsync-app
path: ./kubernetes/apps/default/sabnzbd/app


@@ -0,0 +1,37 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: semaphore
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: semaphore-secret
creationPolicy: Owner
template:
data:
# Ansible Semaphore
SEMAPHORE_DB_USER: &dbUser "{{ .POSTGRES_USER }}"
SEMAPHORE_DB_PASS: &dbPass "{{ .POSTGRES_PASS }}"
SEMAPHORE_DB_HOST: &dbHost postgres-rw.default.svc.cluster.local
SEMAPHORE_DB_PORT: "5432"
SEMAPHORE_DB: &dbName semaphore
SEMAPHORE_ADMIN_PASSWORD: "{{ .SEMAPHORE_ADMIN_PASSWORD }}"
SEMAPHORE_ADMIN_NAME: "{{ .SEMAPHORE_ADMIN_NAME }}"
SEMAPHORE_ADMIN: "{{ .SEMAPHORE_ADMIN }}"
SEMAPHORE_ACCESS_KEY_ENCRYPTION: "{{ .SEMAPHORE_ACCESS_KEY_ENCRYPTION }}"
# Postgres Init
INIT_POSTGRES_DBNAME: *dbName
INIT_POSTGRES_HOST: *dbHost
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
dataFrom:
- extract:
key: cloudnative-pg
- extract:
key: semaphore
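Review bot: The template reads `.POSTGRES_USER` and `.POSTGRES_PASS` from the merged result of two `extract` entries (`cloudnative-pg` and `semaphore`), and nothing in the file says which item supplies which key. If both items ever carry a field with the same name, one value replaces the other without any error and the template renders with it. App-prefixed field names, as the `tandoor` ExternalSecret uses (`.TANDOOR_POSTGRES_USER`), avoid this. The `sharry` ExternalSecret reads the generic `.POSTGRES_USERNAME` and `.POSTGRES_PASSWORD` and is exposed in the same way. At minimum, add a comment above each `extract` naming the keys it is expected to supply, as the `sabnzbd` file does.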


@@ -6,7 +6,7 @@ metadata:
name: semaphore
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
@@ -28,11 +28,12 @@ spec:
keepHistory: false
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.8
envFrom:
01-init-db:
image: ghcr.io/onedr0p/postgres-init:14.8
imagePullPolicy: IfNotPresent
envFrom: &envFrom
- secretRef:
name: semaphore-secret
name: &secret semaphore-secret
controller:
annotations:
reloader.stakater.com/auto: "true"
@@ -40,12 +41,11 @@ spec:
repository: docker.io/semaphoreui/semaphore
tag: v2.8.91
env:
SEMAPHORE_DB_DIALECT: postgres
SEMAPHORE_LDAP_ACTIVATED: "no"
SEMAPHORE_PLAYBOOK_PATH: /tmp/semaphore/
SEMAPHORE_ADMIN_EMAIL: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
envFrom:
- secretRef:
name: semaphore-secret
envFrom: *envFrom
service:
main:
ports:
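Review bot: In the `@@ -40,12 +41,11 @@` hunk the main container takes `envFrom: *envFrom`, that is, the whole of `semaphore-secret`, and that Secret's template also holds `INIT_POSTGRES_SUPER_PASS`. The Postgres superuser password is therefore in the environment of the long-running Semaphore container and not only in `01-init-db`. The `tandoor` HelmRelease uses the same anchor, although the patch removed there read the superuser password from `postgres-superuser` through a `secretKeyRef` on the init container alone. Rendering the `INIT_POSTGRES_*` keys into a second target Secret and pointing only the init container at it keeps that credential out of the app container; the Secret name below is a placeholder and needs a matching ExternalSecret. The `values` block continues outside these hunks.

```yaml
initContainers:
  01-init-db:
    # … unchanged: image, imagePullPolicy …
    envFrom:
      - secretRef:
          # placeholder name: Secret that holds only the INIT_POSTGRES_* keys
          name: semaphore-init-secret
# … unchanged: controller, image, env …
envFrom:
  - secretRef:
      name: semaphore-secret
```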


@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml
- ./secret.sops.yaml


@@ -1,45 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: semaphore-secret
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:sgvfTo/EWQFqeQ2xZ/iLCPov,iv:SF3b5MYuNOSlK+o4hLGHOk9e1vSpN7kSQUSrhTIA2tc=,tag:dpKEfawky8MPqniHVZ52Sw==,type:comment]
SEMAPHORE_DB_DIALECT: ENC[AES256_GCM,data:nyDaS8zCV4o=,iv:YCQiaTeAxm4bGCeNx6kJI8u/hOlQ36C97Fuef5FenNs=,tag:75QZEHB0cF92NaPjbd44KA==,type:str]
SEMAPHORE_DB_USER: ENC[AES256_GCM,data:FOFePOCsxamf,iv:556TKMhCRhHWEyPwLvFPFMwmo9RKiz1pW9OJJUsSwgk=,tag:6rPAfthdf73N1X83S+UynQ==,type:str]
SEMAPHORE_DB_PASS: ENC[AES256_GCM,data:Nl66upZmTE4xykvseIqtsS2w5G4=,iv:QkW7oGqDyY9G5yi1yMAhw3y48RmPGWqoKNL9tlUm5MU=,tag:Wu5fPPywslQOC8dGBea0bw==,type:str]
SEMAPHORE_DB_HOST: ENC[AES256_GCM,data:SlxTav3/SdtmeLD+NdB6oo8rb58FMYeM3odW4gey2OWGIwmzvw==,iv:Udz0Nu9zIk/h+8vur9wfC92iK5RjSpAoyV1Z4pb/5sY=,tag:zJPys79V5yz04nvj0VlcKg==,type:str]
SEMAPHORE_DB_PORT: ENC[AES256_GCM,data:qvnfig==,iv:jBXljtUMN7IM1JZHBa35FpwVdiKdOXKDJYJGeH1wTQU=,tag:PbwIlXX2CMRWxUnmKoDsSQ==,type:str]
SEMAPHORE_DB: ENC[AES256_GCM,data:v1dS1uIC8tGz,iv:nUz0Q88R/CnDmKuc//YqaAq3Mkbi+6miWkf9W0xmMbE=,tag:YopXWX3B70HHxq1Gc8NqUQ==,type:str]
SEMAPHORE_ADMIN_PASSWORD: ENC[AES256_GCM,data:yLiUSF9VyLN5YNfvAafUaV0KyaA=,iv:4BV3mxZMso0u2c/5jCAaEHbqijZiaLvATM6kJmcCvKY=,tag:tmHatfh3jHUX4MAzcUM7XQ==,type:str]
SEMAPHORE_ADMIN_NAME: ENC[AES256_GCM,data:zXt5NHSg,iv:NN/j6bFE03XbljhzQiTTkRRHqx/YU0nWHpGzjTKdC5Y=,tag:dteln0PGY4+b4hzaa7/mWw==,type:str]
SEMAPHORE_ADMIN: ENC[AES256_GCM,data:FMxAjLY=,iv:Oj9N3OBgAHBO+FAaqbMy70/F8hloUHWx8lXpUuaY6m0=,tag:xCw/C2s15dMSbD5z8wPhVA==,type:str]
SEMAPHORE_ACCESS_KEY_ENCRYPTION: ENC[AES256_GCM,data:ct9BMd7uE0DcD2kHsNkqD5vnfpAwLKLHImJu1ih56CHmhV03d3OrYDjHQ1g=,iv:MFCc4EvM40Q+1+xK5zTYXhFGkfEvkLmZuIbkOZI/0U4=,tag:sOkZUUNlikdeUp6Ax+Og4w==,type:str]
#ENC[AES256_GCM,data:G9yw2//y27PlVIHYhgA=,iv:qJ+cx+HixCnkGSARdo5fFYDJQT3jHearN00HeO0EwMk=,tag:yPer6XrUnfpKwrdsBlSkRA==,type:comment]
POSTGRES_DB: ENC[AES256_GCM,data:tsx2YRZtnx9u,iv:8zVFcdkLjSmbFgHXafyTBeXNmzTvvo9b5WPNRbtLHAM=,tag:yXOIDOp8Hm0dQuKfs5k1ig==,type:str]
POSTGRES_HOST: ENC[AES256_GCM,data:J7athqTJ9IEmr754JHpXxX7OepWTfuwxRCVUhy9cs/C+60nFNw==,iv:7q7sjl2SlIeDxRMtmf6ojU7hQ7wfH4dS/lheSz8TstI=,tag:SC/84LbwWT+ZxBflXvaHpw==,type:str]
POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:vihjmp4ehKUnXu4G3fxz/g==,iv:JGU0/W49NuacVNK5FE4Y8xviVT9nKhcJxuoZYj1UYDA=,tag:XIb324L6UHD/eu5omlRLEw==,type:str]
POSTGRES_PASS: ENC[AES256_GCM,data:qgKq9wFrS11Ts3brLGV7xJfbkE0=,iv:Jy3leaCr7MljBCpKzVDiyroBQw37W1/GIw9itA/Pb7o=,tag:0JnelzWhN2oXCsMRlRW2Cw==,type:str]
POSTGRES_USER: ENC[AES256_GCM,data:oNBXe1ln8LlO,iv:tgGEQyNy8aS2Gjm8yZR0rVzWN1FEcCKanjUKGAlbrkg=,tag:jeA4HSoK3kSFqvJTFyWGMw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-20T21:37:28Z"
mac: ENC[AES256_GCM,data:dagIu0cei3FxxV9iiLhHWimUpO///hZ2e/GaZ99go9XgVuMuJ5Nu3xLrgV/49qs4gQDsqA6XEoTeOpWK+6geO2k/dFxYQZixj3SH3CpWyrGl6lc+yFDLuCHLklh0OpKG9x7R9BlUkWt1M27Tmr1mdV6NZXqOZazJp4bT/ucETIE=,iv:LVi/RYrruDCk0C9LcyxSW1kO3zRKKJh1LLl5FYq325w=,tag:ng6MhZofV1t2XSghYC8u/Q==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -9,6 +9,7 @@ metadata:
substitution.flux.home.arpa/enabled: "true"
spec:
dependsOn:
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-cloudnative-pg-app
path: ./kubernetes/apps/default/semaphore/app
prune: true


@@ -0,0 +1,28 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: sharry
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: sharry-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
# Postgres Init
INIT_POSTGRES_DBNAME: sharry
INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
INIT_POSTGRES_USER: "{{ .POSTGRES_USERNAME }}"
INIT_POSTGRES_PASS: "{{ .POSTGRES_PASSWORD }}"
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
- extract:
key: sharry


@@ -6,7 +6,7 @@ metadata:
name: &app sharry
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
@@ -27,9 +27,16 @@ spec:
uninstall:
keepHistory: false
values:
initContainers:
01-init-db:
image: ghcr.io/onedr0p/postgres-init:14.8
imagePullPolicy: IfNotPresent
envFrom: &envFrom
- secretRef:
name: &secret sharry-secret
controller:
replicas: 1
strategy: Recreate
annotations:
reloader.stakater.com/auto: "true"
image:
repository: eikek0/sharry
tag: v1.12.1
@@ -56,9 +63,6 @@ spec:
tls:
- hosts:
- *host
podAnnotations:
configMap.reloader.stakater.com/reload: *app
secret.reloader.stakater.com/reload: *app
resources:
requests:
cpu: 50m
@@ -69,6 +73,6 @@ spec:
config:
enabled: true
type: configMap
name: sharry
name: sharry-configmap
mountPath: /opt/sharry.conf
subPath: sharry.conf


@@ -4,11 +4,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml
patchesStrategicMerge:
- ./patches/postgres.yaml
configMapGenerator:
- name: sharry
- name: sharry-configmap
files:
- ./config/sharry.conf
generatorOptions:


@@ -1,26 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: sharry
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.8
env:
- name: POSTGRES_HOST
value: ${POSTGRES_HOST}
- name: POSTGRES_DB
value: sharry
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
value: ${SECRET_SHARRY_DB_USERNAME}
- name: POSTGRES_PASS
value: ${SECRET_SHARRY_DB_PASSWORD}


@@ -0,0 +1,18 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: smtp-relay
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: smtp-relay-secret
creationPolicy: Owner
dataFrom:
- extract:
# SMTP_DOMAIN, SMTP_EMAIL_SMTP_USERNAME, SMTP_PASSWORD
key: smtp-relay


@@ -6,7 +6,7 @@ metadata:
name: &app smtp-relay
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
@@ -28,7 +28,6 @@ spec:
keepHistory: false
values:
controller:
replicas: 1
strategy: RollingUpdate
annotations:
reloader.stakater.com/auto: "true"


@@ -4,8 +4,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml
- ./secret.sops.yaml
configMapGenerator:
- name: smtp-relay-configmap
files:


@@ -1,29 +0,0 @@
# yamllint disable
kind: Secret
apiVersion: v1
type: Opaque
metadata:
name: smtp-relay-secret
namespace: default
stringData:
SMTP_PASSWORD: ENC[AES256_GCM,data:Yf/FCPWceNJadwSaTvNXug==,iv:eErTrc6gWkClzoMmLgkz6xgaUA/W7cZoxhgGeCuHPyk=,tag:HYWJN3imrt/Umv4NREuQpg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSGowVER2SFNrYTVxOUc4
S1lDV295S2tnTlE1TkFuWnFYdXZoZ2ZlYkVrCmdRaXpGNTZTbDBjbkxPTkhaSkU1
ZTZEakZwV1prTXpGalc2L0MrQ3BlVlEKLS0tIDdIdTdKTzBybHc5NjJaU0Z4dFg1
U003SkswTXRYaUdWYzVRL2oxb2RGdEEKQojCy0af9JFKnKSYQhT2C1sXIBjfKjEz
b7/1MAC99t37PRSsyh+ALf6DctqxysHKpG6Ku/RAchPqd2MwtIjWlQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-01T22:33:34Z"
mac: ENC[AES256_GCM,data:guldqBejtXp67NO2A/B0kPCLlJmpE7OAp04IRnv8iaMyvo/TxBkgvC8PQ/oQesxf2KNlJ671ewlIU9IdDres8qAC6ytV+iWVZGusOQfXKZKO5EWygckXokvs7jIfxWI7TdztLCMXlzaVDyH4fnrg2x4luxc3PNrctDfzu/vEP3s=,iv:Z9XHDirjaOs5UU5hWakGWDAvzvadIbJvBp4QbXCiw24=,tag:9WLfHq0SIQRvJqUmNWrSXA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -10,6 +10,8 @@ metadata:
spec:
path: ./kubernetes/apps/default/smtp-relay/app
prune: true
dependsOn:
- name: cluster-apps-external-secrets-stores
sourceRef:
kind: GitRepository
name: home-ops-kubernetes


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: sonarr
namespace: default
spec:
sourcePVC: sonarr-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: sonarr-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 10
within: 3d


@@ -1,35 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: sonarr-restic
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:E7B+rjyyZrHxiLBh/xnUl1b88ERSnGxUGHzZH+087fbXJOlbySnFuKRv+jPHMCoa//0r8RsC5mM=,iv:evk0OG92emADqogInteT7NSOsd+aGXEF8xMVLIVB63M=,tag:9YuM5VMkLpAA316dkjr5HA==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T15:35:19Z"
mac: ENC[AES256_GCM,data:VRBAxTHYtA4MWbi5qylhkRP2OlCAu8lOodgxVHlPicLY/AFxa70NhZcVMAD1iewVpr98ul0BQb/VdtRxlRdq4LjecdNK6o/FJUcvMVRjOBmMMyvqGnGmlif7MLMRt6H+FAknTC6nCJ1uSGu6KihvAA1f7jIeCOxzApGYqIsHp5M=,iv:yCrKaT5zu9ROQH5c8etRrYSlKRIKVeiNngbsOiX2a1g=,tag:4AINfTcGTA07MvMq7g4WXw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,25 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: sonarr
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: sonarr-secret
creationPolicy: Owner
template:
data:
# App
SONARR__API_KEY: "{{ .SONARR__API_KEY }}"
PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}"
PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}"
dataFrom:
- extract:
key: pushover
- extract:
key: sonarr
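Review bot: The template exports `PUSHOVER_API_TOKEN`, while the SOPS Secret removed for this app exported `PUSHOVER_TOKEN`, so the variable name the container sees changes with this commit. The HelmRelease mounts `/scripts/pushover-notify.sh` from the `sonarr-pushover` ConfigMap, whose content is not part of this page; if that script still reads `PUSHOVER_TOKEN`, notifications would stop after the switch. Either confirm the script was updated, or keep the old variable name in the template: `PUSHOVER_TOKEN: "{{ .PUSHOVER_API_TOKEN }}"`.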


@@ -6,7 +6,7 @@ metadata:
name: &app sonarr
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
@@ -27,6 +27,10 @@ spec:
uninstall:
keepHistory: false
values:
controller:
annotations:
reloader.stakater.com/auto: "true"
configmap.reloader.stakater.com/reload: sonarr-pushover
image:
repository: ghcr.io/onedr0p/sonarr-develop
tag: 4.0.0.559@sha256:62cc0157d673e68691c83c27a13011d416f28734134431bf27cf9b557cb7c2c5
@@ -40,7 +44,7 @@ spec:
SONARR__LOG_LEVEL: info
envFrom:
- secretRef:
name: *app
name: sonarr-secret
service:
main:
ports:
@@ -97,9 +101,6 @@ spec:
mountPath: /scripts/pushover-notify.sh
defaultMode: 0775
readOnly: true
podAnnotations:
configmap.reloader.stakater.com/reload: sonarr-pushover
secret.reloader.stakater.com/reload: *app
resources:
requests:
cpu: 500m


@@ -4,9 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./backups
- ./externalsecret.yaml
- ./helmrelease.yaml
- ./secret.sops.yaml
- ./volsync.yaml
- ./volume.yaml
configMapGenerator:
- name: sonarr-pushover


@@ -1,31 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: sonarr
namespace: default
type: Opaque
stringData:
PUSHOVER_TOKEN: ENC[AES256_GCM,data:VbPcH4St6p1+rdYkXgXnmWJw9wH1eeFe0KM0TxH9,iv:WLxuFr8DscUhYrgglmAPctrrY2QsItfwQ5ZnKD2P7xE=,tag:tfLhrhos9ZFKhuMdCnHDEA==,type:str]
PUSHOVER_USER_KEY: ENC[AES256_GCM,data:3UbR7hAnBAAjw/tdB8TSMZw3inuJJhJx9AiIN4tZ,iv:GuB8Kf/pAOp32SiVhpSLFisIeoEg1VxdYm2Raw2stRM=,tag:A8nDFwYPcZ7fOPG/UPYYzQ==,type:str]
SONARR__API_KEY: ENC[AES256_GCM,data:2byvnqPCT5MWJBnSmQrzXDnmfCvokUrr2PIR27iC+Y8=,iv:ejJtd3eXWlw0MyA6eXWVPChyVNgHK+FVpSYg2guOvZ8=,tag:QR0/X0cbJXFvzXhItglnCQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T15:35:43Z"
mac: ENC[AES256_GCM,data:W28v1mhf0LE/Wx/wz5YebMTvEAUY1/g8/aZmJKJNzioyT909NTlixyyMScZ9cUj/tKchkiv9DG9zKHNWiZSWHV8eEIsrzth4ENR0Puj0ZXzAFQAblzQh50DPMIVURt6FXcIh9Uw05fXcJwu2AN/lkWplsG7sDMo7n5y95ZomVHM=,iv:WSvs/o2Jep7DnoHBz2O/5t6aGjfYTNwRclGyf4npbOs=,tag:2OqXhjFhAnnxAK16o8TuOQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,49 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: sonarr-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: sonarr-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/sonarr'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: sonarr
namespace: default
spec:
sourcePVC: sonarr-config
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: sonarr-restic-secret
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 7
within: 3d


@@ -9,6 +9,7 @@ metadata:
substitution.flux.home.arpa/enabled: "true"
spec:
dependsOn:
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-rook-ceph-cluster
- name: cluster-apps-volsync-app
path: ./kubernetes/apps/default/sonarr/app


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: tandoor
namespace: default
spec:
sourcePVC: tandoor-files
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: tandoor-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 10
within: 3d


@@ -1,35 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: tandoor-restic
namespace: default
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:doNM45RgucJso4t85IZREhHclpvKXYy+GFomdGSokK7kjl7Jn25CJuG/u5t7GnjC0M2uYo8nhyMQ,iv:eNummV+QSSAkFFaZC0WPAMV/G+j70b0X6pN1MgUYx7s=,tag:gR260etgdx6Lwt9GXpDWew==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T06:24:08Z"
mac: ENC[AES256_GCM,data:udFHC/EM7a4g1pOvhU8HJRiSSSnBDvzva3rrZdmjidfcjrt90dStpNL+AHCLXjqj0DsPJHP8bvyXsrrOQg+WXi47OnugUu0YnqaoS6n5nklCfhcqWU5PM5eG+zmuDkfnXT9EbwAyKXvnmzhIr4Rr2+LxsZNJpVqY6AfNM4IFRtc=,iv:lqVOyMN1c/9pxU/CRuEjcPd6890uNq3xgqwF8RKkFEo=,tag:YMrnTGCruKCbTq0r24SEyw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,34 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: tandoor
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: tandoor-secret
creationPolicy: Owner
template:
data:
# App
SECRET_KEY: "{{ .TANDOOR_SECRET_KEY }}"
POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local
POSTGRES_PORT: "5432"
POSTGRES_DB: &dbName tandoor
POSTGRES_USER: &dbUser "{{ .TANDOOR_POSTGRES_USER }}"
POSTGRES_PASSWORD: &dbPass "{{ .TANDOOR_POSTGRES_PASS }}"
# Postgres Init
INIT_POSTGRES_DBNAME: *dbName
INIT_POSTGRES_HOST: *dbHost
INIT_POSTGRES_USER: *dbUser
INIT_POSTGRES_PASS: *dbPass
INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
dataFrom:
- extract:
key: cloudnative-pg
- extract:
key: tandoor


@@ -6,7 +6,7 @@ metadata:
name: &app tandoor
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
@@ -33,9 +33,19 @@ spec:
image:
repository: vabene1111/recipes
tag: 1.5.4
envFrom:
envFrom: &envFrom
- secretRef:
name: tandoor-secret
env:
DEBUG: "0"
ALLOWED_HOSTS: "*"
DB_ENGINE: django.db.backends.postgresql_psycopg2
GUNICORN_MEDIA: "0"
TIMEZONE: ${TIMEZONE}
TANDOOR_PORT: 8888
FRACTION_PREF_DEFAULT: "0"
COMMENT_PREF_DEFAULT: "1"
SHOPPING_MIN_AUTOSYNC_INTERVAL: "5"
command:
- /opt/recipes/venv/bin/gunicorn
- -b
@@ -88,7 +98,7 @@ spec:
type: "custom"
volumeSpec:
configMap:
name: *app
name: tandoor-configmap
django-js-reverse:
enabled: true
type: emptyDir
@@ -106,9 +116,6 @@ spec:
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: "OnRootMismatch"
podAnnotations:
configMap.reloader.stakater.com/reload: *app
secret.reloader.stakater.com/reload: *app
resources:
requests:
cpu: 100m
@@ -116,7 +123,11 @@ spec:
limits:
memory: 512Mi
initContainers:
init-migrate:
01-init-db:
image: ghcr.io/onedr0p/postgres-init:14.8
imagePullPolicy: IfNotPresent
envFrom: *envFrom
02-init-migrate:
image: vabene1111/recipes:1.5.4
env:
- name: DB_ENGINE
@@ -145,9 +156,8 @@ spec:
mountPath: /opt/recipes/cookbook/static/django_js_reverse
- name: static
mountPath: /opt/recipes/staticfiles
additionalContainers:
sidecars:
nginx:
name: nginx
image: nginxinc/nginx-unprivileged:1.25.1-alpine
imagePullPolicy: IfNotPresent
ports:
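Review bot: The `&envFrom` anchor on the main container and `envFrom: *envFrom` on `01-init-db` both load the whole of `tandoor-secret`, and the ExternalSecret that builds that secret also carries `INIT_POSTGRES_SUPER_PASS`. The Postgres superuser password therefore ends up in the environment of the long-running Tandoor process, which only needs its own database credentials. I would move the `INIT_POSTGRES_*` keys into a second target secret and give the init container its own reference, for example `envFrom: [{secretRef: {name: <init-only-secret>}}]` (placeholder name), leaving the app on `tandoor-secret`. The values block continues outside these hunks, so other containers that may reuse the anchor are not visible here.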


@@ -4,15 +4,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./backups
- ./externalsecret.yaml
- ./helmrelease.yaml
- ./secret.sops.yaml
- ./volsync.yaml
- ./volume.yaml
patchesStrategicMerge:
- ./patches/env.yaml
- ./patches/postgres.yaml
configMapGenerator:
- name: tandoor
- name: tandoor-configmap
files:
- ./config/nginx-config
generatorOptions:


@@ -1,22 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: tandoor
namespace: default
spec:
values:
env:
DEBUG: "0"
ALLOWED_HOSTS: "*"
DB_ENGINE: django.db.backends.postgresql_psycopg2
POSTGRES_HOST: ${POSTGRES_HOST}
POSTGRES_PORT: ${POSTGRES_PORT}
POSTGRES_DB: tandoor
GUNICORN_MEDIA: "0"
TIMEZONE: ${TIMEZONE}
TANDOOR_PORT: 8888
FRACTION_PREF_DEFAULT: "0"
COMMENT_PREF_DEFAULT: "1"
SHOPPING_MIN_AUTOSYNC_INTERVAL: "5"


@@ -1,32 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: tandoor
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.8
env:
- name: POSTGRES_HOST
value: ${POSTGRES_HOST}
- name: POSTGRES_DB
value: tandoor
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: tandoor-secret
key: POSTGRES_USER
- name: POSTGRES_PASS
valueFrom:
secretKeyRef:
name: tandoor-secret
key: POSTGRES_PASSWORD


@@ -1,31 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: tandoor-secret
namespace: default
type: Opaque
stringData:
SECRET_KEY: ENC[AES256_GCM,data:Q6F1yVx9o5l+NGOYDe+m6DH/v1MxJQCSKT89IVwjqYI=,iv:KAkiYOyzD+i4ybTb19cIUaZlLq9/Hkda9c9ksf+FQrg=,tag:5nEYJe8JnrwScW2a8+dekw==,type:str]
POSTGRES_USER: ENC[AES256_GCM,data:FYYcjxl00w==,iv:Qhyu+2pCDrLynJVKb88olLiG1S9mmSVJgdsWuBu2iPQ=,tag:XngsCKqqnv/eZUN715cY5A==,type:str]
POSTGRES_PASSWORD: ENC[AES256_GCM,data:7nRBJj4SN//W6kcD4RwDOw==,iv:uTlW+I/H72vTlUIH7m9AVqRKSA+XMAQoJLGcu5cFFFM=,tag:tkeMqZVP8NHgyH4aOWSlFw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TlpyT0RXNHdBVHBKVkJo
dGhPZDgvTHlOVHJ5d3JDeEZhd2NmQUxVdURrCkZKTWVPK2Y0L3NWVDJCbHRUYVQ2
MGVuRXdSMHZzSFFpOHFNa2laNEF5T1EKLS0tIGcvVDBRWTJPeVJzVTg2ZzNRdTFJ
VjJ5ZzIyNE9OMGVVcFBiOWRjazFGYkUK8wW2HI/BuiFMAyOV/BABZkE+L6qLVAuE
LM+b1l2q79np70ostH7Jmox9KP4QsMLYxDhjse/ygS5e8oQRbb1oTg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-11T21:32:22Z"
mac: ENC[AES256_GCM,data:y+O9Ry6ybIm1hmfZspcyiJPzjGDa89e2Qa+oMj+qsye6T6Y3k0JRn/POGkrxHCsw05exKMa3+8ldQQgHewdiiv1TOJ3Xwap377AtYlId+hBfwyfPG1VtnBNu4pHDe919f6q7DNRJbaQscmZgFuZYRMyIeI+rBNT7slGuvAWwAjc=,iv:4DFc9cJ9BaDwv/E3ZVBFwf82879ePff6BoOryRBn0Oo=,tag:n870pnOy32XnELnZzyukvQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,49 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: tandoor-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: tandoor-restic-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/tandoor'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: tandoor
namespace: default
spec:
sourcePVC: tandoor-files
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: tandoor-restic-secret
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
retain:
daily: 7
within: 3d
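Review bot: `RESTIC_PASSWORD`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are copied unchanged from the `volsync-restic-template` item, and only `RESTIC_REPOSITORY` gets a per-app suffix. If that item is shared by the other apps migrated in this commit (the name suggests so, but it is not confirmed here), anyone who can read `tandoor-restic-secret` can also decrypt and delete the other apps' repositories. A per-app restic password, or bucket credentials scoped to the `/tandoor` prefix, would limit that. At minimum, document the sharing with a comment above `dataFrom`, e.g. `# shared restic password and S3 keys for all volsync repositories`.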


@@ -15,6 +15,7 @@ spec:
name: home-ops-kubernetes
dependsOn:
- name: cluster-apps-cloudnative-pg-cluster
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-rook-ceph-cluster
- name: cluster-apps-volsync-app
healthChecks:


@@ -6,7 +6,7 @@ metadata:
name: &app theme-park
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:


@@ -6,7 +6,7 @@ metadata:
name: truenas-backup
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
@@ -39,11 +39,9 @@ spec:
command: ["/bin/bash", "/app/truenas-backup.sh"]
env:
HOSTNAME: truenas
SECRET_DOMAIN: ${SECRET_DOMAIN}
SECRET_CLUSTER_DOMAIN: ${SECRET_CLUSTER_DOMAIN}
envFrom:
- secretRef:
name: truenas-backup-secret
name: truenas-secret
service:
main:
enabled: false
@@ -59,8 +57,8 @@ spec:
ssh:
enabled: true
type: secret
name: truenas-backup-secret
subPath: SSH_KEY
name: truenas-secret
subPath: TRUENAS_SSH_KEY
mountPath: /opt/id_rsa
defaultMode: 0775
readOnly: true
@@ -72,13 +70,9 @@ spec:
env:
- name: HOSTNAME
value: truenas-remote
- name: SECRET_DOMAIN
value: ${SECRET_DOMAIN}
- name: SECRET_CLUSTER_DOMAIN
value: ${SECRET_CLUSTER_DOMAIN}
envFrom:
- secretRef:
name: truenas-backup-secret
name: truenas-secret
volumeMounts:
- name: config
readOnly: true
@@ -87,4 +81,4 @@ spec:
- name: ssh
readOnly: true
mountPath: /opt/id_rsa
subPath: SSH_KEY
subPath: TRUENAS_SSH_KEY
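Review bot: `envFrom` with `secretRef: name: truenas-secret` now injects every key of the consolidated secret into both the main container and the `truenas-remote` container, and the certs-deploy release does the same. Per the ExternalSecret added in this commit, that includes `TRUENAS_SSH_KEY`, `SOPS_AGE_KEY` and both TrueNAS API keys. The visible part of the backup script reads only the AWS pair and `SECRET_DOMAIN`, and the SSH key is already delivered through the `ssh` volume. Splitting the ExternalSecret into one target per job, each listing only the keys that job reads, would keep the age key and the API keys out of the environment of containers that never use them. The container definitions start and end outside these hunks.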


@@ -5,7 +5,6 @@ kind: Kustomization
namespace: default
resources:
- ./helmrelease.yaml
- ./secret.sops.yaml
configMapGenerator:
- name: truenas-backup-configmap
files:


@@ -7,8 +7,8 @@ mkdir -p ~/.ssh
cp /opt/id_rsa ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
printf -v aws_access_key_id_str %q "$AWS_ACCESS_KEY_ID"
printf -v aws_secret_access_key_str %q "$AWS_SECRET_ACCESS_KEY"
printf -v aws_access_key_id_str %q "$TRUENAS_AWS_ACCESS_KEY_ID"
printf -v aws_secret_access_key_str %q "$TRUENAS_AWS_SECRET_ACCESS_KEY"
printf -v secret_domain_str %q "$SECRET_DOMAIN"


@@ -6,7 +6,7 @@ metadata:
name: truenas-certs-deploy
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
@@ -40,11 +40,10 @@ spec:
env:
HOSTNAME: truenas
TRUENAS_HOME: /mnt/storage/home/homelab
SECRET_DOMAIN: ${SECRET_DOMAIN}
CERTS_DEPLOY_S3_ENABLED: "True"
envFrom:
- secretRef:
name: truenas-certs-deploy-secret
name: truenas-secret
service:
main:
enabled: false
@@ -68,14 +67,13 @@ spec:
ssh:
enabled: true
type: secret
name: truenas-certs-deploy-secret
subPath: SSH_KEY
name: truenas-secret
subPath: TRUENAS_SSH_KEY
mountPath: /opt/id_rsa
defaultMode: 0775
readOnly: true
additionalContainers:
sidecars:
truenas-remote-certs-deploy:
name: truenas-remote-certs-deploy
image: ghcr.io/auricom/kubectl:1.27.3@sha256:402cbd1a404bdae3db854252054e4160b5746067e6f462d4a48236c46f6ad28a
command: ["/bin/bash", "/app/truenas-certs-deploy.sh"]
env:
@@ -83,13 +81,11 @@ spec:
value: truenas-remote
- name: TRUENAS_HOME
value: /mnt/vol1/home/homelab
- name: SECRET_DOMAIN
value: ${SECRET_DOMAIN}
- name: CERTS_DEPLOY_S3_ENABLED
value: "False"
envFrom:
- secretRef:
name: truenas-certs-deploy-secret
name: truenas-secret
volumeMounts:
- name: config
readOnly: true
@@ -102,4 +98,4 @@ spec:
- name: ssh
readOnly: true
mountPath: /opt/id_rsa
subPath: SSH_KEY
subPath: TRUENAS_SSH_KEY
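Review bot: The `ssh` persistence entry mounts `TRUENAS_SSH_KEY` with `defaultMode: 0775`, which leaves the private key readable and executable by every user in the pod; the backup release carries the same line. The backup script copies the file and runs `chmod 600` on the copy, so the mount itself only has to be readable by the job's user. `defaultMode: 0400` should be enough, or `0440` if access goes through `fsGroup`; the pod security context is outside these hunks, so confirm which applies.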


@@ -5,7 +5,6 @@ kind: Kustomization
namespace: default
resources:
- ./helmrelease.yaml
- ./secret.sops.yaml
configMapGenerator:
- name: truenas-certs-deploy-configmap
files:


@@ -13,18 +13,18 @@ elif [ "${HOSTNAME}" == "truenas-remote" ]; then
printf -v truenas_api_key %q "$TRUENAS_REMOTE_API_KEY"
fi
printf -v cert_deploy_s3_enabled_str %q "$CERTS_DEPLOY_S3_ENABLED"
printf -v pushover_api_key_str %q "$PUSHOVER_API_KEY"
printf -v pushover_api_token_str %q "$PUSHOVER_API_TOKEN"
printf -v pushover_user_key_str %q "$PUSHOVER_USER_KEY"
printf -v secret_domain_str %q "$SECRET_DOMAIN"
scp -o StrictHostKeyChecking=no /app/truenas-certs-deploy.py homelab@${HOSTNAME}.${SECRET_DOMAIN}:${TRUENAS_HOME}/scripts/certificates_deploy.py
ssh -o StrictHostKeyChecking=no homelab@${HOSTNAME}.${SECRET_DOMAIN} "/bin/bash -s $truenas_api_key $cert_deploy_s3_enabled_str $pushover_api_key_str $pushover_user_key_str $secret_domain_str" << 'EOF'
ssh -o StrictHostKeyChecking=no homelab@${HOSTNAME}.${SECRET_DOMAIN} "/bin/bash -s $truenas_api_key $cert_deploy_s3_enabled_str $pushover_api_token_str $pushover_user_key_str $secret_domain_str" << 'EOF'
set -o nounset
set -o errexit
PUSHOVER_API_KEY=$3
PUSHOVER_API_TOKEN=$3
PUSHOVER_USER_KEY=$4
SECRET_DOMAIN=$5
@@ -48,7 +48,7 @@ if [[ "$result" == "${CERTS_DEPLOY_PRIVATE_KEY_PATH}" ]]; then
echo "ERROR - Certificate is older than 69 days"
echo "ERROR - Verify than it has been renewed by ACME client on opnsense and that the upload automation has been executed"
curl -s \
--form-string "token=${PUSHOVER_API_KEY}" \
--form-string "token=${PUSHOVER_API_TOKEN}" \
--form-string "user=${PUSHOVER_USER_KEY}" \
--form-string "message=Certificate on $TARGET is older than 69 days. Verify than it has been renewed by ACME client on opnsense and that the upload automation has been executed" \
https://api.pushover.net/1/messages.json
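Review bot: Both the `scp` line and the rewritten `ssh` line in the first hunk keep `-o StrictHostKeyChecking=no`, so the job accepts whatever host key answers for `${HOSTNAME}.${SECRET_DOMAIN}`. It then sends the TrueNAS API key and the Pushover credentials to that host as arguments of `/bin/bash -s`. Pinning the host key closes that gap: ship a known_hosts file with the job and use `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<mounted known_hosts path>` on both commands. Passing the secrets as positional arguments also leaves them visible in the remote process list for the length of the session. The script continues outside both hunks.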


@@ -0,0 +1,36 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: truenas
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: truenas-secret
creationPolicy: Owner
template:
data:
# App
PUSHOVER_API_TOKEN: "{{ .TRUENAS_PUSHOVER_API_TOKEN }}"
PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}"
TRUENAS_AWS_ACCESS_KEY_ID: "{{ .TRUENAS_AWS_ACCESS_KEY_ID }}"
TRUENAS_AWS_SECRET_ACCESS_KEY: "{{ .TRUENAS_AWS_SECRET_ACCESS_KEY }}"
TRUENAS_SSH_KEY: "{{ .TRUENAS_SSH_KEY }}"
TRUENAS_API_KEY: "{{ .TRUENAS_API_KEY }}"
TRUENAS_REMOTE_API_KEY: "{{ .TRUENAS_REMOTE_API_KEY }}"
SECRET_DOMAIN: "{{ .SECRET_DOMAIN }}"
SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
SOPS_AGE_KEY: "{{ .SOPS_AGE_KEY }}"
dataFrom:
- extract:
key: generic
- extract:
key: pushover
- extract:
key: sops
- extract:
key: truenas


@@ -2,6 +2,9 @@
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml
- ./backup
- ./certs-deploy
- ./externalsecret.yaml
- ./minio-rclone


@@ -6,7 +6,7 @@ metadata:
name: truenas-minio-rclone
namespace: default
spec:
interval: 15m
interval: 30m
chart:
spec:
chart: app-template
@@ -15,7 +15,7 @@ spec:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
maxHistory: 2
install:
createNamespace: true
remediation:
@@ -52,7 +52,7 @@ spec:
age:
enabled: true
type: secret
name: truenas-minio-rclone-secret
subPath: AGE_KEY
name: truenas-secret
subPath: SOPS_AGE_KEY
mountPath: /app/age_key
readOnly: true


@@ -5,7 +5,6 @@ kind: Kustomization
namespace: default
resources:
- ./helmrelease.yaml
- ./secret.sops.yaml
configMapGenerator:
- name: truenas-minio-rclone-configmap
files:


@@ -1,30 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: truenas-backup-secret
namespace: default
type: Opaque
stringData:
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:4Waq8U9rY/IsdzKInsJQGoXD1Q4=,iv:N05MKTKyY4LatzfPZS6Vke1dyZmYs0tOhU/O51K8mwQ=,tag:bQHdjgc5Xqg//PBOVuUccg==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:JN6f87JOBaZVC5ue4aArSDrQ/NVe73vZZgmbXYeGAVcl4urzUbO4qA==,iv:i0RP/gidkJG7pccRVIT6FUd3IHm7Z5y2hnjSBqVwHLA=,tag:L688v2TfeIMnX7BNmA5kmA==,type:str]
SSH_KEY: ENC[AES256_GCM,data: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,iv:NkbvqlEf99WrgjBKF1vyl0kWxbsUcPzJmfTiiAsMUfI=,tag:3Okc7Dkh9bATeff8i2LQjw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMEhOUTJMcUYvNFozRDNr
WnhJTEYzVWN4V1VXemhtWWU1SmMvUmljNFFNCk91aHhXRVBDSzhhcjIzalQ5SEpN
cTJIOGVVYWNYRGdtMm5nZUZ5Q0EzTE0KLS0tIFRMYnNGakdrSktjT2ZoNk1sN21C
YlhlTVhRdDFJUVZiMTdtVXlveWNDWE0KG7MKLp5tUCm7KpuhpmsvAWDrreBuHSEp
zyH6hY1i7jgjh020qZI32zNDHeTIJhi+mHur/jvBJhEGLMz6JYUPrg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-02T20:30:20Z"
mac: ENC[AES256_GCM,data:O3rYI2l6/VbuxOD+uigagizpMzY6SIMXlu8sT2nWIDDp/7q1OLd8xilAKtTD85jYGbqFk5bluhyMiFdjq4sA9RZAPXoYY/l9RqMSBeR/gptUPAqK5qkYL9XX1AXbWuxziXIAtJYvyQuyTYeWPMsMNkmHNb1APxDWc0quUTfphjA=,iv:Tdvt08Qm6yD22YM9p0pQ/Gxfc4RAM9m9J0mBShAJ0X4=,tag:FgQxh1qBlVsfDRDCnmyyPA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -1,32 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: truenas-certs-deploy-secret
namespace: default
type: Opaque
stringData:
TRUENAS_API_KEY: ENC[AES256_GCM,data:0B0eF5hqqwDuv61BFxirXqxrIEtABYCRnHv97XiiyIEEKM2+DH/L0VknFczxEZIbdhERip30is4irI8mUhJOT9S2,iv:JlHKJhRd/UPJh354GyUftnrFBHLZLhIRGSfYbxKriCs=,tag:njMr8GG+YCjKpZvK3pFWsQ==,type:str]
TRUENAS_REMOTE_API_KEY: ENC[AES256_GCM,data:hHsW9mHIVj9JQqJb/xdTwC0I9ro7OqVT5owjVS00VDplhl81f3zjSN7B+HL3YOVYg2VrjoJ/1Gukk7F413CXcqI7,iv:b2SAPCAmbcvfam9Kt6ess5musA7jawiQPVwxMKwJpmE=,tag:ILIgoNmSFXPGs6zRHi/u7Q==,type:str]
PUSHOVER_API_KEY: ENC[AES256_GCM,data:cyk9BKRm/sSP9/y58+P1T6KMog+FqD/088NFgJ9E,iv:4d9NorzBh+XpvV0oAk6eC+d5adcDkoqwpg/iX1tI6J0=,tag:PAWmAMz6p6wXjTtMSBeJwQ==,type:str]
PUSHOVER_USER_KEY: ENC[AES256_GCM,data:TDSEIhc63jIoquDRBAeU987nfDHIhrmie41m5iA/,iv:3pHGEh9tJgeBr0B6DIT0sKtfedEZSXkAsFd+7oaIb2U=,tag:6SMb0MQzXfQNNlGsVbr3AA==,type:str]
SSH_KEY: ENC[AES256_GCM,data:/u/tzgpNhYeTfO3Y1V5DsXXWHcnpGCpmSQmcHmhtiQHeuWJJyCy9cObf6Hm8BQjmYPSnUwCGMC1GQM8rjHBiWDXVMK5IXiQlpd5gFxxH8LK8DjfMy8hiNLEe40dkYB044mfGJbyfBEK3AaGURVHlgfzGQiXMWbqSL9BGGr3hhvfuWyrpFxJSDC8CmJ0Swu9Fw8J6LliTwMG1LQAJUNd8ZJkV5qFpbHG0LDlYYI2ebjQspS8tsQuwsE4ewPrVeD2YDY81klcFnshHLD1fR7HHCNtEpMUfV9lstDVqm12JAFWGN0wFoxDR5C+JBZLgEtFwjq2hE6OZ858D5h+jwCYEVmrW3hWVK7aTYjoSmPxDaiZ5Ro7YcXSilMuSSi3IacS3iWQP6VXFfKDZTD4C527ZlJRgMQFKAvGb6FcJj2NhpcmMM9fDLsSF4VFsEYBkkp/GM+TZHqeIp+kOFvNcDwZwgqwgfu8VCB0ogwpvyTr8rpdoS8phH6P8hFO5Nzxx3HEV3cHIbiXFOrDFO2xzM1YdaAJs2sOvVm5+uTl/XJqg6kXLCzoe1LZAoK4MIVFCk2U2rItGN05wLPUTMopJuEUvHxrCg79AQToIZCD2v9Xl7HucyXR386yuL9VrS341Euc8bPELDwPNgJLxnsGRDp8xUN1CsvZWxcVxpw4k+jdXHZKd110WMKcfUMaYcKPxupdu/qDqvR6DhpywpBxPhgJL1/f8V7T09t2KCdUa81rwTsPVuK9B1H3Q/YYc8h99nBUZaYrIQk+WQtbgKYvzz204I7lev+lliPkie7H6umDWw3NADoOQqvF84kxAfO4jUbvTIeLeFSik6p0RNN3CdTnK5hNEdtpbk4+KuHSw6WBB9aTFcm3JkHGZsEuYVXWNoEgbIEjL17JLXm2FV0kNJil+vbQ5qcan5H7aKm1vcHgXylDGmKPU2QzSpXSSSwTMxOeAKGrPVIusT+gpqw22+YHa/kS2trz0XrPt/rXY4SDAXcjSNSzS5WcnvVX5v7DioGHo8/emYY9XEjML2iig1mxxyaP71GuWvzmITPWQHM3iJvXPywwgki1UiZqN+3WsZUi2zFrGJP/VXuL+8lCKvwZmRg0ACK+TeAenZsSSr3AdiKKbpriGHeqjjnSUvMmx6DUNIYdrxc9gNXBQ4tnNMN+pYBDj2jeiSIx2pb2derhOMGKyBCn3vfFylp2ljp7xJ39+N8fTlB7oTDQRCXmW/CR6bHd41/DeP9Hli8D0iYq0toM2oxby/eXPr/+I7wOZU23CKi/kQssxdn5XnlAGV0j7moF3ys3q7qFWesRQw1iYsS+dIvSr714u1NJXvE0nU6v5Vv64s22g+AC1FrWlsOdSo3CDLc1KctIuuFclyxI4mIekQk3iOKl/4a6XK/suOhmyzWHEKlq3LhbHZEA/maMOsKU//tX0uA+asOBLQJPtixwuQ9ZE0vpr4uL0LRJjpnYk09ktuE2YerQu6pGkMBt7uQnpWSzAlO2+3jPducXUdft9MXYM2jaK+PoUuCLUNegeqcpzF3KnGT9zDfbR15abg9nrY1Gv4cHlNN94JFxD2Z9qYBnNHBmG+Pdkq5xYDOcSmC3AV1IF+OAY+IYbb2BAUVy2JvqJal2mvGnlgOSVxtaA51VOkov8Bd0XwMUC/QDaj+CxMS/uDIDUsg6qbuw4dg+HjDVYhlnc6YElwET6LBoLkS5SIX+8W8XoVDAoTapOlrSXDo/elRW/WY4TJ4MEdW0xasjDuCxNDCpdmzbGsNUbpXQqDSz3sJvEggri0Q5ShGBJ57XCNEbXO/ZjlzBE1eN1bVjKkAbNrdj89NHpwFJiUUwiqhJmMFt1lbCdA9ihpKsuUyF7jBwnOdVnSLqvcL+U2WG6xWfJHTyoMpRFlaJJfchc3Nv3upOajk1rPFCdEK0vztAYinN8ldieKOz1bSJL8/RomSyjWJ3CeyyQYAODZn8KNf8
E8YqapENbHA4Mj687NvaMxXl+sRxp+uprbZ/KDY609vEuub/46q0S5yddd3VAUrXX1x+leeRusGqXR0I9iwyaYSXpZO7fyUm1762o71fQHYgXcvco2NmDCH8AeFO0/Dc6bm8n//2g5XUg0ej+o1YZQaQ+plDjM9pHX33/BOvXDOJ7MoQMGIHadv9tS+USaLKNI45Z4tklIKGzkNh5q6JCrIGnja76ncaLGGOJpxG2tuQh7CATdSCWtDOJTLYDa84kWLH1lkXJeLkYGdTrKDpjNZnUQkggVyKisK9cSlnsUNsW+xwl2fKvuoNjm0wrBXN4MkUdLbbGBFt5CbZbyzz3f4et8twQ77TT6KJ5hORj/D3FFfM8LCDS/WQYQ9mHEZjWhtIfIRphSt192I/6hHuhHb7nl+ZO/SKoqfKN7Z32OUIR/gc6tcD+CYC02EpNgqZw9Lacq+zIAvY2m5KUbjaX/ddjI6OE7WyrBSArjtr/o1Vrto8xBZ5eHbbauFTFHN/QuadfU/VHDLUM2KQoWw1luYMTQBpyhK/ZCnOcU6hhJfWyMBY7lHBZBc44iu1ntyc+BPXL5kg9RoA832vNJAqt+1TGllnT1l6rd29+evfW7LIVLwQKVfCcR7DNX9NJYF8LDz2TCL7633udmoJC4bDCIW4mt1D5ITItat3AHSLruYyFPrUx4GwWGL4SKZTQxqpVxvj8mQC77h8WbkfH2csU6hFr7yCjVMpg7RSax942GHUPZzJnHmjgbgyNnats/ZgKjWxlVi/D7bUDxcYGOAHwjodyidGZbCiQckxkwF8brcfLM4VcgYfZ4Xe2tcMFLQML4id8WTgpnCv+jnSmOxn0IJog4SQ1qxPScKCAQL78SKCCeG67GTmcMbBPXhKTf7AQTpCIAUPSeAiR5rvNv5TZjIXzWYu6SP0Cw8+NxkENaS5RZsXtjVJTGnL3UJjVEQw9BC5qjXta2n8R8X1ELDB6qwjdDy3U5hbrdwEyjV8h5TJRe3xcYcMrKicmLfG6bhdcx1SpiCiI9M3hpc32S2Dn8FCoYFlP4tsuzT4b2VcaOZAlkLahchNbTTIMlehzJnGkXX1HwCh+c+fSD/apiONh49VPbVOAvV/rsSjn15AemL25MrP76evzIZwfrYdsZkGyq+sT2UyO8sGhu9U08bJkdC+1saQzSam75AWvV2dS7/HLefsMoezSLurhkr1jGjVsxaRXM9UCWxRYP2a4HHT6fHXdUGP9dHyEv8E/B5RpvD/HzNr8udxHdq7SgXhoEHMqWOKPtNVkXlqttlAWbcoWDnJaOBH1/50+DZYuZ9bmF+X5qk/TM2jyhQIyekLSw1quOdnfx5OM8K9ZmgUEqyJ2LibXW9yZWoth/Pjq7sFIkC8YSneWiFRk7uOFZjcfnoItHrjghW5tK7diluj97+O3p2FqtV9pqB2UhyPAeIRSmWFxhPj5dornJVIQL/Zr2Jv911HICP2G7wQnsKv54Fnp4t+9ZjhJzkTh4IFK,iv:vF3GSh82JgjFVTTkTJrxu142JQGIF1/1r9b1yfcDXGE=,tag:rf0/VoDl2vKwL9gwepX4rg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMEhOUTJMcUYvNFozRDNr
WnhJTEYzVWN4V1VXemhtWWU1SmMvUmljNFFNCk91aHhXRVBDSzhhcjIzalQ5SEpN
cTJIOGVVYWNYRGdtMm5nZUZ5Q0EzTE0KLS0tIFRMYnNGakdrSktjT2ZoNk1sN21C
YlhlTVhRdDFJUVZiMTdtVXlveWNDWE0KG7MKLp5tUCm7KpuhpmsvAWDrreBuHSEp
zyH6hY1i7jgjh020qZI32zNDHeTIJhi+mHur/jvBJhEGLMz6JYUPrg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-03-17T00:23:02Z"
mac: ENC[AES256_GCM,data:pIJwVCQaP73DElbqqxbA9jadVekYkvcHxnlanOtUdjHiNAYRwjXpJTssPEJC3TL+r4zBWZUlstDG4R9kgaY1Kz/dnhO7MuH/1FN6ShTWsDwgVJfJTtn8hfYiq9H7mHNwvscK7PbirQQYPCXMFFMDfK2CfKBIYkKmlzOMQvVRvlc=,iv:yexA2IKrIGFg8phkJhLkd211MDxBidfVdGL+PVzkAJ0=,tag:XnQdY6Md8PcWgyubtX3Ekw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -3,12 +3,12 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cluster-apps-truenas-backup
name: cluster-apps-truenas
namespace: flux-system
labels:
substitution.flux.home.arpa/enabled: "true"
spec:
path: ./kubernetes/apps/default/truenas/backup
path: ./kubernetes/apps/default/truenas
prune: true
sourceRef:
kind: GitRepository
@@ -18,48 +18,10 @@ spec:
kind: HelmRelease
name: truenas-backup
namespace: default
interval: 30m
retryInterval: 1m
timeout: 3m
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cluster-apps-truenas-certs-deploy
namespace: flux-system
labels:
substitution.flux.home.arpa/enabled: "true"
spec:
path: ./kubernetes/apps/default/truenas/certs-deploy
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
healthChecks:
- apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
name: truenas-certs-deploy
namespace: default
interval: 30m
retryInterval: 1m
timeout: 3m
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cluster-apps-truenas-minio-rclone
namespace: flux-system
labels:
substitution.flux.home.arpa/enabled: "true"
spec:
path: ./kubernetes/apps/default/truenas/minio-rclone
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
healthChecks:
- apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
name: truenas-minio-rclone


@@ -1,28 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: truenas-minio-rclone-secret
namespace: default
type: Opaque
stringData:
AGE_KEY: ENC[AES256_GCM,data:4xNBIadPDtcizBd02RW/JN1KiOIwkED4NtXAvuI6hxaOOzpfWh8hC2jrn8MLej0e+yXEcODe0KCUsx4p+GQEARSqOvrFWJ96XgoC1batFUmzGk8/WGdbaGt+zXxwsAPpJeEIYElPqy/XLgu+k1xdc/vvN78+RPnRXEWoxbSXonxuy9DJg1VQVaP2V9lKnHcIlYtQaz2xtdTBhOVAyaVKJxo11ievv96ZFY7eyX2YmaBtOfmU9pNH9InYqU+L,iv:ahXvBl2CgjOxB6MmcjMXBryf+MwahtII/NTxYIFa3DQ=,tag:+AriTfQEhOrfJCRnfes/Cw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmMEhOUTJMcUYvNFozRDNr
WnhJTEYzVWN4V1VXemhtWWU1SmMvUmljNFFNCk91aHhXRVBDSzhhcjIzalQ5SEpN
cTJIOGVVYWNYRGdtMm5nZUZ5Q0EzTE0KLS0tIFRMYnNGakdrSktjT2ZoNk1sN21C
YlhlTVhRdDFJUVZiMTdtVXlveWNDWE0KG7MKLp5tUCm7KpuhpmsvAWDrreBuHSEp
zyH6hY1i7jgjh020qZI32zNDHeTIJhi+mHur/jvBJhEGLMz6JYUPrg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-02T22:33:41Z"
mac: ENC[AES256_GCM,data:DLH8O96zF76gLpyPBoN4vJz3iFfLTlJVovM5URp1LtaN3JxlMGoldhsbeCTWK2O90TTkzAh6BB+2nWa4yEx+VL1pOD8XSYDz5qZS3EpQ5Gf4yr9qSziSg/uLuw39T2OxQkWw5FVCK1mzbF+Pw7IUIasUQFDmM2xBiuYH4M2OYyI=,iv:481eBWmOpRB74G1y4ntMqHS2+DKC0+OOtOEO8eKspfA=,tag:/Be7ik2B+Ya9k9cQH3iVZw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./replicationsource.yaml
- ./restic.sops.yaml


@@ -1,25 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: unifi
namespace: default
spec:
sourcePVC: unifi-config
trigger:
schedule: "0 0 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 10
repository: unifi-restic
cacheCapacity: 2Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 999
runAsGroup: 999
fsGroup: 999
retain:
daily: 10
within: 3d


@@ -1,34 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: unifi-restic
type: Opaque
stringData:
#ENC[AES256_GCM,data:WTM0Lkqp+sxjbUgkNzAVZQnC5g==,iv:4y8R8GpLy2Ogh3Lt3v6ibVbJF7jy8K1BOGi+ONt7S5c=,tag:wRhEBfRNHp0PBvIjM60iSA==,type:comment]
RESTIC_REPOSITORY: ENC[AES256_GCM,data:FthTBOx4mCQ2gDeoZXFhQfqTc8mEVxP80iRGMR7sa3ZLHACzZN1fJKjWEvmDZZrPdVm7jATT7g==,iv:LF73PZaA+S8FPtnSrkG+8iuN+3q+PxR2GL2VmwXaeNg=,tag:yhNZUDL6vT3ZfJpXtuyblA==,type:str]
#ENC[AES256_GCM,data:cRvGVeuDnEbJs01G+Und5ls1EgaC9Q2vj61IE/2R,iv:qSjv4bGEX9QWABhXgnCJsoj0p1kjgYaQwQX0Oyu9RHk=,tag:x8i1WXbAvdpC+Iv8pn/drw==,type:comment]
RESTIC_PASSWORD: ENC[AES256_GCM,data:6VI/lJQFZg6hu5r0SqNAKQAQGYY=,iv:UYRMnkHB4jsXcV1tyLDTAqh6dxsd18hYWsDoSpjJarA=,tag:d6hgK6LSgu7vZbLfquKcyA==,type:str]
#ENC[AES256_GCM,data:YIIHR5DwXv3YE9fFvNSAfrm47ZsshZMcY31LbaJ4gwXo0yOOHe6qDEc=,iv:axSMsvrIOkJFlErvw9fcAwLNSEWDh6mUU6dWZu6icIo=,tag:MDNlk43vcI9S4o6tMiWVmw==,type:comment]
#ENC[AES256_GCM,data:8Wspw6gPIPBsumfRS/5dlZrAQQqBJEDMgcpip4a3HCfHq8SeVDv4Gl0j3hyZqUsP5af8nN69Y/9bas7z1hnIERkrb8DqYg==,iv:WqCz9vBfg1JxUEpd97J37YztSW3HkcOHa6nIJI4VK8I=,tag:+LxnOzGidF39ojPKSOrVsg==,type:comment]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:I9vuuPEGS6A135zwKUNXvSIAjwk=,iv:dByy2WuuhO6OluWXYRwkdMutK33yKwOcWkR9hvY5bsg=,tag:xHU7Hbx+sxuZ9CRymA55JQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:kRdbENGS1F32JzkvktYkbfhMGBSrUpFSfyCdIpJwLOc+/2TyHAMrxA==,iv:Q+UKNT9aRo+A0KWu/FiST/4bOQKTOBJKHhpP8JXD3ao=,tag:7VE8lx2QAdNutcUj5kMNNA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RE9wTDZVRlExcnVKYjVZ
THNtblNXbGlSUitoS0FYV2k3dlg3aWZEMWxjCmZETUFGSnR0c3JZU2FHNnFneHdB
TEdlYjJTcjNsSDQ0dmgvNWlnNWo4TWMKLS0tIGR2Q25heThUUGliY0ZicDNra1FN
dGppaVJiME1FQnkzdVJOeTZMcjhYWE0KBrGQAYun1Zs3oyHWQ8iGvmF4hheP3md4
3/Lc9CqEC+V1lT9On8ivEBethjt528vCyVMM5pLMRBEO6CMjlNhJ+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-28T04:29:55Z"
mac: ENC[AES256_GCM,data:XlsRVx6bf/r7G1os9tRykc2uwYRcmR+6+noK9ZyaSfJGFDs4NNTQRtk+aXZpPWo7L6BBYeeUk6gV/UjspwoLkKVAO9xOarux5hxN5PbZkS1sRAMTK6oyOZTNyxkhJwQwSj6w1n339yNpJHZcu6FpN1Lw5lGvbvI338RLW1bJ/zY=,iv:SJ1/Ovbp4c3w1B6Utpjk7Yoal3Z4EY6R9HHlV9KpzxQ=,tag:rMMzNLDdnC60mRLV76d/Yg==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3
