feat: nas refactor

auricom
2024-05-12 14:54:08 +02:00
parent 0fdcc976af
commit f78a0fe9e1
39 changed files with 59 additions and 61 deletions


@@ -38,7 +38,7 @@ spec:
compression: bzip2
maxParallel: 8
destinationPath: s3://postgresql/
endpointURL: https://minio.${SECRET_DOMAIN}:9000
endpointURL: https://s3.feisar.ovh
# Note: serverName version needs to be inclemented
# when recovering from an existing cnpg cluster
serverName: postgres16-v3
@@ -58,7 +58,7 @@ spec:
# - name: postgres16-v2
# barmanObjectStore:
# destinationPath: s3://postgresql/
# endpointURL: https://minio.${SECRET_DOMAIN}:9000
# endpointURL: https://s3.feisar.ovh
# s3Credentials:
# accessKeyId:
# name: cloudnative-pg-secret
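Review bot: The new `endpointURL: https://s3.feisar.ovh` replaces the `${SECRET_DOMAIN}` Flux substitution with a literal domain, so the value the old line deliberately kept out of the manifest is now committed in plaintext, and the same pattern repeats in the other endpoint changes of this commit. If the domain is still meant to be withheld from the repository, keep the substitution and change only the host label, `endpointURL: https://s3.${SECRET_DOMAIN}`, and apply the same to the commented-out recovery block just below. The old endpoint also carried an explicit `:9000` while the new one relies on the default 443; if the new host is a reverse proxy in front of the object store, confirm its certificate chain is trusted by the backup client, since no CA or insecure override is visible here. The object-store block this belongs to continues outside the hunk.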


@@ -101,6 +101,6 @@ spec:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/backups/postgresql
path: /var/mnt/vol1/backups/postgresql
globalMounts:
- path: /backups


@@ -117,7 +117,7 @@ spec:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/video
path: /var/mnt/vol1/video
globalMounts:
- path: /mnt/storage/video
scripts:


@@ -82,6 +82,6 @@ spec:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/home/claude/books
path: /var/mnt/vol1/home/claude/books
globalMounts:
- path: /mnt/storage/home/claude/books


@@ -129,7 +129,7 @@ spec:
media:
type: nfs
server: 192.168.9.10
path: /mnt/storage/apps/frigate
path: /var/mnt/vol1/apps/frigate
globalMounts:
- path: /media/frigate
cache:


@@ -67,7 +67,7 @@ spec:
url: "https://truenas-remote.${SECRET_DOMAIN}"
- name: minio
icon: mdi:aws
url: "https://minio.${SECRET_DOMAIN}:9000"
url: "https://s3.feisar.ovh"
- name: pikvm
icon: mdi:ip-network
url: "https://pikvm.${SECRET_DOMAIN}"


@@ -3,7 +3,7 @@ type = s3
provider = Minio
access_key_id = __RCLONE_ACCESS_ID__
secret_access_key = __RCLONE_SECRET_KEY__
endpoint = https://minio.${SECRET_DOMAIN}:9000
endpoint = https://s3.feisar.ovh
acl = private
[gdrive-homelab-backups]


@@ -41,8 +41,8 @@ spec:
tag: 1.29.2@sha256:693ced2697bb7c7349419d4035a62bd474fc41710675b344f71773d8a687dfc3
command: [/bin/bash, /app/opnsense-backup.sh]
env:
OPNSENSE_URL: "https://opnsense.${SECRET_DOMAIN}"
S3_URL: "https://minio.${SECRET_DOMAIN}:9000"
OPNSENSE_URL: "https://opnsense.feisar.ovh"
S3_URL: "https://s3.feisar.ovh"
envFrom:
- secretRef:
name: homelab-opnsense-secret
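Review bot: `OPNSENSE_URL: "https://opnsense.feisar.ovh"` and `S3_URL: "https://s3.feisar.ovh"` drop the `${SECRET_DOMAIN}` substitution and commit a literal domain; this is the one place in the commit where the now-literal hostname also names a firewall management interface, which is exactly the kind of value the substitution was keeping out of the repository. If the domain is meant to stay confidential, keep the substitution and rename only the S3 host: `OPNSENSE_URL: "https://opnsense.${SECRET_DOMAIN}"` and `S3_URL: "https://s3.${SECRET_DOMAIN}"`. The credentials injected from `homelab-opnsense-secret` via `envFrom` are unchanged, so presumably only the endpoint moved — confirm the backup job still resolves these names internally rather than through the WAN side. The container spec continues outside the hunk.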


@@ -44,7 +44,7 @@ curl -fsSL \
-H "Date: ${http_request_date}" \
-H "Content-Type: ${http_content_type}" \
-H "Authorization: AWS ${AWS_ACCESS_KEY_ID}:${http_signature}" \
"https://minio.${SECRET_DOMAIN}:9000/${http_filepath}"
"https://s3.feisar.ovh/${http_filepath}"
rm /tmp/backup-*.tar


@@ -1,91 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: &app homelab-truenas-certs-deploy
namespace: default
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.1.0
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 2
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
uninstall:
keepHistory: false
values:
controllers:
homelab-truenas-certs-deploy:
type: cronjob
cronjob:
concurrencyPolicy: Forbid
schedule: "@daily"
containers:
app:
image:
repository: ghcr.io/auricom/kubectl
tag: 1.29.2@sha256:693ced2697bb7c7349419d4035a62bd474fc41710675b344f71773d8a687dfc3
command: [/bin/bash, /app/truenas-certs-deploy.sh]
env:
HOSTNAME: truenas
TRUENAS_HOME: /mnt/storage/home/homelab
CERTS_DEPLOY_MINIO_ENABLED: "True"
CERTS_DEPLOY_POSTGRESQL_ENABLED: "True"
envFrom: &envFrom
- secretRef:
name: &secret homelab-truenas-secret
truenas-remote-certs-deploy:
image:
repository: ghcr.io/auricom/kubectl
tag: 1.29.2@sha256:693ced2697bb7c7349419d4035a62bd474fc41710675b344f71773d8a687dfc3
command: [/bin/bash, /app/truenas-certs-deploy.sh]
env:
HOSTNAME: truenas-remote
TRUENAS_HOME: /mnt/vol1/home/homelab
CERTS_DEPLOY_MINIO_ENABLED: "False"
CERTS_DEPLOY_POSTGRESQL_ENABLED: "False"
envFrom: *envFrom
service:
app:
controller: *app
enabled: false
persistence:
config:
enabled: true
type: configMap
name: homelab-truenas-certs-deploy-configmap
defaultMode: 0775
globalMounts:
- path: /app/truenas-certs-deploy.sh
subPath: truenas-certs-deploy.sh
readOnly: true
config-python:
type: configMap
name: homelab-truenas-certs-deploy-configmap
defaultMode: 0775
globalMounts:
- path: /app/truenas-certs-deploy.py
subPath: truenas-certs-deploy.py
readOnly: true
ssh:
type: secret
name: *secret
defaultMode: 0775
globalMounts:
- path: /opt/id_rsa
subPath: TRUENAS_SSH_KEY
readOnly: true


@@ -1,16 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./helmrelease.yaml
configMapGenerator:
- name: homelab-truenas-certs-deploy-configmap
files:
- ./truenas-certs-deploy.sh
- ./truenas-certs-deploy.py
generatorOptions:
disableNameSuffixHash: true
annotations:
kustomize.toolkit.fluxcd.io/substitute: disabled


@@ -1,223 +0,0 @@
#!/usr/bin/env python3
"""
Import and activate a SSL/TLS certificate into FreeNAS 11.1 or later
Uses the FreeNAS API to make the change, so everything's properly saved in the config
database and captured in a backup.
Requires paths to the cert (including the any intermediate CA certs) and private key,
and username, password, and FQDN of your FreeNAS system.
Source: https://github.com/danb35/deploy-freenas
"""
import argparse
import os
import sys
import json
import requests
import time
import configparser
import socket
from datetime import datetime, timedelta
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
API_KEY = os.getenv('CERTS_DEPLOY_API_KEY')
DOMAIN_NAME = socket.gethostname()
TRUENAS_ADDRESS = 'localhost'
VERIFY = False
PRIVATEKEY_PATH = os.getenv('CERTS_DEPLOY_PRIVATE_KEY_PATH')
FULLCHAIN_PATH = os.getenv('CERTS_DEPLOY_FULLCHAIN_PATH')
PROTOCOL = 'http://'
PORT = '80'
FTP_ENABLED = bool(os.getenv('CERTS_DEPLOY_FTP_ENABLED', ''))
S3_ENABLED = bool(os.getenv('CERTS_DEPLOY_S3_ENABLED', ''))
now = datetime.now()
cert = "letsencrypt-%s-%s-%s-%s" %(now.year, now.strftime('%m'), now.strftime('%d'), ''.join(c for c in now.strftime('%X') if
c.isdigit()))
# Set some general request params
session = requests.Session()
session.headers.update({
'Content-Type': 'application/json'
})
if API_KEY:
session.headers.update({
'Authorization': f'Bearer {API_KEY}'
})
else:
print ("Unable to authenticate. Specify 'CERTS_DEPLOY_API_KEY' in the os Env.")
exit(1)
if not PRIVATEKEY_PATH:
print ("Unable to find private key. Specify 'CERTS_DEPLOY_PRIVATE_KEY_PATH' in the os Env.")
exit(1)
if not FULLCHAIN_PATH:
print ("Unable to find private key. Specify 'CERTS_DEPLOY_FULLCHAIN_PATH' in the os Env.")
exit(1)
# Load cert/key
with open(PRIVATEKEY_PATH, 'r') as file:
priv_key = file.read()
with open(FULLCHAIN_PATH, 'r') as file:
full_chain = file.read()
# Update or create certificate
r = session.post(
PROTOCOL + TRUENAS_ADDRESS + ':' + PORT + '/api/v2.0/certificate/',
verify=VERIFY,
data=json.dumps({
"create_type": "CERTIFICATE_CREATE_IMPORTED",
"name": cert,
"certificate": full_chain,
"privatekey": priv_key,
})
)
if r.status_code == 200:
print ("Certificate import successful")
else:
print ("Error importing certificate!")
print (r.text)
sys.exit(1)
# Sleep for a few seconds to let the cert propagate
time.sleep(5)
# Download certificate list
limit = {'limit': 0} # set limit to 0 to disable paging in the event of many certificates
r = session.get(
PROTOCOL + TRUENAS_ADDRESS + ':' + PORT + '/api/v2.0/certificate/',
verify=VERIFY,
params=limit
)
if r.status_code == 200:
print ("Certificate list successful")
else:
print ("Error listing certificates!")
print (r.text)
sys.exit(1)
# Parse certificate list to find the id that matches our cert name
cert_list = r.json()
new_cert_data = None
for cert_data in cert_list:
if cert_data['name'] == cert:
new_cert_data = cert_data
cert_id = new_cert_data['id']
break
if not new_cert_data:
print ("Error searching for newly imported certificate in certificate list.")
sys.exit(1)
# Set our cert as active
r = session.put(
PROTOCOL + TRUENAS_ADDRESS + ':' + PORT + '/api/v2.0/system/general/',
verify=VERIFY,
data=json.dumps({
"ui_certificate": cert_id,
})
)
if r.status_code == 200:
print ("Setting active certificate successful")
else:
print ("Error setting active certificate!")
print (r.text)
sys.exit(1)
if FTP_ENABLED:
# Set our cert as active for FTP plugin
r = session.put(
PROTOCOL + TRUENAS_ADDRESS + ':' + PORT + '/api/v2.0/ftp/',
verify=VERIFY,
data=json.dumps({
"ssltls_certfile": cert,
}),
)
if r.status_code == 200:
print ("Setting active FTP certificate successful")
else:
print ("Error setting active FTP certificate!")
print (r.text)
sys.exit(1)
if S3_ENABLED:
# Set our cert as active for S3 plugin
r = session.put(
PROTOCOL + TRUENAS_ADDRESS + ':' + PORT + '/api/v2.0/s3/',
verify=VERIFY,
data=json.dumps({
"certificate": cert_id,
}),
)
if r.status_code == 200:
print ("Setting active S3 certificate successful")
else:
print ("Error setting active S3 certificate!")
print (r)
sys.exit(1)
# Get expired and old certs with same SAN
cert_ids_same_san = set()
cert_ids_expired = set()
for cert_data in cert_list:
if set(cert_data['san']) == set(new_cert_data['san']):
cert_ids_same_san.add(cert_data['id'])
issued_date = datetime.strptime(cert_data['from'], "%c")
lifetime = timedelta(days=cert_data['lifetime'])
expiration_date = issued_date + lifetime
if expiration_date < now:
cert_ids_expired.add(cert_data['id'])
# Remove new cert_id from lists
if cert_id in cert_ids_expired:
cert_ids_expired.remove(cert_id)
if cert_id in cert_ids_same_san:
cert_ids_same_san.remove(cert_id)
# Delete expired and old certificates with same SAN from freenas
for cid in (cert_ids_same_san | cert_ids_expired):
r = session.delete(
PROTOCOL + TRUENAS_ADDRESS + ':' + PORT + '/api/v2.0/certificate/id/' + str(cid),
verify=VERIFY
)
for c in cert_list:
if c['id'] == cid:
cert_name = c['name']
if r.status_code == 200:
print ("Deleting certificate " + cert_name + " successful")
else:
print ("Error deleting certificate " + cert_name + "!")
print (r.text)
sys.exit(1)
# Reload nginx with new cert
# If everything goes right, the request fails with a ConnectionError
try:
r = session.post(
PROTOCOL + TRUENAS_ADDRESS + ':' + PORT + '/api/v2.0/system/general/ui_restart',
verify=VERIFY
)
if r.status_code == 200:
print ("Reloading WebUI successful")
print ("deploy_freenas.py executed successfully")
else:
print ("Error reloading WebUI!")
print ("{}: {}".format(r.status_code, r.text))
sys.exit(1)
except requests.exceptions.ConnectionError:
print ("Error reloading WebUI!")
sys.exit(1)


@@ -1,97 +0,0 @@
#!/usr/bin/env bash
set -o nounset
set -o errexit
mkdir -p ~/.ssh
cp /opt/id_rsa ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
if [ "${HOSTNAME}" == "truenas" ]; then
printf -v truenas_api_key %q "$TRUENAS_API_KEY"
elif [ "${HOSTNAME}" == "truenas-remote" ]; then
printf -v truenas_api_key %q "$TRUENAS_REMOTE_API_KEY"
fi
printf -v cert_deploy_minio_enabled_str %q "$CERTS_DEPLOY_MINIO_ENABLED"
printf -v cert_deploy_postgresql_enabled_str %q "$CERTS_DEPLOY_POSTGRESQL_ENABLED"
printf -v pushover_api_token_str %q "$PUSHOVER_API_TOKEN"
printf -v pushover_user_key_str %q "$PUSHOVER_USER_KEY"
printf -v secret_domain_str %q "$SECRET_DOMAIN"
scp -o StrictHostKeyChecking=no /app/truenas-certs-deploy.py homelab@${HOSTNAME}.${SECRET_DOMAIN}:${TRUENAS_HOME}/scripts/certificates_deploy.py
ssh -o StrictHostKeyChecking=no homelab@${HOSTNAME}.${SECRET_DOMAIN} "/bin/bash -s $truenas_api_key $cert_deploy_minio_enabled_str $cert_deploy_postgresql_enabled_str $pushover_api_token_str $pushover_user_key_str $secret_domain_str" << 'EOF'
set -o nounset
set -o errexit
PUSHOVER_API_TOKEN=$4
PUSHOVER_USER_KEY=$5
SECRET_DOMAIN=$6
# Variables
TARGET=$(hostname)
DAYS=21
CERTIFICATE_PATH="${HOME}/letsencrypt/${SECRET_DOMAIN}"
SCRIPT_PATH="${HOME}/scripts"
export CERTS_DEPLOY_API_KEY=$1
export CERTS_DEPLOY_PRIVATE_KEY_PATH=${CERTIFICATE_PATH}/key.pem
export CERTS_DEPLOY_FULLCHAIN_PATH=${CERTIFICATE_PATH}/fullchain.pem
if [ "$2" == "True" ]; then
export CERTS_DEPLOY_MINIO_ENABLED=$2
fi
CERTS_DEPLOY_MINIO_CERT_PATH=/mnt/storage/iocage/jails/minio_v2/root/home/minio/certs
if [ "$3" == "True" ]; then
export CERTS_DEPLOY_POSTGRESQL_ENABLED=$3
fi
CERTS_DEPLOY_POSTGRESQL_PATH=/mnt/apps/postgresql
# Check if cert is older than 69 days
result=$(find ${CERTS_DEPLOY_PRIVATE_KEY_PATH} -mtime +69)
if [[ "$result" == "${CERTS_DEPLOY_PRIVATE_KEY_PATH}" ]]; then
echo "ERROR - Certificate is older than 69 days"
echo "ERROR - Verify than it has been renewed by ACME client on opnsense and that the upload automation has been executed"
curl -s \
--form-string "token=${PUSHOVER_API_TOKEN}" \
--form-string "user=${PUSHOVER_USER_KEY}" \
--form-string "message=Certificate on $TARGET is older than 69 days. Verify than it has been renewed by ACME client on opnsense and that the upload automation has been executed" \
https://api.pushover.net/1/messages.json
else
echo "INFO checking if $TARGET expires in less than $DAYS days"
set +o errexit
openssl x509 -checkend $(( 24*3600*$DAYS )) -noout -in <(openssl s_client -showcerts -connect $TARGET:443 </dev/null 2>/dev/null | openssl x509 -outform PEM)
if [[ $? -ne 0 ]]; then
set -o errexit
echo "INFO - Certificate expires in less than $DAYS days"
echo "INFO - Deploying new certificate"
# Deploy certificate (truenas UI)
python ${SCRIPT_PATH}/certificates_deploy.py
# Copy certificates (minio)
if [ "CERTS_DEPLOY_MINIO_ENABLED" == "True" ]; then
cp -pr ${CERTS_DEPLOY_PRIVATE_KEY_PATH} ${CERTS_DEPLOY_MINIO_CERT_PATH}/private.key
cp -pr ${CERTS_DEPLOY_FULLCHAIN_PATH} ${CERTS_DEPLOY_MINIO_CERT_PATH}/public.crt
iocage exec minio_v2 'service minio restart'
fi
# Copy certificates (postgresql)
if [ "CERTS_DEPLOY_POSTGRESQL_ENABLED" == "True" ]; then
pg_data_dirs=$(find /mnt/{{ postgresql_pool_name }}/postgresql -type d -maxdepth 1 -name '*data*' -exec basename {} \;)
for i in $pg_data_dirs; do
cp -pr ${CERTS_DEPLOY_PRIVATE_KEY_PATH} ${CERTS_DEPLOY_POSTGRESQL_PATH}/$i/server.key
cp -pr ${CERTS_DEPLOY_FULLCHAIN_PATH} ${CERTS_DEPLOY_POSTGRESQL_PATH}/$i/server.crt
iocage exec postgresql_v${i: -2} 'service postgresql reload'
done
fi
curl -s \
--form-string "token=${PUSHOVER_API_TOKEN}" \
--form-string "user=${PUSHOVER_USER_KEY}" \
--form-string "message=New Let's Encrypt certificate deployed on $TARGET." \
https://api.pushover.net/1/messages.json
else
echo "INFO - Certificate expires in more than $DAYS days"
fi
fi
EOF


@@ -5,7 +5,6 @@ kind: Kustomization
namespace: default
resources:
- ./backup
- ./certs-deploy
- ./externalsecret.yaml
- ./photo-sort
- ../../../../templates/gatus/guarded
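Review bot: Dropping `./certs-deploy` from this list, together with the cronjob and scripts deleted elsewhere in the commit, removes the only automation visible in this repository that rotated the Let's Encrypt certificate on the TrueNAS UI, the MinIO jail and the PostgreSQL jails, and nothing in the commit replaces it; if the NAS refactor moved those services, document where certificate renewal now happens, otherwise the NAS-side TLS endpoints will expire silently. The `./externalsecret.yaml` kept in this list presumably still materialises `homelab-truenas-secret` (SSH key, TrueNAS API keys, Pushover tokens) that only the deleted job consumed — trim it so unused credentials are not kept provisioned in the namespace. A comment above `- ./externalsecret.yaml` such as `# certs-deploy removed in the NAS refactor; check whether homelab-truenas-secret is still needed` would make the follow-up visible. The resources list continues outside the hunk.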


@@ -50,8 +50,8 @@ spec:
/app/sort.sh
env:
SORT_SOURCE_DIR: /mnt/storage/photo/mobile
SORT_DEST_DIR: /mnt/storage/photo
SORT_SOURCE_DIR: /var/mnt/vol1/photo/mobile
SORT_DEST_DIR: /var/mnt/vol1/photo
service:
app:
controller: *app
@@ -67,7 +67,7 @@ spec:
readOnly: true
photo:
type: nfs
path: /mnt/storage/photo
path: /var/mnt/vol1/photo
server: 192.168.9.10
globalMounts:
- path: /mnt/storage/photo
- path: /var/mnt/vol1/photo


@@ -112,21 +112,21 @@ spec:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/music
path: /var/mnt/vol1/music
globalMounts:
- path: /mnt/storage/music
photo:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/photo
path: /var/mnt/vol1/photo
globalMounts:
- path: /mnt/storage/photo
video:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/video
path: /var/mnt/vol1/video
globalMounts:
- path: /mnt/storage/video
transcode:


@@ -75,6 +75,6 @@ spec:
comics:
type: nfs
server: 192.168.9.10
path: /mnt/storage/home/claude/comics
path: /var/mnt/vol1/home/claude/comics
globalMounts:
- path: /mnt/storage/home/claude/comics


@@ -33,7 +33,6 @@ resources:
- ./lms/ks.yaml
- ./lychee/ks.yaml
- ./mailrise/ks.yaml
- ./media-browser/ks.yaml
- ./music-transcode/ks.yaml
- ./navidrome/ks.yaml
- ./outline/ks.yaml


@@ -105,13 +105,13 @@ spec:
music:
type: nfs
server: 192.168.9.10
path: /mnt/storage/music
path: /var/mnt/vol1/music
globalMounts:
- path: /mnt/storage/music
downloads:
type: nfs
server: 192.168.9.10
path: /mnt/storage/downloads
path: /var/mnt/vol1/downloads
globalMounts:
- path: /mnt/storage/downloads
scripts:


@@ -37,8 +37,8 @@ spec:
repository: toertel/logitech-media-server
tag: v8.4.0-1@sha256:07dde462237c0618034c9d2db33967f5bc0db34544558e8edaac32ef0614555a
env:
AUDIO_DIR: &music /mnt/storage/music
PLAYLIST_DIR: &playlist /mnt/storage/apps/lms
AUDIO_DIR: &music /var/mnt/vol1/music
PLAYLIST_DIR: &playlist /var/mnt/vol1/music/.lms
resources:
requests:
memory: 250Mi
@@ -97,9 +97,9 @@ spec:
music-helene:
type: nfs
server: 192.168.9.10
path: /mnt/storage/home/helene/Musique
path: /var/mnt/vol1/home/helene/Musique
globalMounts:
- path: /mnt/storage/home/helene/Musique
- path: /var/mnt/vol1/home/helene/Musique
playlists:
type: nfs
server: 192.168.9.10
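Review bot: `PLAYLIST_DIR` is not merely re-rooted like the other paths in this commit: it moves from a dedicated `apps/lms` share into a hidden `.lms` folder under the music tree (`/var/mnt/vol1/music/.lms`), so the `&playlist` anchor now resolves to a location inside `&music`. The `playlists:` NFS persistence entry that follows is cut off by the hunk, so it is not visible whether its `path:` was updated to the same location; if it still exports the old `apps/lms` dataset the container will mount one directory while LMS is told to write playlists into another. Also, `/var/mnt/vol1/music` is mounted `readOnly: true` by another consumer in this commit, so a writable `.lms` subfolder inside the music share will appear in other library scans unless excluded. The persistence block continues outside the hunk.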


@@ -93,6 +93,6 @@ spec:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/photo
path: /var/mnt/vol1/photo
globalMounts:
- path: /mnt/storage/photo


@@ -1,120 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: &app media-browser
namespace: default
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.1.0
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 2
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
uninstall:
keepHistory: false
values:
controllers:
media-browser:
annotations:
reloader.stakater.com/auto: "true"
containers:
app:
image:
repository: docker.io/filebrowser/filebrowser
tag: v2.29.0@sha256:33816c92ba4401bab465528bb54655df427eaaa80dc177e5aecb33d5b8b0a8f7
env:
TZ: "${TIMEZONE}"
FB_DATABASE: /config/filebrowser.db
FB_ROOT: /mnt/storage
FB_LOG: stdout
FB_NOAUTH: "true"
probes:
liveness: &probes
enabled: true
custom: true
spec:
httpGet:
path: /health
port: &port 80
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 1
failureThreshold: 3
readiness: *probes
startup:
enabled: false
resources:
requests:
cpu: 10m
memory: 50Mi
limits:
memory: 500Mi
service:
app:
controller: *app
ports:
http:
port: *port
ingress:
app:
enabled: true
className: nginx
annotations:
nginx.ingress.kubernetes.io/auth-method: GET
nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_CLUSTER_DOMAIN}?rm=$request_method
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
hajimari.io/icon: mdi:folder-play-outline
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
service:
identifier: app
port: http
tls:
- hosts:
- *host
persistence:
config:
enabled: true
existingClaim: *app
globalMounts:
- path: /config
music:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/music
globalMounts:
- path: /mnt/storage/music
photo:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/photo
globalMounts:
- path: /mnt/storage/photo
video:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/video
globalMounts:
- path: /mnt/storage/video


@@ -1,9 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- ./helmrelease.yaml
- ../../../../templates/gatus/guarded
- ../../../../templates/volsync


@@ -1,48 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: media-browser-restic
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: media-browser-restic-secret
template:
engineVersion: v2
data:
RESTIC_REPOSITORY: '{{ .REPOSITORY_TEMPLATE }}/media-browser'
RESTIC_PASSWORD: '{{ .RESTIC_PASSWORD }}'
AWS_ACCESS_KEY_ID: '{{ .AWS_ACCESS_KEY_ID }}'
AWS_SECRET_ACCESS_KEY: '{{ .AWS_SECRET_ACCESS_KEY }}'
dataFrom:
- extract:
key: volsync-restic-template
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/volsync.backube/replicationsource_v1alpha1.json
apiVersion: volsync.backube/v1alpha1
kind: ReplicationSource
metadata:
name: media-browser
namespace: default
spec:
sourcePVC: config-media-browser-0
trigger:
schedule: "0 7 * * *"
restic:
copyMethod: Snapshot
pruneIntervalDays: 7
repository: media-browser-restic-secret
cacheCapacity: 20Gi
volumeSnapshotClassName: csi-ceph-blockpool
storageClassName: rook-ceph-block
moverSecurityContext:
runAsUser: 33
runAsGroup: 33
fsGroup: 33
retain:
daily: 7
within: 3d


@@ -1,29 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app media-browser
namespace: flux-system
spec:
targetNamespace: default
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: external-secrets-stores
- name: rook-ceph-cluster
- name: volsync
path: ./kubernetes/apps/default/media-browser/app
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app
VOLSYNC_CAPACITY: 2Gi


@@ -79,13 +79,13 @@ spec:
readOnly: true
music:
type: nfs
path: /mnt/storage/music
path: /var/mnt/vol1/music
server: 192.168.9.10
globalMounts:
- path: /mnt/music
music-transcoded:
type: nfs
path: /mnt/storage/music_transcoded
path: /var/mnt/vol1/music_transcoded
server: 192.168.9.10
globalMounts:
- path: /mnt/music_transcoded


@@ -45,7 +45,7 @@ spec:
ND_DATAFOLDER: /config
ND_ENABLEGRAVATAR: "true"
ND_LOGLEVEL: info
ND_MUSICFOLDER: /mnt/storage/music/Artistes
ND_MUSICFOLDER: /var/mnt/vol1/music/Artistes
ND_PORT: &port 8080
ND_PROMETHEUS_ENABLED: "true"
ND_REVERSEPROXYUSERHEADER: Remote-User
@@ -96,7 +96,7 @@ spec:
music:
type: nfs
server: 192.168.9.10
path: /mnt/storage/music
path: /var/mnt/vol1/music
globalMounts:
- path: /mnt/storage/music
- path: /var/mnt/vol1/music
readOnly: true


@@ -53,7 +53,7 @@ spec:
AWS_S3_ACL: private
AWS_S3_FORCE_PATH_STYLE: "true"
AWS_S3_UPLOAD_BUCKET_NAME: outline
AWS_S3_UPLOAD_BUCKET_URL: "https://minio.${SECRET_DOMAIN}:9000"
AWS_S3_UPLOAD_BUCKET_URL: "https://s3.feisar.ovh"
ENABLE_UPDATES: "false"
FILE_STORAGE_UPLOAD_MAX_SIZE: "26214400"
OIDC_AUTH_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
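Review bot: `AWS_S3_UPLOAD_BUCKET_URL: "https://s3.feisar.ovh"` commits the literal domain that the previous line obtained from `${SECRET_DOMAIN}`, while `OIDC_AUTH_URI` two lines below still uses `${SECRET_CLUSTER_DOMAIN}`; mixing substituted and literal domains in one env block leaves it unclear which domains the repository treats as confidential. Keep the substitution, `AWS_S3_UPLOAD_BUCKET_URL: "https://s3.${SECRET_DOMAIN}"`, unless the domain is intentionally being made public, in which case the remaining `${SECRET_DOMAIN}` references across the repo should be replaced consistently too. The env block continues outside the hunk.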


@@ -95,27 +95,27 @@ spec:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/shared-documents/paperless/data
path: /var/mnt/vol1/shared-documents/paperless/data
globalMounts:
- path: /usr/src/paperless/data
media:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/shared-documents/paperless/media
path: /var/mnt/vol1/shared-documents/paperless/media
globalMounts:
- path: /usr/src/paperless/media
consume:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/shared-documents/paperless/watch
path: /var/mnt/vol1/shared-documents/paperless/watch
globalMounts:
- path: /usr/src/paperless/consume
export:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/shared-documents/paperless/export
path: /var/mnt/vol1/shared-documents/paperless/export
globalMounts:
- path: /usr/src/paperless/export


@@ -40,7 +40,7 @@ spec:
tag: latest@sha256:92c0fb0775e2fa5ac681aef71ccfe3d8de578f659f2e577e2c540eaf56374a88
env:
PHOTOPRISM_STORAGE_PATH: &storage /config
PHOTOPRISM_ORIGINALS_PATH: &originals /mnt/storage/photo/Gallery
PHOTOPRISM_ORIGINALS_PATH: &originals /var/mnt/vol1/photo/Gallery
PHOTOPRISM_DEBUG: "false"
PHOTOPRISM_PUBLIC: "true"
PHOTOPRISM_SITE_URL: "https://photos.${SECRET_CLUSTER_DOMAIN}/"


@@ -94,18 +94,18 @@ spec:
downloads:
type: nfs
server: 192.168.9.10
path: /mnt/storage/downloads
path: /var/mnt/vol1/downloads
globalMounts:
- path: /mnt/storage/downloads
music-qbittorrent:
type: nfs
server: 192.168.9.10
path: /mnt/storage/music/.qbittorrent
path: /var/mnt/vol1/music/.qbittorrent
globalMounts:
- path: /mnt/storage/music/.qbittorrent
video-qbittorrent:
type: nfs
server: 192.168.9.10
path: /mnt/storage/video/.qbittorrent
path: /var/mnt/vol1/video/.qbittorrent
globalMounts:
- path: /mnt/storage/video/.qbittorrent


@@ -106,14 +106,14 @@ spec:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/downloads
path: /var/mnt/vol1/downloads
globalMounts:
- path: /mnt/storage/downloads
video:
enabled: true
type: nfs
server: 192.168.9.10
path: /mnt/storage/video
path: /var/mnt/vol1/video
globalMounts:
- path: /mnt/storage/video
scripts:


@@ -88,36 +88,36 @@ spec:
backups:
type: nfs
server: 192.168.9.10
path: /mnt/storage/backups
path: /var/mnt/vol1/backups
globalMounts:
- path: /sync/backup
home-claude:
type: nfs
server: 192.168.9.10
path: /mnt/storage/home/claude
path: /var/mnt/vol1/home/claude
globalMounts:
- path: /sync/home/claude
music-transcoded:
type: nfs
server: 192.168.9.10
path: /mnt/storage/music_transcoded
path: /var/mnt/vol1/music_transcoded
globalMounts:
- path: /sync/music_transcoded
photo:
type: nfs
server: 192.168.9.10
path: /mnt/storage/photo
path: /var/mnt/vol1/photo
globalMounts:
- path: /sync/photo
shared-documents:
type: nfs
server: 192.168.9.10
path: /mnt/storage/shared-documents
path: /var/mnt/vol1/shared-documents
globalMounts:
- path: /sync/shared-documents
video:
type: nfs
server: 192.168.9.10
path: /mnt/storage/video
path: /var/mnt/vol1/video
globalMounts:
- path: /sync/video


@@ -88,18 +88,18 @@ spec:
backups:
type: nfs
server: 192.168.9.10
path: /mnt/storage/backups
path: /var/mnt/vol1/backups
globalMounts:
- path: /sync/backup
home-helene:
type: nfs
server: 192.168.9.10
path: /mnt/storage/home/helene
path: /var/mnt/vol1/home/helene
globalMounts:
- path: /sync/home
photo:
type: nfs
server: 192.168.9.10
path: /mnt/storage/photo
path: /var/mnt/vol1/photo
globalMounts:
- path: /sync/photo


@@ -118,18 +118,18 @@ spec:
downloads:
type: nfs
server: 192.168.9.10
path: /mnt/storage/downloads
path: /var/mnt/vol1/downloads
globalMounts:
- path: /mnt/storage/downloads
music-usenet:
type: nfs
server: 192.168.9.10
path: /mnt/storage/music/.usenet
path: /var/mnt/vol1/music/.usenet
globalMounts:
- path: /mnt/storage/music/.usenet
video-usenet:
type: nfs
server: 192.168.9.10
path: /mnt/storage/video/.usenet
path: /var/mnt/vol1/video/.usenet
globalMounts:
- path: /mnt/storage/video/.usenet


@@ -33,7 +33,7 @@ sharry.restserver {
minio =
{ enabled = true
type = "s3"
endpoint = "https://minio.${SECRET_DOMAIN}:9000"
endpoint = "https://s3.feisar.ovh"
access-key = "${SECRET_SHARRY_MINIO_S3_ACCESS_KEY}"
secret-key = "${SECRET_SHARRY_MINIO_S3_SECRET_KEY}"
bucket = "sharry"


@@ -122,13 +122,13 @@ spec:
downloads:
type: nfs
server: 192.168.9.10
path: /mnt/storage/downloads
path: /var/mnt/vol1/downloads
globalMounts:
- path: /mnt/storage/downloads
video:
type: nfs
server: 192.168.9.10
path: /mnt/storage/video
path: /var/mnt/vol1/video
globalMounts:
- path: /mnt/storage/video
scripts:


@@ -35,7 +35,7 @@ spec:
type: s3
config:
bucket: thanos
endpoint: "minio.${SECRET_DOMAIN}:9000"
endpoint: "s3.feisar.ovh"
region: ""
# insecure: true
query:
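Review bot: `endpoint: "s3.feisar.ovh"` has no scheme and the `# insecure: true` line stays commented out, so the Thanos S3 client will default to HTTPS on 443 against a host that previously answered on `:9000` — that is presumably the intent of the refactor, but it is worth a comment above `endpoint:` such as `# TLS on 443 behind the new s3 host; keep insecure unset` so nobody re-enables `insecure` when debugging. As elsewhere in this commit, the literal domain replaces the `${SECRET_DOMAIN}` substitution; keep `endpoint: "s3.${SECRET_DOMAIN}"` if the domain is meant to stay out of the repository. The objstore config continues outside the hunk.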